Hey everyone! I’m Frederic Rivain, the Chief Technology Officer at Dashlane, Ask Me Anything!
Hey everyone! I’m Frederic Rivain, the Chief Technology Officer at Dashlane since 2015. I help lead our engineering teams and drive efficiency to offer the best experience. Before Dashlane, I was involved in the Gaming, Gambling, and eCommerce industries. Cybersecurity is a subject I am passionate about, and that is one of the key reasons I joined Dashlane: to help be part of the forefront of innovation.
Proof Photo: https://imgur.com/a/SnaxIxO
At Dashlane, we help keep all your passwords, payments, and personal info safe in one place, that only you have access to so that you can securely and instantly use them anytime. We have never been breached, and this is due to our zero-knowledge system and strong encryption we have in place.
I’m looking forward to chatting with all of you and answering questions on cybersecurity, a passwordless future, best practices for keeping your data safe, Dashlane, and what innovations are on the way. Feel free to also ask anything else, like French boxing and trail running, my other hobbies.
Ask me anything!
Update: 1/26 5:00 PM
Thanks for all the questions! I hope you enjoyed the AMA. I have to head out for now but I'll be answering more questions tomorrow. In the meantime, come and check out our subreddit r/Dashlane.
Update: 1/27 12:00 PM
Thank you all for the questions. It was great sharing my thoughts and ideas with the community. I'll talk with you all soon on r/Dashlane.
For more information about Dashlane: https://www.dashlane.com/
You are kind of right. As a CTO, I always feel a bit nervous about those slogans. But as a password manager we are already a target.
Never say never. We do hope that we will not be breached in the future and we are working hard to prevent that. But nobody's perfect and 100% security does not exist. So far so good, let's keep it that way. 🤞
Would you not feel more secure adopting a 'secret key' type addition to the user chosen master password so if your storage was ever breached then you're not just relying on the strengths of an end users password?
I would but then you put the effort on the user to manage that additional secret key. It is always a question of security vs convenience. But we are always looking at ways to optimize that equation and maximize both sides.
I was disappointed in your decision to discontinue the desktop app, could you explain why you made that decision?
It was a tough decision. Our desktop apps were our first apps built for Dashlane in C++. They became bloated with tech debt and security risks, hard to maintain and evolve.
At the same time, our customers were active almost only in the browser on desktop.
With limited resources, we decided to focus our efforts on the browser extension and make it the best possible experience for our customers.
I could feel the difference and as a dev myself I understand the amount of technical debt and additional maintenance this creates for any feature.
However, would a standalone webapp based version be possible? (like Electron or any other wrapper).
Similarly to how macOS still has a desktop version because it happens to be able to run iOS apps. (At least from what I read in a blog post, I'm not a Mac user.)
Indeed, we are leveraging the technology called Catalyst to provide our iOS app running on macOS. That comes almost for free, thanks to the Apple ecosystem.
Before deciding to sunset our desktop apps, we had actually explored Electron and other wrapper technology. But none of those are ideal as regards performance, security, cost of maintenance, etc.
One cheat if you want to reproduce a native app behavior is to create a desktop shortcut to the web app.
New to Dashlane and so far it's working fairly well for me. Issues that make Dashlane a chore. Are the following in the roadmap and could we expect these enhancements soon?
1) Custom categories - need to be able to better sort out based on our own system of organization
2) Autofill - need to be able to turn off the annoying prompts to save additional fields on a website. Doing so on an individual site basis is annoying. Would like a "for all sites" option.
3) Delete - could we have an archive option for some sites that are no longer active or we no longer use but don't want to delete yet?
None of these are showstoppers but would make the experience better.
Happy to hear you are happy overall and thank you for the feedback.
- Custom categories: this is one of the steps towards having folders of passwords, so one of our top priorities and probably an iteration we will launch first. So I can't promise anything, but coming soon.
- Autofill: interesting feedback. Let me share with our Autofill team. We are always looking at ways to give users more control on Autofill behaviors, without making it too complex.
- Archive option: good idea. I actually have the same issue personally. I have a lot of old accounts I would like to keep but are no longer really active. Same. I'll discuss with the team.
