Credit: This is a © copyrighted article by Davey Winder that appeared in PC&TECH Authority Magazine – August edition – page 109.
Just as a few of the Real World Computing contributors use iStorage hardware-encrypted devices, so at least two of us have a liking for the Dashlane password management software. Or maybe that should be in the past tense?
Let me explain.
I’ve used Dashlane for a while now and rather like the combination of ease of use and security it brings. I used to recommend LastPass, but after one too many vulnerability faux pas, I switched my recommendation to Dashlane.
But I started to notice some odd behaviour: passwords were being reported as weak, with the software issuing warnings that my security was at risk until I changed them. Ordinarily this would be a good thing, apart from the fact that the passwords in question were long, random and complex. Here’s an example of a “very unsafe” password according to Dashlane:
Yes, seriously. That’s about as weak as the steroidials pushing weights in the gym next to my office. I did what any concerned user would do in the circumstances and reported the behaviour as a “premium support” customer. What happened next did nothing to restore my confidence. After 24 hours, a support person contacted me and suggested there may have been a breach on the site since creating the password, and that I should change it to one that was more than eight characters long with mixed numbers and symbols. The example I sent to them, of course, was the one I’ve just revealed here.
A tad narked, I replied and explained that the site hadn’t been breached and the 25 random character password was created by Dashlane’s own password generator. It took another day, and a request for the URL of the site concerned, before escalating the issue to the “technical experts” at Dashlane. A day later someone replied, informing me that the problem occurred when you create a password on a mobile platform and it is then checked on the desktop client. Apart from the fact that, on this occasion at least, the entry was created entirely on the desktop platform – but hey-ho. Eventually, the expert admitted: “the cross-platform issue is a part of the big problem – but, sometimes, it just fails to evaluate the strength of a password properly”.
Amazingly, he then stated that it never considers a weak password strong, so that was something. Yep, quite something. A month later, and despite Dashlane already being aware of this bug, it remains unfixed. Fine, it doesn’t impact upon the security of my passwords, but it does damage my trust. After all, if it can’t fix this bug then who knows what other ones are sitting in the code, waiting to be discovered? Looks like it’s back to KeePass with the software-encrypted password database stored on that hardware-encrypted drive.
Where he should have stayed all along.
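To make the column's point concrete: a password meter that rates a 25-character random string "very unsafe" has failed its most basic invariant, and that failure is cheap to catch with a regression test that runs the product's own generator through its own strength checker. The following is an added example written for this page, not Dashlane's code, LastPass's or KeePass's. It implements a simple entropy-based strength estimate (length times log2 of the character pool), a small constructed list of common passwords for a dictionary check, and a `generator_meter_consistent` check that asserts every generated password rates "strong". The rating thresholds (40/60/80 bits) and the sample passwords are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed list of common passwords for the dictionary check (illustrative,
# not a real breach corpus).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}

# Assumed rating thresholds in bits of estimated entropy.
THRESHOLDS = [(40, "weak"), (60, "fair"), (80, "good")]


def charset_size(pw: str) -> int:
    """Estimate the pool of characters a generator could have drawn from,
    based on which character classes actually appear in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    # Anything else (space, non-ASCII): rough 32-symbol allowance (assumption).
    if any(c not in string.ascii_letters + string.digits + string.punctuation for c in pw):
        size += 32
    return size


def entropy_bits(pw: str) -> float:
    """Bits of guessing entropy, assuming each character was drawn uniformly."""
    size = charset_size(pw)
    if not pw or size == 0:
        return 0.0
    return len(pw) * math.log2(size)


def rate(pw: str) -> str:
    """Rate a password: dictionary hit first, then entropy bands."""
    if pw.lower() in COMMON_PASSWORDS:
        return "very weak"
    bits = entropy_bits(pw)
    for limit, label in THRESHOLDS:
        if bits < limit:
            return label
    return "strong"


def generate(length: int = 25) -> str:
    """Random password from the full printable ASCII pool using a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generator_meter_consistent(trials: int = 200, length: int = 25) -> bool:
    """Regression check a vendor could run: nothing the generator emits may
    ever be rated below 'strong' by the meter. A 25-character password from
    a 94-symbol pool carries roughly 164 bits, so any other answer is a bug
    in the meter, not the password."""
    return all(rate(generate(length)) == "strong" for _ in range(trials))


if __name__ == "__main__":
    sample = "k7#Qz!9mW$2pL@xR4vB&8nT*1"  # constructed 25-character example
    print(f"{sample!r}: {entropy_bits(sample):.1f} bits -> {rate(sample)}")
    print("generator/meter consistent:", generator_meter_consistent())
```

The consistency check is the interesting part: it does not need a definition of "correct" strength, only the invariant that the generator and the meter agree with each other, which is exactly the property the column reports as broken.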