Password vault simplifies Web site security

6/7/2013
BY DAVID POGUE
NEW YORK TIMES
  • CIR-POGUE-COLUMN-6

    Dashlane is a dedicated password memorization program stuffed with features.

    NEW YORK TIMES/STUART GOLDENBERG

    • Dashlane is a dedicated password memorization program stuffed with features.
    Dashlane is a dedicated password memorization program stuffed with features.

    “If you want to avoid having your identity stolen, use long passwords that contain digits, punctuation, and no recognizable words. Make up a different password for every Web site. And change all of your passwords every 30 days.”

    The Dashlane 2.0 security dashboard is not only a time-saver, it works in Safari, Chrome, Explorer, and Firefox.
    The Dashlane 2.0 security dashboard is not only a time-saver, it works in Safari, Chrome, Explorer, and Firefox.

    Have these security pundits ever listened to themselves?

    That advice is clearly unfollowable. I have account names and passwords for 87 Web sites (banks, airlines, blogs, shopping, email, Facebook, Twitter). How is anyone — even a security professional — supposed to memorize 87 long, complex password strings, let alone remember which goes with which Web site?

    So most people use the same password over and over again, and live with the guilt.

    There are solutions. Most Mac and Windows Web browsers offer to memorize passwords for you. But that feature doesn’t work on all Web sites, and is generally of little help when you pick up your phone or tablet. At that point, the only person you’ve locked out of all your online accounts is you.

    The only decent solution is to install a dedicated password memorization program (like Roboform, KeyPass, LastPass, 1Password, and so on). Last week, one of the best was improved: Dashlane, now at 2.0. It’s attractive, effective, loaded with time-saving features, and available for Mac, Windows, iPhone, and Android — and it’s free.

    Installation is quick. Dashlane works in Safari, Chrome, Internet Explorer, and Firefox. It can import password “vaults” from rival programs.

    Dashlane has two primary features. First, yes, it’s a password memorizer. Every time you type your account name and password into a Web page and press enter, Dashlane pops up, offering to memorize that information and fill it in the next time.

    In fact, it also offers to log you in — not just to enter your password, but also to click “log in” for you. In effect, Dashlane has just removed the login blockade entirely. When you go to Facebook, Twitter, or Gmail, you click your bookmark, smile at the briefest flash of the login screen and arrive at the site.

    Because Dashlane is storing and auto-entering your passwords, you’re now free to follow the security experts’ advice. You can make up long, unguessable passwords — a different one for every Web site, because you don’t have to remember any of them. In fact, each time you sign up for a new account, Dashlane offers to make up such a password for you and then, of course, to memorize it.

    Dashlane’s second huge feature is even more amazing. It can also fill in other kinds of Web site forms: your name/address/phone number and even your credit card information.

    When you’re buying something online, and you click into the credit card number box, Dashlane displays pictures of your credit cards: Visa, MasterCard, American Express — even PayPal.

    When you click the one you want to use, Dashlane instantly fills in the long card number, your name, the expiration date, even that accursed security code, in the right boxes. Every time you order something online, you save between 30 seconds and five minutes, depending on whether you have your card information memorized or have to go burrow through your wallet.

    When you make a purchase, Dashlane even offers to store all the details in a digital receipt that you can call up later, along with a screenshot of the Web site where you shopped.

    This feature makes online shopping so frictionless, every dot-com retailer on Earth ought to be promoting Dashlane as if its profits depended on it.

    In fact, Dashlane can fill in all kinds of forms automatically: phone numbers, job titles, tax numbers, and so on. If you’ve ever recorded multiple answers — you have two Twitter accounts, say — two tidy buttons appear beneath the name box, bearing the account names. Click the one you want.

    So far, Dashlane probably seems designed for convenience, and that’s true. Behind the scenes, of course, its ultimate goal is security.

    No system is foolproof. But Dashlane notes that it doesn’t ever see your passwords or your credit card information. They’re all stored on your own computer, encoded by the AES-256 encryption method, an open-source standard approved by the National Security Agency. Your entire Dashlane universe is protected by a master password. It’s intended to prevent a laptop thief from heading online with your missing computer and going on a shopping spree.

    In version 2.0, furthermore, you have the option of using two-factor authentication — fancy lingo for an extra layer of security. To unlock Dashlane, you have to enter your master password and a code that Dashlane texts to your phone. It’s a pain, yes, but it effectively ruins the day of any ne’er-do-well who was hoping to guess or steal your master password.

    Version 2.0 also introduces a convenient security dashboard, which identifies reused and weak passwords. It also eliminates the baffling points system of 1.0, which rewarded you for logging into Web sites.

    There are iPhone and Android phone versions of Dashlane — also free and also fantastic.

    The other big change in Dashlane 2.0 isn’t quite so joyous. True, Dashlane can wirelessly synchronize all your passwords between your computer and phone, so that the phone, too, automatically enters them as you surf. But in 2.0, that feature now costs $20 a year. (It used to be free, and still is if you used earlier versions of Dashlane. The company does urge the earlier Dashlane fan to make a one-time contribution — $40 seems to be its favorite suggestion.)

    An annual fee? Really? That seems a steep charge by a company that, until now, seemed remarkably customer-friendly. Alas, that seems to be the model these days. Dashlane’s archrival LastPass is also free for Mac and Windows computers, and also stores your credit card and other information. But to use LastPass on a phone, you have to pay $12 a year.

    Still, Dashlane is much better looking, better designed, and easier to use.

    It’s not perfect. Each time Dashlane stores a password for you, it also nudges you to put it into a category (email or social media, for instance) and associate it with one of your email addresses. The company says that all of that paperwork is only a convenience — you can click right past it — but it’s still a befuddlement every time.

    Now and then, I found a Web site that Dashlane couldn’t auto-log into, too.

    And Dashlane doesn’t work in the built-in browser on the iPhone. (No password keeper can, Dashlane says, thanks to Apple’s rigid programming rules.) Instead, it offers its own little iPhone browser.

    (The Dashlane app for Android also has its own built-in browser now.) It’s fast, it’s almost exactly like Safari and it auto-fills all the Dashlane-ish stuff, but it’s more trouble to find and open.

    Still, complaining more than briefly about Dashlane’s drawbacks is like grumbling about the taxes when you win the lottery. It saves you infinite time, it’s (mostly) free, and it belongs on your computer and phone.