When you guys get hacked like all the other password managers, will you cover it up like they did, or admit it and take a job in Wendy’s parking lot?
We don’t have a Wendy’s in France 😊 But jokes aside, we do everything we can to prevent our servers getting breached - but if we do get breached, we have a plan in place to communicate with our users and the public with transparency. We call it the Code Red Plan. We rehearse and review it regularly, so we make sure we can react the right way. Security incidents are stressful times, so you need to be prepared. You can't improvise on the moment.
Can you give a high level overview of what the plan entails? I understand you can't divulge all info, but a general overview, I think would help.
High-level, the plan goes over:
- a detailed step by step approach of what we should do if we identify a security incident, depending on the type of incident
- list who should be involved internally and externally
- clarify rules of communication with customers but also with institutions depending on territories and regulations
What's your pitch to why I would pick Dashlane over Bitwarden?
My CTO pitch is probably not going to be the same as our Sales & Marketing pitch.
I love what Kyle, Bitwarden's CTO, and his team are doing. I like that they chose to be open-source from the start, and I think this is the right approach for transparency, that's why we have started working on being open source at Dashlane as well. See my answer here.
Now, of course, I love Dashlane better. I love how we have always in mind to make the user experience as smooth and simple as possible, so my parents can use Dashlane. That's not easy for a security product like ours.
I love the performance and accuracy of our autofill. I think we have one of the best, if not the best in the market. That's the magic of a password manager: you never have to bother about filling forms manually anymore.
I love that we think beyond passwords and offer you everything required to help you with your digital hygiene: password health score, dark web monitoring...
Try both and let me know your thoughts. At the end of the day, what matters is that you use a password manager, whether it is Dashlane or Bitwarden (but of course, pick Dashlane 😁).
How often do you get confused with Rivian the car company?
Rarely, but the Americans I work with sometimes make the typo in my name.
The public has learned a lot about LastPass faults lately. I have two questions stemming from this.
- Which fields and values in Dashlane client password vaults are unencrypted? LastPass would confirm this only after their major compromise but independent researchers discovered this long before.
- Do you have enough defense in depth controls as well as active monitoring, alerting, and incident response resources to identify malicious access to both the vaults themselves and the encryption keys used for Dashlane client vaults?
Hi, thank you for sending the first question :-)
- All user data in your Dashlane vault is encrypted. But to be even more precise, we do not encrypt timestamps associated with vault transactions.
- We hope so. You can find more details about everything we do in that recent blog post: https://blog.dashlane.com/how-dashlane-protects-your-data/ It is never enough and we are always trying to improve. We only store encrypted vaults on our servers, not the encryption keys.
Have you considered open sourcing the rest of your stack?
It seems you’ve just uploaded the mobile apps to GitHub or am I mis-reading this?
For something so critical to my life and safety I really do want to read the source code.
We indeed just made the source code of the Android and iOS apps publicly available on GitHub. We are going to announce this more broadly and publicly in the next few days.
Next we would like to do the same for our web extension code, but we are going through a massive refactor due to Google Chrome MV3. So this is planned for later.
Eventually, we would like to be able to be fully open-source but this will require another level of internal organization.
What's the work culture at Dashlane like, and what does it take to get into Dashlane without an engineering degree?
My biased answer is that Dashlane is a great place to work. I have been working there for more than 7 years and I love it.
We have shared a lot of our culture and practices on our blog. Here are a few fun examples:
Degrees and education requirements are not mandatory to be hired as a Dashlane engineer. We have hired people from very diverse backgrounds with either no degrees or degrees on totally different subjects than computer science or engineering.
We also have an internal program, where someone can become an engineer. We recently had a member of our customer support team join our engineering team. He was looking for a different career, so he started learning coding and teaching himself about computer science, he "interned" in the engineering team and eventually met the requirements to join as a junior software engineer.
Oh wow! Dashlane!! I actually use Dashlane!!! This is like my third password app too, after hating my first two, and now I finally have this one which I like. Hashtag notspon, I SWEAR, it’s just nice to find a small AMA that’s actually relevant to my life for once.
