Does anyone else stare blankly at the “enter new password” field when creating an account? *slowly raises hand*
Even though password managers are designed to let you ultimately forget all your passwords, there’s still the matter of creating one final Master Password for Dashlane itself. Your Master Password should be something you’ve never used before, highly secure and hard for hacking software to crack, yet somehow easy for you to remember.
In short, it’s a tricky (and ironic!) thing to ask our customers to do when they’ve come to us to relieve their password pain.
Well, the frustration stops here. This week, we released new password creation guidance that will make it easier for our customers to create a memorable and secure Dashlane Master Password. It’s based on a password strength estimator called ZXCVBN, which you can read more about below.
This guidance is already available in our Android and iOS mobile apps, and is now available to IT admins and their business plan users in the web app. It will be available to all new Dashlane customers within the next month through our web app.
ZXCVBN is an algorithm designed by Dropbox that analyzes a password and gives it a rating based on how hard it is for hacking software to guess. Counterintuitively, requiring people to do things like add numbers and special characters to passwords can actually make them no harder to crack, but much harder to remember. This is because hackers use software that already accounts for common patterns and substitutions. So while your bank might tell you “Pas$w0rd!” is a secure choice, it’s actually almost as easy for hacking software to crack as if you had used “password.”
With ZXCVBN, a password’s unpredictability—and therefore, its security—is measured by “entropy.” This is a better indicator of how long it would actually take a hacker to brute-force a password, that is, to use an automated system to try many candidate passwords quickly.
According to Dropbox, ZXCVBN analyzes passwords in three stages: match, score, and search.
In the match stage, ZXCVBN notes all the patterns it can detect. (Like its namesake “pattern” on the bottom row of keys of an American keyboard!) In the score stage, the algorithm calculates the entropy of each of these patterns, independent of the rest of the password; each kind of pattern has its own specific entropy calculation. In the search stage, it picks the combination of non-overlapping patterns that covers the whole password with the lowest total entropy, and that sum is the score. To match commonly used passwords and patterns, ZXCVBN compares the password against dictionary files that contain common words and patterns. The more common the patterns, the lower the entropy, and the less secure the password.
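The three stages, as an added example that is not part of the original post or of Dropbox’s zxcvbn library: a stripped-down JavaScript estimator whose seven-word dictionary, word ranks and l33t table are constructed assumptions. It shows why “P@ssword1” and “Pas$w0rd!” score only a few bits more than “password” while a four-word passphrase scores far higher.

```javascript
// Added example (not Dashlane's or Dropbox's code); word ranks and l33t table are constructed.
const RANKED_WORDS = new Map([
  ["password", 1], ["123456", 2], ["correct", 1200], ["horse", 2500],
  ["dashlane", 3000], ["battery", 5000], ["staple", 20000]]);
const L33T = { "@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "i", "!": "i", "3": "e" };

// Stage 1 (match): substrings that are ranked words as typed, or after undoing case and l33t.
function dictionaryMatches(pw) {
  const matches = [];
  for (let i = 0; i < pw.length; i++) {
    for (let j = i + 1; j <= pw.length; j++) {
      const token = pw.slice(i, j);
      const lower = token.toLowerCase();
      const deleet = [...lower].map((c) => L33T[c] ?? c).join("");
      for (const w of new Set([lower, deleet])) if (RANKED_WORDS.has(w)) matches.push({ i, j, token, word: w });
    }
  }
  return matches;
}

// Stage 2 (score): log2(rank), plus one bit for capitalisation and one per l33t substitution.
function dictionaryEntropy(m) {
  let bits = Math.log2(RANKED_WORDS.get(m.word));
  if (/[A-Z]/.test(m.token)) bits += 1;
  bits += [...m.token.toLowerCase()].filter((c, k) => c !== m.word[k]).length;
  return bits;
}

// Characters no pattern explains cost brute force: log2(character-class cardinality) per char.
function bruteForceEntropy(token) {
  const classes = [[/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^a-zA-Z0-9]/, 33]];
  const card = classes.reduce((n, [re, size]) => n + (re.test(token) ? size : 0), 0);
  return token.length * Math.log2(card);
}

// Stage 3 (search): DP over non-overlapping patterns finds the cheapest covering of the password.
function estimateEntropy(pw) {
  const best = [0, ...new Array(pw.length).fill(Infinity)];
  const dict = dictionaryMatches(pw);
  for (let j = 1; j <= pw.length; j++) {
    for (let i = 0; i < j; i++) {
      best[j] = Math.min(best[j], best[i] + bruteForceEntropy(pw.slice(i, j)));
    }
    for (const m of dict.filter((x) => x.j === j)) {
      best[j] = Math.min(best[j], best[m.i] + dictionaryEntropy(m));
    }
  }
  return best[pw.length];
}
```

With this toy dictionary, “password” scores 0 bits, “Pas$w0rd!” about 8 bits, and “correcthorsebatterystaple” about 48 bits, which is the gap the real estimator exposes.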
ZXCVBN analyzes the Master Password locally, on your own device—meaning that, for security, it’s never transmitted to Dashlane. The analysis happens as a customer or business user types the password, and Dashlane offers real-time feedback about its strength plus suggestions on how to make it stronger. Only once the password meets the requirements will you be able to move forward. With ZXCVBN, the suggestions are more flexible—and allow for more memorable passwords—than simply requiring that you add a number.
For example, Dashlane might suggest that you add another word or a more uncommon word to your password.
Password requirements are generally the same on most websites, meaning hackers are very familiar with the patterns to look for, such as replacing a letter with a symbol (like “@” for “a”). Traditional password security requirements would accept a password like “P@ssword1,” for example, even though it isn’t actually secure.
Users won’t have to endure an arduous trial-and-error period while coming up with a new password, as the feature accepts a variety of password styles as long as they meet a minimum entropy score.
With ZXCVBN, IT admins can easily enforce strong password requirements, since the feature makes it easy for employees to create a secure password. Ultimately, businesses are able to guide employees toward stronger security habits without much disruption to their workday or the business, and all our customers can feel empowered in understanding what actually makes a pa$sw0rd stronger.