The Dashlane two-step
YubiKey isn't always reliable
By Harold Glicken
When it comes to cyber safety, a second line of defense could make the difference between being hacked and surfing safely, especially if all it takes is a unique password and an inexpensive device called the YubiKey to keep consumers and businesses safe.
I’ve begun using the YubiKey, a slimmed-down thumb drive, to complement my password program, Dashlane, which I use to manage all my sign-ons, user names and unique passwords.
First, a word about passwords:
If you’re among the millions of Americans who are victims of identity fraud, one reason you’ve been targeted is that the passwords you use are ridiculously easy to hack. Anyone who uses “password1234” for all the websites he visits is asking for trouble. Without a second line of defense you’re toast.
A typical first line of defense is Dashlane, a password program I’ve been using for several years. Dashlane will generate passwords like “^%$3&0)(+” that are nearly impossible to hack. It also will keep track of the passwords you already use – but it will warn you that “password1234” will open you up to the kind of grief that will keep you on the phone for hours, probably days, trying to straighten out your financial and other accounts. If you’re wondering why Amazon is sending you receipts for stuff you didn’t order or receive, and the charges are showing up on your credit card statement, you’ve been hacked. Change your password, and do it quickly. In fact, let Dashlane do it for you. And let it generate new, unique passwords every week for all the websites you use.
You’re probably wondering how in the world you can remember a password like “^%$3&0)(+”. Not to worry. When you launch Dashlane, you enter a master password that only you know. If you forget that password, you’re in deep trouble, because even the folks at Dashlane can’t retrieve it for you.
Dashlane records your passwords as you go along. It will remember your user name and password for Amazon, your bank and just about any other website. After that, you need only click on an impala icon at the top of your screen, scroll down to Amazon, for example, and it enters your user name and password and signs you in to the site. Dashlane can enter your credit card information – but only if you give it your master password – and fill out the blanks, such as name and address, in forms.
Dashlane can be installed and passwords synced on your Windows PC, Mac, phone and tablet. Each time you call up the program, you have to enter the master password, and each time a new device is activated you’ll get a code by email that will unlock the account. That’s enough to discourage most hackers, but, like any other security program, it’s not foolproof.
If you’re convinced that Dashlane is for you, there’s still the issue of the master password – what if it gets hacked?
The solution is two-factor authentication, a nerdy term that means you have a second level of security. That’s where YubiKey comes in.
Dashlane has partnered with Yubico, which manufactures a collection of USB keys that can be programmed easily to act as a second line of security defense. You can’t launch Dashlane or any other program or website without your master password and the YubiKey.
If you don’t want to pay between $18 and $50 for a YubiKey, you also can download a free Google or similar authentication app for your phone and generate numerical pass codes to sign on to Dashlane. But I like the key -- when it works, which in my tests didn't always happen.
The YubiKey is about the size of a very thin thumb drive. It plugs into a USB slot on a PC or Mac, and when I leave my desk, I log out of Dashlane and take the key with me. Even if someone knows my master password, they can’t launch the program without the YubiKey. When I return to my desk, I type the master password, insert the YubiKey, tap on it, and Dashlane launches.
But after writing my initial review, I encountered problems with the YubiKey, and despite several sessions with tech support, the key still is flaky. A tech said they are working on the problem I'm having, but even a workaround Dashlane sent me didn't solve the problem. I recommend using the phone app authenticator instead.
To get a free authenticator, go to your phone’s app store and search for “authenticator.” After scanning a bar code that Dashlane and other programs provide, the Google authenticator generates a series of numbers that essentially do the same thing as the YubiKey does – unlock Dashlane or other programs and websites.
The company says YubiKeys work with dozens of other programs and websites, including Facebook, Google, Symantec, Dropbox and other password programs such as KeePass. Dashlane has both free and paid versions; the latter has many more features. It costs $40 a year, and is well worth it. The YubiKey also is supposed to work with Android phones; an Apple version is in the works. Tech support is by email. Questions are answered promptly. Solutions are another matter.