I suppose I’d like to ask, will there ever be somewhat better support for entering a custom username instead of just an email when generating a new login? When I generate a login it always asks for my email first, and I have to delete the @[site] before the username field pops up. This can be annoying, especially for sites that don’t accept emails as usernames.
Thank you for the nice feedback. Happy that you like Dashlane.
Interesting feedback about usernames vs emails when registering on a new site. In theory, our autofill engine should recognize the difference and suggest a proper username. If you have specific examples, please share those and we can look into it with the team. Do you know that you can also self-correct if Dashlane got it wrong? See "Autofill fields using the right-click menu".
We are working hard on all our platforms in parallel. The web is as much a priority as mobile. One specific challenge for the browser extension in the past year has been the requirement to refactor it to be ready for Chrome MV3. This is a massive project for us, mandated by changes imposed by Google on Chrome, and unfortunately in the meantime we can't invest so much in real value for our customers. But I am optimistic we will catch up, once we are past MV3.
In your opinion, how familiar should a high-level tech leader be with the fundamental tech of the product (i.e. cryptography, product architecture, SRE stuff, DX) versus focusing on management and general tech goals and direction? Do you ever code or read code at Dashlane?
Hi, you have a lot of different flavors of tech leaders and a lot of different needs from organizations, but I think a common requirement is your curiosity and passion in tech, so yes it is important to understand the fundamental tech behind your product.
I actually have an unusual background as a CTO because I never was a software developer (I mean not long enough so I feel I can say that I was). I do not code today for Dashlane.
Another important characteristic for CTOs is their ability to bridge between tech and business: build a technology vision that supports the product and business strategy, interact with stakeholders and be the internal and external tech figure of the company.
If I describe my days at a high-level:
- ~40% is people: making sure we hire, onboard, develop, manage our team so they are happy and can do their best for our product and our customers
- ~40% is "operations": building the engineering machine so it can deliver efficiently. It's about processes, organization structure, strategy and delivery.
- ~20% is tech: this is actually the smallest part of my time, because I have a great team that I trust to do this better than I do. So what matters is that I bring the vision, challenge our tech decisions and make sure we keep improving our technology.
I ADORE your auto-change feature for passwords. Why are there so few websites that can use this? Also, will you ever have a feature that changes and updates our passwords automatically on a set schedule?
I loved that feature too, but it was really hard to maintain and scale. Web sites are all different and change all the time, so being able to reliably change passwords was extremely complex. That's why it never left the beta status, and we decided to stop investing into it.
It may come back one day, but it is not on our roadmap any time soon.
Do the greatest cyber-based threats to Dashlane come from government-backed entities, non-state actors (organized criminal groups), or individuals?
We assume attacks can come from anywhere, including government-backed entities. But sorry, we don't have any exciting information yet about three-letter agencies or foreign intelligence trying.
Do you undergo independent third-party compliance audits like ISO 27001, SOC 2, etc? Curious what your thoughts are on these
We have been SOC 2 for many years now.
Personally I have mixed feelings about compliance audits.
On the one hand, it's good practice to refer to industry standards and best practices. It challenges you to improve your internal organization and review how you do things regularly.
On the other hand, you need to spend a lot of time for those. It's hard when you have limited resources. And they are definitely not a guarantee that you can't be breached and that you are doing everything perfectly.
Bottom-line, done well, there is still more value and upside in doing those than not. We are actually considering working on ISO in addition to SOC 2 in the future.
What’s your median bug bounty payout amount? And what is a ballpark for the maximum you’ve paid out? Of the publicly disclosed bounty payouts, the average is very low.
The median stat is not available on HackerOne. The biggest recently was around $1,500. We have very few high severity reports, and no critical yet. We accept a lot of low impact bugs that are lowering the average payout. We want to attract more and more researchers on our bug bounty, it's a very effective way to detect and fix even the tiniest issues before they can become a threat. We increase the payouts regularly. The details for anyone wanting to contribute are here: https://hackerone.com/dashlane
Where can we find your warrant canary?
We don't have one. It's important to note that we don't have decryption keys, so even though we can be subpoenaed, it does not really matter. We can never provide information about what's in the user's vault.
