Password managers shouldn’t be a burden for users - interview

As 2021 comes to an end, misconceptions about what makes a secure password persist, with users underestimating the dangers of reusing passwords or changing them only slightly. Password managers provide a viable solution to that problem, but users worry about their utility and safety.

Password managers are great tools to help you store complex passwords in one place without having to remember them. By using military-grade encryption, they avert brute-force attacks, and by employing a zero-knowledge architecture, they prevent both cybercriminals and the providers themselves from viewing your data. Furthermore, companies providing password managers often monitor the dark web for compromised passwords and will alert you if yours is among them.

Today, there are many enterprises providing such services, but some certainly stand out. Dashlane, operating since 2012, offers protection across all data vectors, including passwords and other sensitive information. You can learn more about their offers for companies and individuals here.

Mantas Sasnauskas, the Senior Security Researcher at CyberNews, spoke with Stan Kocken, lead architect at Dashlane, to learn more about common password habits, the importance of password managers, and Dashlane’s techniques in monitoring the dark web for leaked data.

From your experience, what is the number one mistake that people make when they are coming up with passwords, or maybe the top three?

Yeah. The top three would be a good one because I think it is not only one issue. It's a collision of at least two. The one which everyone knows is the very simple password, obviously. A simple password is something your hacker or just a bad friend can just guess very easily. And the other one will be about reusing passwords, and this one is less known by non-techy people. But actually, in my mind, it's the most dangerous one. Because when the website is hacked, the hacker will get a login and password. And the first thing they will try to do is check that password on other websites, on Gmail, on Facebook, on everything. And in most cases, it would just work. So for both solutions, the best advice is just to use a unique and complex password for each service, a different one for each service. And that's where you need something like a password manager, like Dashlane, so you don't have to remember all of them because it's impossible.

You have some people who are using a password and believe they are secure, because they are using a variation of this password. For example, cat123fb for Facebook and cat123tw for Twitter. So it's a slight improvement, but hackers will figure it out very quickly, and they will break it anyway.

Dark web and hacker forums are hotspots for exchanging stolen credentials. So how is Dashlane monitoring those dark web forums for leaked data? And do you have any kind of technology that you use to collect that data?

Yes. So, dark web monitoring works in two steps. First, you need to collect the data, as you mentioned. And then determine how to export it to the user. To collect the data, we are partnering with SpyCloud, which is a company specializing in this. They work with us to collect that data, which they then transmit to Dashlane, so we don't have to transmit any information about the users. Once we have the data, we carefully filter the terabytes of data that we have, find the right information of the right users, and export it.

Even Dashlane employees can't view users' master passwords because encryption is involved, right? So, could you explain where the passwords are stored and how it is different from cloud-based services? How can users know that you don't see their passwords, and how are they protected?

Yeah. I can explain that very simply, though obviously, security is the number one priority for Dashlane, on top of other features. Dashlane employees cannot see users’ master passwords. Nor can they see any of the passwords the user puts in their vault. On most websites where you enter your login and password, this password is sent to the server. The server will check that you are legit, and it will simply give you access if that's the case. At Dashlane, we never do this. The password is never sent to the server. It's really used only locally. We use it as a key to encrypt your vault, and this vault itself is encrypted locally. So no one can see it because the key is your master password that only you know. That's what makes us secure by design.

Speaking of you, how long have you been working in the InfoSec field?

In the password manager field, it has been six years now.

How has the industry advanced in your eyes from when you first started six years ago?

I think it's mostly about the people who are using password managers. Six years ago, they were people who understood technology, and security companies. And now it's all kinds of people, all types of companies are using password managers, and they understand the need for them. That's a big change.

The password manager market is ever innovating and evolving. Dashlane has even incorporated some other security tools into the mix, right? Like from a VPN to anonymize users' online traffic, to identity theft protection. What do you think is the next milestone for password managers in general?

Indeed, we can add more features, but I think the most important thing is to make password managers just easier to use. We don’t want to be a burden for the user. We want to be a time saver. So that's why at Dashlane, we auto-fill passwords like nowhere else. It is secure, but it's also so much more time-efficient.

And another example is how to effectively implement two-factor authentication - something simple that used to be unapproachable for users. So we try to make it so simple that everyone can use [those features.]

I think some people don’t think that an account might be compromised if they use a very weak password or even a simply weak password. Even, probably, a strong-ish password can be compromised. And they only think about it when their account is breached, which is too late.

Yeah. And that's what we do at Dashlane, right? When you enter your password, we tell you: you feel that this password is strong, but it's not that strong because it's using your birth date. We know it's breached. We know it's reused. We try to display it all to you and say: “hey, this is why it’s not secure, and this is how you change it.” We try to educate people at the same time.
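The vault design Kocken describes above (the master password stays on the client and serves only as the key for a locally encrypted vault, so the server receives ciphertext and never the password) as an added illustration that is not Dashlane's code. It assumes a PBKDF2 iteration count of 200,000 and uses HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a standard-library stand-in for a real AEAD such as AES-GCM; a wrong master password or a tampered blob fails the tag check instead of yielding garbage.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Illustration of the "master password is used only locally as the vault key" design.
# The cipher is HMAC-SHA256 in counter mode plus an HMAC tag (encrypt-then-MAC); a real
# client would use a standard AEAD such as AES-GCM. Iteration count is an assumed value.
PBKDF2_ITERATIONS = 200_000

def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys, on the client only."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def encrypt_vault(master_password: str, vault: dict) -> dict:
    """Build the only object the server ever stores: salt, nonce, ciphertext and tag (no password)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(vault).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}

def decrypt_vault(master_password: str, blob: dict) -> Optional[dict]:
    """Return the vault, or None when the master password is wrong or the blob was tampered with."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, "sha256").digest()):
        return None  # tag mismatch: wrong key or modified ciphertext
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)

# Constructed sample vault; the entries are invented for the demonstration.
SAMPLE_VAULT = {"facebook.com": "cat123fb", "twitter.com": "cat123tw"}
```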