In this article, you will find answers to some of the most frequently asked questions about security at Dashlane.
If the question you have is not addressed below or elsewhere in our Help Center, please contact us for more information.
- How secure is my data?
- What happens if my phone is lost or stolen with all my Dashlane data?
- Can someone steal my Master Password when I'm using a public WiFi network?
- What would happen if Dashlane’s servers were hacked?
- Can a Dashlane employee access my data?
- How to modify your cryptography settings
How secure is my data?
Dashlane takes security very seriously. Password security guides our product, our technology choices, and our business decisions every day.
Dashlane's unique set of security measures
- Dashlane requires a strong Master Password. We encourage our users to make their Master Password as complex as they can remember.
- Dashlane does not store your Master Password anywhere on our servers, and it is never transmitted over the internet. That means no one can take the key to your castle and your encrypted data stored on our servers is useless to hackers without it.
- Dashlane does not collect or store a password hint. Often these hints are weak gateways to actual passwords, and we do not use them for that reason.
- Dashlane does not store “authentication hashes” to enable new devices. You must enter a token each time you log into a new device, which helps ensure the security of your data.
Steps that Dashlane takes to safeguard our infrastructure
- Dashlane is proudly hosted on Amazon AWS, one of the most respected and secure cloud hosting solutions on the market.
- All of our products are audited regularly and by different security auditors.
- Our servers are regularly investigated for any trace of suspicious activity, and our infrastructure is regularly scanned for any vulnerability.
Here are things you can do to take control of your data security, with Dashlane's help:
- With Dashlane, you have the tool you need to create strong passwords, so make sure to use it to randomly generate a strong, unique password for each of your accounts.
- Regularly visit your Identity Dashboard and use the information provided there to keep your data secure. The dashboard keeps you abreast of changes in your Password Health Score and is where you can always find security alerts affecting you. Deal with your compromised or weak passwords in the Password Health feature, and be sure to take action whenever you are notified of a breach.
Visit the Security section of our Help Center for more information on protecting your accounts.
If you have more questions on Dashlane’s security or want to go through our technical Security White Paper, please visit dashlane.com/security.
What happens if my phone is lost or stolen with all my Dashlane data?
Because only you know your Master Password or the 4-digit PIN code you set up on our iOS and Android mobile apps, no one else can access your data if your phone or computer is lost or stolen.
Your data is always encrypted on your device. For this reason, only you can access it with your Master Password.
For added security, you can remotely disable Dashlane on any device by signing in to your account on the web app, clicking My Account in the bottom left corner of the page, and then Manage Logins.
Note that the Dashlane web app is not available on Internet Explorer. To access the web app, please use Chrome, Firefox, or Edge.
From there, you will be able to disable your device by clicking the little cross next to it and selecting De-authorize. Any access to your data from this device will then be denied.
Can someone steal my Master Password when I'm using a public WiFi network?
No. Your Master Password is never stored or sent over the Internet.
How it works
Your Master Password is used locally to decrypt your data. Dashlane then uses several layers of security to authenticate your devices and only provides you with your (encrypted) data on those devices.
So how does Dashlane know it's you if it doesn't know your Master Password? In a word, it's thanks to the magic of cryptography.
When you first enter your Master Password, a User Device Key is generated locally and encrypted with a key derived from your Master Password. This is what is stored on Dashlane's servers and is associated with your account.
So what happens when you add another device to your account? Simply put, you must first authenticate it with Dashlane. Your device sends a request to Dashlane. Dashlane sends you a one-time password by email or SMS. The new device creates a new User Device Key locally, just as it did on your first device, and combines this with the one-time password, before sending this to Dashlane.
So once you're authenticated on this new device, and only then, Dashlane will send your encrypted data to the new device. Keep in mind that this data is still not accessible! You still need to enter your Master Password for the data to be decrypted locally on your device.
Dashlane Premium users can use the Dashlane VPN for additional security when on unsecured networks such as free WiFi hotspots. For more information, see What is VPN protection and what is it for?
What would happen if Dashlane’s servers were hacked?
If a hacker gained access to our servers despite all our security measures, any user data they would find there is encrypted with uniquely salted keys based on each user's Master Password.
And of course, only you know your Master Password. It is never stored on our servers, so it cannot be stolen from there.
Check out our page on security for a detailed explanation.
Can a Dashlane employee access my data?
No. No Dashlane employee can get hold of your Master Password and access your data.
How to modify your cryptography settings
To access this setting, open the Tools menu (on Windows) or Dashlane menu (on macOS) > Preferences > Security > Advanced Settings. If needed, click on the small lock icon and enter your Master Password. Under Key derivation function, you will be able to choose from three methods:
- Argon2d (Recommended): This password derivation function is state-of-the-art and is recommended if your company doesn’t need to meet specific compliance policies. We use 3 iterations, 32 MB memory cost, and 2 parallel tasks.
- PBKDF2 200,000: This password derivation function complies with NIST recommendations. It can, however, be slow on old devices. We use 200,000 iterations of PBKDF2 with SHA256.
- PBKDF2 10,204: This password derivation function is compatible with old versions of Dashlane.
After choosing your new method, finalize the change and re-encryption by clicking Continue.
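The following Python example is added here for illustration and is not Dashlane's code. It derives keys with the two PBKDF2-SHA256 iteration counts listed above, shows that unique salts give unrelated keys for the same Master Password, and measures how the iteration count raises the cost of testing guesses against stolen encrypted data. The salt and key sizes and all function names are assumptions, and Argon2d is left out because it needs a third-party library.

```python
import hashlib
import os
import time

# Iteration counts of the two PBKDF2 options listed above (SHA-256 per the page).
PBKDF2_OPTIONS = {"PBKDF2 200,000": 200_000, "PBKDF2 10,204": 10_204}

SALT_BYTES = 32  # assumption: the page does not state the salt size
KEY_BYTES = 32   # assumption: 256-bit derived key


def new_salt() -> bytes:
    """Fresh random salt, generated per user and stored beside the ciphertext."""
    return os.urandom(SALT_BYTES)


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the encryption key locally; the password itself is never stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation on this machine."""
    password, salt = "constructed sample passphrase", new_salt()
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key(password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def days_to_test(candidates: int, iterations: int) -> float:
    """Single-core days needed to test `candidates` guesses against one salted key."""
    return candidates * seconds_per_derivation(iterations) / 86_400


if __name__ == "__main__":
    pw = "constructed sample passphrase"  # constructed sample value
    # Same Master Password for two users: unique salts yield unrelated keys.
    k1, k2 = derive_key(pw, new_salt(), 10_204), derive_key(pw, new_salt(), 10_204)
    print("same password, different salts, same key?", k1 == k2)
    for name, iters in PBKDF2_OPTIONS.items():
        ms = seconds_per_derivation(iters) * 1000
        print(f"{name}: {ms:.1f} ms per derivation, "
              f"{days_to_test(10**9, iters):,.0f} core-days per 1e9 guesses")
```

Because each salt is unique, work spent guessing against one user's data cannot be reused against another's, and the higher iteration count multiplies the per-guess cost by roughly the ratio of the two counts.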