Slashdot Mirror


LogMeIn To Acquire LastPass For $125 Million (lastpass.com)

An anonymous reader writes: LogMeIn has agreed to acquire LastPass, the popular single-sign-on (SSO) and password management service. Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.


  1. Get ready for high pricing by kullnd · · Score: 2

    They are talking about combining it with the Meldium product? Look at the pricing on that. It starts at 24/month

    I just took a $120 chance and added 10 years to my subscription... Figure they can't jack up my prices for 10 years if I already paid for it. $120 isn't too much to lose if they make the product unusable (which is a possibility with these a**holes).

    --
    +++ATH0 NO CARRIER
    1. Re:Get ready for high pricing by pushing-robot · · Score: 2

      In fairness Meldium starts at 20 users for $24/mo.

      Not that it matters for me as I've been burned by LogMeIn's user-hostile behaviour in the past. I don't trust them, and I sure as hell won't trust them with my passwords.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:Get ready for high pricing by kullnd · · Score: 2

      I don't trust LogMeIn in the least, but I trust the methods used by LastPass with my passwords. I only hope they do not make changes to the architecture that makes LastPass the trustworthy platform that it is today.

      --
      +++ATH0 NO CARRIER
    3. Re:Get ready for high pricing by Shatrat · · Score: 5, Funny

      It doesn't seem to have worked for logging you into Slashdot, though.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  2. Re:Will Use Neither by kullnd · · Score: 2

    Meh, I feel they handled that "breach" pretty well...

    That being said, I fear LogMeIn is going to destroy LastPass.

    --
    +++ATH0 NO CARRIER
  3. Re:Will Use Neither by Gaygirlie · · Score: 4, Insightful

    Having a company that collects passwords

    The quoted part never sat right with me, I've always felt somewhat icky about the idea of giving out all of my passwords to a company-controlled service. I don't know if it is rational to be wary of them or not, I certainly haven't heard of them doing anything nefarious or anything to earn it, but passwords and usernames are just so damn important that I just don't know if I'd want to hand the whole damn treasure-trove out to an unknown 3rd-party. I've always used KeePass 2.x to store my passwords -- the password-database is always in my control, and there are good, open-source apps for KeePass-databases for Windows, Linux, Android et al.

  4. Re:Wah wah... by Nemyst · · Score: 3, Informative

    The alternatives I hear most about seem to be 1Password and KeePass.

  5. Re:Wah wah... by I'm+just+joshin · · Score: 3, Informative

    I use KeePass (http://keepass.info) or a compatible app and keep my data file synced in OwnCloud. Using Dropbox instead worked fine too.

  6. Book'em dano by goombah99 · · Score: 2

    On Hawaii 5-0, Lo Mien is the arch underworld rival of Lo Fat. Log Mein is what I see in my toilet.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  7. Re:Wah wah... by gstoddart · · Score: 3, Informative

    Second KeePass as I've used it for work for several years.

    Copy around your own encrypted database. Don't entrust some damned service with your passwords.

    There's several variations on this kind of thing. No subscription, and nobody else has your passwords.

    It's also got a really nice feature where it can put your password into the paste buffer for only 10 seconds or so, and then it disappears.

    Using a web-based service to track your passwords seems more dangerous than useful to me.

    --
    Lost at C:>. Found at C.
  8. Re:Wah wah... by Anonymous Coward · · Score: 2, Informative

    KeePass meets all 3 of those requirements.

  9. Re:Will Use Neither by Anonymous+Psychopath · · Score: 3, Insightful

    Meh, I feel they handled that "breach" pretty well...

    That being said, I fear LogMeIn is going to destroy LastPass.

    They did handle it well. Preaching to the choir a little bit, but LastPass has always responsibly disclosed threats, usually to their own detriment because most of their customers can't be bothered to understand how security is supposed to work (hint: it should be designed to withstand a breach). The breach only provided worthless data to the attackers. Brute-forcing is hard, and assuming we were all smart enough to change our master passwords, the attackers only got old, useless passwords in return for all their efforts.

    Meanwhile, everyone ran around saying KeePass on Dropbox is far better, because open source is magically more secure (it can be, but that doesn't mean it is), and Dropbox gets compromised almost annually.

    I know I probably sound like I work there or something, but I'm just a happy user. I hope LogMeIn doesn't fuck it up. I don't really know anything about them.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

  10. Re:Will Use Neither by Anonymous+Psychopath · · Score: 4, Informative

    Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

  11. Re:Will Use Neither by jimbo · · Score: 3, Insightful

    Meh, people are so often binary. Unfortunately the world isn't as simple as "A is far better than B". While I prefer the way KeePass handles its data, the various browser plugins handling form data (inserting/extracting) seem much inferior to LastPass. Using it in a browser is my main use case.

    I really want to use KeePass but it'll need to be a bit smoother in browsers first. I'm sure it will be.

  12. Re:Will Use Neither by sexconker · · Score: 2

    There is no such thing as two-factor encryption for cold data.

    Using a keyfile and a password is the same thing as using a complex password. You just know one and you have the other and you chain them.
    The same for using a password and thumbprint hash. Anyone who has the encrypted data and knows how it's encrypted can feed it the password and hash.
    These are functionally no different than a single complex password - there is nothing "two factor" about it. And in many cases this type of layering can make it much easier for attackers to break ur shit.

    Consider someone using 7-Zip to encrypt their "Secret My Little Pony Costume Design" directory.
    1 layer of encryption using "aj29dn(3nb1A3n+d,c^D" is much better than 4 layers using "aj29d", "n(3nb", "1A3n+", and "d,c^D". The smaller passwords will be cracked almost instantly, and each one gets them 25% of the way to your shit. The full password will take ages to crack and it has to be done all or nothing.

    You only want to layer passwords if your password's entropy exceeds the length (in bits) of the output of your encryption algorithm (or really, length minus one bit).
    It's far more common to increase the number of rounds than it is to layer, but if you suspect an algorithm may be compromised it may make sense to use multiple layers with different algorithms. Layering also makes it easier to slap on plausible deniability and steganography.

    Temporal passwords (RSA clocks) require a verification step by an arbiter. These are vulnerable to DoS attacks and MITM attacks, as well as all the usual "LOL HACKED UR DB AND GOT UR SHIT" attacks. Anyone with the seed of your particular authenticator app / dongle can generate those temporary codes and get access from the arbiter.
    These kinds of passwords aren't there to protect the actual stored data, but control access to it. Anyone who gets the data will be able to try to decrypt it as usual.

    For a temporary password to be considered a secondary layer of encryption, the data must be decrypted (temp pw layer only) and reencrypted each time that temporary password changes, AND you must ensure all previous copies of the decrypted AND encrypted data are destroyed (you can't do this if you hand the decrypted file to the user for them to decrypt the inner layer). You generally don't do this for cold data, you do it for live communication across an untrusted channel, such as the internet.
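
Added example, not part of the comment above and not code from any product named in this thread: a minimal RFC 6238 time-based one-time password (TOTP) generator and verifier, showing that the code is a pure function of the shared seed and the clock, and that it is checked by a verifier rather than used as key material for stored data. The seed is the published RFC 6238 test seed; the function names and the one-step clock-skew window are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test seed (SHA-1 variant); sample value, not a real secret.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, submitted: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Verifier side: recompute codes for nearby time steps and compare.

    The verifier holds its own copy of the seed. Nothing here derives an
    encryption key, so the check gates access and adds no protection to
    ciphertext that has already been copied elsewhere.
    """
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue  # no time step exists before the epoch
        candidate = hotp(seed, counter + delta, len(submitted))
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Two independent holders of the same seed produce the same code.
    token_side = totp(RFC_TEST_SEED, 59)
    server_side = totp(bytes(RFC_TEST_SEED), 59)
    print(token_side, server_side, verify(RFC_TEST_SEED, token_side, 59))
```

Because every holder of the seed computes identical codes, the seed store on the verifier needs the same protection as a password database.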

  13. Re:Wah wah... by Opyros · · Score: 3, Informative

    The Unix port is called KeePassX, and it works quite well under Linux, MacOS, the BSDs, etc.

  14. That hardly matters by frovingslosh · · Score: 2

    Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

    That hardly matters. Consider what a password is, it is a way to get into an account. What you really care about is that others can't access your accounts, not that they can't unscramble all of the hashes and find out the perverted strings that you used to create your passwords. So if LastPass can be sold to LogMeIn or to the Chinese or to the N.S.A. then they have bought a way to get into your "protected" accounts. It really doesn't matter if they can retrieve the silly little strings that you think protect you or not.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:That hardly matters by frovingslosh · · Score: 4, Insightful

      If LastPass was only a place that you stored an encrypted file that you created yourself and could only give it back to you in encrypted form, then what you say could be argued. The argument might or might not hold up, but it could be argued.

      But if you are using LastPass software on your own machine to do the encrypting and the decryption of the passwords and then logging in to sites that you want to be secure, then you have given up control.

      If you are too trusting to understand this, replace "LastPass" with "Chinese" or "N.S.A." in the above and read it again.

      --
      I'm an American. I love this country and the freedoms that we used to have.
  15. Re:Will Use Neither by chihowa · · Score: 4, Informative

    Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

    So they claim, but since you're using black-box software provided by them to access your passwords that's a pretty specious claim. If the current binary that they provided to you doesn't harvest your access keys, the next one very well could (and most certainly would if their lives depended on it).

    Marketing claims may provide some hint at utility, but they shouldn't be conflated with an actual measure of security.

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.