LastPass is a password manager program that enables you to create unique, random passwords for every site that you visit. It also has many other features that make it an attractive choice in the growing password manager marketplace.
But the news this week that LastPass was purchased by LogMeIn caused quite a stir on social networks, and equally lively commentary from security professionals.
Well-known security expert Troy Hunt has kindly created a full set of step-by-step instructions for those wishing to migrate from LastPass to 1Password.
But I feel the question that needs to be addressed is this: should we jump the LastPass ship, or hold?
The entire controversy seems to be one of trust, and the problem is that LogMeIn's reputation has been tarnished to the point that anything associated with it is considered equally untrustworthy.
However, in defense of LastPass, perhaps we are being too quick to judge.
On the Security Now show, Steve Gibson and Leo Laporte interviewed Joe Siegrist, the founder and CEO of LastPass.
Gibson has been a long-time supporter of LastPass, and has spent considerable time explaining why LastPass is his preferred password manager.
Siegrist explained that the LastPass team will remain unchanged and that he will remain at the helm. He stated that the only thing that will change with LastPass is the amount of resources available to further develop and improve the product.
Of course, any jaded victim of corporate mergers will listen to Joe Siegrist’s words with heightened suspicion. Will LastPass be able to maintain its integrity while operating in the orbit of LogMeIn? Is he just parroting “corporate speak” while he waits to cash in on his creation?
I am reminded of a quote attributed to Benjamin Franklin:
“It takes many good deeds to build a good reputation, and only one bad one to lose it.”
In the history of LastPass, they have been open and honest, even during security incidents that would have other corporations scrambling for cover. Their good deeds have earned them a solid reputation.
I am holding on to the confidence that the acquisition of LastPass by LogMeIn could serve to improve the LogMeIn operation. This could be one of those instances where the child teaches the parent how to be a better person.
10 comments on “Opinion: Maybe you shouldn’t junk LastPass just yet”
Zoho Vault offers free subscription to LastPass users.
For Individuals – Free Forever
For Businesses – Free for a year
Sound advice from everyone mentioned above, but as Leo Laporte states in that "Security Now" show, LastPass holds his "keys to the kingdom", which is the case for most users. That includes bank account PINs, Bitcoin wallet passwords and private PGP keys. We have to take the cautionary approach.
For me that has been to leave my LastPass vault in place for now, but to learn how to use other products. As an Ubuntu desktop user with several laptops, that has meant going open source. KeePass has been endorsed on Security Now, and there is plenty of documentation. I exported my LastPass vault as a CSV file and imported it into KeePass2. To sync the database I used Dropbox, but with a belts-and-braces approach. I have used ENCF to create an encrypted folder in Dropbox, then put my KeePass (also encrypted) DB in there. Five days on and it is working really well. To create autofill functionality in Chromium and Firefox I installed plugins. I Googled the Ubuntu instructions and soon worked it out.
I've removed the LastPass browser plugin for now and will try my new setup. If it fails to deliver I'll be forced back to LastPass, but my concern is that the LastPass rock solid TNO (Trust No One) encryption could be compromised at any time by a future plugin update, and I wouldn't know.
I agree with Steve Gibson who described Joe Siegrist as the "canary in the coal mine". If he leaves LastPass we should assume that something significant is going to change it for the worse. A corporate gagging clause will of course prevent him saying more, but that won't matter.
FUD. People in a panic without any facts. Right now sticking with Lastpass as they are one of the few that supports all of the computing platforms I use on a daily basis.
Steve Gibson is a charlatan. You should really know this because it is 100% true. Take his 'invention' (and 'implementation') of SYN cookies, for instance: his implementation is completely broken, and yet he claimed after all his 'research' that he had never heard of SYN cookies before. More lies.
Then there is the fact he was owned by a 13-year-old (I think it was a 13-year-old – can't recall). Then there is the fact his website claims things that aren't true or are fabricated (and/or misleading).
In short: anything Steve Gibson says about security is immediately highly suspect.
