An Update on Password Manager Security

Earlier this week, Google security researcher Tavis Ormandy published an article on his personal website about password managers and their security. Tavis is a talented security researcher and a voice we listen to. There is a lot we agree with Tavis on: we have reached many of the same conclusions he does in his blog post, and we have proactively built our product to address those security risks. On other topics we took a different approach, which we will explain in this post.

We believe online security is not black and white: it is a series of deliberate trade-offs that balance protection against convenience. Our goal at Dashlane is to help people, both through the product we build and through efforts to make security topics more accessible and understandable for broad audiences. What matters is raising awareness of the risks and taking customers down the path of better digital hygiene with a user-friendly product, whatever their level of tech-savviness.

A browser vs. a password manager

In his blog post, Tavis recommends that readers use the password manager their browser offers.

For some people, we agree browser-based password managers are sufficient.

We do believe it is important to offer an alternative and give customers the choice of a solution that is independent of their browser and agnostic to any ecosystem. By choosing an independent password manager, customers are not locked into an ecosystem and can instead rely on independent companies that value privacy, without the ambiguity of a business model that could have conflicting interests.

If you:

  • Use different browsers, such as Safari on your iPhone and Chrome or Firefox on your laptop
  • Want to autofill more than just passwords, such as payment information or your contact information
  • Want tools to view your or your company’s overall password hygiene to improve it over time
  • Need to share a password, file, or secure note with a colleague, friend, or family member

Then a browser's built-in password manager will not cover your use cases. For most people and businesses, a browser's functionality is not sufficient, which is why companies like us exist.

Addressing security risks

Tavis lists a few potential vulnerabilities which either do not affect Dashlane or against which we believe we have put the appropriate measures in place.

No solution is perfect and no one can guarantee zero risk. What matters from our perspective is that we follow industry best practices to minimize the risk for our customers and for us as a company.

We run a public bug bounty program, we are regularly audited, and we comply with standards such as SOC 2. We listen to feedback from security researchers to continuously improve the security of our product.

If you want to learn more, we recommend reading about how we think about security, our bug bounty program, and our security whitepaper.

An opportunity for a more open world

Tavis’ other main arguments for using a browser-based password manager include that they can “isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.” What this fails to acknowledge is that these are not options available to third-party password managers: companies such as Google do not grant that level of access to their browser ecosystems, instead locking customers into their products and locking developers out.

Because browsers such as Chrome do not provide all the tools needed to interface with their native user interfaces (for instance secure local storage, autofill APIs, or a consent interface), password managers such as Dashlane must spend considerable time and resources crafting workarounds.

We believe everyone online would benefit from a more open environment. We are happy to contribute to new initiatives such as the W3C WebExtensions Community Group, which aims at better dialog and collaboration to standardize the web extension ecosystem; to developer projects such as Apple's password manager resources on GitHub; and to share our own autofill specifications with the community. The risks associated with online identity are increasing for everyone. Using a password manager is a must-have on the Internet today for better digital hygiene. Let's give customers the choice to pick the solution that best fits their needs.

    Frederic Rivain

    Frederic Rivain has been Dashlane’s passionate Chief Technology Officer since 2015. He is eager to learn, innovate, and have fun with the engineering team to ensure it efficiently supports Dashlane and offers the best service to all Dashlane users.