If you have a question about security at Dashlane that isn't addressed in this article or elsewhere in our Help Center, please reach out for more information.
- How secure is my data?
- What happens if my phone is lost or stolen with all my Dashlane data?
- Can someone steal my Master Password when I'm using a public WiFi network?
- What would happen if Dashlane's servers were hacked?
- Can a Dashlane employee access my data?
- How to modify your cryptography settings
How secure is my data?
Dashlane takes security very seriously. Password security guides our product, our technology choices, and our business decisions every day.
Dashlane's unique set of security measures
- Dashlane requires a strong Master Password. We encourage our users to make their Master Password as complex as they can remember.
- Dashlane doesn't store your Master Password anywhere on our servers, and it's never transmitted over the internet. That means no one can take the key to your castle and your encrypted data stored on our servers is useless to hackers without it.
- Dashlane doesn't collect or store a password hint. Often these hints are weak gateways to actual passwords, and we don't use them for that reason.
- Dashlane doesn't store "authentication hashes" to enable new devices. You need to enter a token each time you log into a new device, which helps ensure the security of your data.
Steps that Dashlane takes to safeguard our infrastructure
- Dashlane is proudly hosted on Amazon AWS, one of the most respected and secure cloud hosting solutions on the market.
- Our products are audited regularly and by different security auditors.
- Our servers are regularly investigated for any trace of suspicious activity, and our infrastructure is regularly scanned for any vulnerability.
Here are things you can do to take control of your data security, and for which Dashlane can help:
With Dashlane, you have the tool you need to create strong passwords for your accounts, so make sure to use it to randomly generate strong, unique passwords for each of your accounts.
Regularly check changes in your Password Health Score and find security alerts that affect you. Deal with your compromised or weak passwords in Password Health, and be sure to take action whenever you're notified of a breach.
Improve your online security by using two-factor authentication in Dashlane.
If you have more questions on Dashlane's security or want to go through our technical Security White Paper, visit the Security webpage on the Dashlane corporate website.
What happens if my phone is lost or stolen with all my Dashlane data?
Because only you know your Master Password or the 4-digit PIN code you set up on our iOS and Android mobile apps, no one else can access your data if your phone or computer is lost or stolen.
Your data is always encrypted on your device. For this reason, only you can access it with your Master Password.
For added security, you can remotely disable Dashlane on any device:
- Sign in to your account on the web app.
- In the My account menu, select Settings then Manage Logins.
Note: The Dashlane web app is not available on Internet Explorer. To access the web app, please use Chrome, Firefox, or Edge.
- From there, select the little cross next to the device you want to disable and select De-authorize. Dashlane will deny access to your data from this device.
Can someone steal my Master Password when I'm using a public WiFi network?
No. Your Master Password is never stored or sent over the internet.
How it works
Your Master Password is used locally to decrypt your data. Dashlane then uses several layers of security to authenticate your devices and only provides you with your (encrypted) data on those devices.
So how does Dashlane know it's you if it doesn't know your Master Password? In a word, it's thanks to the magic of cryptography.
When you first enter your Master Password, a User Device Key is generated locally that is encrypted with a key derived from your Master Password. This is what is stored on Dashlane's servers and is associated with your account.
So what happens when you add another device to your account? Simply put, you must first authenticate it with Dashlane. Your device sends a request to Dashlane. Dashlane sends you a one-time password by email or SMS. The new device creates a new User Device Key locally, just as it did on your first device. It combines this with the one-time password before sending this to Dashlane.
So once you're authenticated on this new device, and only then, Dashlane will send your encrypted data to the new device. Keep in mind that this data is still not accessible! You still need to enter your Master Password for the data to be decrypted locally on your device.
Dashlane Premium users can use the Dashlane VPN for additional security when on unsecured networks such as free WiFi hotspots.
What would happen if Dashlane's servers were hacked?
If a hacker gained access to our servers despite all our security measures, any user data they would find there is encrypted with uniquely salted keys based on their Master Password.
And of course, only you know your Master Password. It is never stored on our servers, so it cannot be stolen from there.
Can a Dashlane employee access my data?
No. No Dashlane employee can get hold of your Master Password and access your data.
How to modify your cryptography settings
You can change your cryptography settings in the web app only.
To access this setting:
- In the My account menu, select Settings then Security settings.
- Under Key derivation function, choose from the available methods:
- Argon2d (Recommended): This password derivation function is state-of-the-art and recommended if your company doesn't need to meet specific compliance policies. We use three iterations, 32 MB memory cost, and two parallel tasks.
- PBKDF2 200,000: This password derivation function complies with NIST recommendations. It can, however, be slow on old devices. We use 200,000 iterations of PBKDF2 with SHA256.
- PBKDF2 10,204: This password derivation function is compatible only with older versions of Dashlane.