Review my startup: Automate registration, sign-in and checkout.
Several key points about our security:
- Each Dashlane user has a master password, solely used to encrypt data locally and another key for each device used for authentication against Dashlane’s servers
- The Master password is derived using more than 10,000 PBKDF2 rounds with a 32 bytes random salt to produce the encryption key used to encrypt user’s data locally. Encryption algorithm used is AES-256 (CBC mode).
- Neither the Master Password nor any derivative of it is ever sent to or stored on our servers, nor locally on your computer. When synchronized, personal data are sent encrypted to our servers.
If you are interested in details about our security, here's a white paper that explains in technical words exactly what we do: https://www.dashlane.com/download/Security-Whitepaper-Final-Nov-2011.pdf
Anyway, I would love to have HNers testing our product, so I have 300 invites for those who would be interested: https://www.dashlane.com/hackernews.
Please let me know what you think about it, the Dashlane team and me would be happy to talk with you.
17 comments
[ 4.8 ms ] story [ 50.7 ms ] threadWe have chosen a strong security architecture, so we have no way of decrypting your data. If you loose your password, you're screwed. :)
The user's master password is not encrypted, it is used to create the key to encrypt and decrypt user's data, and the encryption key created from the master password, as a derivative of the master password, is never stored or transmitted.
This way, we can assure our users that even us cannot ever access their data.
Good question. Actually we have a technology that analyses semantically the webpage and determines the meaning of each elements.
Basically it's a bottom-up approach, we first try to guess the meaning of an element; then we take one step back and try to find contextual information that helps us refine the meaning.
We thought about the crowdsourcing approach, but it requires that the few first users have a shitty experience (because Dashlane isn't working as expected on these sites). That's why we prefered a more generic approach.
Just imagine the case where a site changes drastically, all the crowdsourced results would be out of date, how do you detect that ? Because a user signaled it ? What if it has been incorreclty signaled ? Sure you could set a sort of treshold, but that means that a bunch of users will have a poor user experience in the meantime.
But it makes sense. Though, how do you deal with false positive ?
We prefer to rely on our semantic backend, but if we implement a crowdsourced method, I think it would be more to spare computing power than for the quality of our results (which are already quite impressive).
Now we are focusing on adoption, but since we will have a huge impact on conversion rates during checkout for ecommerce sites, we are convinced we can add enough value for merchants to generate revenue when we have critical mass.
In the future we may add premium features keeping most part of the service free for our users.
Roboform and others passwords manager such as Lastpass were already available when we decided to launch. I would say that the ambition of Dashlane is different. Dashlane is not about just about password but we try to offer a new experience on the web where there is no need to switch between keyboard and mouse all the time. We have worked a lot on the user experience and everything has been designed to be simple and convenient.
Dashlane is also very different when it comes to online shopping. not only does Dashlane make check-out much simpler but in addition Dashlane gives a global history of every purchase in the app with many details. We really want to be the simplest solution to manage personal data. Feel free to have a look to our demo videos if you want more information: https://www.dashlane.com/en/tour#clicktopay