Why a Local Device PIN Is Better than a Master Password
Are complex passwords the only way?
We're often advised that a complex and unique password is superior to a simple one. However, password complexity is only one way to view security. There are alternatives like biometric unlock and device PIN that are also secure. But when device support for a biometric method of unlocking your laptop or mobile is unavailable, could a 6-digit PIN be a strong substitute for a complex and unique password?
Let’s explore what the password actually does. Websites typically use passwords for user authentication, whereas password managers use them for much more:
- Websites simply need to confirm a user is who they say they are, and the password is one way to do that. The password isn’t the only way to access the user account, as the “forgot password” feature can simply reset the password with an email magic link.
- For password managers, a “master password” does more than your average website password. Password managers need a key to access the vault, and the master password is essentially the key to encrypt and decrypt the vault data. Without it, the encrypted data is inaccessible.
Let’s introduce the term “useful account data” in relation to passwords. Think of this as the data that makes having an online account valuable to you. For a social network, this valuable data would be your connections, your uploaded posts and pictures, etc. Another example is a book club website, where you can list the books you read and leave and read reviews. Creating an account allows you to create “useful account data.” In these use cases, your password acts like a key to your account information. While the password has no direct relationship to your “useful account data,” it's what unlocks your account and lets you access it. If you forget your password, there are usually ways to recover it, such as a “forgot my password” recovery flow, as mentioned earlier. The point is, you won’t lose your account data.
Password managers work differently compared to regular online accounts. The “useful account data” of a password manager is all the confidential information it protects, such as your login credentials for other websites. A key encrypts that information, and that key is typically directly tied to your master password. If you forget your master password, you typically lose access to your "useful account data" because there's no other way to decrypt it. The master password unlocks and reveals the actual data (your various passwords) stored within the password manager. Losing your master password means losing access to all the protected data unless you have a backup method (like an account recovery key).
Security and convenience with a local device PIN
When you use a Master Password to unlock Dashlane on your device, that password is effectively what decrypts your data. Anyone who steals your encrypted data still needs your Master Password to decipher it.
When you use a PIN to unlock Dashlane, the PIN is not directly involved in decrypting your vault data. Instead, it unlocks a strong, unique cryptographic key, and that key decrypts your vault. What’s more, the PIN is bound to the local device you’re using and must be set up on that device. Entering the PIN on that device combines it with additional data, invisible to the user and unique to that device, to unlock the cryptographic key that decrypts your vault.
| Authentication Method | Does it decrypt your data? | What does it do? | What if someone else knows it? |
| --- | --- | --- | --- |
| PIN | No | It protects a local secret that can decrypt your data. | They can't do anything with your PIN unless they also have the device that uses that PIN. |
| Master Password | Yes | It directly protects your data. | They can't do anything with your master password unless they also have your data. |
What if someone has my laptop? Can they brute force the local PIN?
The parallel with a luggage combination lock is that you need the luggage in hand to test a combination. But while anyone holding your luggage can try hundreds of combinations and eventually find the right one, the same isn’t true for the Dashlane local device PIN.
Dashlane introduced a local device PIN on the web because there’s no simple way to authenticate into a product that encrypts data without a complex Master Password. A local device PIN is a good solution because it lets the user rely on an easy-to-remember secret (something they know) combined with their device (something they have). On top of this, an attempt limit prevents someone with your device from trying thousands of combinations; this is where the parallel with a luggage lock ends, since luggage combination locks have no such mechanism.
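To make the two sections above concrete (a PIN that unlocks a device-bound key rather than decrypting the vault itself, and an attempt limit that a luggage lock lacks), here is an added illustrative model in Python. It is not Dashlane's code: the key wrap is a simplified XOR-plus-HMAC construction, and the iteration count, lockout threshold, PIN and vault key are constructed values.

```python
import hashlib, hmac, secrets
from typing import Optional

PBKDF2_ITERS = 100_000  # slows offline guessing; hypothetical value
MAX_ATTEMPTS = 3        # hypothetical lockout threshold, not Dashlane's real one

def derive_kek(pin: str, device_secret: bytes) -> bytes:
    # Key-encryption key from the PIN plus the device-bound secret used as salt.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, PBKDF2_ITERS, 32)

def wrap_key(vault_key: bytes, kek: bytes) -> bytes:
    # Simplified wrap: XOR the 32-byte vault key with the KEK, plus an HMAC tag
    # so a wrong KEK is detected instead of yielding garbage.
    body = bytes(a ^ b for a, b in zip(vault_key, kek))
    return body + hmac.new(kek, body, "sha256").digest()

def unwrap_key(blob: bytes, kek: bytes) -> Optional[bytes]:
    body, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, body, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(body, kek))

class DevicePinUnlock:
    # Models one device: it holds the wrapped vault key and its own secret.
    def __init__(self, pin: str, vault_key: bytes) -> None:
        self.device_secret = secrets.token_bytes(32)  # never leaves the device
        self.wrapped = wrap_key(vault_key, derive_kek(pin, self.device_secret))
        self.failed = 0

    def unlock(self, pin: str, device_secret: bytes) -> Optional[bytes]:
        # Wrong PIN or wrong device secret both fail; after MAX_ATTEMPTS the PIN
        # path is closed, which a luggage lock cannot enforce.
        if self.failed >= MAX_ATTEMPTS:
            raise PermissionError("PIN locked; fall back to the Master Password")
        key = unwrap_key(self.wrapped, derive_kek(pin, device_secret))
        self.failed = 0 if key is not None else self.failed + 1
        return key

def demo() -> dict:
    vault_key = secrets.token_bytes(32)  # constructed sample vault key
    device = DevicePinUnlock("482913", vault_key)
    results = {
        "right_pin_right_device": device.unlock("482913", device.device_secret) == vault_key,
        "right_pin_other_device": device.unlock("482913", secrets.token_bytes(32)) is None,
        "locked_out": False,
    }
    while device.failed < MAX_ATTEMPTS:  # keep guessing until the lockout trips
        device.unlock("000000", device.device_secret)
    try:
        device.unlock("482913", device.device_secret)
    except PermissionError:
        results["locked_out"] = True
    return results
```

Knowing the PIN alone gets an attacker nothing without the device secret, and the wrapped blob holds only a tagged XOR of the vault key, so the PIN never touches the vault data directly.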
Retiring passwords and Master Passwords at Dashlane
Dashlane is at the forefront of passwordless technologies. Passkeys are helping to retire passwords for websites, and Dashlane manages them on all platforms. With features like local device PIN, Dashlane is also helping to retire the Master Password, allowing users to securely and conveniently access their account without the burdens and pitfalls of a password.