When are the password folders and custom password fields features coming to Dashlane?
We are actively working on folders, it is one of our top priorities...but we want to make sure we do it right and it's a big one, so we are going to iterate and ship incremental changes. So stay tuned.
On custom password fields, we are still early in our exploration of how we do it. One of the challenges is autofilling those custom fields accurately on web sites.
What is your favorite part of your job?
I like this question. 😊
There are actually 2 aspects of my job that I feel really rewarding:
- the first one is when my team members grow and I can see how they have matured while working together
- the second one is when we find smart out-of-the-box ways to solve customer problems.
1.- What's your favorite color? 2.- Do you have plans to use ChatGPT?
We asked ChatGPT 😊 and this is what it said:
Does Dashlane have plans to use ChatGPT?
I am not aware of any plans for Dashlane to use ChatGPT specifically. Dashlane is a password manager company and ChatGPT is a language model, so it is unclear how they would be used together. However, it is possible that Dashlane may be exploring ways to integrate natural language processing technologies like ChatGPT into their products or services in the future.
More seriously, we already use a lot of machine learning in our Autofill engine, so there are definitely opportunities for us to leverage ChatGPT and similar tech in our product in the future.
And my favourite color is green.
Is it realistic to think that a determined opponent would not be able to break the vault with enough resources doing a brute force attack on the master password should an encrypted vault be stolen?
With a master password of sufficient entropy (is 24 bytes enough?), do you do anything extra to make this an even larger problem for a determined attack should they get a copy of the vault.
Having spent days changing every account/password and 2FA because the encrypted vaults were stolen, I am looking to mitigate from doing this every again which is where this question is originating from.
We have progressively increased encryption protection for all customers. Our current defence against brute force attacks is our use of Argon2d (https://www.password-hashing.net/). It’s designed to protect against ASICs, FPGAs and GPUs so the cost of cracking would be very high even for a small number of tries. With our current configuration it is equivalent to 1.6M rounds of PBKDF2. Also, if you configure your Dashlane account with 2FA with a specific option, we encrypt the vault additionally with another key which has a much higher level of entropy. This is described in our white-paper if you’re interested in all the details.
We’re also looking to improve this further in the future. One example is that we are exploring the implications of post-quantum cryptography: https://blog.dashlane.com/preparing-for-the-quantum-world/
24 bytes of entropy means "192 bits of entropy". It's largely above any known computing power even without derivation. What matters is to have a long, complex, as random as possible master password.
What level of experience do you look for when hiring entry level cybersecurity analysts?
Well, we actually haven't historically hired anyone entry level on our security team, because we do look for people with a strong security background and experience already in place. We would have to think about it with Cyril, Dashlane CISO, the day we want to do that.
How severe a security mistake is using the 'sign in with Google' option vs a traditional username/password? Or is that what Google is doing on the users' behalf? I'm a Dashlane user from way back (when the whole thing was free, in fact), but sometimes the simplicity of just hitting one button is overwhelming. ;)
There are 2 questions here:
- do you want to put all your eggs in the same basket? The issue with centralized identity provider such as "sign in with Google" or "Login with Facebook" is that they become massive targets and the day they are breached as it happened for Facebook, it is really bad.
- do you trust Google, whose business is based on user's data?
Even if it's an imperfect solution having unique complex passwords for each web site minimizes your exposure in case of a breach. Also having the choice to use alternative independent solutions such as Dashlane does matter to me.
Hi Frederic, I use Google’s password manager and I have never considered using LastPass or Dashlane since Google’s password manager is free. Am I making a big mistake or is this fine?
It's not a mistake but a choice.
Using Google Password Manager is easy. It's there, it's free. But you have limited functionality, no customer support, you're locked in the Google ecosystem, you have to trust Google whose business model is data and advertisement.
A third-party independent solution like Dashlane requires a bit more effort to set up, but then you have a solution that works everywhere, with a rich feature set that we improve all the time, you pay for it but you know we won't sell your data.
What efforts are being made to improve browser extension functionality? Love Dashlane in general, but misdetection of fields and lack of detection of valid fields has been a problem forever.
