LogMeIn To Acquire LastPass For $125 Million (lastpass.com)
An anonymous reader writes: LogMeIn has agreed to acquire LastPass, the popular single-sign-on (SSO) and password management service. Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.
Having a company that collects passwords
The quoted part never sat right with me, I've always felt somewhat icky about the idea of giving out all of my passwords to a company-controlled service. I don't know if it is rational to be wary of them or not, I certainly haven't heard of them doing anything nefarious or anything to earn it, but passwords and usernames are just so damn important that I just don't know if I'd want to hand the whole damn treasure-trove out to an unknown third party. I've always used KeePass 2.x to store my passwords -- the password database is always in my control, and there are good, open-source apps for KeePass databases for Windows, Linux, Android et al.
The alternatives I hear most about seem to be 1Password and KeePass.
I use KeePass (http://keepass.info) or a compatible app and keep my data file synced in OwnCloud. Using Dropbox instead worked fine too.
Second KeePass, as I've used it for work for several years.
Copy around your own encrypted database. Don't entrust some damned service with your passwords.
There are several variations on this kind of thing. No subscription, and nobody else has your passwords.
It's also got a really nice feature where it can put your password into the paste buffer for only 10 seconds or so, and then it disappears.
Using a web-based service to track your passwords seems more dangerous than useful to me.
Lost at C:>. Found at C.
Meh, I feel they handled that "breach" pretty well...
That being said, I fear LogMeIn is going to destroy LastPass.
They did handle it well. Preaching to the choir a little bit, but LastPass has always responsibly disclosed threats, usually to their own detriment because most of their customers can't be bothered to understand how security is supposed to work (hint: it should be designed to withstand a breach). The breach only provided worthless data to the attackers. Brute-forcing is hard, and assuming we were all smart enough to change our master passwords, the attackers only got old, useless passwords in return for all their efforts.
Meanwhile, everyone ran around saying KeePass on Dropbox is far better, because open source is magically more secure (it can be, but that doesn't mean it is), and Dropbox gets compromised almost annually.
I know I probably sound like I work there or something, but I'm just a happy user. I hope LogMeIn doesn't fuck it up. I don't really know anything about them.
Eagles may soar, but weasels don't get sucked into jet engines.
Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.
Eagles may soar, but weasels don't get sucked into jet engines.
It doesn't seem to have worked for logging you into Slashdot, though.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Meh, people are so often binary. Unfortunately the world isn't as simple as "A is far better than B". While I prefer the way KeePass handles its data, the various browser plugins handling form data (inserting/extracting) seem much inferior to LastPass. Using it in a browser is my main use case.
I really want to use KeePass but it'll need to be a bit smoother in browsers first. I'm sure it will be.
The Unix port is called KeePassX, and it works quite well under Linux, MacOS, the BSDs, etc.
Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.
So they claim, but since you're using black-box software provided by them to access your passwords that's a pretty specious claim. If the current binary that they provided to you doesn't harvest your access keys, the next one very well could (and most certainly would if their lives depended on it).
Marketing claims may provide some hint at utility, but they shouldn't be conflated with an actual measure of security.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
If LastPass was only a place that you stored an encrypted file that you created yourself and could only give it back to you in encrypted form, then what you say could be argued. The argument might or might not hold up, but it could be argued.
But if you are using LastPass software on your own machine to do the encrypting and the decryption of the passwords and then logging in to sites that you want to be secure, then you have given up control.
If you are too trusting to understand this, replace "LastPass" with "Chinese" or "N.S.A." in the above and read it again.
I'm an American. I love this country and the freedoms that we used to have.
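Two of the comments above hinge on the same design point: the "breach only provided worthless data" / "they couldn't tell you even one of your passwords" argument, and the "a place that you stored an encrypted file that you created yourself" model. The following is an added example written for this thread, not LastPass's or KeePass's own code, and it does not settle the separate point about trusting vendor-supplied client software. It sketches a client-side vault design so the server-held record can be inspected directly: the master password is stretched with PBKDF2 into a vault key that stays on the client, a second derivation produces the login hash the server stores, and the vault is encrypted before upload. The iteration count, salt layout and the HMAC-SHA256 counter-mode cipher with encrypt-then-MAC are assumptions chosen so the block runs with the standard library only; a real product would use its own vetted KDF parameters and an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this illustration, not any vendor's actual settings.
ITERATIONS = 100_000
KEY_LEN = 32


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client-side only: the stretched key that unlocks the vault never leaves the machine."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(),
                               iterations, KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """The only secret-derived value sent to the server. One extra one-way step means a
    leaked login hash cannot be turned back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the vault key.
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF stream (teaching construction).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client; the result is all the server ever receives."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject tampering or a wrong key."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob rejected: tag mismatch")
    return bytes(c ^ k for c, k in zip(body, _keystream(_subkey(vault_key, b"enc"), nonce, len(body))))


def tampered_blob_rejected(vault_key: bytes, blob: bytes) -> bool:
    """True if flipping one ciphertext byte makes decryption refuse the blob."""
    flipped = bytearray(blob)
    flipped[16] ^= 0x01
    try:
        decrypt_vault(vault_key, bytes(flipped))
    except ValueError:
        return True
    return False


def server_record(master_password: str, email: str, vault_plaintext: bytes) -> dict:
    """Everything a breach of the server-side store would expose for this user."""
    vk = derive_vault_key(master_password, email)
    return {"email": email,
            "login_hash": derive_login_hash(vk, master_password),
            "blob": encrypt_vault(vk, vault_plaintext)}


def verify_login(record: dict, candidate_password: str) -> bool:
    """The server's check, and also the cost of one offline guess against a leaked record:
    a full PBKDF2 run per candidate, which is what makes brute-forcing slow."""
    vk = derive_vault_key(candidate_password, record["email"])
    return hmac.compare_digest(derive_login_hash(vk, candidate_password), record["login_hash"])


def seconds_to_exhaust(space_size: int, iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Defender's capacity estimate: measure one guess on this machine, extrapolate to a space."""
    t0 = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, b"salt", iterations, KEY_LEN)
    return (time.perf_counter() - t0) / samples * space_size


if __name__ == "__main__":
    # Constructed sample user and vault contents.
    rec = server_record("correct horse battery staple", "user@example.com", b"site=example.com;pw=hunter2")
    print("server holds login_hash + ciphertext only:", rec["login_hash"].hex()[:16], len(rec["blob"]), "bytes")
    print("years to exhaust 10^12 guesses at", ITERATIONS, "iterations:",
          round(seconds_to_exhaust(10**12) / (365 * 86400), 1))
```

The point the `server_record` dictionary makes is that the leaked material is a salted, stretched login hash plus ciphertext; nothing in it decrypts without re-running the KDF from a correct master password, and the `seconds_to_exhaust` estimate shows why the iteration count, not secrecy of the blob, is what buys time after a breach.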