Review my startup: Automate registration, sign-in and checkout.

13 points by hyyypr ↗ HN
Dashlane is an app for both Mac and PC: the idea is to have a very secure app where you can store all sorts of data (addresses, phone numbers, credit cards, passwords, etc) and browser plugins that allow you to use this data without having to type it in. Our concept is further described in this video here: https://www.dashlane.com/en/epiphany

Several key points about our security:

- Each Dashlane user has a master password, solely used to encrypt data locally and another key for each device used for authentication against Dashlane’s servers

- The Master password is derived using more than 10,000 PBKDF2 rounds with a 32 bytes random salt to produce the encryption key used to encrypt user’s data locally. Encryption algorithm used is AES-256 (CBC mode).

- Neither the Master Password nor any derivative of it is ever sent to or stored on our servers, nor locally on your computer. When synchronized, personal data are sent encrypted to our servers.

If you are interested in details about our security, here's a white paper that explains in technical words exactly what we do: https://www.dashlane.com/download/Security-Whitepaper-Final-Nov-2011.pdf

Anyway, I would love to have HNers testing our product, so I have 300 invites for those who would be interested: https://www.dashlane.com/hackernews.

Please let me know what you think about it, the Dashlane team and me would be happy to talk with you.

17 comments

[ 4.8 ms ] story [ 50.7 ms ] thread
So what happens if I lose / don't remember my Master password ? If it's used to encrypt my data I suppose you can't reset it ?
Hey !

We have chosen a strong security architecture, so we have no way of decrypting your data. If you loose your password, you're screwed. :)

I implemented a similar architecture, but within three weeks http://i.imgur.com/hfoyz.png :)
How are encrypted the users' master passwords ? (because "one key to to encrypt them all" is a bit dangerous, isnt it?)
Some more information here http://goo.gl/YlFkQ but no, each data-key (master) is unique to each user and stored outside of the application and network in an encrypted store, also all PID is encrypted and non-associative. Of course, I would prefer if users didn't want a restore option, however, usability sometimes trumps security :) Lost your password == lost all your data, just doesn't cut it with users IRL (I found).
We never ever store, or transmit over the network the user's master password nor any of its derivatives, therefore we don't nee to encrypt it.

The user's master password is not encrypted, it is used to create the key to encrypt and decrypt user's data, and the encryption key created from the master password, as a derivative of the master password, is never stored or transmitted.

This way, we can assure our users that even us cannot ever access their data.

Interesting guys. I've been waiting for something similar for a long time now. Quick question though: how do you map all my information to the input fields in each form. Do you kind of "crowdsource" it the first time a user comes across a new form and manually fill it in?
Hey,

Good question. Actually we have a technology that analyses semantically the webpage and determines the meaning of each elements.

Basically it's a bottom-up approach, we first try to guess the meaning of an element; then we take one step back and try to find contextual information that helps us refine the meaning.

We thought about the crowdsourcing approach, but it requires that the few first users have a shitty experience (because Dashlane isn't working as expected on these sites). That's why we prefered a more generic approach.

Why not do both?
It's a possibility, but it could be complex to put in place (client and server side). You have to find a way to aggregate the data in a smart way, to avoid getting your system messed with and minimize false positives.

Just imagine the case where a site changes drastically, all the crowdsourced results would be out of date, how do you detect that ? Because a user signaled it ? What if it has been incorreclty signaled ? Sure you could set a sort of treshold, but that means that a bunch of users will have a poor user experience in the meantime.

You could have manually take care of the most popular websites.

But it makes sense. Though, how do you deal with false positive ?

Yes we thought of that too, but the list of the most popular websites can be long, and the frequency at which these websites changes can also be high. So it's nearly a fulltime job.

We prefer to rely on our semantic backend, but if we implement a crowdsourced method, I think it would be more to spare computing power than for the quality of our results (which are already quite impressive).

Do you guys plan on keeping this service free? If yes, how do you plan to monetize the service? By mantaining such high standards in terms of security of the data, I assume that you're giving up on aggregating behavioural data that could be very valuable for advertisers.
Hi,

Now we are focusing on adoption, but since we will have a huge impact on conversion rates during checkout for ecommerce sites, we are convinced we can add enough value for merchants to generate revenue when we have critical mass.

In the future we may add premium features keeping most part of the service free for our users.

I am a happy Roboform user, and haven't heard anything that entices me to switch. Anything you want to add?
(comment deleted)
Hi,

Roboform and others passwords manager such as Lastpass were already available when we decided to launch. I would say that the ambition of Dashlane is different. Dashlane is not about just about password but we try to offer a new experience on the web where there is no need to switch between keyboard and mouse all the time. We have worked a lot on the user experience and everything has been designed to be simple and convenient.

Dashlane is also very different when it comes to online shopping. not only does Dashlane make check-out much simpler but in addition Dashlane gives a global history of every purchase in the app with many details. We really want to be the simplest solution to manage personal data. Feel free to have a look to our demo videos if you want more information: https://www.dashlane.com/en/tour#clicktopay