We work hard to continuously improve our browser extension and in particular our autofill engine, which is such a critical part of the experience.
Despite our investment and the use of machine learning, it remains very complex to have 100% accuracy on analyzing all the web sites and pages, considering how each site is built differently, with different languages, with different semantics.
Whenever you have a specific web site that does not work, don't hesitate to raise the issue through our customer support. This feedback allows us to be better and better.
Also you can use "Autofill fields using the right-click menu" to self-correct it in the meantime.
We have never been breached, and this is due to our zero-knowledge system and strong encryption we have in place.
Can you go over what your zero-knowledge system is? What makes your encryption so strong and is it possible for it to be breached?
I encourage you to read our security white-paper
The short version of it is all encryption happens locally on your device, we never see the encryption keys. In all cases, we aim to make sure that the only person who can access the user data is the user.
Any plans to become FedRAMP certified?
Is your SDLC documented publicly? How do you ensure developers use good practices, not in the code they produce but in their day to day work?
We don't plan to become FedRAMP certified in the near future, but that's something we may consider longer-term.
Our SDLC is not available publicly, but I like the idea of sharing it externally. I'll think about it. We do share a lot of our practices and what we do in the Dashlane engineering team on our blog: https://blog.dashlane.com/category/engineering/
We continuously try to improve developer practices, challenging how we do things and aiming for better quality, reliability and efficiency. A few examples: just today, we made our mobile source code available. In the past few months, we have invested into more automation to be able to update our web extensions every week, and that's not a small feat when you know how the Chrome Web Store submission process works. We use DORA metrics as a way to monitor our practices and always try to do better.
What's your go-to soup recipe?
I am not a big soup person. My parents fed me too much soup when I was a kid. It was mixed vegetables (carrots, potatoes, leek, etc.) that were mashed together (potage). I actually prefer to have the vegetables, not mashed, in the broth. This is an example: https://www.zeste.ca/recettes/bouillon-de-legumes
What do you do differently from other password managers, like one that was hacked recently?
I actually tried to answer in that blog article: https://blog.dashlane.com/how-dashlane-protects-your-data/
It's not easy as a CTO to address that question because you want to show what you do well obviously, while being humble and realistic about the fact that security incidents can happen to anybody, as well as respectful about those who have suffered breaches.
Feel free to read and let me know if you have follow-up questions.
How important is continual training to you for your devs and engineers?
Continuous training and learning is critical to any engineering team. This is vital for engineers to stay up-to-date and adapt to a fast-moving tech world. I wrote about the importance of continuous learning a few years back. The content is a bit old, but still relevant: https://blog.dashlane.com/culture-of-continuous-learning/ (enjoy the old Dashlane branding and logo 😉).
We have a lot of different practices to foster that spirit in the Dashlane engineering team: weekly mini trainings, internal tech summit, attending conferences and meetups...
Do you use any specific product analytics tools?
Because of the type of product we are, we actually don't rely on SaaS third-party product analytics tools. We have a custom logging infrastructure feeding our datalake. We host our own instance of Tableau to visualize and analyze the data.
WebAuthn support is built into more devices than ever. Do you anticipate adoption among average users in the future?
How does a company like Dashlane stand to benefit or lose from adoption of WebAuthn and FIDO2?
I definitely anticipate WebAuthn and FIDO2 to become the underlying tech for the future of online authentication. I am excited to see the progress around passkeys. Dashlane is an active member of the FIDO Alliance, and we can see that there is an alignment of planets (and organizations) to find solutions to get rid of passwords, which, let's be honest, are a pain.
We were the first password manager to support passkeys and we are very bullish about a passwordless future.
It's going to take time but the transition is starting.
This is going to be a specific question. Can you please fix your mobile app's autofill with the bank of America app on Android? It's never worked for me.
We are aware of that issue. As far as I remember, this was due to Bank of America preventing us from properly associating the app to the credential. But let me check with the team and get back to you.
Do you guys plan on improving your testing procedures and or release process in the near future?
You guys pushed an update to the Chrome Extension just before the major US holiday season, this left many users DOWN. The issue was not even acknowledged on your status page until Jan 2, a full week after being reported and acknowledged on reddit. The explanation was "it passed automated testing so we let it fly".
