Is Dashlane safe?

Recently I’ve been seeing a lot of YouTube ads for a thing called Dashlane, which stores all your passwords, credit card info and other sensitive data in one place. It also helps you generate hard passwords and has a few more features like that.

If I understood correctly, they say that they use military grade encryption and they store only the encrypted versions of your passwords on their servers, which can be accessed only by you using your main password which is not stored on their servers or transmitted over the internet at any point. I suppose that you have an app on your pc/phone which unlocks somehow when you type in the main password and then the app sends a green light signal to the main servers. So supposedly you are the only one with the access to the real passwords, since only you have the main password.

Obviously there’s no way to check this for sure and I highly doubt that they can’t see your non-encrypted passwords themselves without the main password which supposedly only you know. They own the encryption system, only they know how it works and they use the decryption system once your computer requests it by using the main password, so what is stopping them from accessing your data at any point via the decryption system they own without you authorizing it via the main password? Does anyone really believe they couldn’t do that if they wanted, especially if the government/military requested it? Who can guarantee that someone in Dashlane, an angry employee, a criminal or whatever won’t leak all that out at some point?

Tech and banking giants like Yahoo, eBay, Sony, JP Morgan have had massive leaks, but if a way smaller company like Dashlane leaked, not only your passwords for every site you have an account on, but your banking and other details will be available to anyone to steal.

Sounds like a crappy deal in exchange for a person having to type a few keys on the keyboard or keep complicated passwords on a piece of paper in a hard-to-find location in the house.

The big 3 password vaults are: 1Password, LastPass, and KeePass.
I use 1Password.

Don’t know anything about Dashlane.

Espionage safe level passwords IMO are basically overkill. My *pw123abc* level passwords have never been guessed to the best of my knowledge. My data that WAS swiped were on corporate and governmental systems that should have been better at it. So I am no longer going to worry about my personal passwords. And all the banks and insurance companies that keep suggesting 30 day changes with 3 or four different alphanumeric character classes can just shove it.

The encryption and decryption happens on your device. As the key (your password) never leaves the device and they’ve never seen the plaintext of the encrypted data, Dashlane is not able to recover or use your passwords themselves.

Assuming they’re on the up and up. I haven’t even gone as far as to go to their homepage. I’m just going from the OP and how such a service should work.

Hi JakeRS! Thanks for your interest in Dashlane!

Mithras is right and, as described in our whitepaper, your Master Password is used locally on your device to decrypt your data. The whole process is done by the app and even Dashlane employees do not have any way to access your encrypted data since your Master Password is never sent to the Web.

Please read our Whitepaper for more information!

Have a nice day!

Waitaminute. Your username is Dashlane, and you just so happen to know all about Dashlane? That’s one hell of a coincidence.

For free … Just store the passwords on your own computer in a WORD document I call mine “Password.docx”. WORD uses RSA encryption so I only need to remember the password for that file. My password file contains all sorts of secret information (bank account numbers, etc). And “just in case”, the file is printed once in a while and saved in my safety deposit box. And when I die, all the information I’ve typed here is on another file called “Password.txt” which is not encrypted.

I have not used Dashlane or any other third-party password service but my understanding is that it integrates with your browser. You don’t have to look up a password in a separate file and type it in; it is decrypted when needed and auto-populated in your browser form.

Google does that for me already.

Word does not use RSA. A public key system wouldn’t be appropriate for that application. Office 2007 through 2013 used AES-128 which is currently very secure. Office 2016 uses AES-256 which is also secure. Versions before 2007 used RC4 which is totally insecure and easily broken, so upgrade if you’re using an old version of Word. Whether the AES algorithms will remain secure for the rest of your life depends on unpredictable advances in cryptography and computing technology (e.g., quantum computing).