Cryptography is hard, but psychology can be harder, which password-manager service Dashlane learned firsthand when it tested a new enterprise security tool on its own workforce.
An in-house test last summer of a feature called Credential Risk Detection revealed that many Dashlane employees had neglected to employ Dashlane to manage certain passwords, and not just those for personal use.
“Despite every employee actively using Dashlane internally (we deploy it on Day 1 during employee onboarding), we found a significant number of compromised ‘shadow’ credentials—logins used by employees to access various apps, some corporate and others personal,” Dashlane says in a blog post.
A Dashlane admin page showing insecure logins. (Credit: Dashlane)
“In practice, they’re not all doing it the right way,” Dashlane chief technology officer Frederic Rivain said in a Zoom call on Thursday.
This risk-detection feature, part of Dashlane’s Omnix service for businesses, automatically monitors desktop browser activity on company-managed computers for weak passwords and those compromised in data breaches.
Rivain explained that this software leverages AI to spot login fields and forms in web pages, gauges password complexity in an on-device calculation, and checks for compromises by sending hashes of passwords to the SpyCloud database.
Employers disapproving of employees who don’t use designated password managers is not an IT control-freakery problem. People often reuse passwords, as Dashlane itself reported last fall in a study based on on-device analysis of saved logins, which makes them vulnerable to “credential stuffing” attacks, in which an attacker tries passwords copied from a hacked site on other, high-value logins.
Password managers automatically check for reused passwords in their encrypted vaults of saved logins. And by doing the hard work of generating, remembering and filling in complex passwords, they make it easier for people to use ones that are less vulnerable to cracking.
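The three checks the article describes (on-device complexity scoring, reuse detection across a vault, and a hash lookup against a breach database) fit in a short script. The following is an added illustration, not Dashlane's code; the vault entries and the breach set are constructed, the breach database is stood in for by a local set of SHA-1 hashes (the page does not say which hash or protocol Dashlane uses with SpyCloud), and the entropy estimate is a deliberately crude length-times-charset figure.

```python
import hashlib
import math
import string
from collections import defaultdict

# Constructed sample vault; none of these are real credentials.
VAULT = [
    {"site": "mail.example.com", "user": "alice", "password": "Summer2023!"},
    {"site": "crm.example.com", "user": "alice", "password": "Summer2023!"},
    {"site": "bank.example.net", "user": "alice", "password": "x7#Qp9!vL2mZ@r4T"},
    {"site": "forum.example.org", "user": "alice", "password": "password"},
]

# Constructed stand-in for a breach-hash database (assumption: SHA-1 of the
# plaintext, which is what a vault-side hash comparison would send or compare).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ["password", "123456", "qwerty"]
}


def password_entropy_bits(pw: str) -> float:
    """Crude on-device strength estimate: length * log2(size of charset used)."""
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)
    if any(c not in string.ascii_letters + string.digits + string.punctuation for c in pw):
        charset += 32  # rough allowance for anything outside printable ASCII
    return len(pw) * math.log2(charset) if charset else 0.0


def is_weak(pw: str, min_bits: float = 50.0) -> bool:
    """Flag passwords below a chosen entropy threshold (50 bits is an assumption)."""
    return password_entropy_bits(pw) < min_bits


def find_reused(vault) -> dict:
    """Map each password that appears on more than one site to the sites using it."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def is_breached(pw: str, breach_set=BREACHED_SHA1) -> bool:
    """Compare the hash, never the plaintext, against the breach set."""
    return hashlib.sha1(pw.encode()).hexdigest() in breach_set


def assess_vault(vault=VAULT, breach_set=BREACHED_SHA1, min_bits: float = 50.0):
    """Return (site, issues) for every entry that is weak, reused or breached."""
    reused = find_reused(vault)
    findings = []
    for entry in vault:
        pw = entry["password"]
        issues = []
        if is_weak(pw, min_bits):
            issues.append("weak")
        if pw in reused:
            issues.append("reused")
        if is_breached(pw, breach_set):
            issues.append("breached")
        if issues:
            findings.append((entry["site"], tuple(issues)))
    return findings


def nudge_message(findings) -> str:
    """Format the findings as the kind of per-user nudge the article describes."""
    if not findings:
        return "No credential issues found."
    lines = ["Credential risk report: please rotate or import the following logins."]
    for site, issues in findings:
        lines.append(f"- {site}: {', '.join(issues)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(nudge_message(assess_vault()))
```

Only the hash leaves the device in this design, and the reuse check needs no network at all; the entropy estimator is the weakest part, since "Summer2023!" scores well on charset arithmetic despite being a predictable pattern, which is why real tools add dictionary and pattern checks on top.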
But password-manager users forgetting to use those tools is also not a new problem; many of you reading this may be living it right now. Dashlane went to the trouble of documenting this in-house exercise to make more people (as in, potential corporate customers) aware of it.
“We don’t see the data from our customers, so I figured we might as well share our own data,” Rivain said. “The whole goal, really, is behavioral change.”
Dashlane’s method for making that change happen was sending automated nudges through Slack to alert employees of their oversight and suggest how to fix it. Rivain described that approach as “Showing you what you did wrong on the spot and how to do better.”
Those nudges proved to be persuasive: “Within seven months, we had virtually eliminated all compromised, weak, and reused credentials from our corporate environment,” the post reports.
Emphasis on “virtually”; sloppy habits can resurface, and new employees can bring their own.
“Of course it’s never zero, because it starts again,” Rivain commented.
He admitted that he has not bothered to import every old login into his Dashlane account: “I still have a lot of old passwords that I do not use anymore.”
User apathy isn’t the only threat to login security; Rivain observed that AI is making phishing scams increasingly difficult to spot.
“Those emails are becoming way more sophisticated and way more targeted,” he said. “AI allows you to do those at scale and in a much more creative way.”
A password manager won’t autofill a login at the wrong site, but it also won’t stop a user spooked by a phishing scam’s threat of imminent loss of an account from copying and pasting the password from the password manager to the phishing site.
Passkeys, an authentication upgrade that Dashlane has aggressively supported, defeat phishing attempts entirely because they are cryptographically bound to domain names. But the problem with passkeys is not so much user apathy but site apathy: too many companies still don’t support them.
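Why domain binding defeats the copy-and-paste failure described above comes down to two values the relying party checks: the hash of the relying-party ID inside the authenticator data and the origin inside the client data. The following is an added toy model of that check, not Dashlane's or any FIDO library's code; it replaces the real public-key signature with an HMAC keyed per relying-party ID (an assumption made to keep it standard-library only), and the origins and challenge are constructed.

```python
import hashlib
import hmac
import json
import os

# Toy authenticator: one secret per relying-party ID, created at registration.
# A real passkey holds a per-site key pair; the point modelled here is that the
# credential is scoped to the rpId and the assertion carries rpIdHash + origin.
AUTHENTICATOR_KEYS = {}


def register(rp_id: str) -> None:
    AUTHENTICATOR_KEYS[rp_id] = os.urandom(32)


def make_assertion(rp_id: str, origin: str, challenge: str):
    """Produce (client_data_json, auth_data, signature) as a browser+authenticator would."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00" * 4
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEYS[rp_id], signed, "sha256").digest()
    return client_data, auth_data, signature


def verify_assertion(expected_rp_id, allowed_origins, challenge,
                     client_data, auth_data, signature) -> str:
    """Relying-party checks; returns 'ok' or the reason the assertion was rejected."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return "bad type"
    if data.get("challenge") != challenge:
        return "challenge mismatch"
    if data.get("origin") not in allowed_origins:
        return "origin not allowed"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if (auth_data[32] & 0x01) == 0:
        return "user presence flag not set"
    key = AUTHENTICATOR_KEYS.get(expected_rp_id)
    if key is None:
        return "no credential registered for this rpId"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(key, signed, "sha256").digest()
    if not hmac.compare_digest(expected_sig, signature):
        return "bad signature"
    return "ok"


def demo():
    """Legitimate login succeeds; a look-alike domain cannot produce a valid assertion."""
    rp_id, origin = "example.com", "https://login.example.com"
    register(rp_id)
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed
    good = verify_assertion(rp_id, {origin}, challenge,
                            *make_assertion(rp_id, origin, challenge))
    # A phishing page lives on a different rpId, so the browser would hand it a
    # different credential (here: a different key) and a different rpIdHash.
    phish_rp, phish_origin = "example-com.evil.test", "https://login.example-com.evil.test"
    register(phish_rp)
    relayed = verify_assertion(rp_id, {origin}, challenge,
                               *make_assertion(phish_rp, phish_origin, challenge))
    return good, relayed


if __name__ == "__main__":
    print(demo())
```

The relayed assertion fails at the origin check before the signature is even examined, and it would fail again on rpIdHash and on the signature if the origin check were removed; a password, by contrast, carries no information about where it was typed.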
And that, Rivain acknowledged, will take more than several months of nudging to fix. “We can see the traction and the basic momentum,” he said. “But it’s going to be a long journey.”
About Rob Pegoraro
Contributor
