Pando

Dashlane announces an "Oh shit!" button to help consumers respond to the next Heartbleed

By Nathaniel Mott , written on December 9, 2014

From The News Desk

Dashlane has announced a new tool that will allow consumers to reset their passwords for some 75 major websites -- including Facebook, Google, and Amazon -- with a single click. It's currently available as a beta product through the company's desktop software, and it's expected to make the jump to Dashlane's mobile applications at some point in the future.

I've wanted something like this since Heartbleed, the infamous security vulnerability that rocked the Internet when it was revealed earlier this year, left an estimated two-thirds of the Internet insecure. As I wrote in a post advising readers to change all their passwords:

While there are various tools that can generate strong passwords and keep them in sync across multiple platforms, there isn’t an “Oh shit!” button that can automatically reset all of those passwords when something like this happens. It’s up to you to remember all of the websites you’ve visited, the passwords you used for those sites, and to create new passwords that anyone knowing your old ones won’t be able to guess.

So the idea of having a tool like this available to automatically update all my passwords whenever a website is compromised -- and it seems like that's happening increasingly often -- is a welcome one. But that doesn't mean Dashlane is a panacea for all our security woes any more than encrypted communications tools or anonymous Web browsing tools are.

The main criticism Dashlane will face is that it cannot check whether a website has actually patched the vulnerability that prompted a consumer to hit the "Oh shit!" button. I was rightly criticized for the post I quoted above because I failed to mention the futility of updating a password for a site that remains vulnerable to attack: the new password can be stolen the same way the old one was.

A Dashlane spokesperson says that in the event of another widespread vulnerability like Heartbleed it will probably advise users to change important passwords right away, to make sure a password that may have leaked is no longer shared across multiple sites, and then to change them again a few weeks later, once most major companies have patched the vulnerability.
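The two-stage rotation the spokesperson describes can be written down as a plan. The following is an added example, not Dashlane's code: it takes a constructed password vault and an externally supplied list of affected sites with their patch status (the article notes Dashlane cannot determine that status itself, so it is assumed to come from the user or a published list), finds passwords reused across sites, and decides which credentials to rotate immediately and which need a second rotation after a patch is confirmed. Site names, passwords and dates are all constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample vault of (site, password) pairs; not real credentials.
VAULT = [
    ("mail.example", "hunter2"),
    ("shop.example", "hunter2"),
    ("forum.example", "hunter2"),
    ("bank.example", "correct horse battery staple"),
    ("news.example", "xK9!vQ2#pL"),
]

# Constructed list of sites reported as exposed, mapped to patch status.
# This is an assumed input; the password manager cannot learn it on its own.
AFFECTED = {
    "mail.example": "patched",
    "shop.example": "unpatched",
    "forum.example": "unpatched",
}

ROTATE_NOW = "rotate_now"                        # one rotation is enough
ROTATE_NOW_AND_RECHECK = "rotate_now_and_recheck"  # rotate again after patch


def reuse_groups(vault):
    """Map each password that appears on more than one site to those sites."""
    groups = defaultdict(list)
    for site, password in vault:
        groups[password].append(site)
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}


def rotation_plan(vault, affected, today, recheck_days=21):
    """Decide what to do with each credential.

    today is an ISO date string; recheck_days is how long to wait before the
    second rotation for sites that have not confirmed a patch (an assumed
    default, in the spirit of the 'few weeks' the article mentions).
    Returns {site: (action, recheck_iso_date_or_None)}.
    """
    start = date.fromisoformat(today)
    recheck = (start + timedelta(days=recheck_days)).isoformat()
    groups = reuse_groups(vault)
    plan = {}
    for site, password in vault:
        exposed = site in affected
        # Sites sharing this password with an exposed site are at risk too,
        # even if they were never vulnerable themselves.
        shares_with_exposed = any(
            other in affected for other in groups.get(password, []) if other != site
        )
        if exposed and affected[site] != "patched":
            # The new password can leak the same way until the site is fixed,
            # so a second rotation is scheduled after the recheck window.
            plan[site] = (ROTATE_NOW_AND_RECHECK, recheck)
        elif exposed or shares_with_exposed:
            # Patched site, or an unaffected site reusing a leaked password:
            # a single rotation to a unique password closes the gap.
            plan[site] = (ROTATE_NOW, None)
    return plan


if __name__ == "__main__":
    for site, (action, when) in rotation_plan(VAULT, AFFECTED, "2014-12-09").items():
        print(f"{site:15} {action:25} {when or ''}")
```

The plan deliberately rotates unaffected sites that share a password with an exposed one, since that is the reuse the first rotation is meant to break; sites with unique passwords and no exposure are left alone.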

"Obviously that's something we can't control," the spokesperson said in response to a question about Dashlane checking to see if a website is secure before it lets someone update their password. "We can't go to 500 million websites and say, oh, have you patched yet?"

Another question commonly asked of security companies is whether or not their tools have been audited by independent parties. Many paranoiacs -- which, in this age of constant surveillance and increasing digital threats, is a term of endearment -- want security tools to be completely open source so anyone can examine their code. Failing that, outside groups brought in to examine the code from an independent position are the second-best option.

Here's Dashlane chief executive Emmanuel Schalit's response to a question concerning the company's security tools and whether or not it's asked others to examine its software:

“Our client applications and servers’ infrastructure have gone through multiple third-party audits and penetration testing. This testing is performed on a regular basis and comes in addition to the central element of our security architecture - that we do not have access to our users’ personal data.”

I'm excited about Dashlane's new tool, and its plan to introduce a feature that automatically changes passwords at set intervals, despite those concerns. Consumers are the weakest link in their own digital security. We rely on simple passwords that can be easily guessed, we repeat those passwords across multiple sites, and we share passwords with each other.

Removing us from the equation by automatically updating passwords without our input or knowledge is a good way to address that problem -- so long as you trust Dashlane to keep those passwords secure and can remember the "master password" that allows you to log in to the service, at least. That's the trade-off required to finally get to this "Oh shit!" button.

[Illustration by Brad Jonas for Pando]