Back in June, in the wake of the Heartbleed bug, I called for some sort of system to allow users to change passwords on a service automatically. My wish has mostly come true.
On Monday, password manager company Dashlane announced a system for automatic changes of passwords. They have a list of sites for which the feature works. At the moment (Wednesday morning) the page has 78 sites.
Then on Tuesday, Lastpass made the same announcement. They claim support for 75 sites.
The timing of the announcements was certainly a bit strange, but in retrospect it's not surprising that more than one company was working on the same thing. Perhaps they just saw what I saw, that there was a need for this feature. The theory with Heartbleed was that so many important sites had been vulnerable for so long that you had to presume that they had been compromised. Once the site updated their OpenSSL, you were to change all your passwords. I doubt many people actually did this.
My proposal was for a standard web API, and I still think that would be the best, most elegant way to do it. The only practical way would be for some large company, like Microsoft or Google, to create the API, commit to supporting it on their own and then give it away to some standards body with no strings attached. Or perhaps if it came from a more platform-agnostic company like Amazon it would be more politically acceptable to software companies.
That's not the approach Dashlane and Lastpass are taking. They are scripting the web interface to the password change, automating the HTTPS transactions where possible and requesting input from the user where necessary, such as if a CAPTCHA is presented. This strikes me as a hack, but it's the right and only way to do it absent some sort of standard. And it would be necessary in any case in order to automate systems that didn't support the standard.
I think this feature is even more exciting when you consider it in the context of a managed enterprise IAM/password management system. Properly administered, this should allow the organization to automatically change everyone's passwords on just about any service. Very cool.
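As an added illustration of what such scripted password changes look like under the hood (this is example code, not Dashlane's or LastPass's implementation), the driver below automates a site's login and change-password forms, pauses for the user only when the site answers with a CAPTCHA, verifies the new password by logging in again, and only then commits it to the vault. The site is a constructed in-memory mock with hypothetical `/login` and `/account/password` endpoints standing in for real HTTPS requests. The detail a practitioner would want is the ordering: the new password is written to the vault as "pending" before the change is submitted, so an interrupted run can recover the account instead of locking the user out.

```python
"""Client-side password rotation against a scripted web flow (added example)."""
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Optional


def generate_password(length: int = 20) -> str:
    """New password generated locally with the OS CSPRNG; nothing leaves the machine."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class MockSite:
    """Constructed stand-in for a site's HTTPS endpoints (hypothetical, not a real
    service). It mimics a login form and a change-password form that re-renders
    with a CAPTCHA the first time it is submitted."""

    def __init__(self, username: str, password: str, show_captcha: bool = True):
        self.username, self.password = username, password
        self.show_captcha = show_captcha
        self.captcha_answer = "7x4q"          # what the user would read off the image
        self.sessions = set()
        self.change_log = []

    def post(self, path: str, data: dict):
        """Return (HTTP status, parsed response) the way a real client would see it."""
        if path == "/login":
            if data.get("user") == self.username and data.get("password") == self.password:
                token = secrets.token_hex(8)
                self.sessions.add(token)
                return 200, {"session": token}
            return 401, {"error": "bad credentials"}
        if path == "/account/password":
            if data.get("session") not in self.sessions:
                return 403, {"error": "not logged in"}
            if data.get("current") != self.password:
                return 400, {"error": "wrong current password"}
            if self.show_captcha and data.get("captcha") != self.captcha_answer:
                return 200, {"captcha": "image-id-42"}   # form re-rendered with a CAPTCHA
            self.password = data["new"]
            self.change_log.append(data["new"])
            self.sessions.clear()                          # many sites drop sessions on change
            return 200, {"changed": True}
        return 404, {}


@dataclass
class VaultEntry:
    username: str
    password: str
    pending: Optional[str] = None   # new password submitted but not yet confirmed


def rotate_password(site: MockSite, entry: VaultEntry,
                    ask_user: Callable[[str], str]) -> str:
    """Change `entry`'s password on `site`, calling ask_user() only when the site
    demands human input (the CAPTCHA case). Returns the password now in effect."""
    status, resp = site.post("/login", {"user": entry.username, "password": entry.password})
    if status != 200 and entry.pending:
        # A previous run may have changed the site password and crashed before the
        # vault was updated; the pending value is the recovery path.
        status, resp = site.post("/login", {"user": entry.username, "password": entry.pending})
        if status == 200:
            entry.password, entry.pending = entry.pending, None
            return entry.password
    if status != 200:
        raise RuntimeError("login failed: %s" % resp.get("error"))
    session = resp["session"]

    new_password = entry.pending or generate_password()
    entry.pending = new_password      # persisted BEFORE the change is attempted

    form = {"session": session, "current": entry.password, "new": new_password}
    for _ in range(3):
        status, resp = site.post("/account/password", form)
        if status == 200 and resp.get("changed"):
            break
        if status == 200 and "captcha" in resp:
            form["captcha"] = ask_user("Solve CAPTCHA %s: " % resp["captcha"])
            continue
        raise RuntimeError("change rejected: %s" % resp.get("error"))
    else:
        raise RuntimeError("too many CAPTCHA attempts")

    # Prove the new password works before committing it to the vault.
    status, _ = site.post("/login", {"user": entry.username, "password": new_password})
    if status != 200:
        raise RuntimeError("new password not accepted on re-login; pending value kept for recovery")
    entry.password, entry.pending = new_password, None
    return new_password


if __name__ == "__main__":
    site = MockSite("alice", "old-pw")
    entry = VaultEntry("alice", "old-pw")
    print("rotated to", rotate_password(site, entry, input))
```

Run stand-alone, the script prompts on the terminal when the mock site presents its CAPTCHA, exactly the point at which the real products hand control back to the user. In an enterprise deployment the `ask_user` hook is what an administrator would replace with a ticket or a push notification.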
Here's Dashlane's automation process:
Notice that Dashlane hides the actual web session, presenting only a progress indicator and opening a dialog box to ask for any necessary user input.
Lastpass takes a different approach: They open a new browser tab and you can see the entire password change transaction as it happens. Lastpass points out that this ensures that your unencrypted passwords don't leave your system. It's your computer, not theirs, which performs the work. The implication is that Dashlane's system does move your passwords to their servers and performs the change from there, but this is not necessarily true.
For now, both companies call the feature beta. Dashlane makes the download for "early access" big and obvious on their home page, whereas Lastpass's "Try Beta Software" page says "Sorry, there is no beta software available at this time."
I have been testing Dashlane for several days and the password change feature seems to work well. I will have a more complete review of Dashlane in the next few days.