High-profile security breaches have many people wanting to better understand the quality and strength of their online security tools. At Dashlane, we take a unique security approach that is reflected in our technology and culture.
This approach, along with the fact that we’ve never been breached, is what makes us different from other password managers. It’s also why people feel confident choosing us to protect their data. We don’t believe in taking shortcuts, so every decision we make begins with your security in mind. And it starts with encryption.
Dashlane’s encryption protects ALL your data
While our Security White Paper explains the technical aspects, here is a summary of what you need to know about the encryption of customer data.
- We rely on best-in-class cryptographic primitives to manage vault encryption. This is really an area where it is critical to leverage reliable, proven solutions that have been reviewed and approved across the industry.
- We use Argon2, the winner of the Password Hashing Competition, to generate an Advanced Encryption Standard (AES) 256-bit key for encryption and decryption of the user’s personal data on the user’s device.
- Unlike some other password managers, we encrypt all of our customers’ data, not just passwords. This includes Secure Notes, domains, and more.
- Access to a user’s data requires that user’s Master Password, which is only known by the user and never stored on Dashlane servers or transmitted over the internet. For organizations using single sign-on (SSO) with Dashlane, employees don’t need to create a Master Password. However, the end result is still the same: we protect all your data.
Dashlane’s zero-knowledge architecture means only you can access your data
The architecture principle that supports our security is called a zero-knowledge system. This means no one—not even Dashlane—has access to your data.
Your logins and personal information are always encrypted, which locks them away behind a jumble of unrecognizable data. No one can see your logins and personal information without decrypting, or unlocking, the data. The only way your information can be decrypted is with your Master Password. Since no one but you knows your Master Password (we never see it), only you can access your data.
For customers using SSO, we maintain the same zero-knowledge approach by ensuring part of the required keys are only known by the SSO connector and the client apps, both of which are managed by the customers.
We never trust any server, code, or person with access to user data. But zero knowledge, while important, is a pretty common standard in the security world. What sets Dashlane apart is how we build on that approach.
Want to take a deep dive into Dashlane’s security architecture? Download our Security White Paper.
Dashlane exemplifies its security culture in 4 ways
Security isn’t just about expensive tools and software—it’s about people, and the people at Dashlane are passionate about privacy. Data privacy is at the heart of our product, and we built Dashlane on the belief that your passwords and data should always be secure, private, and accessible only to you. To live those values and maintain the best culture of security, we take consistent steps to mitigate the risk of potential attacks against Dashlane by:
- Identifying potential exploitation of application vulnerabilities: Our software development process aims to minimize the risk of vulnerabilities through code review, automated tests, and quality gates. However, we know no code is perfect; there are always bugs and issues a malicious actor could try to use to access customers’ data. Thus, security researchers are another important building block in our strong security foundation. Our bug bounty program incentivizes white-hat hackers (the good ones) to look for vulnerabilities and help us fix any issues before bad actors find them.
- Blocking access to our servers: Server-side security hardening enables us to leverage best practices from the industry and from standards such as PCI-DSS or SOC2. We benefit from the built-in security of AWS (one of the most respected and secure cloud hosting services), as well as from years of best practices and lessons on server security from the tech community. For Dashlane, it’s about enforcing our zero-knowledge concept and making sure we follow those best practices.
- Preventing our internal systems from being compromised: Internal system compromise is a critical risk, as past security incidents like the SolarWinds supply chain attack have illustrated. Dashlane works to stay ahead of such incidents by evaluating scenarios involving levels of access, sensitivity of content, and the degree to which harm can occur. We operate on a zero-trust model, meaning we never trust anybody when it comes to issuing access to our servers. We also apply strong IT security practices like multifactor authentication on all systems, as well as segregation of roles, least-privilege access, and extensive monitoring.
- Accounting for the human factor: We trust our employees, but for their own safety, we also need to ensure that if any employee was bribed with money, threatened, or went rogue, they could not harm our customers or our company. One of our most sensitive systems is our software factory. We’ve taken steps to ensure we have a very secure release pipeline with full traceability. Approval from multiple engineers is required to be able to ship code. The goal here is to make sure an employee cannot ship a corrupted Dashlane build.
Many of our customers switched to Dashlane from other password management solutions and have been happy to share their experiences. Learn more from organizations like Consero Global, VillageReach, and Mercy Medical.
Dashlane evolves as the threat landscape grows
Our culture of security not only works to keep your data safe but it also fosters an environment that encourages innovation. And we’re continually looking for state-of-the-art ways to broaden and strengthen the security of our products.
In 2018, we saw computing power increase and migrated our key derivation function from PBKDF2 to Argon2 to ensure we were offering the most up-to-date solution. Argon2 is optimized to resist GPU cracking attacks. Not only did we make Argon2 the default for our new customers, but we also made sure to automatically migrate existing customers so they benefited from the most up-to-date and secure solution.
Another example of forward thinking is our efforts to usher in a passwordless era. The newest authentication technology using passkeys has the potential to significantly reduce the risk of weak passwords. We’ve already announced passkey support in Dashlane and were the first password manager to offer an in-browser passkey solution. This adds security and makes things easier—soon, you’ll be able to log in to your password manager without a password.
What’s next? We’re already considering how post-quantum cryptography fits into Dashlane’s future. We’re leveraging new computing technologies to make integrations with single sign-on (SSO) systems easier and more secure. These developments, and others like them, help reduce security exposures while making it easier than ever to keep your data secure.
You have questions about Dashlane’s security, and we have answers. Check out these frequently asked questions to learn more.
Protect your data with Dashlane
As data compromise continues to rise, it’s important to understand the extent to which your tools can access, use, and store your data. At Dashlane, our customers’ security is our number one priority. We believe building a product and adhering to a strict process aligned to best-in-class security is critical to this success.
We don’t expect you to just take our word for it. As we continue working every day to protect people’s data, we encourage you to hold us to the highest standard and keep asking questions. We want to provide you with the answers and the support you need to feel confident in your data security.
—Frederic Rivain, CTO