Dashlane Publishes Password Manager Source Code

The password manager provider Dashlane has made the surprising announcement that the source code for its mobile app has been released on GitHub, in what the company claims is the first step in a push to make its platform more transparent. The source code for both its Android and iOS apps has now been published on GitHub, along with the code for its Mac and Apple Watch apps, with the code for the web extension due to similarly be published at some point in the future.

Initially, the source code has been released for auditing purposes only, which will allow anyone to check the code for errors and see how the password manager works under the hood; although the company has not yet taken the step to permit the public to re-use the code in their own applications, and contributions t the code are not currently being accepted.

Dashlane said it is considering accepting contributions from third parties directly in GitHub, which will allow the open source community to participate in the development of its password manager. The source code has been released under the Creative Commons Attribution-NonCommercial 4.0 license, which means the code can be used by others for non-commercial purposes, although Dashlane says that some elements of the code have not been made public. “you won’t be able to build your very own Dashlane with this code -we’re sharing the recipe, but we had to leave out a few of the ingredients that make it our own,” explained Dashlane.

Dashlane says the decision to open up its code provides several benefits, arguably the most important of which is to build trust through transparency. Publishing the code will allow anyone to discover more about the algorithms used and the logic behind the password manager, and will allow coders to peruse the code to search for possible vulnerabilities and participate in its bug bounty program.

“We also believe in a more open digital world in which developers can easily participate and connect with each other. This is our contribution to this ambition and another step in that direction,” said Dashlane. “There’s also an internal side benefit to sharing our code base publicly: it forces our engineering team to level up on the quality of the code, to make it cleaner, and to ensure it’s readable. We would not want to share code we cannot be proud of, even though all code includes some level of tech debt and legacy content.”

Dashlane was founded in 2009 and developed a password manager that its customers can use to generate strong passwords, store them securely in an encrypted vault, and autofill them when they are needed. While initially targeting the consumer market, Dashlane launched a business-focused solution in 2016. The password manager has proven popular, helped by a free tier for personal use that provides many of the features of the premium version, albeit only on one device. The password manager has also proven popular with businesses, with the company now amassing more than 20,000 business customers worldwide, including Pepsico, Wayfair, BainCapital, and ClickUp.

Over the past few months, password managers have come under increasing scrutiny following a messy data breach at LastPass that at first was reported as a breach of its developer environment, but later turned out to be much more extensive, with an undisclosed number of customers’ encrypted password vaults stolen. More recently, security researchers reported on a ‘vulnerability’ in the KeePass Password manager, which allows the entire password database of a user to be exported in plaintext, although the vulnerability is disputed by KeePass, which refuses to fix it, saying that it is not a vulnerability.

There have also been reports of password manager users being targeted. First came Norton LifeLock, with the announcement that customers’ accounts had been accessed by unauthorized individuals, not through a breach but a credential stuffing campaign. Then Bitwarden announced that its customers were being targeted through malicious adverts. These two campaigns have nothing to do with the security of the password managers, as no data breaches occurred. They do demonstrate that password manager users need to still follow password management best practices and be wary of scams. Bitwarden is a Dashlane competitor that is already open source. The company takes great pride in transparency, and the security benefits of having its source code open and available to be checked by anyone. This, along with the data breach at LastPass, may have been a factor in the decision of Dashlane to release its source code.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news