What is Password Changer and how does it work?
Password Changer is a new feature for Dashlane 3 on Windows, Mac OS X and iOS (Android support will be coming soon!).
Note that Password Changer is not available on Windows XP or on Mac OS X Snow Leopard (10.6).
How it works
Password Changer can automatically change the passwords for your sites from inside the application. It works by logging in directly to these sites, generating a strong, unique, random password for you, and then changing the password on the site on your behalf.
Everything is done automatically by Dashlane in the background. You will only see the Dashlane window showing the status of each password change and confirmations that your passwords were successfully changed.
Dashlane can also detect two-factor authentication and security questions and allow you to authenticate within Dashlane. If a site requires additional information to change your password, Password Changer will prompt you for it during the password change process.
How we protect your data
Your passwords are always generated locally by the Dashlane application, and they are always transmitted securely or encrypted when updating your passwords on Web sites. All information sent to Web pages (including security questions and Two-Factor Authentication codes if required by a site) is transmitted securely, just as if you were logging into individual websites yourself and changing passwords manually.
Only you know your passwords. They are only saved in your Dashlane account, which is protected using your master password and secure AES-256 encryption. No one has access to your data in your Dashlane account except you - not even us at Dashlane!
On which sites it works
For now, Dashlane works on a limited number of sites. The full list is available here. However, we designed our technology and architecture to scale, and we are rapidly and continuously adding more sites!
When hovering over one of your credentials for a website, click on the more icon on the right and then choose Auto-change password.
If you have Web sites on which Dashlane doesn't offer to use Password Changer, you can click here and check on this page if that site is supported. If a site is not in that list, you will be able to send us a request using this page. We'll add it to our to-do list as soon as possible! We are currently working on a list of sites that we have already planned to support in the future. Thank you very much for your patience!
Advanced users section
How it works – advanced users
To change a password for a particular website, the Dashlane application generates a new strong password and encrypts both the current password and the new password with a unique private key, just as our Secure Sharing or Emergency features already do in Dashlane.
Then the application on your computer sends both encrypted passwords to Dashlane's servers. This is done using secure WebSockets (that is, WebSockets over SSL/TLS) for maximum security and to prevent any man-in-the-middle attacks.
Then our servers try to log in to the targeted Web site and change your password to the newly generated one. This is done using either a headless browser (i.e. a web browser without a graphical user interface) or a call to an API if the website offers one.
At the end of the operation, our server simply notifies the user with the result: in case of success, the application updates the current password locally with the new password which was previously generated.
How we protect your data – advanced users
The servers that are used by Password Changer are separated from the rest of Dashlane's server infrastructure. We use dedicated instances and distinct security groups.
Additionally, any sensitive information on our servers (e.g. logins and passwords when signing in to sites) is only held temporarily in Random Access Memory. Random Access Memory is a volatile type of memory used as a working space and constantly overwritten with other data; its state is also lost or reset when power is removed from the system. All information is removed from Random Access Memory right after our servers send the result back to the application, which takes 45 seconds on average for a password change, or after five minutes if our servers can no longer reach your application to confirm that the password was changed. This information is never stored on our servers.
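The retention rule described above, sketched as an added example (this is not Dashlane's code): secrets for an in-flight job live only in memory and are overwritten as soon as the result is delivered, or at a five-minute deadline if the application cannot be reached. The class and method names are hypothetical, and the deadline is assumed to run from the moment the job is accepted.

```python
import time

RETENTION_SECONDS = 300  # the page's five-minute limit; start point is an assumption


class EphemeralJobs:
    """RAM-only holder for in-flight password-change jobs (hypothetical design)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._jobs = {}              # job_id -> (deadline, {name: bytearray})

    def put(self, job_id, current_pw: bytes, new_pw: bytes):
        # Mutable buffers so they can be overwritten in place later. The caller's
        # immutable bytes objects are outside our control: wiping in Python is
        # best-effort, not a guarantee.
        secrets = {"current": bytearray(current_pw), "new": bytearray(new_pw)}
        self._jobs[job_id] = (self._clock() + RETENTION_SECONDS, secrets)

    def get(self, job_id):
        """Return the live secrets, or None if the job expired or was wiped."""
        self.sweep()
        entry = self._jobs.get(job_id)
        return entry[1] if entry else None

    def finish(self, job_id, deliver_result, success: bool):
        """Send the result; wipe at once if the application received it.

        deliver_result(job_id, success) returns True when the client was reached.
        If it was not, the secrets stay until the deadline and sweep() removes them.
        """
        delivered = deliver_result(job_id, success)
        if delivered:
            self._wipe(job_id)
        return delivered

    def sweep(self):
        """Wipe every job whose deadline has passed; return the wiped ids."""
        now = self._clock()
        expired = [j for j, (deadline, _) in self._jobs.items() if now >= deadline]
        for job_id in expired:
            self._wipe(job_id)
        return expired

    def _wipe(self, job_id):
        _, secrets = self._jobs.pop(job_id)
        for buf in secrets.values():
            buf[:] = bytes(len(buf))  # zero the buffer before dropping the reference
```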
Your account data is stored on Dashlane’s servers if you have a Premium account and Sync enabled, and it is always encrypted locally using an encryption key based on your master password, which only you know and which is unknown to us at Dashlane. The information stored on Dashlane’s servers is unreadable to us, and we cannot use it to sign in to your accounts. No password information resulting from the password change is ever stored on Dashlane’s servers.