A major flaw in web encryption was disclosed earlier this week. Dubbed the FREAK flaw, the vulnerability has been around for more than a decade, affecting the security of your Android and Apple devices and their built-in browsers.

Here’s everything you need to know about the FREAK flaw…what it is, how it affects you, and how to protect yourself from it.

What is the FREAK flaw?

According to freakattack.com, “The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered.”

Plainly, there’s a flaw in the way your browser connects you to a site, and that flaw allows an attacker to intercept and alter communications between you and that site.
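The following Python example is added here and is not from the original post or from freakattack.com: it parses a TLS ClientHello and reports any export-grade RSA cipher suites it offers, the weak suites the quote above refers to and the kind of thing a network sensor would flag. The function names and the sample handshake bytes are constructed for illustration.

```python
# Added example: flag export-grade RSA suites offered in a TLS ClientHello.
# The handshake bytes below are constructed, not captured traffic.

# IANA-registered RSA_EXPORT suites (40-bit ciphers, RSA keys capped at 512 bits).
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def offered_suites(record: bytes) -> list:
    """Return the cipher-suite IDs offered in one TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16:        # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 0x01:            # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                    # skip client_version + random
    if len(hello) < pos + 1:
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                           # skip session_id
    n = int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites length in bytes
    pos += 2
    if n % 2 or pos + n > len(hello):
        raise ValueError("truncated cipher-suite list")
    return [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + n, 2)]


def export_suites(record: bytes) -> list:
    """Names of export-grade RSA suites offered in the ClientHello, in order."""
    return [EXPORT_RSA_SUITES[s] for s in offered_suites(record)
            if s in EXPORT_RSA_SUITES]


def build_client_hello(suites: list) -> bytes:
    """Build a minimal ClientHello (no extensions) for the demonstration."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
             + len(cs).to_bytes(2, "big") + cs
             + b"\x01\x00")                         # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    # 0xC02F is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, a modern suite.
    weak = build_client_hello([0xC02F, 0x0003, 0x0008])
    print("export-grade suites offered:", export_suites(weak))
    print("clean hello:", export_suites(build_client_hello([0xC02F])))
```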

How does it affect your Dashlane account?

In short, it doesn’t.

  • Your Dashlane account remains safe.
  • Your Master Password is safe because it is never transmitted anywhere.
  • If/when your personal data is transmitted, it is always ciphered locally with AES-256, so even if an attacker eavesdrops, he won’t be able to read your data.

Vulnerabilities and exploits are why we’ve made sure you’re the only person with the keys to your castle.

Are you at risk? 

The FREAK flaw affects more browsers than initially thought. At the time of this post, it affects around 10% of Alexa’s top 1 million domains (down from 12%). If in the last 10 years you’ve accessed a vulnerable site using a vulnerable device and public WiFi, you could be susceptible to a man-in-the-middle attack.

According to freakattack.com, here are the vulnerable browsers:

  • Internet Explorer
  • Chrome on Mac OS and Android
  • Safari on Mac OS and iOS
  • Blackberry Browser
  • Opera on Mac OS and Linux

You can also view a list of Alexa’s top 1 million domains that were affected here.

Unless you happen to be a public figure (or a government agency), it’s unlikely that an attacker spent the time and energy to attack you personally. However, even if your risk feels small, that perception may be distorted. There are a lot of unknowns that come along with a disclosure like this, so you should still take action to protect yourself.

What should you do to protect yourself?

Though an attack seems unlikely, it’s not impossible. Thus, you should take precautions to protect yourself. Here’s what you can do:

  • Change the passwords of any accounts that you’ve accessed on your mobile device. You should change them now and again after more sites and devices have been patched. Also, if you’re reusing your passwords in lots of places, well…it’s time to clean those up.
  • Remove any public WiFi connections from your devices. As nice of an option as being connected all the time is, you really shouldn’t use public WiFi to access important accounts. Even if it’s password protected, it doesn’t really matter if everyone knows the password.
  • For now, use Firefox to browse on mobile and Mac. Apple and Google are working to push fixed versions of Safari and Chrome. However, on Android devices, you’re going to have to update your operating system to get the fix, which Android users notoriously don’t do. So, make fast friends with Firefox.
  • When you’re prompted to update your operating system on your mobile device or Mac computer, do it. These next updates will include important security fixes. If it’s been a hot minute since you’ve processed any updates, know that by staying behind on your updates, you’re staying vulnerable. (…and need to use Firefox.)

View all posts by Ashley Thurston Posted in Security | 1 Comment

This week sees the annual Mobile World Congress take place in Barcelona, one of the biggest events in the global technology calendar. This year has again seen a number of exciting technologies and innovations surface in the mobile technology space, from new phones from the likes of Microsoft and Sony to Google announcing a new wireless surface.


Another area which has been ripe with announcements is the security sector. Notably, Fujitsu has announced that it has managed to create a smart eye tracking device that can recognize each user’s unique iris, taking biometric authentication a step further than the current de-facto touch IDs we find on many of our devices. This latest take on biometric authentication will require the appropriate hardware to run, so don’t expect to see it on your smartphone any time soon. However, the real question is this: what are the pros and cons of biometric authentication?

There are traditionally three classes of authentication factor: knowledge of a piece of information (passwords, PINs, or secret questions); ownership of a physical device (tokens, cards); and an inherited physical characteristic (iris signature or fingerprints).

Enterprise or government systems that store highly sensitive information often combine two or three factors from these three classes. For convenience, most consumer websites rely on single-factor authentication based on login details and passwords.

Biometrics’ main advantage is that they can solve both identification (assessing your identity) and authentication (confirming your right to access something). On paper, biometrics is a great way to prevent identity theft and various kinds of fraud. The argument goes like this: “My credit card number and passwords can be stolen, but not my fingerprints.”

The problem, however, is that this premise has already been broken. Biometric authentication can be hacked, as can any other form of authentication. Last year, hackers from the Chaos Computer Club managed to reproduce the fingerprints of the German Defense Minister from high-resolution public photos, and they know how to use them on consumer phones’ biometric sensors. On the lighter side, there have even been reported cases of “Sleep-Jacking”, when someone opens a person’s device using their touch ID by placing the device on the sleeping person’s authorized finger.

Unlike passwords, biometric data that has been stolen cannot be changed: you cannot replace your stolen fingerprints with a new set. Even worse, if all your accounts were protected by the same stolen biometric information, they would all become vulnerable at once. Biometric authentication has other major limitations: it cannot be shared and it cannot be made anonymous. Sharing login data or using it anonymously is something increasing numbers of internet users do.

This is not to say that biometric authentication cannot be useful. As an additional layer of authentication, biometrics can provide another useful layer of security, particularly when using services which are especially sensitive, like our bank accounts. However, using strong passwords as the main foundation will build a stronger defence against breaches for the following reasons:

  • Passwords can be stolen, but if you use one unique password per website, the damage does not spread to other sites, as opposed to unique biometric data which is by definition the same everywhere.
  • Passwords can be shared, which is a necessity within groups of people such as families and work teams. Think about the Netflix account at home or the corporate Twitter account in a company. You cannot share your fingers or your eyes with someone else.
  • They preserve a kind of anonymity, a key attribute of the internet. Think about Twitter without anonymity.

Of course, an effective password management strategy (unique, randomly-generated passwords) is tough to apply given the number of different accounts we now use on a daily basis. This is why many of us now use password managers like Dashlane to solve this problem effectively and with more ease than trying to do it yourself. Biometrics as a technology is a fantastic innovation with many useful applications. However, in its current guise, a password-killer it is not.

View all posts by Tom Posted in Features, Mobile, Security | Leave a comment

(If you want to manage your work passwords, don’t forget to read to the end for an offer you won’t refuse too!)

What would you do at work if you couldn’t get online? Many of us would probably suggest calling it a day and heading home.

Modern work life depends on online accounts and, of course, the logins and work passwords that come with them. However, with this comes great responsibility. Do you choose convenience and use the same password everywhere? Or do you choose security by using unique passwords and take on the arduous task of logging into each one?

Luckily, Adrien’s here to offer some expert advice. Working in an agency that helps advertisers to better leverage their data, he knows the dilemma better than most of us. Here are his lessons to help you get in control and kick ass at managing business online too.

First of all, get those accounts in order

At my agency I work with an average of five to ten clients at any time, managing up to five accounts for each client. On top of that, I have all of my own work accounts to manage too, from email, to chat, to CRM. All that is just too much to keep track of manually – I’d go as far as to say impossible.

A completely secure repository of all of these accounts, that’s not confined to particular team members’ memory or laptops, is key to making sure the business has real control. We have everything saved in Dashlane so that all I have to remember is a single master password, leaving the app to do the rest for me.

For many people in our business, not only organizing your real accounts is important, but your alter egos too.  Anyone who has ever had to test a website for anything from errors to a good user experience will know that this involves filling in a whole lot of forms, and creating even more accounts in order to do so. It’s lengthy enough to input your own details, but when you’re signing up for demos or making purchases under different accounts, this gets very complicated.

To keep this process in check, putting in some structure around ‘fake’ as well as real credentials is important. Create complete profiles of a defined set of personas once, and refer to these whenever you’re playing around on your sites. Again, all of these identities are set up in my Dashlane account, and I use auto-filling to complete forms in seconds.

Start collaborating efficiently with your colleagues

More often than not, several of my colleagues and I may be working on a client’s analytics at once, with just a single login for everyone to share. Just like any team, we had plenty of experience of constant chat and email to get passwords from specific people for specific accounts. It’s a minor request, but every little thing that stops you from just getting on with your job can build up to create a fragmented and frustrating day. We now share passwords securely via Dashlane so that everyone can access the ones they need to, knowing that these are always synced and up to date.

And above all, make sure that your business is actually secure

Make sure your passwords are unique. Choosing the same password for each of your online accounts is like using the same key to lock your home, car and office – if a criminal gains access to one, all of them are compromised. Also make those passwords long and complex, so they are impossible to guess, adding numbers, symbols and mixed-case letters too. If it’s not very original, it won’t be very safe!


Still be careful about who you share with. Protecting your online accounts – particularly those that touch your brand – isn’t just about passwords. You need to educate your team on how to use those accounts too and ensure they share responsibly. Make use of permissions wherever you can. But if something goes wrong, your first response should be to change the password to lock any wrongdoers out – malicious or accidental.

Has Adrien’s story inspired you to give Dashlane a go? Well, it’s your lucky day! We’re currently offering UK startups a year’s free premium membership for three team members. To make the most of this offer (worth over £100) click here.

View all posts by Tom Posted in Efficiency, Security, Startup life | Leave a comment

At Dashlane we have learned a lot about how people manage their passwords over the years. One detail that always surprises us is our reluctance to let go of passwords we have a personal connection with. Even though we know we should be using random, alphanumeric codes, for some reason we still can’t let go of passwords which we have a personal connection with.

But why is this? Aside from the fact that we are not wired to remember complex alphanumerical passwords, there also seems to be another reason… We are too attached to the words we use to secure our important online data.

Many of us still use weak passwords because they have a special meaning for us. Whether it’s the name of a loved one, a home town, a birthday or even a favourite sports team, they are often something that is close to our heart.

This emotional bond with our passwords is something which is holding us back from making the necessary changes to ensure we are safe online. We need to cut that emotional tie to eliminate the risk of being over-familiar with these very important words.

To learn more about why we still prefer words over random passwords, visit Computer Business Review to read more from Emmanuel Schalit, CEO of Dashlane.

View all posts by Tom Posted in Press, Security | 1 Comment

Earlier this week, we reminded you of the importance of making sure your passwords are up to scratch when buying your Valentine’s presents online. Now that we’ve saved you from a broken desktop, it’s time to ensure you don’t suffer from a broken heart, with some tips on keeping your Valentine’s surprise a secret.

Whatever you might have planned for this Saturday, chances are you have left a digital bread trail on one, if not all, of your devices. This becomes even more of an issue when you consider that many of us share passwords with our significant other, including social media sites and emails.

While this token of trust warms the heart, it might put you in a sticky spot when trying to keep this Saturday’s big play a secret. But don’t despair!  We’ve outlined the key ways to make sure your Valentine’s Day goes off without a hitch ;)

Want to let us know how it goes? Tweet us with your stories and password triumphs at @Dashlane.

How to keep that special Valentine’s surprise a secret: five tips so you don’t give the game away this Valentine’s

Stop saving passwords in your browser

“Do you want Firefox to remember this password next time?” Sure, why not, it makes my life easier. This may seem like a quick win at the time; however, don’t be so sure…

Such keychains mean that anyone using your computer or logged in to the same session will have access to everywhere you have saved a login and can see the list of websites you have stored passwords for. Not ideal.

Manage your passwords effectively

Very much like love itself, passwords aren’t easy (to remember). For your own security and privacy, you should ensure that your passwords are long and alphanumeric, so they are even harder to guess. This will ensure that each and every one of your digital locks is secure.

It is also important to use different passwords for each site you use. After all, you don’t lock every door in your home, office and car using the same key. We understand that once you find the one you love it’s hard to let go. However, when it comes to passwords, it’s best to keep it fresh.

This might seem like a tricky process – choosing a plethora of complex passwords, let alone remembering them all… This is why a password manager, such as Dashlane, is really useful. It does all the hard work for you, protecting and remembering all those passwords in a safe and secure way!

Control how you share

There may well be times when you do need to share a password or some other personal information; however, do not do it by email or on a Post-it. Use a safe, encrypted method such as Dashlane’s Sharing Feature. That way, your precious passwords and data will never fall into someone else’s hands.

Make sure it’s a private affair

Did you know that when you’re signed in to Google anyone can see your entire browsing history on https://google.com/history? When you browse, you will always be leaving clues, or outright giveaways, to what you’ve been up to. As well as your browser history, your auto fill will react to your past searches and advertising will relate to what you have searched for.

The only way to ensure all the sites you visit are not traceable by everyone who lays their hands on your computer is by entering into a private browsing session. Each browser has a different name for this, for example in Chrome it is called “Incognito”. Going private will keep your activity private and will prevent you from staying constantly connected to Google or Facebook.

This will not only keep your Valentine’s surprises safe, but also any other information that you would rather keep to yourself.

Love in the Dashlane: use autofill to make speedy romantic gestures

If you need to get a last minute order done in a matter of seconds while your partner is out of the room, then the use of Dashlane’s auto form-filler will help you speed up those payment forms, delivery details and whatever else. Get a five-minute task done in 20 seconds, so those flowers can be on their way before she has even made that cup of tea.


View all posts by Tom Posted in Fun, Shopping, Tips & Tricks | Comments Off