Seems improved testing procedures and absolutely better comms of known issues are in order.
I want to apologize for this incident. Indeed, it happened at the worst of times, we took too long to clearly identify it and to fix it. It has triggered a big post mortem internally so we can do better in the future.
To give a bit more context about what happened here:
- We are migrating the Dashlane extension from Manifest v2 to Manifest v3, which is a requirement from Google Chrome.
- For such a rich extension like Dashlane, this is a massive effort.
- In Manifest v2, the extension uses a 'background page' to allow the different pieces of the Dashlane extension to exist together. The background page is actually a hidden web-page, and Dashlane is using it to keep your data in memory after loading it from the disk.
- In MV3, we no longer have a background page, but instead a service worker that is started when needed, and terminated shortly after. We had to include a retry mechanism to revive that service worker in certain situations. This mechanism was the culprit and generated a memory leak that would degrade performance over time.
- We missed that through our testing because that code is not yet active (we are still running in MV2 mode) but it impacted the extension nevertheless.
We will share more details publicly as part of our post mortem. We have progress to make in communicating with our customers about production incidents.
I'm an admin of our Dashlane for Business plan and I find the admin console and abilities to be a little lacking. Are there any plans to improve the Admin experience?
I have a bunch of questions, so I apologize in advance...
What's the logic behind requiring users to accept group invites? Only admins can manage group membership, so it seems strange to have this extra step.
I also find it weird that, as a user, I can't find members part of my same business plan, unless I've shared a password with them already or they're in my contacts. There should be a way, even with an admin toggled setting, to allow discovery.
Why can't admins initiate password resets? I have some people in my company who are less tech savvy and being able to have more control as an admin would help their user experience.
Why does the web-app on Chrome (haven't looked at other browsers for the moment) have a chrome-extension URI, versus being something like app.dashlane.com?
Are there any plans to introduce different user types, instead of just Admins and Members? I'd love to be able to have different roles and permission groups to be able to allow managers to manage the members of specific password groups, for example, without having access to the whole admin console.
Can you guys add a way to change the default behaviour of the settings when adding a new password, or at least allow bulk editing? I loathe the autologin feature and hate that it's enabled by default.
What's the deal with the Friends & Family dashboard? It lacks any kind of administration ability...
Lots of questions 😊. Let me give it a try and I may ask other Dashlaners to complement my answers.
- This is part of the setup flow of sharing. You can find the security details in our white-paper. We want the recipient of the sharing whether it is 1 to 1 sharing or being added to a group to sign their acceptance using their private key in the background. If you don't do that, you create various attack scenarios around sharing.
- I agree that we should improve the way you discover other employees so it's easier to share.
- We require the employee to initiate the process for account recovery to avoid the situation where a rogue admin would do it to get access to the employee vault. Considering employees can also store personal data in their vault, this felt an important security measure for us. I am curious to understand however why employees find it difficult to start the process since they just have to click "Forgot password".
- Because it is actually an extension and not a web app. You will have noticed that if you try to access to app.dashlane.com we will redirect you automatically to the extension if it is installed. The extension context is sandboxed and way more secure than the web app, which you should only access as a fall back. More details here.
- Yes, this is one of our short-term priorities. We actually plan to start with an admin role to manage groups. We are still in the early phase of development on that feature, so I don't want to announce any date, but stay tuned for more news on the topic.
- Thank you for the feedback. We have different plans to improve the autofill experience and how users can configure this to their preference. u/tinautofill who is a colleague that works with the autofill team can maybe tell you more about it.
- Indeed. Prioritization choice... we actually get very few requests about that dashboard, so we are putting our efforts on the top needs from our customers. But I definitely agree this dashboard deserves some love.
I hope those help.
We use Dashlane and enjoy it. What is the proper way to submit enhancement requests?
I am happy to hear it.
You can submit ideas and feature request here: https://support.dashlane.com/hc/en-us/requests/new
Looking forward to those.
Aren't y'all at least a little bit nervous about having the slogan "Never been breached?" Just one incident and you'll need a new slogan...