It does, from a technical aspect, yes.
Where SaaS providers have a problem is with the legal aspect. Here's a good example, and I'll apply it to here in the US (check local laws/regulations for similar laws in your home country).
True, hashes mean that the SaaS provider can't even read or decrypt those hashes to reveal your passwords. That is a good thing. But let's again ask the question: Does the password - let alone the password hash - at the SaaS provider belong to you, or to the SaaS provider? According to the Facebook rule*, it belongs to the SaaS provider.
*Facebook went to court over the question of if Facebook owns any data that a user has and uploads to their platform. The courts agreed, so currently the law states that the person/business/entity who is in physical possession of that data is the owner of that data.
So as it has been judged that the SaaS provider owns the passwords and password hashes that are in their physical possession, they can do whatever they please with those passwords and hashes. Legally, they could delete them, sell them, whatever they want with them, as they are the owners of it. Granted, they have entered a legal contract with the customer that binds them to what they can do with that data, but the situation exists. However, when that contract is terminated, the SaaS provider is still in legal ownership of that data, to do with it whatever they please. So while they may not be able to decrypt that hash, they would still have some entry (read: metadata) into where that password may be applied; so who says they couldn't try to use that username and password at the site in question, to gain access to whatever is there, after the contract with the user has ended? Again, those issues still abound.
Now, take ownership of that data, and apply it to any investigation of the user. In the US, our 4th Amendment to our Constitution protects us from any illegal searches and seizures, by making sure that the government requires a warrant to get hold of our possessions. Well, as proven above, we don't own the passwords we store at a SaaS provider; the provider does. As they would be 3rd party to that investigation, a warrant to get your data from that provider would NOT be required, circumventing that user's 4th Amendment rights. It can simply be handed over with a subpoena. Making it worse, a subpoena does not have to be asked for by the police; any Clerk of the Court could write up their own subpoena, and ask a judge to sign off on it. The problem with that: every lawyer is a Clerk of the Court.
So let's apply this to a decent hypothetical example. a person who lives in the US named Fred is being investigated by the police for fraud. Fred uses Dashlane for his online provider to store his passwords. Through a subpoena (banks are a 3rd party), they get access to his bank account, and discover high figure transactions from the place reporting fraud activity leaving his account and going to another account that is online only, as well as a monthly transaction for Dashlane.
The Authorities subpoena Dashlane for his vault, and get it (again, 3rd party). The authorities then either on their own, or asking Fred for his password to his vault, obtain that password, get access to the vault, find the bank account that is the destination of those high figure transactions, and see that it is in the same amounts that were claimed from the original fraud complaint, tying Fred to the entire crime.
Yes, Fred then waived his 5th Amendment right when he provided them with the password, but you can see where having your passwords stored at a SaaS provider can cause a person to not be protected by all of their rights granted to them by law. Sacrificing those rights for the sake of convenience is the question that needs to be asked, and if it is worth it. People can say "well, I have nothing to hide!", but that is a poor excuse because if that situation exists for one person, it would exist for every person, regardless of if they have anything to hide or not.
BL.
strongboxsafe.com
