The recent OneLogin breach has people talking about the safety of password managers and cloud services, in general.
We understand that a data breach at a password manager or business single sign-on provider strikes fear into everyone. After all, if the best in the business can’t protect you, who can? And if these security tools can suffer hacks, aren’t they actually less safe? For years, security expert, after security expert, after security expert has replied that using a password manager is still much safer than not using one.
That remains true—you are far safer using a password manager than not—but Dashlane has another answer. A better answer:
Trust no one
To begin, though, let’s understand what a password manager is and what a single sign-on (SSO) solution does. A password manager is a tool widely used by consumers and businesses to store passwords for online accounts on a computer or mobile device, and it is secured by a Master Password. In some cases, your encrypted data may be backed up on the cloud.
OneLogin and other Identity and Access Management (IAM) companies manage access and rights to corporate software, tools and accounts and, on top of it, provide other useful features such as single sign-on (SSO)—a tool that allows someone to use one credential to access multiple connected systems.
Access to this sensitive data is a huge responsibility. In the event of a security breach, an attacker could gain access to internal systems, sensitive employee data, personal information, passwords, and account information. We do not know all of the details of the OneLogin breach, but, in theory, that much may have been exposed.
Dashlane’s security DNA is different: Zero-Knowledge
From Day 1, we built our company around one core principle: a zero-knowledge architecture. This means Dashlane does not need access to its users’ data and, more importantly, has strictly no access to it. We believe that your passwords and personal data should always be secure, private, and accessible to only you. Our zero-knowledge architecture has been granted a U.S. patent and we believe it is the most robust in the industry. This is a fundamental difference from companies who retain some form of access to the data of their users, even if they make every effort to protect it.
To go into more detail, we’ve based our U.S. patented security architecture on three core principles:
“Trust No One”: We never trust any server, code, or user our product interacts with, including Dashlane’s servers. This is why every user has a unique Master Password that only they know, which encrypts their data and is never stored or transmitted in any form. This model comes with a consequence: if you lose your Master Password, Dashlane cannot recover it for you and cannot even offer you a hint of it.
This is NOT how other products in the market are built, but we feel it is imperative. We always work with the assumption that our servers could become the next target of a cybercriminal, a rogue employee, or even a law enforcement agency, so we’ve built our system to ensure that no one, not even a Dashlane employee, can access your data.
Simplicity: A simple security architecture is easier to review, both by developers and by security researchers. It is also easier to understand globally and allows developers to modify it without having blind spots. Adhering to the simplicity principle is core to our security DNA.
Resiliency against common and known attacks: Security breaches happen every day, and our security team aims to stay one step ahead of common attacks and breaches. The simplicity of the security model also makes it easy for our world-class security team at Dashlane to continually monitor recent and ongoing attacks and vulnerabilities, ensuring Dashlane’s architecture is protected from similar exploits.
Here are a few additional security measures we take to ensure your data is safe within Dashlane:
- We use AES-256 encryption, the strongest there is. The Advanced Encryption Standard (AES) is a symmetric encryption algorithm trusted by the U.S. government to protect classified data.
- We use Amazon Web Services (AWS) servers because they’re the best around. There are many advantages to using AWS. One is that you get the full force of Amazon’s 24-7-365 monitoring in addition to our own.
- We audit our security like the IRS does taxes. We hire good guys who try to break Dashlane before the bad ones do. They do this within our software and our business.
- We enforce good password policies. We require Dashlane users to have a minimum 8-character Master Password with a mix of uppercase letters, lowercase letters, and a number. It makes everyone inherently safer, and although it might be stressful to know that we can never send it to you or reset it for you if you forget it, it’s for your own good.
We’re committed to continuously improving the security of Dashlane to keep the data of millions of users and thousands of businesses safe. If you want to know more, don’t hesitate to check our Security page or download our Security White Paper for technical details on our patented security infrastructure.