Security analysis of Dashlane

A security analysis was performed in May 2016:

  • Security Analysis of Dashlane by Paolo Gentili, Sarah Shader, Richard Yip, Brandon Zeng

That analysis attempts to look for largely the same types of vulnerabilities as the Li et al. paper cited in the question. They looked for XSS attacks, but found none. They were also able to bypass Dashlane's device authentication feature. Overall, they found Dashlane to be quite secure.

They analyzed Dashlane version 4.1.1. Dashlane has since been updated to version 4.6.8.


Anything that stores your password on an online server outside of your control is to be considered insecure; there is no valid reason for your entire password collection to leave your home network.

The software your online password manager service uses (this doesn't only apply to Dashlane) is most likely closed source; you know nothing about their security procedures, nor whether your passwords are really encrypted or just sitting in a passwords.txt file.

Second, their encryption - let's assume they use industry standard crypto that isn't flawed, and the key is your password hashed with a computationally expensive hash to prevent brute force... looks great, right? But what if a rogue sysadmin, developer or attacker gained access to the server? While he can't directly decrypt the database, he can modify the code that handles logging in to capture your password and wait for you to log in. Also, you may not be a high-profile target and no attacker would waste his time compromising you, but here the attacker instead aims to compromise the entire password manager service to get the passes for all users, not just you.

Then there's law enforcement: they can almost always force the company to disclose your passwords; if the databases are encrypted they'll probably use the approach stated above and wait for you to log in. While passwords for most online services aren't of much value, since law enforcement can also force them to disclose your data, passwords for services in other countries (where L.A. has no authority) or for your servers/encrypted drives are very valuable to them.

Now compare that to a KeePass database stored locally on a possibly encrypted hard drive, where an attacker would have to either physically steal the machine (and then brute force any disk encryption and the database's password), alter it (add a keylogger and wait for you to log in and decrypt the password DB), or remotely compromise it, which isn't worth his time if you aren't a high-profile target and is often difficult.
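The vault model the answer above sketches (key derived from the master password with a computationally expensive hash, database stored as ciphertext) in runnable form, as an added example that is not Dashlane's or KeePass's code. It uses scrypt from the Python standard library for the slow derivation and, because the standard library has no AEAD cipher, an HMAC-SHA256 counter-mode keystream with a separate authentication tag as a stand-in (an assumption for illustration only; a real product would use AES-GCM or ChaCha20-Poly1305). The scrypt parameters are likewise assumed, not any product's settings.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt work factors (illustrative, not any product's real settings).
# 128 * r * N bytes of memory per guess: 16 MiB here, so each brute-force
# attempt costs the attacker both CPU time and RAM.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Expensive password-to-key derivation; this runs on the client, so the
    server only ever stores the salt and the resulting ciphertext."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def _subkeys(key: bytes) -> tuple:
    """Split the derived key into independent encryption and MAC keys."""
    enc_key = hmac.new(key, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag; nothing in it reveals the
    master password without re-running the slow derivation per guess."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the password is wrong or the stored
    blob was tampered with (the tag check fails in both cases)."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed sample vault content.
    vault = b"example.org: correct-horse-battery-staple\n"
    blob = encrypt_vault("master pass", vault)
    assert decrypt_vault("master pass", blob) == vault
    assert decrypt_vault("wrong pass", blob) is None
    print("stored blob is", len(blob), "bytes; server sees no key material")
```

Everything here runs on the client; a server holding only the blob must pay the scrypt cost for every password guess. It also makes the answer's main caveat concrete: the code that receives `master_password` is exactly what a compromised service or a keylogger would alter, so the protection only holds while that code is trusted.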