On Monday, April 7th, a vulnerability called Heartbleed (CVE-2014-0160) was publicly disclosed in OpenSSL, the cryptographic library that many websites use to implement SSL/TLS, and therefore HTTPS. The vulnerability is a major concern because OpenSSL is so widely deployed and because it lets anyone on the Internet read chunks of a vulnerable server's memory (up to 64 KB per request), which can contain private keys, session cookies and passwords, so that normally encrypted web communications could be decrypted or the server impersonated.

First, we want to update you on how this impacts Dashlane:

  • Your Dashlane accounts are not impacted by this flaw
  • Your Master Password is safe, because it is never transmitted
  • Your personal data is always encrypted locally with AES-256 before it is transmitted, and AES is not affected by the Heartbleed vulnerability

More specifically, although we do use OpenSSL for the TLS connection when syncing your personal data with our servers:

  • Your Master Password is never transmitted over any network, and neither is any key or other value derived from it
  • Your personal data is encrypted locally with AES-256, under a key derived from your Master Password, before it is sent to our servers; Heartbleed is a bug in OpenSSL's handling of the TLS heartbeat extension, not in AES, so even a memory leak from the TLS layer would expose only ciphertext

The Heartbleed Bug – What is it?

According to Heartbleed.com (a site built by the bug’s discoverers):

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
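The mechanism behind that description is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension (RFC 6520). A heartbeat request carries a 16-bit payload_length field followed by the payload and at least 16 bytes of padding; OpenSSL 1.0.1 through 1.0.1f copied payload_length bytes from the request buffer into the response without checking that the received record actually contained that many, so a peer claiming a 65535-byte payload while sending a few bytes got back up to 64 KB of whatever lay beyond the record in the process heap. The 1.0.1g fix added the check 1 + 2 + payload + 16 > record length and silently drops such messages. The following added example, written for this article and not taken from OpenSSL, models that in Go with a byte slice standing in for process memory and places the patched check beside the vulnerable copy; the simulated heap contents and the helper names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	heartbeatRequest  = 1     // HeartbeatMessageType values from RFC 6520
	heartbeatResponse = 2
	minPadding        = 16    // the RFC requires at least 16 bytes of random padding
	headerLen         = 1 + 2 // type byte plus the 16-bit payload_length
)

// adjacentHeap is constructed stand-in data for whatever happens to follow the
// received record in the server process: a fragment of a (fake) private key and
// a session cookie.
var adjacentHeap = []byte("-----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEAfake...Cookie: session=5d41402abc4b2a76b9719d911017c592")

// buildMemory places the record at the start of a simulated heap followed by adjacentHeap.
func buildMemory(record []byte) []byte {
	return append(append([]byte(nil), record...), adjacentHeap...)
}

// encodeHeartbeat builds a heartbeat request whose payload_length field is
// claimedLen regardless of how many payload bytes are actually present.
func encodeHeartbeat(payload []byte, claimedLen uint16) []byte {
	rec := make([]byte, headerLen, headerLen+len(payload)+minPadding)
	rec[0] = heartbeatRequest
	binary.BigEndian.PutUint16(rec[1:3], claimedLen)
	rec = append(rec, payload...)
	return append(rec, make([]byte, minPadding)...) // zero padding, for reproducibility
}

// buildResponse is the copy both versions perform once they decide to answer:
// response type, echoed length field, payloadLen bytes read from the payload, padding.
func buildResponse(memory []byte, payloadLen int) []byte {
	end := headerLen + payloadLen
	if end > len(memory) {
		end = len(memory) // our simulated heap simply ends here; a real process keeps reading
	}
	resp := []byte{heartbeatResponse, memory[1], memory[2]}
	resp = append(resp, memory[headerLen:end]...)
	return append(resp, make([]byte, minPadding)...)
}

// processHeartbeatVulnerable follows the OpenSSL 1.0.1 to 1.0.1f logic: it trusts
// payload_length and never compares it with the length of the record received.
func processHeartbeatVulnerable(memory []byte, recordLen int) ([]byte, error) {
	_ = recordLen // never consulted: that omission is the bug
	if memory[0] != heartbeatRequest {
		return nil, errors.New("not a heartbeat request")
	}
	payloadLen := int(binary.BigEndian.Uint16(memory[1:3]))
	return buildResponse(memory, payloadLen), nil
}

// processHeartbeatFixed adds the checks from the 1.0.1g patch: a record shorter
// than header plus padding, or whose claimed payload does not fit inside the
// received record, is silently discarded.
func processHeartbeatFixed(memory []byte, recordLen int) ([]byte, error) {
	if recordLen < headerLen+minPadding {
		return nil, errors.New("record too short: dropped")
	}
	if memory[0] != heartbeatRequest {
		return nil, errors.New("not a heartbeat request")
	}
	payloadLen := int(binary.BigEndian.Uint16(memory[1:3]))
	if headerLen+payloadLen+minPadding > recordLen {
		return nil, errors.New("payload_length exceeds record: dropped")
	}
	return buildResponse(memory, payloadLen), nil
}

// leaked reports whether a response carries bytes that were never in the request.
func leaked(resp []byte) bool {
	return bytes.Contains(resp, []byte("PRIVATE KEY")) || bytes.Contains(resp, []byte("Cookie:"))
}

func main() {
	payload := []byte("ping")
	lying := encodeHeartbeat(payload, 100) // claims 100 bytes, sends 4
	mem := buildMemory(lying)

	resp, _ := processHeartbeatVulnerable(mem, len(lying))
	fmt.Printf("vulnerable: %d response bytes, leaked heap contents: %v\n", len(resp), leaked(resp))

	_, err := processHeartbeatFixed(mem, len(lying))
	fmt.Printf("fixed: %v\n", err)

	honest := encodeHeartbeat(payload, uint16(len(payload)))
	resp, err = processHeartbeatFixed(buildMemory(honest), len(honest))
	fmt.Printf("fixed, honest request: echoed %q, err=%v, leaked: %v\n",
		resp[headerLen:headerLen+len(payload)], err, leaked(resp))
}
```

Two things the model makes visible: the server is an active participant (it cheerfully allocates and fills the oversized response), and the leak leaves no trace in the record layer, since the request and response are both well-formed TLS records, which is why exploitation was generally not logged.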

How does this affect my Dashlane account?

As we mentioned above, your Dashlane account and Master Password are safe. Our servers have been updated with the patched OpenSSL, and we have revoked our previous certificates and deployed new ones. That second step matters: a vulnerable server could have leaked its private key, and patching alone does not stop an attacker who already holds that key from impersonating the service. There has been no interruption to our services, and the information you store in Dashlane is not affected by the Heartbleed bug.

Although your Dashlane account remains safe, many of the websites you use do not encrypt your data before it reaches their servers the way Dashlane does, so if they were running a vulnerable OpenSSL, the passwords you typed into them and their session cookies may have been exposed. We recommend generating new passwords on your most important accounts: banking, email, social networks, and any shopping site where you store payment details. Wait until a site has applied the patch (and, ideally, reissued its certificate) before changing your password there; a password changed on a still-vulnerable site can simply be stolen again, and you would have to change it once more after the fix.
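One way to verify the "patched and reissued" condition before changing a password, as an added example that is not Dashlane's code: fetch the certificate the site serves now and compare it with the one it served before the disclosure (taken from an earlier scan or a certificate-transparency log, both assumed available). A NotBefore date after April 7th shows a reissue, and a changed SubjectPublicKeyInfo shows that the key pair was actually rotated rather than the old, possibly leaked, key being re-certified. The self-signed certificates below are generated inside the example only so that it runs offline; the verdict strings and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// heartbleedDisclosure is the public disclosure date of CVE-2014-0160.
var heartbleedDisclosure = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// Verdicts returned by AssessReissue.
const (
	VerdictNotReissued = "certificate predates the disclosure: treat the private key as possibly leaked"
	VerdictSameKey     = "certificate reissued, but with the same public key: a leaked key would still be in use"
	VerdictNewKey      = "certificate reissued after the disclosure with a new key pair"
)

// AssessReissue compares the certificate a site served before the incident with
// the one it serves now. Only a post-disclosure NotBefore together with a new
// SubjectPublicKeyInfo shows that the possibly leaked key was actually retired.
func AssessReissue(before, now *x509.Certificate) string {
	if now.NotBefore.Before(heartbleedDisclosure) {
		return VerdictNotReissued
	}
	if bytes.Equal(before.RawSubjectPublicKeyInfo, now.RawSubjectPublicKeyInfo) {
		return VerdictSameKey
	}
	return VerdictNewKey
}

// newKey generates a throwaway P-256 key for the self-signed test certificates.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// selfSigned builds a self-signed certificate with the given key and validity
// start so the example runs offline. In practice `before` would come from a saved
// PEM or a CT log and `now` from tls.Conn.ConnectionState().PeerCertificates[0].
func selfSigned(key *ecdsa.PrivateKey, notBefore time.Time) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "www.example.com"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	oldKey := newKey()
	before, err := selfSigned(oldKey, time.Date(2013, time.June, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	reissueDate := time.Date(2014, time.April, 9, 0, 0, 0, 0, time.UTC)
	sameKey, err := selfSigned(oldKey, reissueDate)
	if err != nil {
		panic(err)
	}
	fresh, err := selfSigned(newKey(), reissueDate)
	if err != nil {
		panic(err)
	}
	fmt.Println("unchanged:        ", AssessReissue(before, before))
	fmt.Println("reissued, old key:", AssessReissue(before, sameKey))
	fmt.Println("reissued, new key:", AssessReissue(before, fresh))
}
```

The check is a heuristic, not proof: a site that never ran OpenSSL 1.0.1 has nothing to reissue and will show an old certificate, and a site may rotate certificates for unrelated reasons. It is most useful for services known to have been vulnerable, where an old certificate or a reused key is a reason to wait before changing the password.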

What’s next? 

We understand you might be worried, as the whole Internet seems a bit shaken by this. We see this issue as a test of our security architecture, and one that showed how solid it is.

The most important thing is to use a different password everywhere, so that if a password is stolen from one site it cannot be used against your other accounts; this was true before Heartbleed and is even more true today.

We’ll be sure to keep you updated about the situation, and we want to thank you for securing your data in Dashlane.

 

About Ashley Thurston

I'm Dashlane's Community Manager, where I work to grow and engage with our user base.
This entry was posted in Security.

52 Responses to Dashlane and the Heartbleed Bug

  1. MB says:

    Dashlane customer here. I highly recommend you try and get ahold of that list of 500,000 websites that are supposedly vulnerable, feed it into our Security Dashboard and list every single one of those sites as Compromised. Anyone who has an account on any of these sites needs to assume the worst, and after the bug has been patched new passwords need to be created for all of those sites. Thank you.

  2. Tony Gill says:

    Thanks for providing a succinct, comprehensive, timely, and reassuring update!

  3. Thank you for this post, it’s nice to be reassured.

    If I could just offer one piece of criticism: the advice to “generate new passwords”, while very sound, clashes a bit with your application’s UI. There’s no way to sort passwords by Date Updated — like you can with Secure Notes — so, unless you’re keeping track of the passwords you’ve already changed, it can quickly become quite a frustrating task. Of course, you’ll rarely ever need to change all of your passwords, but such a feature would play nice with another good practise: changing passwords regularly.

    • Ashley Thurston says:

      Thanks for your comment, Paulo!

      When you’re in the Security Dashboard, you can check the box “Mark as checked” if you’ve just changed the password for that site. See here: http://ow.ly/vBGZE But we agree that it’d be helpful to see the date that you updated it, and it’s already on our roadmap.

      Hope that helps you keep track of which ones you’ve changed at least for now. Thanks!

      • MB says:

        I don’t have this option in Dashlane? Is your Mac version not the same as your Windows version?

    • Ashley Thurston says:

      Hi Paulo, I almost forgot (Heartbleed brain)…if you go to Tools > See Generated Passwords in the app, you’ll see that date that you last generated that password. See here: http://ow.ly/vEZIh Hope that helps!

  4. Louise Owen says:

    Lastpass has set up a tool for testing whether a site is vulnerable. Can Dashlane do something of the sort?

  5. Bill Rucker says:

    This post was informative but may have glossed over some issues.

    First, as a list of affected sites becomes available, Dashlane should recommend generating new passwords for those sites based on date of password change.

    Second, what about vulnerabilities from logging directly into the website? If Dashlane used a vulnerable OpenSSL release (which appears to be the case):
    — Doesn’t that expose the encrypted (multiple iterations of unidirectional salted hash I hope?) master password itself (with a short or guessable password exacerbating the vulnerability)?
    — Isn’t the user vulnerable to a man-in-the-middle spoof of Dashlane?

    Remember that if you use a password or password pattern at any vulnerable site, then all other sites with the same pattern are vulnerable.

    • Kevin Roulleau says:

      Hello Bill,

      Your Dashlane master password is never transmitted in any way over the network, thus it is safe from the heartbleed bug.

      Regards

  6. Bill Rucker says:

    Might also be useful if Dashlane tested whether the site is updated as it enters the credentials and warn users that a site is still vulnerable. Major sites will be updated quickly but with very roughly 3/4 of the web probably affected lots of sites will lag behind. This would probably be much easier to implement than finding all the sites that _were_ vulnerable.

  7. Adam Tybor says:

    What about device IDs and authentication? My understanding is the device ID is what is used to communicate and authenticate with the Dashlane cloud services. Wouldn’t this key potentially be compromised since it was being sent over the insecure SSL tunnel?

  8. Evan says:

    As others have mentioned, I would expect Dashlane to be pushing this information to the Security Dashboard. I should be notified of any accounts I have that could be compromised, as well as when those sites have patched their OpenSSL implementation and it is safe to update the passwords.

    I understand no one expected a security hole this large to ever occur, but hopefully this event will help drive development to allow Dashlane to be a proactive guardian for our security.

  9. Kevin says:

    I strongly recommend that Dashlane add a Heartbleed vulnerability list to its Security Dashboard just like Lastpass has done as quickly as possible. Lastpass is getting an enormous amount of positive press about this and is no doubt picking up thousands of new customers in the process. Dashlane is missing a huge opportunity here. Hope it is on the way soon…

  10. Naren jain says:

    Hi
    Just wondering whether Dashlane generated or saved passwords are accessible to Dashlane staff/server/network personnel?

  11. Jim Burns says:

    I’ve opened a ticket on a problem and received a response, but no one mentioned the Heartbleed Bug. On about April 8 I signed into my Dashlane account and instead of getting a list of my user IDs and passwords, I got a screen saying I have no user IDs or passwords listed with Dashlane (I had at least 20). I was told that apparently my account had been reset, but is it possible that all of this information fell victim to the Heartbleed Bug and all of my user IDs and passwords have been compromised?

  12. Kelly says:

    I’d like a feature that shows the date of when I last changed my individual passwords. I have a ton to do and it’ll take more than one sitting, so it’s hard to keep track of what has been done. And in regular non-panic use there are sites that I’d like to change periodically anyway; it’d be nice if Dashlane could keep track of that for me.

  13. Gerald G says:

    What about an integrated Heartbleed checker for Dashlane?

    It could directly check a saved URL/service for vulnerability. In addition it could check certificate renewals, as one probably is only safe again after a service also uses reissued certificates.

    Moreover, a renewal date around mid April 2014 could be a strong indication that a service _was_ affected, even if it is no longer. It might be hard or even impossible to know that for any site/service out there, i.e. if the operator had on one hand taken all appropriate steps to fix the issue, but doesn’t also alert all its users.

    My list contains several hundred logins, and I’d be happy if there was some automated check ;)

  14. James Bray says:

    “Your Master Password is never transmitted over any network, neither is any derivative of your Master Password”

    Does this also apply when logging in on the Dashlane site using my master password?

    Cheers,

    James

  15. Everyone loves what you guys are up to. Such clever work and coverage!
    Keep up the excellent work guys, I’ve added you guys to our blogroll.

  16. Joanna H. says:

    I was slow to change my passwords, and didn’t do so until a couple days ago. (Shame on me). Do I need to change them again after a couple weeks? I’m guessing not, but will do so if necessary.

    • Ashley Thurston says:

      Hi Joanna,

      Thanks for getting in touch! If you changed your passwords a few days ago, then it was after sites were secured from Heartbleed, so you’re good. I’ll add, however, that if you’re reusing passwords anywhere, you should get rid of those guys and make them random & strong :) You can see which ones are weak or reused in the Security Dashboard. See here for more info: http://support.dashlane.com/customer/portal/articles/search?q=security+dashboard

      Hope that helps!

      Thanks,
      Ashley