

Review my startup: Automate registration, sign-in and checkout. - hyyypr

Dashlane is an app for both Mac and PC: the idea is to have a very secure app where you can store all sorts of data (addresses, phone numbers, credit cards, passwords, etc.) and browser plugins that allow you to use this data without having to type it in. Our concept is further described in this video here: https://www.dashlane.com/en/epiphany

Several key points about our security:

- Each Dashlane user has a master password, solely used to encrypt data locally, and another key for each device, used for authentication against Dashlane’s servers.

- The Master password is derived using more than 10,000 PBKDF2 rounds with a 32-byte random salt to produce the encryption key used to encrypt the user’s data locally. The encryption algorithm used is AES-256 (CBC mode).

- Neither the Master Password nor any derivative of it is ever sent to or stored on our servers, nor locally on your computer. When synchronized, personal data are sent encrypted to our servers.

If you are interested in details about our security, here's a white paper that explains in technical words exactly what we do: https://www.dashlane.com/download/Security-Whitepaper-Final-Nov-2011.pdf

Anyway, I would love to have HNers testing our product, so I have 300 invites for those who would be interested: https://www.dashlane.com/hackernews.

Please let me know what you think about it; the Dashlane team and I would be happy to talk with you.
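
The key handling described in the post above, as an added example that is not part of the original post and not Dashlane's code: PBKDF2 with a 32-byte random salt feeding AES-256-CBC, run locally so that only the encrypted blob is stored or synced. The PBKDF2 hash (SHA-256), the HMAC tag, the blob layout and the names `deriveKeys`, `sealVault` and `openVault` are assumptions of this example.

```javascript
const crypto = require('crypto');

// Parameters from the post; the PBKDF2 hash (SHA-256) is an assumption.
const ROUNDS = 10000;  // post: "more than 10,000" rounds, so treat this as a floor
const SALT_LEN = 32;   // 32-byte random salt
const IV_LEN = 16;     // AES block size
const TAG_LEN = 32;    // HMAC-SHA256 tag (this example's addition, not from the post)

// Stretch the master password into 64 bytes: an AES-256 key and a MAC key.
function deriveKeys(masterPassword, salt) {
  const okm = crypto.pbkdf2Sync(masterPassword, salt, ROUNDS, 64, 'sha256');
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

// Encrypt locally. Blob layout (assumed): salt || iv || ciphertext || tag.
// The password and the derived keys are never part of the blob.
function sealVault(masterPassword, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const { encKey, macKey } = deriveKeys(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const body = Buffer.concat([salt, iv, ct]);
  const tag = crypto.createHmac('sha256', macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}

// Returns the plaintext, or null for a wrong password or a modified blob.
function openVault(masterPassword, blob) {
  if (blob.length < SALT_LEN + IV_LEN + 16 + TAG_LEN) return null;
  const body = blob.subarray(0, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const salt = body.subarray(0, SALT_LEN);
  const iv = body.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const { encKey, macKey } = deriveKeys(masterPassword, salt);
  const expected = crypto.createHmac('sha256', macKey).update(body).digest();
  // Check the tag before decrypting: CBC alone does not reliably detect a
  // wrong key and does not detect tampering at all.
  if (!crypto.timingSafeEqual(tag, expected)) return null;
  const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, iv);
  const ct = body.subarray(SALT_LEN + IV_LEN);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

Without the right master password `openVault` has nothing to derive the keys from and returns `null`; a server holding only such blobs cannot reset or recover them.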
======
dahawi
So what happens if I lose / don't remember my Master password? If it's used
to encrypt my data I suppose you can't reset it?

~~~
hyyypr
Hey!

We have chosen a strong security architecture, so we have no way of decrypting
your data. If you lose your password, you're screwed. :)

~~~
dawson
I implemented a similar architecture, but within three weeks
<http://i.imgur.com/hfoyz.png> :)

~~~
Lenad
How are the users' master passwords encrypted? (because "one key to
encrypt them all" is a bit dangerous, isn't it?)

~~~
dawson
Some more information here <http://goo.gl/YlFkQ> but no, each data-key
(master) is unique to each user and stored outside of the application and
network in an encrypted store, also all PID is encrypted and non-associative.
Of course, I would prefer if users didn't want a restore option, however,
usability sometimes trumps security :) Lost your password == lost all your
data, just doesn't cut it with users IRL (I found).

------
juliennakache
Interesting guys. I've been waiting for something similar for a long time now.
Quick question though: how do you map all my information to the input fields
in each form. Do you kind of "crowdsource" it the first time a user comes
across a new form and manually fill it in?

~~~
hyyypr
Hey,

Good question. Actually we have a technology that semantically analyses the
webpage and determines the meaning of each element.

Basically it's a bottom-up approach, we first try to guess the meaning of an
element; then we take one step back and try to find contextual information
that helps us refine the meaning.

We thought about the crowdsourcing approach, but it requires that the first
few users have a shitty experience (because Dashlane isn't working as
expected on these sites). That's why we preferred a more generic approach.

~~~
juliennakache
You could have manually taken care of the most popular websites.

But it makes sense. Though, how do you deal with false positives?

~~~
hyyypr
Yes, we thought of that too, but the list of the most popular websites can be
long, and the frequency at which these websites change can also be high. So
it's nearly a full-time job.

We prefer to rely on our semantic backend, but if we implement a crowdsourced
method, I think it would be more to spare computing power than for the quality
of our results (which are already quite impressive).

------
landhar
Do you guys plan on keeping this service free? If yes, how do you plan to
monetize the service? By maintaining such high standards in terms of security
of the data, I assume that you're giving up on aggregating behavioural data
that could be very valuable for advertisers.

~~~
alexfogel
Hi,

Now we are focusing on adoption, but since we will have a huge impact on
conversion rates during checkout for ecommerce sites, we are convinced we can
add enough value for merchants to generate revenue when we have critical mass.

In the future we may add premium features, keeping most of the service
free for our users.

------
carver
I am a happy Roboform user, and haven't heard anything that entices me to
switch. Anything you want to add?

~~~
alexfogel
Hi,

Roboform and other password managers such as Lastpass were already available
when we decided to launch. I would say that the ambition of Dashlane is
different. Dashlane is not just about passwords, but we try to offer a new
experience on the web where there is no need to switch between keyboard and
mouse all the time. We have worked a lot on the user experience and everything
has been designed to be simple and convenient.

Dashlane is also very different when it comes to online shopping. Not only
does Dashlane make check-out much simpler but in addition Dashlane gives a
global history of every purchase in the app with many details. We really want
to be the simplest solution to manage personal data. Feel free to have a look
at our demo videos if you want more information:
<https://www.dashlane.com/en/tour#clicktopay>

