Originally published Jan. 20, 2023
High-profile security breaches have many people wanting to better understand the quality and strength of their online security tools. At Dashlane, our unique security approach is reflected in our technology and culture. We don't believe in taking shortcuts, so every decision we make begins with your security in mind. And it starts with encryption.
Dashlane’s encryption protects ALL your data
While our Security White Paper explains the technical aspects, here’s a summary of what you need to know about the encryption of customer data.
- We rely on best-in-class cryptographic primitives to manage vault encryption. This is an area where it’s critical to leverage reliable, proven solutions that have been reviewed and approved across the industry.
- We use Argon2, the winner of the Password Hashing Competition, to generate an Advanced Encryption Standard (AES) 256-bit key for encryption and decryption of someone’s personal data on their device.
- Access to someone’s data requires their Master Password, which is only known by that individual and never stored on Dashlane servers or transmitted over the internet. For organizations using single sign-on (SSO) with Dashlane, employees don’t need to create a Master Password. However, the end result is still the same: We protect all your data.
Learn why you should always pair SSO with a password manager for an extra layer of security.
Dashlane's zero-knowledge architecture means only you can access your data
The architecture principle that supports our security is called a zero-knowledge system. This means no one—not even Dashlane—has access to your data.
Your logins and personal information are always encrypted, which locks them away behind a jumble of unrecognizable data. No one can see your logins and personal information without decrypting, or unlocking, the data. The only way your information can be decrypted is with your Master Password. Since no one but you knows your Master Password (we never see it), only you can access your data. For customers using SSO, we maintain the same zero-knowledge approach.
We never trust any server, code, or person with access to customer data. But zero knowledge, while important, is a pretty common standard in the security world. What sets Dashlane apart is how we build on that approach.
Check out these frequently asked security questions to learn more. Or, take a deep dive into Dashlane’s security architecture with our Security White Paper.
Dashlane exemplifies our security culture in 4 ways
Security isn’t just about expensive tools and software—it’s about people, and the people at Dashlane are passionate about privacy. Data privacy is at the heart of our product, and we built Dashlane on the belief that your passwords and data should always be secure, private, and accessible only to you. To live those values and maintain the best culture of security, we take consistent steps to mitigate the risk of potential attacks against Dashlane by:
- Identifying potential exploitation of application vulnerabilities: Our software development process aims to minimize the risk of vulnerabilities through code review, automated tests, and quality gates. However, we know no code is perfect; there are always bugs and issues a malicious actor could try to use to access customers’ data. Thus, security researchers are another important building block in our strong security foundation. Our bug bounty program incentivizes white-hat hackers (the good ones) to look for vulnerabilities and help us fix any issues before bad actors find them.
- Blocking access to our servers: Server-side security hardening allows us to leverage industry best practices and standards such as PCI-DSS or SOC2. We benefit from the built-in security of AWS (one of the most respected and secure cloud hosting services), as well as from years of best practices and lessons on server security from the tech community. For Dashlane, it’s about enforcing our zero-knowledge concept and making sure we follow those best practices.
- Preventing our internal systems from being compromised: Internal system compromise is a critical risk, as past security incidents like the Solarwind supply chain attack have illustrated. Dashlane works to stay ahead of such incidents by evaluating scenarios involving levels of access, content sensitivity, and the degree to which harm can occur. We operate on a zero-trust model, meaning we never trust anybody when it comes to issuing access to our servers. We also apply strong IT security practices like multifactor authentication on all systems, as well as segregation of roles, least-privilege access, and extensive monitoring.
- Accounting for the human factor: We trust our employees, but for their own safety, we also need to ensure that if any employee was bribed with money, threatened, or went rogue, they couldn’t harm our customers or our company. One of our most sensitive systems is our software factory. We’ve taken steps to ensure we have a very secure release pipeline with full traceability. Approval from multiple engineers is required to be able to ship code. The goal here is to make sure an employee can’t ship a corrupted Dashlane build.
Many of our customers switched to Dashlane from other password management solutions and have been happy to share their experiences. Learn more from organizations like Consero Global, VillageReach, and Mercy Medical.
Dashlane evolves as the threat landscape grows
Our culture of security not only works to keep your data safe but also fosters an environment that encourages innovation. And we’re continually looking for state-of-the-art ways to broaden and strengthen the security of our products.
In 2018, we saw computing power increase and migrated our key derivation function from PBKDF2 to Argon2 to ensure we were offering the most up-to-date solution. Argon2 is optimized to resist GPU cracking attacks. Not only did we make Argon2 the default for our new customers, but we also made sure to automatically migrate existing customers so they benefited from the most up-to-date and secure solution.
Another example of forward-thinking is our efforts to usher in a passwordless era. The newest authentication technology using passkeys has the potential to significantly reduce the risk of weak passwords. We’ve already announced passkey support in Dashlane, and we were the first password manager to offer an in-browser passkey solution. This adds security and makes things easier—and soon, you’ll be able to log in to your password manager without a password.
What’s next? We’re already considering how post-quantum cryptography fits into Dashlane’s future. We’re leveraging new computing technologies to make integrations with single sign-on (SSO) systems easier and more secure. These developments, and others like them, help reduce security exposures while making it easier than ever to keep your data secure.
Take a closer look at our privacy overview to learn how Dashlane uses cookies and data. We never sell personal user data, and you always have a choice about how cookies and other information are used.
Protect your data with Dashlane
As data compromise continues to rise, it’s important to understand the extent to which your tools can access, use, and store your data. At Dashlane, our customers’ security is our number one priority. We believe building a product and adhering to a strict process aligned to best-in-class security is critical to this success.
We don’t expect you to just take our word for it. As we continue working every day to protect people’s data, we encourage you to hold us to the highest standard and keep asking questions. We want to provide you with the answers and support you need to feel confident in your data security.
—Frederic Rivain, CTO
If your organization is looking for a secure password management solution, you can try Dashlane for free today—it only takes 3 minutes to get started, and we have a site license program that can help you save.
And if you want to try Dashlane to better manage your personal cybersecurity, we’ve got you covered.
Sign up to receive news and updates about Dashlane
Thanks! You're subscribed. Be on the lookout for updates straight to your inbox.
