We’re always looking for ways to improve the security of our apps to keep you safe. Our latest version focuses on improving the way we use cryptography to protect your data.
Here, we’ll walk you through the changes.
Since our inception, we’ve used a classic password-based key derivation function named PBKDF2 to protect your data.
The goal of this algorithm is to create (“derive”) a strong cryptographic key from the password you use to secure your Dashlane account.
Deriving a cryptographic key takes time, depending on how expensive the derivation is configured to be. We need to derive the key fast enough that you can use it on a slow device, but make it costly enough that an adversary with a lot of computing power would need to spend an insane amount of energy, time, and money to crack it.
While PBKDF2 is still the only algorithm recommended by the American National Institute of Standards and Technology (NIST), advances in computing technology, especially improvements in consumer graphics cards, have made it less effective today.
A cryptographic contest, aptly named the “Password Hashing Contest,” ran from 2013 to 2015. The contest winner? A new cryptography algorithm named Argon2.
We’ve since added Argon2 as a derivation option on all of our supported platforms. (To be precise, we added the variant called Argon2d.)
Because we think it’s the best protection for everyone, we’ll soon make it the default setting for all Dashlane customers.
However, since some organizations need to comply with the official NIST recommendations, you can still choose to use PBKDF2 if you prefer. To make it more expensive to attack, we’ve increased the number of iterations from 10,000 to 200,000 (i.e., 20 times as many). This option is being progressively rolled out to all Dashlane customers.
For more technical insight, don’t hesitate to review our security white paper.
Local extension communication
The second change improves the security of our web extension.
The Dashlane application is made up of two important parts: the native application (which lives on your computer) and the web extension (which lives in your web browser). These two elements need to be able to exchange your sensitive information securely, so Dashlane can add or autofill your personal data online when you need it most.
To make the communication between these two components more robust, we introduced a pairing mechanism between the native application and the web extension. We now create a random “secret” and exchange it using a classic and proven cryptographic algorithm named Diffie-Hellman.
This change provides better protection for your Dashlane account against malicious people who manage to partly compromise your workstation.
- For new customers, this pairing will occur automatically the first time the web extension is launched.
- Existing customers will be auto-updated into our new pairing solution the next time they’re logged in to Dashlane.
In both cases, we’re happy that we were able to provide better security for Dashlane customers without interfering with the simple and intuitive user experience you’ve come to love!
Have any questions or comments? Leave them below and we’ll do our best to answer them as soon as possible.