LastPass changes
-
Security Now 529: Joe Siegrist of LastPass
https://www.grc.com/sn/sn-529.htm
JOE: Well, I mean, I understand that people fear change, honestly. And change is a reality, though. We have to deal with it ourselves here at LastPass, too. Like every app is changing. The landscape is changing. How identity is evolving is changing. And when we look around and try to understand where to take this forward, certainly having more resources was a key to being able to kind of dominate the space. And that's what we want to do. We want to keep making the product better, and we want to increase the amount of people working on this, increase the amount of resources that we have to make the product better.
And I know people are kind of fearing that something is fundamentally going to change. But I'm here to say that that's not going to happen. I'm here to continue working on this, to keep pushing forward the vision that I've been working on for the last seven and a half years. I'm not just going to allow that to change. I really want to keep pushing it forward. And I really saw this as kind of the next step. I think, you know, a lot of the people that are complaining are very vocal because something that they had for free was taken away, and people don't like that.
Leo: I'm going to disagree with you, Joe. That's not the issue.
JOE: Oh, yeah?
Leo: The issue is LogMeIn, and I think a lot of people burned by LogMeIn in the past, by what LogMeIn did to Hamachi, what they did to their free product, I think there's a real feeling that LogMeIn is not going to be a good custodian of the great legacy that you've created with LastPass. Have they given you any assurances that you'll have autonomy, and you'll be able to continue to operate as you have in the past?
JOE: Yeah, absolutely. Just today the incoming CEO, Bill Wagner, was here, telling me that, look, you have the ability to say no. It's your vision. It's your team. We're putting resources behind that to drive it forward. And this is the largest acquisition by LogMeIn by more than six times; right? So they are going to naturally have to treat this differently than some of those other products.
And Hamachi is an interesting thing that you brought up because I was talking about that today as a product I used to use, and one that I think should be brought back and could really have a new life breathed into it when you consider you can tie it into some of the other initiatives that we have with identity and have it folded in, potentially, as an additional product. But I think just the size and scale and scope makes that different. And the people behind it, like this office is staying, all the people here are staying, everybody that was part of LastPass is coming onboard.
-
oh yeah that's a good reason to get rid of it. I do not trust LMI at all.
-
@anonymous said:
@JaredBusch Why do you want to replace it?
Because I do not trust their new owners. Simple as that.
I have been a LastPass Premium subscriber since 2009 when I got a smart phone.
-
While I don't trust LMI to leave the free product free - I have no reason not to trust their paid product - other than they might increase the price.
I consider this more or less a non issue, since I'm not a free user.
-
Interesting... Firefox had an update to LP waiting for me to restart the browser...
-
@Dashrender Yup, version 4 was just released
-
@Dashrender said:
While I don't trust LMI to leave the free product free - I have no reason not to trust their paid product - other than they might increase the price.
I consider this more or less a non issue, since I'm not a free user.
I don't trust their integrity. And that, simply, means I can't trust them. It's not about free being free.
-
@Dashrender said:
I consider this more or less a non issue, since I'm not a free user.
I don't understand how that makes a difference. If you can't trust them, you can't trust them. It's about trusting that they stick to their agreements.
Like their agreements not to decrypt your data, their agreement to take backups, their agreement to your privacy, etc.
-
@scottalanmiller said:
@Dashrender said:
I consider this more or less a non issue, since I'm not a free user.
I don't understand how that makes a difference. If you can't trust them, you can't trust them. It's about trusting that they stick to their agreements.
Like their agreements not to decrypt your data, their agreement to take backups, their agreement to your privacy, etc.
I don't consider this situation on par with Lenovo. Did they tell us LMI would be free forever, then take it back? Yeah. Does that rise to the level of Lenovo's breaking of the public trust? Not in my mind.
-
El Reg just did a piece on the new changes:
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
I consider this more or less a non issue, since I'm not a free user.
I don't understand how that makes a difference. If you can't trust them, you can't trust them. It's about trusting that they stick to their agreements.
Like their agreements not to decrypt your data, their agreement to take backups, their agreement to your privacy, etc.
I don't consider this situation on par with Lenovo. Did they tell us LMI would be free forever, then take it back? Yeah. Does that rise to the level of Lenovo's breaking of the public trust? Not in my mind.
Why would it have to even approach the same level? Loss of trust is loss of trust. LMI, every day, decides to keep breaking the trust. Is it the same as having tried to steal data? Not at all. Can we trust them? Clearly not. No one suggested a similar level and I'm unclear why you feel it would need to be that bad before you would not hand over your passwords to someone that lies to you and treats you badly.
-
I switched over to Dashlane after LastPass' LMI acquisition and have been evaluating them since. I really like their interface and how easy it is to use, though having their program start with Windows took getting used to.
They provide easy ways to import data from other password managers - exporting my LastPass passwords was easy, and there's an option to import KeePass data as well which I have yet to try. They also have apps for iOS and Android so you can access your passwords on mobile if you'd like. Their browser plugins also seem to be a little more seamless than LastPass' IMO.
I ended up buying Dashlane Premium with no regrets so far. At this point I'm grateful for LMI's acquisition as it gave me the chance to evaluate other options.
-
I've heard good things about Dashlane too.
-
I am still using KeePass (for about 10 years). I use a master password and a key file. I have the encrypted DB file synced across all my systems and mobile devices using Dropbox. Being that it is encrypted prior to being synced and stored "in the cloud", does this present a problem?
-
@WingCreative said:
I switched over to Dashlane after LastPass' LMI acquisition and have been evaluating them since. I really like their interface and how easy it is to use, though having their program start with Windows took getting used to.
They provide easy ways to import data from other password managers - exporting my LastPass passwords was easy, and there's an option to import KeePass data as well which I have yet to try. They also have apps for iOS and Android so you can access your passwords on mobile if you'd like. Their browser plugins also seem to be a little more seamless than LastPass' IMO.
I ended up buying Dashlane Premium with no regrets so far. At this point I'm grateful for LMI's acquisition as it gave me the chance to evaluate other options.
Dashlane is more than 3 times the cost of LastPass though.
-
@wrx7m said:
I am still using KeePass (for about 10 years). I use a master password and a key file. I have the encrypted DB file synced across all my systems and mobile devices using Dropbox. Being that it is encrypted prior to being synced and stored "in the cloud", does this present a problem?
That is not any different than how Dashlane or LastPass work at a general level.
-
Right, but presumably, there is less risk associated with me having the control over decryption capability, would that be correct or am I missing something?
-
@wrx7m said:
Right, but presumably, there is less risk associated with me having the control over decryption capability, would that be correct or am I missing something?
Why do you think you have more control? LastPass also does all encryption locally before sending any data to LP. Only an encrypted blob is sent to LP.
If you're on a computer that's never used LP before, the JavaScript that's in the page does local checking/verifying of your username/password before the blob is downloaded to you, and once it's there, it's decrypted only locally.
-
@Dashrender I thought it was managed on the back end on their site. Guess not. That's why I asked.
-
@wrx7m said:
@Dashrender I thought it was managed on the back end on their site. Guess not. That's why I asked.
Nah - only reason I trust it was because they, LP, never had/have access to your data.
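-
The local-encryption model discussed in the last few posts (a KeePass database encrypted before it is synced through Dropbox, a LastPass blob encrypted before upload), as an added example that is not part of any post in this thread and is not LastPass or KeePass code. It assumes PBKDF2-SHA256 and AES-256-GCM from Node's `crypto` module; the function names, iteration count and sample vault are constructed for illustration.

```javascript
// Added illustration of client-side vault encryption. Hypothetical names throughout.
const crypto = require("node:crypto");

const KDF_ITERATIONS = 100000; // assumed work factor, not a vendor's real setting

// Derive the vault key on the client; the master password never leaves it.
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, "sha256");
}

// Encrypt locally. The returned object is everything the sync service stores.
function sealVault(vault, masterPassword) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(vault), "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ct: ct.toString("base64"),
  };
}

// Decrypt locally after the blob is downloaded. Throws on a wrong password
// or on a blob that was modified in storage (GCM tag mismatch).
function openVault(blob, masterPassword) {
  const key = deriveKey(masterPassword, Buffer.from(blob.salt, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, "base64")), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// The storage provider's position: it holds the blob but not the password.
function canOpen(blob, passwordGuess) {
  try {
    openVault(blob, passwordGuess);
    return true;
  } catch {
    return false;
  }
}
```

The storage side only ever holds the output of `sealVault`; the property depends on the client code that runs it being trustworthy.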