Slashdot Mirror


LogMeIn To Acquire LastPass For $125 Million (lastpass.com)

An anonymous reader writes: LogMeIn has agreed to acquire LastPass, the popular single-sign-on (SSO) and password management service. Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.

100 comments

  1. Will Use Neither by Anonymous Coward · · Score: 1, Insightful

    LastPass got their ass handed to them in the not-so-distant past. No, thank you. Having a company that collects passwords now marrying a company that handles remote logins. Hmmm... What could go wrong?

    1. Re:Will Use Neither by kullnd · · Score: 2

      Meh, I feel they handled that "breach" pretty well...

      That being said, I fear LogMeIn is going to destroy LastPass.

      --
      +++ATH0 NO CARRIER
    2. Re:Will Use Neither by Gaygirlie · · Score: 4, Insightful

      Having a company that collects passwords

      The quoted part never sat right with me, I've always felt somewhat icky about the idea of giving out all of my passwords to a company-controlled service. I don't know if it is rational to be wary of them or not, I certainly haven't heard of them doing anything nefarious or anything to earn it, but passwords and usernames are just so damn important that I just don't know if I'd want to hand the whole damn treasure-trove out to an unknown 3rd-party. I've always used Keepass 2.x to store my passwords -- the password-database is always in my control, and there are good, open-source apps for Keepass-databases for Windows, Linux, Android et al.

    3. Re:Will Use Neither by JustAnotherOldGuy · · Score: 1

      Having a company that collects passwords now marrying a company that handles remote logins. Hmmm... What could go wrong?

      Nothing, absolutely nothing could possibly go wrong.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    4. Re:Will Use Neither by Anonymous Coward · · Score: 0

      FOSS != security

    5. Re:Will Use Neither by Anonymous Coward · · Score: 1

      I thought that they were encrypted and that their servers never touch the unencrypted usernames and passwords.

    6. Re:Will Use Neither by Anonymous+Psychopath · · Score: 3, Insightful

      Meh, I feel they handled that "breach" pretty well...

      That being said, I fear LogMeIn is going to destroy LastPass.

      They did handle it well. Preaching to the choir a little bit, but LastPass has always responsibly disclosed threats, usually to their own detriment because most of their customers can't be bothered to understand how security is supposed to work (hint: it should be designed to withstand a breech). The breech only provided worthless data to the attackers. Brute-forcing is hard, and assuming we were all smart enough to change our master passwords, the attackers only got old, useless passwords in return for all their efforts.

      Meanwhile, everyone ran around saying KeePass on Dropbox is far better, because open source is magically more secure (it can be, but that doesn't mean it is), and Dropbox gets compromised almost annually.

      I know I probably sound like I work there or something, but I'm just a happy user. I hope LogMeIn doesn't fuck it up. I don't really know anything about them.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    7. Re:Will Use Neither by Anonymous+Psychopath · · Score: 4, Informative

      Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    8. Re: Will Use Neither by cyber-vandal · · Score: 1

      Breach*

    9. Re:Will Use Neither by sexconker · · Score: 1

      KeePass IS better. It's far more functional and far more customizable.
      Throwing a KeePass database on Dropbox is secure even if Dropbox exposes the database.

      I find it hilarious that you bitch about people who don't understand that LastPass's breaches meant nothing, yet you go on to imply that Dropbox's breaches are a problem for people using it for KeePass databases.

    10. Re:Will Use Neither by thaylin · · Score: 1

      It is funny. LastPass openly stated they don't know the extent of the data that was taken, just that they feel it was not much, yet you think that is handled well?

      --
      When you cant win, ad hominem.
    11. Re:Will Use Neither by jimbo · · Score: 3, Insightful

      Meh, people are so often binary. Unfortunately the world isn't as simple as "A is far better than B". While I prefer the way KeePass handles its data, the various browser plugins handling form data (inserting/extracting) seem much inferior to Lastpass. Using it in a browser is my main use case.

      I really want to use KeePass but it'll need to be a bit smoother in browsers first. I'm sure it will be.

    12. Re:Will Use Neither by sexconker · · Score: 2

      There is no such thing as two-factor encryption for cold data.

      Using a keyfile and a password is the same thing as using a complex password. You just know one and you have the other and you chain them.
      The same for using a password and thumbprint hash. Anyone who has the encrypted data and knows how it's encrypted can feed it the password and hash.
      These are functionally no different than a single complex password - there is nothing "two factor" about it. And in many cases this type of layering can make it much easier for attackers to break ur shit.

      Consider someone using 7-Zip to encrypt their "Secret My Little Pony Costume Design" directory.
      1 layer of encryption using "aj29dn(3nb1A3n+d,c^D" is much better than 4 layers using "aj29d", "n(3nb", "1A3n+", and "d,c^D". The smaller passwords will be cracked almost instantly, and each one gets them 25% of the way to your shit. The full password will take ages to crack and it has to be done all or nothing.

      You only want to layer passwords if your password's entropy exceeds the length (in bits) of the output of your encryption algorithm (or really, length minus one bit).
      It's far more common to increase the number of rounds than it is to layer, but if you suspect an algorithm may be compromised it may make sense to use multiple layers with different algorithms. Layering also makes it easier to slap on plausible deniability and steganography.

      Temporal passwords (RSA clocks) require a verification step by an arbiter. These are vulnerable to DoS attacks and MITM attacks, as well as all the usual "LOL HACKED UR DB AND GOT UR SHIT" attacks. Anyone with the seed of your particular authenticator app / dongle can generate those temporary codes and get access from the arbiter.
      These kinds of passwords aren't there to protect the actual stored data, but control access to it. Anyone who gets the data will be able to try to decrypt it as usual.

      For a temporary password to be considered a secondary layer of encryption, the data must be decrypted (temp pw layer only) and reencrypted each time that temporary password changes, AND you must ensure all previous copies of the decrypted AND encrypted data are destroyed (you can't do this if you hand the decrypted file to the user for them to decrypt the inner layer). You generally don't do this for cold data, you do it for live communication across an untrusted channel, such as the internet.
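The work-factor argument in the post above (one long password versus the same symbols split across independently checkable layers), as an added example that is not code from the post or from any product mentioned in the thread. It assumes a constructed 10-digit alphabet so the exhaustive searches finish instantly, and it models "does this password open this layer?" as a hash comparison, which is the same yes/no signal a nested archive gives an attacker. The formulas take any alphabet size, so the 95-symbol printable-ASCII case is covered too.

```python
import hashlib
import itertools
import math
import string
from typing import Sequence

# Constructed toy alphabet: 10 digits, so the exhaustive searches below finish instantly.
# Real passwords draw from ~95 printable ASCII symbols; the formulas accept any size.
DIGITS = string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def worst_case_single(alphabet_size: int, length: int) -> int:
    """Guesses needed to exhaust one password that must be right all at once."""
    return alphabet_size ** length


def worst_case_layered(alphabet_size: int, length: int, layers: int) -> int:
    """Guesses needed when the same symbols are split over `layers` nested passwords
    and each layer can be confirmed correct on its own (as with nested archives)."""
    if length % layers:
        raise ValueError("length must split evenly across layers")
    return layers * alphabet_size ** (length // layers)


def _opens(secret: str) -> bytes:
    """Stand-in for "does this password open this layer?". A real archiver gives an
    equivalent yes/no signal; here it is a hash the search can compare against."""
    return hashlib.sha256(secret.encode()).digest()


def count_guesses_single(password: str, alphabet: str = DIGITS) -> int:
    """Exhaust the whole password as one unit; return how many guesses it took."""
    target = _opens(password)
    for n, cand in enumerate(itertools.product(alphabet, repeat=len(password)), 1):
        if _opens("".join(cand)) == target:
            return n
    raise ValueError("password is not in the search space")


def count_guesses_layered(segments: Sequence[str], alphabet: str = DIGITS) -> int:
    """Exhaust each layer on its own and sum the guesses: only one short segment
    has to be right at a time, so the layers never multiply, they only add."""
    total = 0
    for seg in segments:
        target = _opens(seg)
        for n, cand in enumerate(itertools.product(alphabet, repeat=len(seg)), 1):
            if _opens("".join(cand)) == target:
                total += n
                break
        else:
            raise ValueError("segment is not in the search space")
    return total


if __name__ == "__main__":
    full, parts = "7391", ["73", "91"]          # constructed sample secrets
    print("single 4-digit password: worst case", worst_case_single(10, 4),
          "guesses; this one took", count_guesses_single(full))
    print("two 2-digit layers:      worst case", worst_case_layered(10, 4, 2),
          "guesses; these took", count_guesses_layered(parts))
    print("entropy of a 20-char printable-ASCII password: %.1f bits"
          % entropy_bits(95, 20))
```

With the sample values, exhausting the single 4-digit secret costs up to 10,000 guesses, while the same digits as two 2-digit layers cost at most 200: the layers add instead of multiply. The `entropy_bits` helper is what you compare against a cipher's key length when deciding whether a second layer can add anything at all.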

    13. Re: Will Use Neither by Anonymous Coward · · Score: 0

      Does Keepass work on Linux, iOS, Windows Phone, and at companies that block cloud-based storage like Dropbox? Does it have two-factor authentication?

    14. Re:Will Use Neither by BradleyUffner · · Score: 1

      There is no such thing as two-factor encryption for cold data.

      Using a keyfile and a password is the same thing as using a complex password. You just know one and you have the other and you chain them.

      That's the very definition of 2 factor authentication. The 3 factors are Something you know, Something you have, and Something you are.

    15. Re: Will Use Neither by wernercd · · Score: 1

      Versions I use:

      iPhone: https://itunes.apple.com/us/ap...
      Android: https://play.google.com/store/...
      Windows: https://ninite.com/keepass
      Linux: http://keepass.info/help/v2/se... - Mono supported

      More versions (official and unofficial at: http://keepass.info/download.h... )

      Without access to Dropbox, you could use others: OneDrive, Google Drive, Box, etc... what's available largely depends on what's allowed (or just not blocked yet). Also, options MIGHT be expanded with plugins: http://keepass.info/plugins.ht...

      Keepass allows plugins... one of which has Two Factor: http://keepass.info/plugins.ht... - I've never used it, so I'll leave it up to you. Other options exist at the plugins link above.

    16. Re:Will Use Neither by The-Ixian · · Score: 1

      Indeed. This is the reason I use and love RoboForm. It runs on every platform and integrates very well with every major browser.

      --
      My eyes reflect the stars and a smile lights up my face.
    17. Re:Will Use Neither by wernercd · · Score: 1

      Or so the NSA has forced them to lead you to believe... gotta love those "be quiet or be crushed" letters that don't require a judge's seal.

    18. Re:Will Use Neither by Anonymous+Psychopath · · Score: 1

      What I was trying to point out is that there's no practical difference between unauthorized access to either LastPass or KeePass, meaning that there's no real security advantage either way.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    19. Re:Will Use Neither by Anonymous+Psychopath · · Score: 1

      It is funny. LastPass openly stated they don't know the extent of the data that was taken, just that they feel it was not much, yet you think that is handled well?

      "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

      https://blog.lastpass.com/2015...

      That looks pretty specific to me.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    20. Re:Will Use Neither by sexconker · · Score: 1

      That "very definition" is used incorrectly by so many people, including you. When you're slapping it into a call to an encryption/decryption function, it's ALL effectively "something you know". A thumbprint hash is just data, so is a keyfile, so is the output of an RSA clock at any time. Security "experts" tried to model this off of physical security principles, but they don't translate over. That doesn't stop them all from parroting "something you know, something you have, and something you are hurr derp", though.

      Something you HAVE and something you ARE need to be verified by some authority that controls access. It's like buying pseudoephedrine at the drug store. They ask for something you HAVE (your driver's license), and they verify it to a reasonable extent. Without an active arbiter, you can only use something you KNOW. Imagine buying pseudoephedrine on Amazon. That something you HAVE becomes something you KNOW because all you can do is type in your driver's license number, state, and expiration date. At the drugstore, they expect a physical card with a photo that looks like you and a magstripe that swipes with valid data. They can also physically see if you look like a tweaker who's got the shakes because they need another hit.

      You can try to use automated arbiters, but they're vulnerable. A thumbprint scanner can be tricked into scanning a fake thumb or someone else's thumb, or it can be bypassed completely if you know the output it gives for your target thumb. A car with a breathalyser can be tricked by having someone else, or a raccoon, blow into it (that story was fake by the way - http://www.inquisitr.com/24605... ). Or, again, if you know what the breathalyser outputs on a good blow you can bypass it entirely.

      You can try to use remote arbiters. A typical example is a security camera and a remote person monitoring and unlocking doors and shit. You can attack the camera, dress up as the target, put a photo of the empty hallway over the camera so that's all it sees, whatever. For an apartment gate/door with an intercom and a "buzz me in" system, you can pretend to be anyone to anyone who can buzz you in, or you can click the button a bunch and make the sound distorted and someone will just fucking buzz you in to make it stop, or you can always attack the gate.

      Something you KNOW is the only thing you can use without an arbiter, because the mere knowledge of that thing is what constitutes valid access.
      Something you ARE and something you HAVE require an arbiter for verification, otherwise the mere knowledge of those things can be used to masquerade/forge the thing that you ARE/HAVE. Automated and remote arbiters are better than nothing, but their automation/remote nature make them less able to verify the ARE/HAVE to the same degree an active and present arbiter can.

      The most common "two factor" authentication systems in place are RSA clocks and one-time passwords sent via SMS.
      No one verifies that you have and own that dongle with seed XYZ or that the specified phone number belongs to you. They verify that you know the code the dongle output or that you know the code they send you. Knowing either isn't very hard, and you can attack on either end.

      RSA clocks: Attack the database that has the seeds and generate your own valid codes willy nilly. Steal the dongle. The easiest, however, is to pwn the target's device / MITM the target's network connection. When they're doing shit intercept the code and use it in your own attack (they all have pretty wide validity windows to account for clock skew, time for users to type it in, latency and processing time, etc.) This is why many places now require you to input two separate codes to disable the dongle - a victim will typically not provide 2 codes within a short time span. Of course this is pointless as the attacker can spoof a message to the victim s

    21. Re:Will Use Neither by chihowa · · Score: 4, Informative

      Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

      So they claim, but since you're using black-box software provided by them to access your passwords that's a pretty specious claim. If the current binary that they provided to you doesn't harvest your access keys, the next one very well could (and most certainly would if their lives depended on it).

      Marketing claims may provide some hint at utility, but they shouldn't be conflated with an actual measure of security.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    22. Re: Will Use Neither by Anonymous+Psychopath · · Score: 1

      Noted

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    23. Re: Will Use Neither by Anonymous Coward · · Score: 0

      Or you can set up your own cloud via OwnCloud. That way, you control the server with your files. That's something that Raspberry Pi can do, IIRC.

    24. Re:Will Use Neither by vux984 · · Score: 1

      Bingo. Zero knowledge encrypted storage service providers of pretty much any stripe all suffer from the same flaw:

      You are trusting them to provide you the software you are entering your decryption keys into when it's time to decrypt anything.

      How do you know that software doesn't send them the keys? You don't.
      Even if it doesn't, today, and they send you an update, how do you know the update doesn't send them the keys? You don't.

      And if you are using a web based service... they don't even have to send you a client update; you get the latest 'client' pushed from the website automatically every time you login. Did you audit all that javascript to make sure it wasn't sending your key up? Did you compare the javascript served to you today to the javascript you audited yesterday?

      It fundamentally requires that you trust them not to steal your keys, and that you continue to trust them each time you visit their site / or update the client.

      Your best solution to achieve real security is to use one provider for storage (doesn't really matter who...dropbox or google or use the NSA directly if you like), and do the encryption and key management yourself; ideally using audited open source code.

      Nothing is perfect, even this. And I could go on and on about how to further mitigate risks to your client side solution. But it's a lot better than simply trusting your storage provider.
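The "did you compare the javascript served to you today to the javascript you audited yesterday?" check from the post above, as an added example; this is not code from the thread, from LastPass or from LogMeIn. It records a Subresource-Integrity-style digest for each script you reviewed and flags any later change, addition or disappearance before you type a master password into that page. The script bodies, the function names inside them and the `/js/vault.js` path are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict

# Constructed sample: the vault-unlock script as it looked when it was reviewed.
# The function names and the '/js/vault.js' path used below are hypothetical.
AUDITED_SCRIPT = b"""
function unlockVault(masterPassword, vaultBlob) {
  const key = deriveKey(masterPassword);
  return decrypt(key, vaultBlob);
}
"""

# Constructed sample: the "same" script a day later with one added statement.
# Whether that change is benign is exactly what a tripped pin makes you go and check.
CHANGED_SCRIPT = b"""
function unlockVault(masterPassword, vaultBlob) {
  const key = deriveKey(masterPassword);
  reportUsage(key);
  return decrypt(key, vaultBlob);
}
"""


def sri_digest(script: bytes, algo: str = "sha256") -> str:
    """Digest in Subresource Integrity notation, e.g. 'sha256-<base64>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only defines sha256, sha384 and sha512")
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def matches_pin(script: bytes, pin: str) -> bool:
    """True if the served bytes hash to the digest recorded at audit time."""
    algo, _, _ = pin.partition("-")
    return hmac.compare_digest(sri_digest(script, algo), pin)


def pin_set(scripts: Dict[str, bytes]) -> Dict[str, str]:
    """Record pins for a set of reviewed scripts: done once, right after the audit."""
    return {path: sri_digest(body) for path, body in scripts.items()}


def check_served(pins: Dict[str, str], served: Dict[str, bytes]) -> Dict[str, str]:
    """Compare every served script with its pin.
    Returns path -> 'ok' | 'changed' | 'unpinned' | 'missing'."""
    report = {}
    for path in set(pins) | set(served):
        if path not in pins:
            report[path] = "unpinned"   # a script you never reviewed is now being served
        elif path not in served:
            report[path] = "missing"    # a reviewed script is no longer served
        elif matches_pin(served[path], pins[path]):
            report[path] = "ok"
        else:
            report[path] = "changed"    # re-review before entering a master password
    return report


if __name__ == "__main__":
    pins = pin_set({"/js/vault.js": AUDITED_SCRIPT})
    print(check_served(pins, {"/js/vault.js": AUDITED_SCRIPT}))
    print(check_served(pins, {"/js/vault.js": CHANGED_SCRIPT, "/js/extra.js": b"x"}))
```

This is a pin you keep on your own side, which is the point of the post: the `integrity` attribute a site puts on its own `<script>` tags is set by the same party that serves the script, so it cannot answer the question here. A `changed` or `unpinned` result is a signal to re-read the script, not proof of bad intent; legitimate updates trip it too, and that cost is what makes the check meaningful.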

    25. Re:Will Use Neither by Anonymous Coward · · Score: 0

      Two Factor authentication is not about making it harder to brute force attack, it's about making it harder to compromise the password itself (i.e. through social engineering). Even if you fall for a social engineering attack and hand them your "something you know", they still need to lift your fingerprint from something, or get your physical keyfile to completely compromise it via this vector. It's about raising that bar for compromising the user side as opposed to brute forcing it.

      Though as a bonus the "something you have" or "something you are" can be turned into a really complex 'password' so that it's easy to remember/use, but produces a 'password' which is much harder to brute force than anything you could memorize. You are correct that at the end of the day it all boils down to effectively "something you know" but the point behind this is that it is NOT trivial to figure out the "something you know" without the "something you have", or successfully performing a much more complicated attack on the system. Attacking the database which houses the seeds for an RSA key (or physically stealing the RSA key, or MITM the network so you can steal the key after it was entered) AND convincing someone to hand over their known password is much more challenging than just having to get someone to hand over their password.

    26. Re: Will Use Neither by TechyImmigrant · · Score: 1

      +KylePass for my macbook.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    27. Re: Will Use Neither by Redbehrend · · Score: 1

      I enjoy roboform, they say everything is encrypted client side so even if there was a breach they wouldn't have viable info. I think the only thing they use credentials for is licensing a basic profile and sync.

    28. Re: Will Use Neither by Anonymous Coward · · Score: 0

      KeePass is free and open source. It will work on anything you want it to.

    29. Re: Will Use Neither by Anonymous Coward · · Score: 0

      Just go look.

    30. Re: Will Use Neither by Anonymous Coward · · Score: 0

      Can it auto-fill game launcher logins? Can it auto-fill Android app logins, both as in-app fields and browser-based? Can it automatically detect address and/or credit card and/or bank routing fields and appropriately fill those automatically? Nope. LastPass is vastly more capable than any alternative. LogMeIn better not fuck it up.

    31. Re:Will Use Neither by el_chicano · · Score: 1

      It's like buying pseudoephedrine at the drug store. They ask for something you HAVE (your driver's license), and they verify it to a reasonable extent. Without an active arbiter, you can only use something you KNOW. Imagine buying pseudoephedrine on Amazon. That something you HAVE becomes something you KNOW because all you can do is type in your driver's license number, state, and expiration date. At the drugstore, they expect a physical card with a photo that looks like you and a magstripe that swipes with valid data. They can also physically see if you look like a tweaker who's got the shakes because they need another hit.

      You are an idiot. You do know that you need to process pseudoephedrine to turn it into meth? That the amount of pseudoephedrine needed to make meth is a lot more than you get at a drugstore? That most "tweakers" are consumers, not producers?

      The laws "controlling" pseudoephedrine are nothing but security theater, it is a hassle for consumers yet it has not affected the supply of meth out there. The people making meth buy barrels of the stuff and not at your local drug store.

      After saying stupid stuff like that it is very easy to discount any "computer security" knowledge you claim to have. You should have just stuck with a car analogy and have people think you are a moron rather than saying shit like this and proving it to the world.

      --
      A man who wants nothing is invincible
    32. Re: Will Use Neither by Anonymous Coward · · Score: 0

      Waaaaaaahhhhhhhh! Something is different.

  2. Get ready for high pricing by kullnd · · Score: 2

    They are talking about combining it with the Meldium product? Look at the pricing on that. It starts at 24/month

    I just took a $120 chance and added 10 years to my subscription... Figure they can't jack up my prices for 10 years if I already paid for it. $120 isn't too much to lose if they make the product unusable (which is a possibility with these a**holes).

    --
    +++ATH0 NO CARRIER
    1. Re:Get ready for high pricing by pushing-robot · · Score: 2

      In fairness Meldium starts at 20 users for $24/mo.

      Not that it matters for me as I've been burned by LogMeIn's user-hostile behaviour in the past. I don't trust them, and I sure as hell won't trust them with my passwords.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:Get ready for high pricing by Anonymous Coward · · Score: 0

      jacked prices or stripped features coming for lastpass.. it wouldn't be the first time lmi pulled that shit after acquiring a product.

    3. Re:Get ready for high pricing by kullnd · · Score: 2

      I don't trust LogMeIn in the least, but I trust the methods used by LastPass with my passwords. I only hope they do not make changes to the architecture that makes Lastpass the trustworthy platform that it is today.

      --
      +++ATH0 NO CARRIER
    4. Re:Get ready for high pricing by Anonymous Coward · · Score: 0

      I've been using Roboform for years. I have the everywhere product, thumbdrive, computer, etc.. It works well, but I think it's a little pricey at $20/yr. Then again, I have 500 distinct passwords.

    5. Re:Get ready for high pricing by Shatrat · · Score: 5, Funny

      It doesn't seem to have worked for logging you into Slashdot, though.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    6. Re:Get ready for high pricing by pushing-robot · · Score: 1

      Meldium's security FAQ is a joke:

      In order to provide app management and automatic login, Meldium must store some of your sensitive information on our servers. For user management, we may store your API keys, your username and password, or an OAuth credential.

      A limited set of Meldium employees have access to the secure fleet and the master encryption keys

      Due to the architecture of our system, it is technically possible for a Meldium employee to gain access to your secret data. As a matter of corporate policy, this kind of access is forbidden.

      I, too, hope LastPass will be able to maintain their passion in the face of LogMeIn's corporate culture, but when it comes to security I will not trust to hope.

      --
      How can I believe you when you tell me what I don't want to hear?
    7. Re:Get ready for high pricing by kullnd · · Score: 1

      I would consider them having "master keys" to be unacceptable. I really hope this is a feature they side with the LastPass methods on.

      --
      +++ATH0 NO CARRIER
    8. Re:Get ready for high pricing by The-Ixian · · Score: 1

      Hello fellow RF user.

      The Everywhere product was a major reduction in price but it then became a subscription. Even still, I am happy to pay for it. It is one of the most used pieces of software I have.

      --
      My eyes reflect the stars and a smile lights up my face.
    9. Re:Get ready for high pricing by Anonymous Coward · · Score: 0

      LastPass is a mediocre product. Their terrible UI is 10 years out of date, and there are plenty of alternatives. Why would you plunk down for another 10 years?

    10. Re:Get ready for high pricing by Anonymous Coward · · Score: 0

      LMI is not above editing plans and removing features in a version you've already paid for. Read some of the BBB complaints.

    11. Re:Get ready for high pricing by FredyFerry · · Score: 1

      I feel pretty happy now with Sticky Password for $19.99 per year

  3. Passwords passed around by rodrigoandrade · · Score: 1

    I used one of these password services back in the day. Coincidentally, the one I used (Xmarks, which started as a browser plug-in) was later acquired by LastPass, which is being acquired by another company.

    I wonder if my passwords would be safe during all these M&A's when the buyer eventually turns out to be a little less than ethical (what if it gets bought out by a Chinese company?), not to mention all the technical possibilities of data leak while integrating all the infrastructure.

    1. Re:Passwords passed around by Overzeetop · · Score: 1

      If they're unsafe it's too late now. Putting your passwords in a cloud service is like putting nude pictures online. Nobody may want to look at them, but they're out there forever, and somebody has them backed up somewhere.

      It depends on whether they ever had the keys to unlock them or they were all locally encrypted (barring the whole "they lied and stored your password anyway" tin foil hat argument).

      --
      Is it just my observation, or are there way too many stupid people in the world?
  4. Wah wah... by jeremiahstanley · · Score: 1

    Damn, I like the free version of LastPass... a lot. I do not like any of the services that LogMeIn offers (I've run the office account).

    Sooooo /. hivemind... are there any alternatives to LastPass out there?
    Any strong words re: https://www.dashlane.com/passw... ?

    1. Re:Wah wah... by Nemyst · · Score: 3, Informative

      The alternatives I hear most about seem to be 1Password and KeePass.

    2. Re:Wah wah... by I'm+just+joshin · · Score: 3, Informative

      I use KeePass (http://keepass.info) or a compatible app and keep my data file synced in OwnCloud. Using Dropbox instead worked fine too.

    3. Re:Wah wah... by Dr_Barnowl · · Score: 1

      +1 for a local password safe program and Dropbox.

      Password Safe 3 for me : you can get compatible programs for Windows, and Android, and Linux (I use the eponymous apps for Windows and Android and Pasaffe on Linux).

      Open source, and you control your own encryption key.

    4. Re:Wah wah... by DaTrueDave · · Score: 1

      Do either of those generate strong passwords, track password changes, and keep encrypted form fills?

    5. Re:Wah wah... by Mike+Van+Pelt · · Score: 1

      Before I went to LastPass, I tried first pwsafe, then KeePass. pwsafe (at the time) wasn't cross-platform enough, but I liked it enough better than KeePass that I was in the process of moving everything back to pwsafe, and just using it from a windows virtual box on Mac and Linux. Then I read a tear-down report on LastPass by a professional paranoid that convinced me that it was plenty secure enough, switched to it, and I've liked it best of all.

      I sure hope Logmein doesn't ruin it.... (crossing fingers, toes, and eyes.)

      Now, Android support is a non-negotiable, as is the automatic syncing across all devices that use it. I see that KeePass now has multiple Android versions, so OK on that score. Saving the DB on Dropbox or equivalent... maybe that could be workable, but I don't see it being nearly as automatically transparent as LastPass's syncing.

      Waiting to see how this shakes out...

    6. Re:Wah wah... by gstoddart · · Score: 3, Informative

      Second keepass as I've used it for work for several years.

      Copy around your own encrypted database. Don't entrust some damned service with your passwords.

      There's several variations on this kind of thing. No subscription, and nobody else has your passwords.

      It's also got a really nice feature where it can put your password into the paste buffer for only 10 seconds or so, and then it disappears.

      Using a web-based service to track your passwords seems more dangerous than useful to me.

      --
      Lost at C:>. Found at C.
    7. Re:Wah wah... by Anonymous Coward · · Score: 2, Informative

      KeePass meets all 3 of those requirements.

    8. Re:Wah wah... by Anonymous Coward · · Score: 0

      +1 for Keepass+OwnCloud. On mobile devices you can keep things synced via its webdav support - Keepass2Android on Androids and KyPass on iOS support it natively.

    9. Re:Wah wah... by kullnd · · Score: 1

      Lastpass doesn't "have my passwords" any more than DropBox has your passwords if that's where you store your encrypted data.

      Just pointing that out...

      --
      +++ATH0 NO CARRIER
    10. Re:Wah wah... by DiSKiLLeR · · Score: 1

      I love keepass and used it for many years. But the biggest problem is it's pretty much Windows only as it's written in .Net.

      it worked - terribly - under Linux and was almost useless. And I never managed to get it to run under OS X. :(

      --
      You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
    11. Re:Wah wah... by Opyros · · Score: 3, Informative

      The Unix port is called KeePassX, and it works quite well under Linux, MacOS, the BSDs, etc.

    12. Re:Wah wah... by mhkohne · · Score: 1

      With regards to syncing via Dropbox:
      It's not quite as spiffy as having the passwords stored on the far end of the wire, but I use DropSync on my Android devices, and I keep its 'sync on change' feature activated (whenever a file changes locally, it gets pushed to the Dropbox ASAP), and then run the Dropbox client on windows boxes and it's been great. You will have some lags between Android devices (DropSync has a timer to control how often it checks for stuff to download), but Windows is pretty much instant, as the Dropbox client is always in contact.

      One big advantage to using the replication rather than keeping everything remote is that if I hit a spot and my phone can't get a net connection, I've still got all this stuff stored locally, so I'm not out of commission just because I'm out of contact.

      --
      A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    13. Re:Wah wah... by Anonymous Coward · · Score: 0

      If lastpass captures the submitted credentials, they could decrypt and store all your passwords stored in it with no indication it had happened. With dropbox, you don't run the same risk unless they're running a keylogger, which is more difficult than intercepting credentials.

      I once set up logging to address a problem on a secured site we were running and only realized as it was running that I had unintentionally just given myself visibility to every username and password as it was being used. I turned it off and shredded the log files, but there is no guarantee someone running LastPass couldn't do the same intentionally. In fact, you don't have any way to prove they haven't already been doing that for the last year.

      Keyloggers are a bit more difficult to install, but that doesn't mean that installing DropBox can't be also installing a keylogger. Any closed source software you install has that potential, so you have to be careful who you trust. Even open source software you don't compile yourself has that potential. Even open source software you compile yourself using code you wrote yourself with a compiler you didn't write yourself has that potential.

      It always boils down to trust unless you build your own computer from components you build from scratch and program it with software you review and compile yourself from a compiler you build yourself... and as far as I can tell that's never been done. Even then it probably boils down to trust because who can trust themselves to build all that and not make a mistake some other bright individual might be able to exploit?

    14. Re:Wah wah... by Anonymous Coward · · Score: 0

      Yes.

    15. Re:Wah wah... by Anonymous Coward · · Score: 0

      Dashlane is another... I have used KeePass as well, but Dash is much more polished.

    16. Re:Wah wah... by Mousit · · Score: 1

      KeePass is free and open source, and easy to use. Its interface is fairly basic, but it gets the job done. It can generate strong passwords, it has a password strength checker, some fairly decent management and organization options, etc. It's aimed primarily at Windows but it can function in Linux and BSD (including OS X) under Mono, and fully supports this. We use this at my workplace and it serves its purpose.

      However, I personally am a fan (and long-time user) of 1Password, which is my vault of choice. It's got a highly polished and very easy to use interface, very active development, it's cross-platform Windows, OS X, iOS, and Android. It has plug-ins for all the major web browsers. It supports a range of features KeePass lacks, and also some third party support (like DropBox, for keeping your vault synced over all devices). It's also got a good community--I've found a few bugs myself, and the developers were very accessible and responsive to my posts in their 1P forum they have available for such things. The only downside with 1P, of course, is that it is not free nor is it open source (though the schema and design of their vault file format is fully open and documented, and has been audited in the past). However, I think it is worth its price, and I'm happily a paid user.

    17. Re:Wah wah... by Mike+Van+Pelt · · Score: 1

      LastPass keeps a local copy of the encrypted password DB, so if it can't connect, it will use the local copy. Though, really, if you don't have a network connection, what are you going to do with the password? For me, the main feature there was, if lastpass.com were to go away forever without warning, or get acquired by someone truly evil, I've still got all my passwords.

    18. Re:Wah wah... by Anonymous Coward · · Score: 0

      Damn, I like the free version of LastPass... a lot. I do not like any of the services that LogMeIn offers (I've run the office account).

      Sooooo /. hivemind... are there any alternatives to LastPass out there? Any strong words re: https://www.dashlane.com/passw... ?

      I use Sticky Password by Lamantine Software, a Czech company. It uses a locally encrypted data base with option for additionally encrypted sync to other devices. However I also keep my Keepass database fully up to date just in case they do something to piss me off. My main complaint about Sticky is their lack of a decent manual, not good enough for a security program.

      https://www.stickypassword.com/

    19. Re:Wah wah... by Anonymous Coward · · Score: 0

      Second keepass as I've used it for work for several years.

      It's also got a really nice feature where it can put your password into the paste buffer for only 10 seconds or so, and then it disappears.

      Using a web-based service to track your passwords seems more dangerous than useful to me.

      I prefer to use obfuscated auto-type on KeePass instead of the paste buffer. If you're using Firefox there's also the KeeFox addon which works most of the time, but not quite as well as the auto-fill functions on most of the paid PW programs.

    20. Re:Wah wah... by Anonymous Coward · · Score: 0

      Second keepass as I've used it for work for several years.

      Thirded. I keep mine inside of a truecrypt / veracrypt partition. If somebody can compromise two strong passwords to get to my password vault that means my system OR myself with a $5 wrench is owned already.

    21. Re:Wah wah... by FredyFerry · · Score: 1

      Or Sticky Password is a good one too

  5. Book'em dano by goombah99 · · Score: 2

    On Hawaii 5-0, Lo Mien is the arch underworld rival of Lo Fat. Log Mein is what I see in my toilet.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  6. 15 million in payments to "key" employees. by Anonymous Coward · · Score: 0

    Read that as 15 million in golden parachutes. Your rank and file software engineer that did all of the real work won't get shit.

  7. Unfortunate Acquisition by Anonymous Coward · · Score: 0

    I was a free user of LogMeIn and was burned by their decision to offer no warning or grace period when they decided to discontinue free service. I am a happy LastPass customer, but I will now be looking around for other password alternatives.

  8. Oh great by JustAnotherOldGuy · · Score: 1

    Now ALL your passwords can be compromised in one hack.

    Say "hello" to progress!

    --
    Just cruising through this digital world at 33 1/3 rpm...
  9. Disappointed and concerned by Anonymous Coward · · Score: 0

    I'm a LastPass user and I trusted LastPass. It didn't occur to me that they would sell out for what I assume makes them rich. I am only vaguely familiar with LogMeIn. I don't know much about their company values, but so far what I'm reading is not good. I'm very concerned how this will affect my privacy and password security.

  10. This just in! by Anonymous Coward · · Score: 1

    LastPass Free will no longer be available and instead move entirely to a monthly subscription service for only $15 a month. Oh Premium was $12 a year? No worry! Our professional customer support that you'll never need more than make up for this 1500% increase in price!

    1. Re:This just in! by Anonymous Coward · · Score: 0

      Next up, to address the fairness disparity between grandfathered Premium users paying $12 a year and Free users paying $15 a month, Premium users will now be paying $30 a month. Now everyone will be happy.

  11. Just another product now by wh1pp3t · · Score: 1

    I like(d) LastPass a lot. But my problem is that it is now another product. When it was its own company, LP put 100% behind the one flagship product. Now, LP is "another" product and will receive resources based on value to the owner.

  12. Password Schemes password schmemes. by Anonymous Coward · · Score: 1

    Yes.
    It is called a Simple or Complex and Unique Long Password System, or SCULPS for short. (patent pending, pls no steal)

    Take a sentence, a quote if you will. Take out important word(s), replace it with something unique to you.
    Now, take away the spaces and replace the spaces with a number unique to you. (so1something2like3this4)
    Congrats, you already have a password better than LastPass passwords and just as random, and will NEVER be brute-forced with any brute-forcing library as long as you are alive and the sentence is at least 5 reasonably average sized words with a number that isn't 1234 or pi.

    Now comes the unique part, if you want to add extra security by preventing same-password-use-itis.
    easy route: You can go the easy route and use any random word assigned to a website. This is easier, but it is also easier to forget since it isn't based ON the name. Example words could be a funny person related to the website, or someone well-known and loved/hated (apk ).
    Or it could be some funny word people have come up with and use, or something you have come up with.
    harder route: Take your service / website name, condense it to 2 character groups of letters based on major components of the word or something similar, just make it smaller. (Facebook = fabo, slashdot = sldo, google = goog)
    You can, if you want to, use the full name, but I wouldn't.
    Now you can add a number on the end of that. Say, the same condensed name encoded using the standard phone number grid.
    Harderer route: As above, now split the alphabet into groups. Say, A-G, H-M, N-S, T-Z. Arrange that into a 2x2 grid.
    On top axis, add letters. On left axis, add numbers. Recreate your (condensed) service name based on the axes in whatever direction you prefer.
    All left then all top (xxxx,yyyy), left-top left-top (xy,xy,xy,xy) etc., or whatever you want.
    You could even be some mad-man and try to use a grid cell for each separate number and letter. (punctuation as well, but as you know, some password schemes are awful and don't allow them)

    So, using the above on hardest:
    Mary Had A Little Lamb Little Lamb -> Mary Had A Massive Phone Massive Phone
    Remove spacers and replace with number: 3.14159 (skipping point) -> Mary3Had1A4Massive1Phone5Massive9Phone
    Gridify it: Slashdot (SLDO), with 01 and GP on the axis, 1001GPGG.
    Mary3Had1A4Massive1Phone5Massive9Phone1001GPGG.
    I think that is right. Should be. I am eating so I might have made a mistake.

    There are various other ways you can do stuff with this, making it simpler or harder to fit your needs.
    You could make the sentence as long as you can be bothered to make it. (as long as it isn't one of those pesky limited password length crap services, which automatically tells you their server-side DB is probably insecure as hell)
    You can go as low or as high with the grid separation as you are capable of remembering. For the love of god don't forget this part; use the phone number grid if you aren't confident enough, or a similar grid-ified system.
    You could even go full paranoia, requiring you to actually sketch down your grid scheme for things you actually consider super ultra turbo secure, like bank information or something.
    You could even go Captain Paranoid and write an equation that spits out your password number, or grid, or similar.
    This is Slashdot damn it, the more pointlessly complex and paranoia-fuelled, the better!
    Of course, another thing you could do is use this system to encrypt your lastpass passwords and become the King of Paranoialand.

    warning: will not work for people with low imagination or memory skills. Any attempt to use this will lead to blackholes and doom. DON'T DO IT.

  13. KeePass vs LastPass by irrational_design · · Score: 1

    For those who have experience with both KeePass and LastPass (ideally on iOS and OS X), how do they compare? Is KeePass as tightly integrated into the browsers in both ecosystems as LastPass is?

  14. Sucks. by Anonymous Coward · · Score: 0

    This supremely sucks. LogMeIn is trash. LastPass is now trash. Just spent months convincing management to switch to LastPass only to have this happen. Why dammit? WHY!?

  15. All your password belong to us by frovingslosh · · Score: 1

    What a nice story about how all the passwords that were entrusted to LastPass are being sold to LogMeIn. Of course, there will be less fanfare when the story is " NSA To Acquire LogMeIn For $200 Million ". Or maybe that already happened.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  16. That hardly matters by frovingslosh · · Score: 2

    Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

    That hardly matters. Consider what a password is, it is a way to get into an account. What you really care about is that others can't access your accounts, not that they can't unscramble all of the hashes and find out the perverted strings that you used to create your passwords. So if LastPass can be sold to LogMeIn or to the Chinese or to the N.S.A. then they have bought a way to get into your "protected" accounts. It really doesn't matter if they can retrieve the silly little strings that you think protect you or not.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:That hardly matters by Anonymous+Psychopath · · Score: 1

      Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

      That hardly matters. Consider what a password is, it is a way to get into an account. What you really care about is that others can't access your accounts, not that they can't unscramble all of the hashes and find out the perverted strings that you used to create your passwords. So if LastPass can be sold to LogMeIn or to the Chinese or to the N.S.A. then they have bought a way to get into your "protected" accounts. It really doesn't matter if they can retrieve the silly little strings that you think protect you or not.

      Can you explain how LastPass would be able to retrieve your passwords to do as you suggest, keeping in mind that they lack the ability to decrypt your data without resorting to brute-force?

      --
      Eagles may soar, but weasels don't get sucked into jet engines.

    2. Re:That hardly matters by Anonymous Coward · · Score: 0

      They don't. There's no reason for them to have to decrypt the vault, just that it be decrypted. The correct way to do it would be to encrypt and decrypt it on the client side with encrypted bits being sent to the client.

      The relevant question about sites like Lastpass is whether or not you can trust them to actually be doing everything on the client side and whether or not the software is secure.

    3. Re:That hardly matters by frovingslosh · · Score: 4, Insightful

      If LastPass was only a place that you stored an encrypted file that you created yourself and could only give it back to you in encrypted form, then what you say could be argued. The argument might or might not hold up, but it could be argued.

      But if you are using LastPass software on your own machine to do the encrypting and the decryption of the passwords and then logging in to sites that you want to be secure, then you have given up control.

      If you are too trusting to understand this, replace "LastPass" with "Chinese" or "N.S.A." in the above and read it again.

      --
      I'm an American. I love this country and the freedoms that we used to have.
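
    The two replies above draw the line in the right place: the service only needs the vault to be decrypted somewhere, not to decrypt it itself, so the question is where that "somewhere" is and who wrote the code running there. The following is an added illustration of that model, not LastPass's code and not any poster's. It assumes a hypothetical StorageServer that stores opaque blobs, a constructed PBKDF2 iteration count, and an HMAC-SHA256 counter-mode stream with encrypt-then-MAC standing in for the AEAD a real client would use; the sample vault and account names are constructed.

```python
import hashlib
import hmac
import json
import secrets

# PBKDF2 work factor for this illustration only (assumption); real managers use
# far higher counts or a memory-hard KDF such as Argon2 or scrypt.
ITERATIONS = 100_000


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into an encryption key and a MAC key.
    Only the salt is ever uploaded; the master password never leaves the client."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream. Illustration only: a
    production client would use an AEAD such as AES-GCM or XChaCha20-Poly1305."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, entries: dict, salt: bytes) -> dict:
    """Client side: encrypt-then-MAC the vault. The returned blob is all the server stores."""
    enc_key, mac_key = derive_keys(master_password, salt)
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, blob: dict) -> dict:
    """Client side: check the tag in constant time before decrypting anything."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch: wrong master password or tampered blob")
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


class StorageServer:
    """Hypothetical service operator's view: opaque blobs per account, no keys, no master password."""

    def __init__(self):
        self._blobs = {}

    def put(self, account: str, blob: dict) -> None:
        self._blobs[account] = blob

    def get(self, account: str) -> dict:
        return self._blobs[account]

    def try_read(self, account: str):
        """The operator's best effort without the master password: any guess fails at the tag check."""
        try:
            return open_vault("", self._blobs[account])  # empty guess stands in for any wrong guess
        except ValueError:
            return None


def client_fill_login(master_password: str, server: StorageServer, account: str, site: str) -> str:
    """The client that auto-fills a login necessarily handles the plaintext: this
    function, not the server, is where trust in the software actually matters."""
    return open_vault(master_password, server.get(account))[site]["password"]


if __name__ == "__main__":
    # Constructed sample vault; the salt is random per account.
    server = StorageServer()
    vault = {"slashdot.org": {"user": "alice", "password": "correct-horse-battery-staple"}}
    server.put("alice@example.com", seal_vault("my master passphrase", vault, secrets.token_bytes(16)))
    print("server can read:", server.try_read("alice@example.com"))
    print("client fills:", client_fill_login("my master passphrase", server, "alice@example.com", "slashdot.org"))
```

    Two properties are worth checking for any manager, not just this toy: the server-side blob must verify before it decrypts (so a tampered or swapped blob is rejected rather than silently filling a wrong password), and the only code that ever sees plaintext is the client binary and browser extension, which is exactly the component an acquisition changes ownership of.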
  17. Worth WHAT? by Anonymous Coward · · Score: 0

    How can a product or service that maintains people's passwords possibly be worth 110 million dollars? How many people are using any paid services from them other than some enterprises?
    All it would take is some integration of a similar function in an OS and a cloud piece and that $110 is wiped out in one year. MySpace all over again.

    1. Re:Worth WHAT? by Anonymous Coward · · Score: 0

      Indeed. I've been in IT for just about 20 years. I have more passwords in my head than the average person, currently about 32. I can easily remember them all. I neither want nor need the likes of LastPass, KeePass, any of them.

    2. Re:Worth WHAT? by reve_etrange · · Score: 1

      Unfortunately, your passwords are weak. Good managers like LastPass, KeePass, etc. allow all of those passwords to be 30-character random strings using all symbol types.

      --
      .: Semper Absurda :.
    3. Re:Worth WHAT? by irrational_design · · Score: 1

      I just checked and I have 228 passwords in my lastpass account. All of them are random strings of numbers, letters, and symbols. Less than 1% of them have less than 30 characters (due to lame restrictions imposed by certain websites that only allow short passwords). Your 32 passwords are probably used on more than one site. None of mine are duplicated. You may not want it, but you really do need a password manager.
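
    The two replies above rest on a quantity that is easy to compute: a password chosen uniformly at random from an alphabet of N characters carries length * log2(N) bits, and "all symbol types" over printable ASCII gives N = 94. The following added example (not from any poster or product) generates such a password from the CSPRNG and computes that figure; the guess rate used for the worst-case enumeration time is a constructed parameter, not a measurement.

```python
import math
import secrets
import string

# Character classes an "all symbol types" policy expects to see.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 26 + 26 + 10 + 32 = 94 characters


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True when at least one character from every class is present."""
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def generate_password(length: int = 30) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, never random),
    rejection-sampled so every class appears. Rejection keeps the distribution
    uniform over the accepted set, unlike 'pick one of each class, then shuffle'."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Worst-case time to enumerate the whole keyspace at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(30)
    bits = entropy_bits(len(pw))
    print(pw, f"{bits:.1f} bits", f"{years_to_exhaust(bits):.2e} years at 1e12 guesses/s")
```

    Note what the calculation does not cover: a site that truncates or caps length (the "lame restrictions" mentioned above) reduces the figure linearly with the characters it drops, and the number says nothing about a password that was merely typed from memory, since its distribution is not uniform.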

  18. Re:Ooohhh I like! by Anonymous Coward · · Score: 0

    No, log meln. But I'm partial to kindling meln myself.

  19. Who'd use them anyway for anything important? by Anonymous Coward · · Score: 0

    There's a stupidly high amount of noise vs signal here but I suppose it's worth an attempt.

    Don't use online 'password keepers'. That's just stupid. Really.

    If you care about your information and/or privacy and want to keep it safe use strong encryption in travel and rest and don't trust anything you don't immediately control. Granted that if you're living in a 1st or 2nd world country these days that's almost nothing. Continuing...

    Rotate at least 12 digit complex passwords/passphrases enough. Use programs like PasswordSafe or KeePass if you're going to sneaker. Rotate the passwords even more often if you're going to cloud the already seriously encrypted db.

    Yubikeys are your friend if you have any resources to enable network services securely. Keyfiles on trusted devices for trusted devices are another option obviously.

    Meh - this is getting lots more complex than 'give all my passwords away' that anyone using some services are doing already, so adieu!

  20. layers upon layers by Anonymous Coward · · Score: 0

    I like the way LastPass stores your data in an encrypted blob that is decrypted at the client side.
    I have a ridiculously tough passphrase seeded with noise, so I don't expect anyone other than nation states to be able to crack it.
    My KeePass data is stored on a Veracrypted USB volume.

    Satisfied with both methods so far. If LastPass gets expensive I can fall back on KeePass. I just like being able to sync without dropping the blobs into my general use cloud services.

  21. Bastards! by Anonymous Coward · · Score: 0

    LastPass was successful because of our money and our trust! They took that money and trust and plan to sell it. We should demand that they do not merge with LogMeIn. Write them letters, send them emails, tweet at them. Send the message: we are the reason you are successful. Don't Sell Us Out! #LastPassDontSellOut

  22. Great news by FredyFerry · · Score: 1

    Good news there are still other alternatives like Sticky Password (http://www.stickypassword.com) or Roboform.

  23. Alternatives by Anonymous Coward · · Score: 0

    "Intuitive Password" online password manager is one of the alternatives. Easy-to-use and the best user interface ever!

    1. Re: Alternatives by DavidJones8462 · · Score: 1

      Intuitive Password: www.intuitivepassword.com

  24. Alternatives by DavidJones8462 · · Score: 1

    I use Intuitive Password online password manager. It's a web-based password manager and your data is securely stored in the datacenter. With Intuitive Password, you can easily access your data at any time, anywhere. It works on all devices without installation.