The HeartBleed Bug: Our advice to you


We received several questions about what you should do to protect your accounts in light of the Heartbleed bug, and we want to offer our advice on the best course of action given the situation.

First, as we mentioned in yesterday’s post, we want you to know that your Dashlane data is safe:

  • Your Dashlane accounts are not impacted by this flaw
  • Your Master Passwords are safe as they are never transmitted
  • Your personal data, when transmitted, is always encrypted locally with AES-256 before it leaves your device; Heartbleed is a bug in OpenSSL's TLS heartbeat extension, not in AES, so that encryption is unaffected

The Heartbleed bug has put millions of websites at risk: it lets an attacker read chunks of a vulnerable server's memory, which can contain private keys, session cookies and passwords, and, with a stolen private key, intercept traffic between you and the site, all without leaving traces in ordinary server logs. The keyword here is undetectably: it is impossible to know whether a site that was affected by Heartbleed was in fact exploited. All we can know is which sites were at risk.

Checking sites that were at risk and are now fixed

A lot of you have asked if we’ll be using a checker to push alerts for the sites that were affected. We’ve tested these checkers ourselves. The ones that we’ve seen provide some guidance as to which sites you should update – but they’re not 100% accurate.


Errors with these checkers are on the rise as websites start blocking the probe connections when they detect them. When they are not blocked, the checkers infer that a site has replaced its SSL certificate by looking at the certificate's "valid from" date, which only works if that date was updated along with the certificate. Not all certificate providers updated it when they reissued certificates, and a certificate reissued with a new date but the old private key gives no protection at all. In short, looking at that date is not enough.
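As an added illustration of what such a checker can and cannot tell you (example code written for this page, not Dashlane's or any checker's own code), the Go program below builds three self-signed certificates for a hypothetical host `example.test` and applies the check properly: it compares the certificate's "valid from" date with the 7 April 2014 disclosure date and, separately, compares the public key fingerprint with the one the site served before disclosure. The host name, key pairs and dates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Heartbleed (CVE-2014-0160) was publicly disclosed on 7 April 2014. A key that
// was in server memory before that date has to be treated as possibly leaked.
var heartbleedDisclosed = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// Verdict is what the check reports for one site.
type Verdict string

const (
	OldCert Verdict = "certificate predates disclosure: old key still in use"
	SameKey Verdict = "certificate re-dated but the public key is unchanged: re-issued without a new key"
	NewKey  Verdict = "certificate dated after disclosure and carries a new key"
)

// spkiFingerprint hashes the DER SubjectPublicKeyInfo. This is the part of a
// certificate that changes only when the key pair itself changes, so it is
// the right thing to compare; the validity dates are not.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// assessReissue compares the certificate a site serves now with the one it
// served before disclosure. The date test is what most online checkers did;
// the key test is the one that actually decides whether the leak is closed.
func assessReissue(before, now *x509.Certificate) Verdict {
	if !now.NotBefore.After(heartbleedDisclosed) {
		return OldCert
	}
	if spkiFingerprint(before) == spkiFingerprint(now) {
		return SameKey
	}
	return NewKey
}

// newKey generates a fresh P-256 key pair (stand-in for a site's TLS key).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// selfSigned builds a self-signed certificate for key with the given
// NotBefore. Constructed test data for a hypothetical host; no real site's
// certificate is used.
func selfSigned(key *ecdsa.PrivateKey, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Scenarios runs the check over the three situations a checker meets: a site
// that has done nothing, one that re-issued its certificate but kept the old
// key, and one that generated a new key. Dates are constructed for the example.
func Scenarios() map[string]Verdict {
	oldKey := newKey()
	beforeDisclosure := selfSigned(oldKey, time.Date(2013, time.October, 1, 0, 0, 0, 0, time.UTC))
	reDated := selfSigned(oldKey, time.Date(2014, time.April, 9, 0, 0, 0, 0, time.UTC))
	reKeyed := selfSigned(newKey(), time.Date(2014, time.April, 9, 0, 0, 0, 0, time.UTC))
	return map[string]Verdict{
		"unchanged":          assessReissue(beforeDisclosure, beforeDisclosure),
		"re-dated, same key": assessReissue(beforeDisclosure, reDated),
		"re-keyed":           assessReissue(beforeDisclosure, reKeyed),
	}
}

func main() {
	for name, v := range Scenarios() {
		fmt.Printf("%-20s %s\n", name, v)
	}
}
```

With real data you would replace `beforeDisclosure` with a certificate (or just a fingerprint) you recorded before 7 April 2014 and the second argument with the one the site serves today. If you have no earlier copy, the date tells you nothing about whether the key changed, which is exactly the blind spot of the date-only checkers.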

Without an accurate list of sites that were affected, we can't intelligently alert you of the accounts whose passwords need updating. We could push alerts for all your accounts, meaning some that are okay would show as needing to be updated. That is not what this feature was designed for: it sends alerts on a per-account basis for sites known to be compromised. It's too risky to push millions of alerts at once when the stability of our app is more critical than ever, and it would get annoying for you. You do need to be alerted to the issue, and websites are sending emails to let you know when it's safe to update your passwords. Some sites are even logging you out of your accounts and requiring password changes. We're also emailing you with our best advice…

Our advice to you

In an ideal world, you should change all of your passwords now and then again in 10 days when sites have patched the bug and issued new SSL certificates. In order to be as fully protected as possible, we’re in the process of emailing our users to advise the following:

  1. Immediately change the passwords for the accounts that are most critical to you (for example, your bank, your PayPal account, your email accounts…) by generating strong unique passwords using Dashlane
  2. Wait for an additional 10 days before changing any other passwords. You need to make sure all these sites have fixed the problem before changing your passwords: a new password sent to a site that is still vulnerable can be leaked just like the old one
  3. In 10 days, go back to all your critical accounts and change the passwords a second time by generating strong unique passwords using Dashlane
  4. Then change all of the passwords of your less critical accounts in the same way.

How you can manage this process

If you'd like to manage this process on a per-account basis, these checkers are useful, when they work, for showing you which sites are safe to change passwords on. For the reasons mentioned above, you now know why they're only a rough guide. (This one is popular.) Also, you can see when you last generated a password for an account by going to Tools > See Generated Passwords.

Managing this on a per account basis seems tedious. It’d be faster to change all your passwords, which isn’t the most fun thing any of us has ever had to do. We are in the midst of the biggest security vulnerability the Internet has ever seen. As they say, desperate times call for desperate measures. Luckily for any Dashlane user, it’s incredibly simple to change your passwords.

We hope this post helps clarify the actions we’re taking to help you stay safe on the Internet. We’ll continue to keep you updated and address your questions or concerns as the Heartbleed situation unfolds. As always, thanks for trusting your data in Dashlane.

  • Bruce Robertson

    Thanks for this update, Em, but could you get your guys to make Dashlane work on my older iMac again — it stopped about 6 months ago and hasn’t worked since. #FAIL

  • Aaron

    This is the important part –> “Without an accurate list of sites that were affected, we can’t intelligently alert you of the accounts whose passwords need updating.”

    Even if LastPass’s checker is inadequate from a security standpoint, on the surface it looks like they are handling things and Dashlane is dropping the ball. Write another blog post called “Why a Checker is the Wrong Solution” or something like that – don’t rely on people finding the above sentence buried in this blog post. This is a good time for Dashlane to shine, not to lose out because of PR issues. /soapbox

  • I’ve owned DashLane for almost a year. It comes with zero to inadequate instructions. I tried using it, and was locked out of almost all of my ‘important’ accounts. I have not been able to remove it, and lord knows I’ve tried. If DashLane would provide some instructions on how to use it, I’d sure give it a whirl, but as it is, it scares me. I’m 76. Slow, but not a complete dummy – have owned home computers since 1985. Can anyone help me?

    • Xavier Bernard

      Hello Paul,

      Thanks for contacting us about this issue!
      We are extremely sorry that you were locked out of your accounts using Dashlane.

      Could you please get in touch with our Support team using our contact form here in our Help Center so we can help you with this issue?

      It will be much easier than posting here! Thank you so much for your patience.

      Could you also include in your message if it happened after generating new passwords for your sites using Dashlane?

      Looking forward to your message.
      Best regards

      Xavier
      Dashlane Support

  • Martin Cowley

    Telling everyone to change every password they own twice seems overkill given many sites weren’t affected by Heartbleed, and others are affected but not yet patched. Surely the Dashlane security dashboard should be helping users through this; letting them know for which sites they should change their password due to Heartbleed being patched, and when exactly they should do it. The mechanism’s already in Dashlane for compromised sites, and I’d imagine this would draw a lot of positive attention to the tool.

  • James Cameron

    Telling everyone to change every password they own twice seems overkill given many sites weren’t affected by Heartbleed, and others are affected but not yet patched.

    —-

    I think you should re-read the post . . . in any event, this issue, if nothing else, might serve to nudge a lot of people out of their comfort zone . . . there are a lot of users who are extraordinarily casual about their online security. Personally, I found the DL advice prudent – better safe than sorry – and their password generation system exactly what is required for this type of problem.

  • Norton sent me an email that said that I could use it to check if any of my high value websites are impacted by Heartbleed. I checked and was told that none were affected. Thoughts?