The company has likened its solution to those used by the credit card industry to monitor account details. Like credit account monitoring services, Dashlane looks for user details online. When it finds a compromised password, it emails the user and helps them change it. It also monitors breach announcements and uses that information to warn users of risk to their passwords.
The service is available to all Dashlane customers irrespective of whether they are using the free password manager, which supports a single device, the premium service, which syncs to multiple devices, or the premium business service. With users having to remember increasing numbers of passwords, the risk of a breach, even for the most security conscious, is on the rise.
What is interesting about this announcement from Dashlane is that it offers IT Security teams some help with shadow IT. As Business Units and users increasingly take advantage of cloud-based services and move corporate data outside the enterprise, the risk of unintentional breaches has increased.
Emmanuel Schalit, Dashlane CEO, states: “This is a really important new channel for our core product. Throughout 2016 Dashlane will be making investments in our monitoring service, rolling out seamless account setup and onboarding for corporate customers while massively expanding our unrivalled Password Changer feature to be compatible with over 1,000 websites in 2016. No product on the market makes it easier for someone to manage, change, and protect their passwords.”
Dashlane making passwords easy for users
One of the features offered by Dashlane allows a user to change multiple passwords at the same time. It will also suggest and remember strong passwords for the user, which means there is no reason for users to reuse their internal corporate passwords on external sites.
Among the list of features for Dashlane Password Defense Alert are:
- Easy Onboarding: Simple process to allow users to import passwords from all their existing web-based services and devices. It will offer advice on existing passwords, such as how often they are used and their strength.
- Automatic Password Changer: Multi-select approach means users can highlight blocks of passwords and have them changed with one click. For the security conscious this means you could change all your passwords every few days. Changes are synced across all devices providing you have the Premium or Business package.
- Password Health Dashboard: Scores passwords to help users understand where their security is weak and needs to be improved.
- Secure Password Generator: Rather than leaving users to create new passwords, Dashlane will do the heavy lifting for them. This is not just for existing accounts but will happen whenever a user first creates a new online account.
- Compromised Site Alerts: To ensure that users change passwords as fast as possible they will get regular alerts when a password is compromised. This will enable them to change passwords and reduce the risk of accounts being compromised.
It will be interesting to see how quickly Dashlane can grow its enterprise business. The features it is offering fit well with the worries of many security teams. Unfortunately it doesn’t publish a baseline figure for corporate accounts which means that potential customers have to go through a sales process rather than get a list of features and costs that they can use when considering Dashlane versus other password vaulting systems.
Can Dashlane engage the banks and online retailers?
Surprisingly Dashlane has announced no deals with large companies to provide the free version of Dashlane’s password vault from their site. Banks, for example, tend to push anti-malware solutions to customers on a regular basis with Trusteer being the most commonly offered. This is about the bank showing good customer governance and providing a solution to help secure customer details which lowers their time spent dealing with hacked accounts.
The challenge for the banks and the credit card industry has been how to integrate their often convoluted logon processes to work with password vaults. Dashlane claims to already be able to support most of the systems in place but doesn’t actually list any of the banks as customers.
It is not only banks where this could be useful. Large online retailers know that they are a very easy target for hackers. Over the last few years the number of compromised customer accounts is well over a billion. Offering customers access to the Dashlane vault and compromised site alerts would mean a retailer could quickly inform customers when a breach is suspected and be proactive about getting passwords changed.
This also goes to the heart of the “how often should I change my password?” question. Many web-based businesses are loath to be prescriptive in case they scare customers away. Using a password vault solution, they could remind customers to make changes regularly, thus increasing security.
This suggests that there is a potential market here for Dashlane and its competitors to better engage with the online retail, banking and cloud communities. A look at over 40 cloud-based services, 25 very large online retail sites and 10 banks shows that none of them are openly promoting the potential benefits of password vaults. Whether this is about a failure of governance or just a lack of knowledge is difficult to judge.
Are password managers infallible?
Sadly, no! Over the last two years we’ve seen an increase in attacks on various password manager solutions that have resulted in at least two major breaches. In both cases the companies were quick to remediate, but the problem is that with so much data in one place they will always be a highly attractive target for hackers.
Despite this risk there is an increased interest in using password managers. Offering alerts around compromised passwords through a single mechanism does at least provide users with more information than relying on site owners.
Another risk of having all passwords in one place is governments forcing them to be handed over. Like other IT companies, Dashlane is taking the position that its system means it cannot access the passwords stored in its vaults. This will frustrate law enforcement and intelligence communities and it will be interesting to see what pressure is brought to bear over the next few years as those communities see password managers and vaults as a hugely important source of data.
Despite the weakness of the password mechanism, it will continue to dominate security for at least the next decade. Two-factor authentication is still a long way off as a common solution, while anything beyond that will take a long time to become available and adopted.
By equating its Password Defense Alert system to credit card monitoring, Dashlane is appealing to users who worry about how long it takes to discover that their credentials are compromised. How easily it can move those customers from free to premium and then use that to pick up new business accounts remains to be seen.