
LogMeIn To Acquire LastPass For $125 Million (lastpass.com) 100

An anonymous reader writes: LogMeIn has agreed to acquire LastPass, the popular single-sign-on (SSO) and password management service. Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.
  • Will Use Neither (Score:1, Insightful)

    by Anonymous Coward

    LastPass got their ass handed to them in the not-so-distant past. No, thank you. Having a company that collects passwords now marrying a company that handles remote logins. Hmmm... What could go wrong?

    • by kullnd ( 760403 )
      Meh, I feel they handled that "breach" pretty well...

      That being said, I fear LogMeIn is going to destroy LastPass.
      • by Anonymous Psychopath ( 18031 ) on Friday October 09, 2015 @12:48PM (#50694483) Homepage

        Meh, I feel they handled that "breach" pretty well...

        That being said, I fear LogMeIn is going to destroy LastPass.

        They did handle it well. Preaching to the choir a little bit, but LastPass has always responsibly disclosed threats, usually to their own detriment because most of their customers can't be bothered to understand how security is supposed to work (hint: it should be designed to withstand a breach). The breach only provided worthless data to the attackers. Brute-forcing is hard, and assuming we were all smart enough to change our master passwords, the attackers only got old, useless passwords in return for all their efforts.

        Meanwhile, everyone ran around saying KeePass on Dropbox is far better, because open source is magically more secure (it can be, but that doesn't mean it is), and Dropbox gets compromised almost annually.

        I know I probably sound like I work there or something, but I'm just a happy user. I hope LogMeIn doesn't fuck it up. I don't really know anything about them.

        • KeePass IS better. It's far more functional and far more customizable.
          Throwing a KeePass database on Dropbox is secure even if Dropbox exposes the database.

          I find it hilarious that you bitch about people who don't understand that LastPass's breaches meant nothing, yet you go on to imply that Dropbox's breaches are a problem for people using it for KeePass databases.

          • Re: (Score:3, Insightful)

            by jimbo ( 1370 )

            Meh, people are so often binary. Unfortunately the world isn't as simple as "A is far better than B". While I prefer the way KeePass handles its data, the various browser plugins handling form data (inserting/extracting) seem much inferior to Lastpass. Using it in a browser is my main use case.

            I really want to use KeePass but it'll need to be a bit smoother in browsers first. I'm sure it will be.

            • Indeed. This is the reason I use and love RoboForm. It runs on every platform and integrates very well with every major browser.

              • I enjoy roboform, they say everything is encrypted client side so even if there was a breach they wouldn't have viable info. I think the only thing they use credentials for is licensing a basic profile and sync.
          • What I was trying to point out is that there's no practical difference between unauthorized access to either LastPass or KeePass, meaning that there's no real security advantage either way.

        • by thaylin ( 555395 )

          It is funny. LastPass openly stated they don't know the extent of the data that was taken, just that they feel it was not much, yet you think that is handled well?

          • It is funny. LastPass openly stated they don't know the extent of the data that was taken, just that they feel it was not much, yet you think that is handled well?

            "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

            https://blog.lastpass.com/2015... [lastpass.com]

            That looks pretty specific to me.

    • by Gaygirlie ( 1657131 ) <gaygirlie@hotmBA ... com minus author> on Friday October 09, 2015 @11:42AM (#50693927) Homepage

      Having a company that collects passwords

      The quoted part never sat right with me, I've always felt somewhat icky about the idea of giving out all of my passwords to a company-controlled service. I don't know if it is rational to be wary of them or not, I certainly haven't heard of them doing anything nefarious or anything to earn it, but passwords and usernames are just so damn important that I just don't know if I'd want to hand the whole damn treasure-trove out to an unknown 3rd-party. I've always used Keepass 2.x to store my passwords -- the password-database is always in my control, and there are good, open-source apps for Keepass-databases for Windows, Linux, Android et al.

      • by Anonymous Coward

        I thought that they were encrypted and that their servers never touch the unencrypted usernames and passwords.

        • Or so the NSA has forced them to lead you to believe... gotta love those "be quiet or be crushed" letters that don't require a judge's seal.
      • Re:Will Use Neither (Score:5, Informative)

        by Anonymous Psychopath ( 18031 ) on Friday October 09, 2015 @12:54PM (#50694523) Homepage

        Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

        • There is no such thing as two-factor encryption for cold data.

          Using a keyfile and a password is the same thing as using a complex password. You just know one and you have the other and you chain them.
          The same for using a password and thumbprint hash. Anyone who has the encrypted data and knows how it's encrypted can feed it the password and hash.
          These are functionally no different than a single complex password - there is nothing "two factor" about it. And in many cases this type of layering can make it

          • There is no such thing as two-factor encryption for cold data.

            Using a keyfile and a password is the same thing as using a complex password. You just know one and you have the other and you chain them.

            That's the very definition of 2 factor authentication. The 3 factors are Something you know, Something you have, and Something you are.

            • That "very definition" is used incorrectly by so many people, including you. When you're slapping it into a call to an encryption/decryption function, it's ALL effectively "something you know". A thumbprint hash is just data, so is a keyfile, so is the output of an RSA clock at any time. Security "experts" tried to model this off of physical security principles, but they don't translate over. That doesn't stop them all from parroting "something you know, something you have, and something you are hurr de

              • It's like buying pseudoephedrine at the drug store. They ask for something you HAVE (your driver's license), and they verify it to a reasonable extent. Without an active arbiter, you can only use something you KNOW. Imagine buying pseudoephedrine on Amazon. That something you HAVE becomes something you KNOW because all you can do is type in your driver's license number, state, and expiration date. At the drugstore, they expect a physical card with a photo that looks like you and a magstripe that swipes with valid data. They can also physically see if you look like a tweaker who's got the shakes because they need another hit.

                You are an idiot. You do know that you need to process pseudoephedrine to turn it into meth? That the amount of pseudoephedrine needed to make meth is a lot more than you get at a drugstore? That most "tweakers" are consumers, not producers?

                The laws "controlling" pseudoephedrine are nothing but security theater, it is a hassle for consumers yet it has not affected the supply of meth out there. The people making meth buy barrels of the stuff and not at your local drug store.

                After saying stupid stuff l
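The cold-data point argued in the sub-thread above, as an added example (not code from any commenter, LastPass or KeePass): a vault key derived by chaining a password and a keyfile opens offline with nothing counting the attempts, whereas a server-side arbiter can refuse further tries. The toy HMAC stream cipher, `ITERATIONS`, the blob layout and every name here are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor, chosen only for this sketch


def derive_key(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Chain password and keyfile into one secret, then stretch it."""
    chained = hashlib.sha256(password.encode()).digest() + hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", chained, salt, ITERATIONS)


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in for a real cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, b"stream" + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(password: str, keyfile: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; layout is salt(16) | tag(32) | ciphertext."""
    salt = os.urandom(16)
    key = derive_key(password, keyfile, salt)
    body = _xor_stream(key, plaintext)
    tag = hmac.new(key, b"tag" + salt + body, hashlib.sha256).digest()
    return salt + tag + body


def open_offline(blob: bytes, password: str, keyfile: bytes):
    """Return the plaintext, or None on wrong inputs. Nothing counts the attempts."""
    salt, tag, body = blob[:16], blob[16:48], blob[48:]
    key = derive_key(password, keyfile, salt)
    expected = hmac.new(key, b"tag" + salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(key, body)


class Arbiter:
    """Online verifier that keeps the second factor's secret and counts failures."""

    def __init__(self, device_secret: bytes, max_failures: int = 3):
        self._secret = device_secret
        self._max = max_failures
        self.failures = 0

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self.failures >= self._max:
            return False  # locked out, even for a correct response
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    keyfile = b"\x01" * 32  # constructed sample keyfile
    blob = seal("correct horse", keyfile, b"constructed vault entry")
    print(open_offline(blob, "wrong guess", keyfile))
    print(open_offline(blob, "correct horse", keyfile))
```
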

        • Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

          That hardly matters. Consider what a password is, it is a way to get into an account. What you really care about is that others can't access your accounts, not that they can't unscramble all of the hashes and find out the perverted strings that you used to create your passwords. So if LastPass ca

          • Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

            That hardly matters. Consider what a password is, it is a way to get into an account. What you really care about is that others can't access your accounts, not that they can't unscramble all of the hashes and find out the perverted strings that you used to create your passwords. So if LastPass can be sold to LogMeIn or to the Chinese or to the N.S.A. then they have bought a way to get into your "protected" accounts. It really doesn't matter if they can retrieve the silly little strings that you think protect you or not.

            Can you explain how LastPass would be able to retrieve your passwords to do as you suggest, keeping in mind that they lack the ability to decrypt your data without resorting to brute-force?

            • by frovingslosh ( 582462 ) on Friday October 09, 2015 @08:54PM (#50697109)

              If LastPass was only a place that you stored an encrypted file that you created yourself and could only give it back to you in encrypted form, then what you say could be argued. The argument might or might not hold up, but it could be argued.

              But if you are using LastPass software on your own machine to do the encrypting and the decryption of the passwords and then logging in to sites that you want to be secure, then you have given up control.

              If you are too trusting to understand this, replace "LastPass" with "Chinese" or "N.S.A." in the above and read it again.

        • Re:Will Use Neither (Score:5, Informative)

          by chihowa ( 366380 ) on Friday October 09, 2015 @03:11PM (#50695521)

          Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.

          So they claim, but since you're using black-box software provided by them to access your passwords that's a pretty specious claim. If the current binary that they provided to you doesn't harvest your access keys, the next one very well could (and most certainly would if their lives depended on it).

          Marketing claims may provide some hint at utility, but they shouldn't be conflated with an actual measure of security.

          • by vux984 ( 928602 )

            Bingo. Zero knowledge encrypted storage service providers of pretty much any stripe all suffer from the same flaw:

            You are trusting them to provide you the software you are entering your decryption keys into when it's time to decrypt anything.

            How do you know that software doesn't send them the keys? You don't.
            Even if it doesn't, today, and they send you an update, how do you know the update doesn't send them the keys? You don't.

            And if you are using a web based service... they don't even have to send you a client u

      • What a nice story about how all the passwords that were entrusted to LastPass are being sold to LogMeIn. Of course, there will be less fanfare when the story is " NSA To Acquire LogMeIn For $200 Million ". Or maybe that already happened.
    • Having a company that collects passwords now marrying a company that handles remote logins. Hmmm... What could go wrong?

      Nothing, absolutely nothing could possibly go wrong.

  • by kullnd ( 760403 ) on Friday October 09, 2015 @11:32AM (#50693845)
    They are talking about combining it with the Meldium product? Look at the pricing on that. It starts at 24/month

    I just took a $120 chance and added 10 years to my subscription... Figure they can't jack up my prices for 10 years if I already paid for it. $120 isn't too much to lose if they make the product unusable (which is a possibility with these a**holes).
    • In fairness Meldium starts at 20 users for $24/mo.

      Not that it matters for me as I've been burned by LogMeIn's user-hostile behaviour in the past. I don't trust them, and I sure as hell won't trust them with my passwords.

      • by kullnd ( 760403 )
        I don't trust LogMeIn in the least, but I trust the methods used by LastPass with my passwords. I only hope they do not make changes to the architecture that makes Lastpass the trustworthy platform that it is today.
        • Meldium's security FAQ [meldium.com] is a joke:

          In order to provide app management and automatic login, Meldium must store some of your sensitive information on our servers. For user management, we may store your API keys, your username and password, or an OAuth credential.

          A limited set of Meldium employees have access to the secure fleet and the master encryption keys

          Due to the architecture of our system, it is technically possible for a Meldium employee to gain access to your secret data. As a matter of corporate policy, this kind of access is forbidden.

          I, too, hope LastPass will be able to maintain their passion in the face of LogMeIn's corporate culture, but when it comes to security I will not trust to hope.

          • by kullnd ( 760403 )
            I would consider them having "master keys" to be unacceptable. I really hope this is a feature they side with the LastPass methods on.
    • I feel pretty happy now with Sticky Password for $19.99 per year
  • I used one of these passwords services back in the day. Coincidentally, the one I used (Xmarks, which started as a browser plug-in) was later acquired by Last Pass, which is being acquired by another company.

    I wonder if my passwords would be safe during all these M&A's when the buyer eventually turns out to be a little less than ethical (what if it gets bought out by a Chinese company?), not to mention all the technical possibilities of data leak while integrating all the infrastructure.
    • If they're unsafe it's too late now. Putting your passwords in a cloud service is like putting nude pictures online. Nobody may want to look at them, but they're out there forever, and somebody has them backed up somewhere.

      It depends on whether they ever had the keys to unlock them or they were all locally encrypted (barring the whole "they lied and stored your password anyway" tin foil hat argument).

  • Damn, I like the free version of LastPass... a lot. I do not like any of the services that LogMeIn offers (I've run the office account).

    Sooooo /. hivemind... are there any alternatives to LastPass out there?
    Any strong words re: https://www.dashlane.com/passw... [dashlane.com] ?

    • Re:Wah wah... (Score:4, Informative)

      by Nemyst ( 1383049 ) on Friday October 09, 2015 @11:43AM (#50693935) Homepage
      The alternatives I hear most about seem to be 1Password and KeePass.
    • Re:Wah wah... (Score:4, Informative)

      by I'm just joshin ( 633449 ) on Friday October 09, 2015 @11:44AM (#50693939)

      I use KeePass (http://keepass.info) or a compatible app and keep my data file synced in OwnCloud. Using Dropbox instead worked fine too.

      • +1 for a local password safe program and Dropbox.

        Password Safe 3 for me : you can get compatible programs for Windows, and Android, and Linux (I use the eponymous apps for Windows and Android and Pasaffe on Linux).

        Open source, and you control your own encryption key.

      • Before I went to LastPass, I tried first pwsafe, then KeePass. pwsafe (at the time) wasn't cross-platform enough, but I liked it enough better than KeePass that I was in the process of moving everything back to pwsafe, and just using it from a windows virtual box on Mac and Linux. Then I read a tear-down report on LastPass by a professional paranoid that convinced me that it was plenty secure enough, switched to it, and I've liked it best of all.

        I sure hope Logmein doesn't ruin it.... (crossing fingers, t

        • by mhkohne ( 3854 )

          With regards to syncing via Dropbox:
          It's not quite as spiffy as having the passwords stored on the far end of the wire, but I use DropSync on my Android devices, and I keep its 'sync on change' feature activated (whenever a file changes locally, it gets pushed to the Dropbox ASAP), and then run the Dropbox client on windows boxes and it's been great. You will have some lags between Android devices (DropSync has a timer to control how often it checks for stuff to download), but Windows is pretty much instan

          • LastPass keeps a local copy of the encrypted password DB, so if it can't connect, it will use the local copy. Though, really, if you don't have a network connection, what are you going to do with the password? For me, the main feature there was, if lastpass.com were to go away forever without warning, or get acquired by someone truly evil, I've still got all my passwords.
      • Re:Wah wah... (Score:4, Informative)

        by gstoddart ( 321705 ) on Friday October 09, 2015 @12:12PM (#50694133) Homepage

        Second keepass as I've used it for work for several years.

        Copy around your own encrypted database. Don't entrust some damned service with your passwords.

        There's several variations on this kind of thing. No subscription, and nobody else has your passwords.

        It's also got a really nice feature where it can put your password into the paste buffer for only 10 seconds or so, and then it disappears.

        Using a web-based service to track your passwords seems more dangerous than useful to me.

    • by Anonymous Coward

      Yes.
      It is called a Simple or Complex and Unique Long Password System, or SCULPS for short. (patent pending, pls no steal)

      Take a sentence, a quote if you will. Take out important word(s), replace it with something unique to you.
      Now, take away the spaces and replace the spaces with a number unique to you. (so1something2like3this4)
      Congrats, you already have a password better than LastPass passwords and just as random, and will NEVER be brute-forced with any brute-forcing library as long as you are alive an

    • by Mousit ( 646085 )
      KeePass [keepass.info] is free and open source, and easy to use. Its interface is fairly basic, but it gets the job done. It can generate strong passwords, it has a password strength checker, some fairly decent management and organization options, etc. It's aimed primarily at Windows but it can function in Linux and BSD (including OS X) under Mono, and fully supports this. We use this at my workplace and it serves its purpose.

      However, I personally am a fan (and long-time user) of 1Password [agilebits.com], which is my vault of choi
  • Now ALL your passwords can be compromised in one hack.

    Say "hello" to progress!

  • by Anonymous Coward

    LastPass Free will no longer be available and instead move entirely to a monthly subscription service for only $15 a month. Oh Premium was $12 a year? No worry! Our professional customer support that you'll never need more than make up for this 1500% increase in price!

  • I like(d) LastPass a lot. But my problem is that it is now another product. When it was its own company, LP put 100% behind the one flagship product. Now, LP is "another" product and will receive resources based on value to the owner.
  • For those who have experience with both KeePass and LastPass (ideally on an iOS and OSX) how do they compare? Is KeePass as tightly integrated into the browsers in both ecosystems as LastPass is?

  • Good news there are still other alternatives like Sticky Password (http://www.stickypassword.com) or Roboform.
  • I use Intuitive Password online password manager. It's a web-based password manager and your data is securely stored in the datacenter. With Intuitive Password, you can easily access your data at any time, anywhere. It works on all devices without installation.