Edit: If you need sources here, try: http://web.archive.org/web/20070622061544/http://www.grcsucks.com/ (they refer to other sites too).
I've learned masses from Steve Gibson. I've learned nothing from coyote. Having a "sucks" website is a badge of honour which Steve, I'm sure, wears with pride. Great guy, great podcasts.
I'm a long time subscriber to LastPass Premium, and I love the convenience and the resilience they've shown to real-world hacking attempts. I was very dismayed when this merger was announced. I'm not jumping immediately, but I am definitely changing managers and deleting my store when my subscription is up, because I want a cross-platform solution and refuse to pay a dime to LogMeIn for any of their products. As Troy Hunt has shown numerous times, LogMeIn remote access programs are used extensively by "tech support" scammers, and LogMeIn won't make even the simplest changes to warn customers, which could really help to mitigate this scourge. As much as I believe in LastPass and in Joe himself, now that he's running a subsidiary of a larger corporation, he's ultimately not the person setting LastPass' direction any longer, no matter what verbal assurances he's been given. I really don't see him sticking around long term when he finally comes to realize that. I'm sorry, but based on LogMeIn's history, hoping Joe can "change the system from the inside" is just naive.
The news of the sale to LogMeIn hit me in the gut. Joe Siegrist's comment that it was a vocal minority who were poo-pooing the buyout by LogMeIn also hit me in the gut. I experienced the antics of LogMeIn, albeit only on the free version of their LogMeIn and also Hamachi. I did not, like others, suffer from LogMeIn implementing price increase after price increase on their remote control products, automatically charged to their credit cards. Nor did I have to deal with their CSRs, whom you have to phone in order to cancel one's account and listen to a spiel trying to keep you as a customer when you just want to close your account. There is no way of cancelling your LogMeIn account via the website, apparently.
Joe saying things will remain the same sounds like the same line that other LP staff have been repeating numerous times in their forums. The problem is that unless these terms are written into the purchase agreement, anything can happen. Does LP or LogMeIn have any legal obligation to give us warning if in fact they are about to change the way in which the cloud portion of LP operates? What if they change the way the encryption is done, or other programming that may have an effect on the security of our stored passwords? Does LMI have to notify all of their accounts of the upcoming changes? In other words, who is minding the hen house?
Saying that one will leave if Joe leaves LP is fine and well, but if that indeed happens it may be an indication that things had been brewing for a while and it got so bad that Joe just threw up his hands and said that was enough. By then the damage may have been done months ago. How are we to know? There is no security audit being performed on the software.
I also saw that with the other security software that LMI purchased a while back, I had heard that that product actually holds the master keys. Can anyone confirm whether in fact this is the case, because I can see LogMeIn merging the two product lines to reduce costs.
The LogMeIn purchase has a clause in which $15m is to be paid to key LastPass personnel if they meet certain milestones and retention rates. Why is the retention rate in there? I would have thought that if everything remained the same, the LP customers would not have any reason to leave LP.
Based on the above items I will no longer recommend LastPass to clients or friends. Like a couple of others here I am evaluating alternatives to LastPass as well.
Why is the retention rate in there?… perhaps, instead of the conspiracy theory DoubtingThomas suggests, it's a bonus for turning around the LogMeIn bad reputation and spinning it back to positive feelings.
I work in the venture industry. Retention requirements aren't unusual when companies are acquired; it will often look like: 1/3 equity, 1/3 cash, 1/3 earn-out (also paid in cash and dependent on specific performance).
I like Siegrist. He'll have to head the ship for my own personal use to continue at the very least, but I'm going to hold back from recommending LP for the time being, too. LogMeIn may have been a 'good deal' financially, but I agree with the sentiment they were a poor choice of partner. I'd like to think LP could've held out for better.
On the upside, when Siegrist leaves, I'll be watching his next move. He built this ship, and he seems likely to do it again.
Yeah but Gibson also said Truecrypt was still safe after the author abandoned it and warned everyone that it wasn't. Turns out Gibson was wrong because Truecrypt was recently found unsafe with some major problems.