10 Reasons Why Biometrics Won’t Replace Passwords Anytime Soon

News has emerged that hackers have successfully duplicated copies of fingerprints used to unlock the Samsung Galaxy S5 phone. According to security firm FireEye, which is presenting the findings at today's RSA conference, a flaw in the phone's Android software makes it possible to steal the fingerprint data so it can be reused elsewhere.

The flaw is the latest in a series of problems uncovered in biometric identification systems, casting further doubt on the feasibility of biometrics as a password killer. While biometric authentication is undoubtedly a fantastic innovation, at Dashlane we still think there are a number of issues to iron out before it becomes a de facto form of identification for the masses. So, with that in mind, let's take a closer look at the pros and cons of biometrics versus the password:


Biometric authentication can be attacked like any other form of authentication. But unlike passwords, biometric data that has been stolen cannot be changed: you cannot replace your stolen fingerprints with a new set, nor can you replace a finger you might lose in an accident. In that sense a fingerprint is closer to a username than a password: it identifies you, but it is not a secret you can rotate. Once the hackers have the key, they're in for good.


In 2009, 27-year-old Chinese national Lin Rong paid doctors almost £10,000 to alter her fingerprints so that she could bypass the biometric sensors used by immigration authorities at Japan's airports. Chinese surgeons swapped skin from the fingertips of her right and left hands. It worked, and she was admitted. Biometric fraud is alive and well.


Biometric authentication has other major limitations: it cannot be shared and cannot be made anonymous. Sharing login details, or using them anonymously, is something more and more internet users do, whether for business or in their personal lives. A password manager with sharing features can grant several individuals access to one account without handing the password around in the clear; a fingerprint cannot be lent out at all.


Banking is one example of a sector increasingly turning to voice biometrics, typically deployed inside the telephone Interactive Voice Response (IVR) systems customers already call into. Customers either recite a passphrase or hold a roughly 30-second conversation with an operator while the system analyses their natural speech pattern and checks it against a stored voiceprint. Barclays reported 95% accuracy. That still leaves a lot of customers falling back on passwords or other "traditional" verification methods. And what if you're under the weather and lose your voice?


Passwords preserve a degree of anonymity: a password proves you hold a secret, not who you are. Remove that anonymity and all sorts of privacy issues appear. With different passwords for different sites, nothing ties those logins to one person, whereas a biometric places a specific, named individual at every point of access. And once attackers know it's you, they can start to build a profile of everywhere you go, everything you do and even where all your key information is stored.


Thumbprints aren't all that secure either. In Germany, hackers from the Chaos Computer Club lifted the fingerprint of the country's interior minister, Wolfgang Schäuble, from a glass of water he'd left behind after a speech. They copied it successfully, reproduced it on a plastic film in 4,000 copies of their magazine, and urged readers to impersonate the minister. More recently, the same club recovered a usable fingerprint from high-resolution photographs. Other hackers have fooled fingerprint sensors using nothing more than Play-Doh.


Jan Krissler, again from the Chaos Computer Club, has used high-resolution photography, and even pictures found on Google Images, to fool iris scanners. "I did tests with different people and can say that an iris image with a diameter down to 75 pixels worked on our tests," he told Forbes. The printout required a resolution of 1200 dots per inch (dpi), and at least 75 per cent of the iris had to be visible. On Google Images, he found images suitable for iris spoofing of Russian president Vladimir Putin, UK Prime Minister David Cameron, US president Barack Obama and 2016 presidential candidate Hillary Clinton.


Even your own environment can conspire against accurate biometric access. In one manufacturer's test, a hand geometry system evaluated at Sandia National Laboratories in New Mexico showed an error rate of only 0.2%. When the same tests were run at nearby Kirtland Air Force Base, the error rate shot up to 20%, purely because of a different environment and a different group of people being tested.


Consider PayPal and its headline-grabbing work on a new generation of embeddable, injectable and ingestible devices to replace passwords. This “natural body identification” may mean that hackers no longer have to hack a system; they just need your actual body. “Brute force attacks” could take on a whole new, sinister meaning…


None of the above is to say that biometric authentication cannot be useful. As an additional factor on top of a password, biometrics can add a valuable layer of security, particularly for especially sensitive services like our bank accounts. However, for the foreseeable future at least, strong, unique passwords should remain the foundation of your defence against online breaches.



Posted by Tom in #fixtheinternet, Security

Our latest Mac version brings with it some of your popular requests! Plus, three new ways to help you find any password that you’ve stored or generated using Dashlane.

In our new Mac release, version 3.5, we’ve unified our experience across Safari, Chrome and Firefox. (This includes support for Chrome 42.)  It also brings a fresh new look with support for retina display and a savvier user experience with Dashlane in your browser.


Plus, after this update, you’ll no longer need to close your browsers to update Dashlane, thanks to much hard work on the behind-the-scenes operations of Dashlane in your browser.

This release also includes three new ways of helping you find and use any password that you've stored or generated using Dashlane.

First, we’ve added a way for you to autofill not just the password that’s saved in Dashlane, but also the last password that you generated. You can also view your Password History from here. See below.


Second, there’s your Password History, which you can access in the app by going to Tools > Password History. Your Password History is a list of all the passwords you currently have saved in the app, that you’ve generated on the web, or that you’ve replaced in Dashlane. See below.


And finally, there’s our new Search that lets you find and copy passwords right from the Search bar, making it much easier to find and copy passwords for your apps and programs on your computer.


If you’re not yet running Dashlane version 3.5 for Mac, you can get today’s release by going to Dashlane > Check for updates (see below).



Or you can get the free upgrade by visiting www.dashlane.com/download, or get it on the Mac App Store.

Posted by Ashley Thurston in Updates

5 Huge Holes in Your Password Security to Lock Down Now!

Chances are, if you're reading this blog, you're well aware that passwords are the key to much of our most confidential information. But with so much of our lives played out online, it's likely there are still a few weaknesses in your security repertoire, meaning that, right now, your own password security is probably nowhere near as locked down as it should be. And chances are it's one of, or perhaps all of, the following five holes leaving you exposed.

  1. Your passwords are not alphanumeric AND random

Password-cracking tools work through dictionaries of real words and previously leaked passwords, automatically applying the usual tweaks (a capital letter, digits on the end, "@" for "a"), so a password built from a real word or phrase falls in seconds even with those additions. Best practice is a long password generated at random, mixing letters and digits (and symbols where the site allows them). Not even so-called "keychain" systems are infallible: anyone using your computer, or logged into the same session, has access to every website whose password you have stored there.
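As an added example (not Dashlane's code), here is a miniature of the rule-based wordlist attack described above, in Python. The six-word list, the rule set and the targets are all constructed for the example, and the target is assumed to be stored as an unsalted SHA-256 hash, as a careless site might do. The word-based passwords fall within a few hundred guesses; the random 12-character alphanumeric one is never produced by the rules, and the entropy figures at the end show why trying every possibility is no help either.

```python
"""Why "real word + capital + digits" passwords fall to a rule-based wordlist
attack while a random alphanumeric password does not.

Added example, not Dashlane's code. The wordlist, rules and targets are a
constructed, deliberately tiny stand-in for the multi-million-entry wordlists
and rule files real cracking tools use.
"""
import hashlib
import math
import string

# Constructed mini wordlist; real attacks use multi-million-entry leaked lists.
WORDLIST = ["password", "summer", "dragon", "letmein", "welcome", "monkey"]

# "Leet" substitutions that crackers apply automatically (a small subset).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})

# Suffix rules: lone digits, years, punctuation, the usual "make it complex" tails.
SUFFIXES = [""] + [str(d) for d in range(10)] + ["123", "!", "1!", "2014", "2015", "2015!"]

ALPHANUM = string.ascii_letters + string.digits


def sha256_hex(text: str) -> str:
    """Assumed storage format of the target: unsalted SHA-256, hex encoded."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield every variant the rule set derives from one dictionary word."""
    bases = [word, word.capitalize(), word.upper()]
    bases += [b.translate(LEET) for b in bases]
    seen = set()
    for base in bases:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def crack(target_hash: str):
    """Rule-based wordlist attack against an unsalted SHA-256 hash.
    Returns (password, guesses), or (None, guesses) once the list is exhausted."""
    guesses = 0
    for word in WORDLIST:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at the given guessing rate (the worst case)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed targets: two "complex-looking" word-based passwords and a random one.
    for pw in ["P@ssw0rd1", "Summer2015!", "x7Gq2vLp9Rk4"]:
        found, n = crack(sha256_hex(pw))
        print(f"{pw:14} -> {'cracked' if found else 'not found'} after {n} guesses")
    bits = entropy_bits(12, ALPHANUM)
    print(f"12 random alphanumeric chars: {bits:.1f} bits, "
          f"{years_to_exhaust(bits, 1e10):.0f} years at 10 billion guesses/s")
```

Real rule files contain thousands of mangling rules and the wordlists hold every password ever leaked, so "Summer2015!" is no safer against them than "summer" is against this toy; the random password is out of reach because the rules never generate it and the key space is too large to enumerate.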

  2. You’re using the same password for several websites

Think about every time you have created a new online account. You likely had to provide login details for each one – including a user name, email address and undoubtedly a password. Many of you probably use the same password as the one you used before right? At least then you won’t forget it!

While convenient, this method comes with some serious risks. Think of it this way. With each new account comes another door to your personal information. And if all of those doors are locked using the same key, however strong, someone looking to access your information only has to crack that one, often simple code. Then they could potentially have access to much of your online information. Mixing it up by using different passwords everywhere makes it considerably more difficult to hack a portfolio of information.

  3. Your inbox is a goldmine for hackers

Years of sign-ups, newsletters and receipts pile up until you become what's known as an "online hoarder". You would likely be amazed how many accounts you have signed up to over the years using your email address. Not only does that clutter make it hard to find the information you really care about, it is also a huge security risk if your passwords are not up to scratch: whoever gets into your mailbox gets a list of everywhere you have an account, plus any passwords that were ever emailed to you in plain text. Services like Unroll.me let you quickly identify unwanted subscriptions and mass-unsubscribe from dormant and redundant accounts. Paired with our new tool Dashlane Inbox Scan, which identifies account passwords and private data lying exposed in your inbox so you can remove them, you can make your inbox not only hassle-free but also a far less attractive target.

  4. You are using weak or no encryption

Storing your passwords safely means encrypting them with a strong, well-vetted cipher. The industry standard is AES-256: AES stands for Advanced Encryption Standard, and 256 is the key length in bits. AES was the first publicly accessible, open cipher approved by the National Security Agency (NSA) to protect information classified at the "Top Secret" level. Bear in mind that the cipher is only half the story: the key protecting your vault is derived from your master password, so a weak master password undermines AES-256 just as a weak key undermines a strong lock.

To find out more about AES-256 encryption take a look at our own handy “Dashlane Explains” post for military grade encryption, which spells out the technology in simple terms.
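As an added example (not Dashlane's code, and not a description of how Dashlane's vault is built), here is what encrypting a stored password entry with AES-256 looks like in Python: the 256-bit key is derived from the master password with PBKDF2-HMAC-SHA256 from the standard library, and the entry is encrypted with AES-256 in GCM mode from the third-party `cryptography` package, so that a wrong master password or a modified ciphertext is detected rather than silently producing garbage. The iteration count, salt handling and entry format are assumptions made for the example.

```python
"""Encrypting a vault entry with AES-256-GCM under a key derived from the master
password. Added example, not Dashlane's code; requires the `cryptography` package."""
import hashlib
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: an iteration count chosen for this example. Real products tune it to
# the slowest device that has to unlock the vault.
PBKDF2_ITERATIONS = 200_000
# Non-secret context bound to the ciphertext by GCM's authentication tag.
ASSOCIATED_DATA = b"vault-entry-v1"


def derive_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit AES key.
    The salt is random per vault and stored alongside the ciphertext."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def encrypt_entry(key: bytes, entry: dict) -> bytes:
    """Return nonce || ciphertext || tag. A fresh 96-bit nonce for every encryption
    is mandatory: reusing one under the same key breaks GCM."""
    nonce = os.urandom(12)
    plaintext = json.dumps(entry, sort_keys=True).encode("utf-8")
    return nonce + AESGCM(key).encrypt(nonce, plaintext, ASSOCIATED_DATA)


def decrypt_entry(key: bytes, blob: bytes):
    """Decrypt and verify. Returns the entry, or None when the key is wrong or the
    blob was tampered with (GCM rejects it before any plaintext is released)."""
    nonce, ciphertext = blob[:12], blob[12:]
    try:
        plaintext = AESGCM(key).decrypt(nonce, ciphertext, ASSOCIATED_DATA)
    except InvalidTag:
        return None
    return json.loads(plaintext)


def tamper(blob: bytes) -> bytes:
    """Flip one bit inside the ciphertext, as an attacker or disk corruption might."""
    body = bytearray(blob)
    body[20] ^= 0x01
    return bytes(body)


if __name__ == "__main__":
    salt = os.urandom(16)
    key = derive_key("correct horse battery staple", salt)
    blob = encrypt_entry(key, {"site": "bank.example", "username": "alice", "password": "x7Gq2vLp9Rk4"})
    print("roundtrip:", decrypt_entry(key, blob))
    print("wrong master password:", decrypt_entry(derive_key("password1", salt), blob))
    print("tampered ciphertext:", decrypt_entry(key, tamper(blob)))
```

The design point is the combination: AES-256 protects confidentiality, GCM's tag protects integrity, and the PBKDF2 stretching is what makes guessing the master password expensive. Leave any one of the three out and "AES-256" on the box means much less than it sounds.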

  5. You’re insecurely sharing work passwords

Texting or emailing a colleague for the password to a work account is a bad idea, and one of the easiest ways to compromise your company’s security. Don’t be that person. If sharing is a necessity, ensure the system you use allows you to securely manage and share access to team passwords, and if anyone changes a password, the system should also sync that new login information across both the team and any devices they’re using.


Posted by Tom in Efficiency, Privacy, Security

Unroll.Me 25/7 Campaign

We’re always looking for productive ways to get ahead of the game. Whether it’s a shortcut to work, a better workout routine or the latest app that’s going to revolutionize your life, we’re all keen on making things that little bit easier for ourselves. Silly not to, right?

For all of you in search of the next little-big win, we’ve teamed up with clean inbox maestros, Unroll.Me, to offer you eight great apps at killer prices.

25/7 is here to declutter your life. From tracking your online shopping to cooking up a storm in the kitchen to never forgetting another password, 25/7 is giving you the chance to grab eight of the latest online tools to help make the most of your precious time.

This week-long program will show you easy ways to ditch distractions as well as providing time-saving secrets from leading CEOs. These tips and tools will help you gain an extra hour in your day to spend doing whatever it is you love.

We’ve already spoken about the merits of Unroll.Me before on the blog. It’s a great tool for cleaning up your inbox, letting you unsubscribe from emails with ease. Keeping your inbox in good shape can also eliminate the security fear factor as well as the frustration factor. Paired with our new tool Dashlane Inbox Scan, you can make sure your inbox is not only hassle-free but safe from hackers too.

Check out the 25/7 page for more details on the offers and don’t forget to try Dashlane out during this special offer!

Posted by Tom in Convenience, Efficiency, Security, Tips & Tricks

Last week, news broke of a security flaw on the dating website Match.com, putting the passwords of tens of millions of the site's users potentially at risk.

This was because the site's login page did not use HTTPS, so the email addresses and passwords of users logging in were sent in plain text and could be read by anyone on the same Wi-Fi network. Anyone using their match.com account on, say, a public network in a café could have been at risk.

Intercepting traffic this way is a form of man-in-the-middle attack (in its simplest, passive form: eavesdropping on an unencrypted connection).

But what exactly is it? And how can you make sure you are not vulnerable to it?

In simple terms, a man-in-the-middle attack is a situation in which a malicious party (the "man in the middle") can read, and potentially alter, the data travelling between you and the website you're browsing. The attacker sits somewhere on the path the data takes, for example on the same Wi-Fi network, and can impersonate each side to the other, gaining full access to the conversation. The attack is possible whenever the connection is not protected by encryption and authentication of the server, which is exactly what HTTPS provides and what Match.com's login page lacked.

The consequences are that any sensitive personal information (think passwords, personal data, financial information, etc.) can be read by the attacker in such a situation.

So, how can you protect yourself?

In the case of the match.com security flaw, the most important thing is to change your match.com password if you think your login could have been intercepted. Ask yourself whether you have recently used any Wi-Fi connection that was open to others.

Next, ask yourself whether you have used your match.com password on any other services (email, social media, etc.). More likely than not the answer is yes, which means you will need to change all of those passwords too: once a hacker has your login details, the same details open every other site where you used the same password.

It’s crucial to make sure you are using a different password in all locations across the web to ensure that the damage of any breach is limited to that site. After all, you wouldn’t use the same key to lock your house, car and office. To find out how many weak passwords you are using why not try out our new tool, Dashlane Inbox Scan, which will reveal how many times you have re-used certain passwords and which ones are most vulnerable to attacks.
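As an added example (not Dashlane's code), the following Python shows both points of this post: what the login described above looks like to someone on the same Wi-Fi when the page is plain HTTP, and which other accounts a leaked password then exposes. The captured request, the TLS record standing in for the HTTPS case, the host names and the password-manager vault are all constructed for the example; the field names treated as username and password fields are an assumption about typical login forms.

```python
"""What a login over plain HTTP looks like to an eavesdropper on the same Wi-Fi,
and which other accounts a leaked password then exposes.
Added example, not Dashlane's code; all inputs below are constructed."""
import hmac
from urllib.parse import parse_qs

# Constructed capture: the bytes a login form POST puts on the wire without HTTPS.
PLAIN_HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: dating.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 59\r\n"
    b"\r\n"
    b"email=alice%40example.com&password=Summer2015%21&remember=1"
)

# Constructed stand-in for the same login over HTTPS: a TLS application-data record
# (type 0x17, version 0x0303, 32-byte payload). The payload here is filler; on a real
# connection it is ciphertext and tells someone on the path nothing.
TLS_RECORD = bytes.fromhex("1703030020") + bytes(range(32))

# Constructed password-manager vault for the reuse check.
VAULT = [
    {"site": "dating.example", "username": "alice@example.com", "password": "Summer2015!"},
    {"site": "mail.example", "username": "alice@example.com", "password": "Summer2015!"},
    {"site": "bank.example", "username": "alice", "password": "x7Gq2vLp9Rk4"},
]

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ")
# Assumed field names used by typical login forms.
PASSWORD_FIELDS = {"password", "pass", "passwd", "pwd"}
USER_FIELDS = {"email", "username", "user", "login"}


def extract_credentials(capture: bytes):
    """Recover host, username and password from a captured plaintext HTTP form login.
    Returns None when the bytes are not a readable HTTP request (e.g. a TLS record)."""
    if not capture.startswith(HTTP_METHODS):
        return None
    head, sep, body = capture.partition(b"\r\n\r\n")
    if not sep:
        return None
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = {k.lower(): v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    password_key = next((k for k in fields if k in PASSWORD_FIELDS), None)
    if password_key is None:
        return None
    user_key = next((k for k in fields if k in USER_FIELDS), None)
    return {
        "host": headers.get("host"),
        "username": fields.get(user_key),
        "password": fields[password_key],
    }


def accounts_sharing_password(vault, leaked_password: str):
    """Sites in the vault whose password matches the leaked one. Every one of them
    has to be changed, not just the site that was breached."""
    leaked = leaked_password.encode("utf-8")
    return [e["site"] for e in vault
            if hmac.compare_digest(e["password"].encode("utf-8"), leaked)]


if __name__ == "__main__":
    creds = extract_credentials(PLAIN_HTTP_LOGIN)
    print("plain HTTP:", creds)
    print("HTTPS (TLS record):", extract_credentials(TLS_RECORD))
    print("accounts to rotate:", accounts_sharing_password(VAULT, creds["password"]))
```

The first call returns the email address and password in the clear, which is all an attacker on the café Wi-Fi needs; the TLS record yields nothing. The reuse check then turns "change your password on that site" into the actual list of accounts that need rotating.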

More generally speaking, here is some more advice to ensure you are safe from a man-in-the-middle attack:

  • Avoid Wi-Fi connections that aren’t yours (think: your coffee shop’s Wi-Fi, the free Wi-Fi in your building or even the airport), and if you must use one, only log in to sites served over HTTPS (the padlock in the address bar)
  • Delete Wi-Fi networks from your devices that aren’t yours, and make sure to secure your own Wi-Fi with a unique, private password
  • Use strong, unique passwords everywhere, so that one intercepted login cannot be replayed against your other accounts
Posted by Tom in Security