LogMeIn To Acquire LastPass For $125 Million (lastpass.com)
An anonymous reader writes: LogMeIn has agreed to acquire LastPass, the popular single-sign-on (SSO) and password management service. Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.
Book'em dano (Score:3)
On Hawaii 5-0, Lo Mien is the arch underworld rival of Lo Fat. Log Mein is what I see in my toilet.
Will Use Neither (Score:1, Insightful)
LastPass got their ass handed to them in the not-so-distant past. No, thank you. Having a company that collects passwords now marrying a company that handles remote logins. Hmmm... What could go wrong?
Re: (Score:3)
That being said, I fear LogMeIn is going to destroy LastPass.
Re:Will Use Neither (Score:4, Insightful)
Meh, I feel they handled that "breach" pretty well...
That being said, I fear LogMeIn is going to destroy LastPass.
They did handle it well. Preaching to the choir a little bit, but LastPass has always responsibly disclosed threats, usually to their own detriment because most of their customers can't be bothered to understand how security is supposed to work (hint: it should be designed to withstand a breech). The breech only provided worthless data to the attackers. Brute-forcing is hard, and assuming we were all smart enough to change our master passwords, the attackers only got old, useless passwords in return for all their efforts.
Meanwhile, everyone ran around saying KeePass on Dropbox is far better, because open source is magically more secure (it can be, but that doesn't mean it is), and Dropbox gets compromised almost annually.
I know I probably sound like I work there or something, but I'm just a happy user. I hope LogMeIn doesn't fuck it up. I don't really know anything about them.
Re: Will Use Neither (Score:2)
Breach*
Re: (Score:2)
Noted
Re: (Score:2)
KeePass IS better. It's far more functional and far more customizable.
Throwing a KeePass database on Dropbox is secure even if Dropbox exposes the database.
I find it hilarious that you bitch about people who don't understand that LastPass's breaches meant nothing, yet you go on to imply that Dropbox's breaches are a problem for people using it for KeePass databases.
Re: (Score:3, Insightful)
Meh, people are so often binary. Unfortunately the world isn't as simple as "A is far better than B". While I prefer the way KeePass handles its data, the various browser plugins handling form data (inserting/extracting) seem much inferior to Lastpass. Using it in a browser is my main use case.
I really want to use KeePass but it'll need to be a bit smoother in browsers first. I'm sure it will be.
Re: (Score:2)
Indeed. This is the reason I use and love RoboForm. It runs on every platform and integrates very well with every major browser.
Re: (Score:1)
iPhone: https://itunes.apple.com/us/ap... [apple.com]
Android: https://play.google.com/store/... [google.com]
Windows: https://ninite.com/keepass [ninite.com]
Linux: http://keepass.info/help/v2/se... [keepass.info] - Mono supported
More versions (official and unofficial at: http://keepass.info/download.h... [keepass.info] )
Without access to Dropbox, you could use others: OneDrive, Google Drive, Box, etc... what's available largely depends on what's allowed (or just not yet blocked). Also, options MIGHT be expanded with plugins: http://keepas [keepass.info]
Re: (Score:2)
+KylePass for my macbook.
Re: (Score:2)
What I was trying to point out is that there's no practical difference between unauthorized access to either LastPass or KeePass, meaning that there's no real security advantage either way.
Re: (Score:2)
It is funny. LastPass openly stated they don't know the extent of the data that was taken, just that they feel it was not much, yet you think that is handled well?
Re: (Score:2)
It is funny. LastPass openly stated they don't know the extent of the data that was taken, just that they feel it was not much, yet you think that is handled well?
"We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
https://blog.lastpass.com/2015... [lastpass.com]
That looks pretty specific to me.
Comment removed (Score:5, Insightful)
Re: (Score:1)
I thought that they were encrypted and that their servers never touch the unencrypted usernames and passwords.
Re:Will Use Neither (Score:5, Informative)
Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.
Re: (Score:3)
There is no such thing as two-factor encryption for cold data.
Using a keyfile and a password is the same thing as using a complex password. You just know one and you have the other and you chain them.
The same for using a password and thumbprint hash. Anyone who has the encrypted data and knows how it's encrypted can feed it the password and hash.
These are functionally no different than a single complex password - there is nothing "two factor" about it. And in many cases this type of layering can make it
Re: (Score:1)
There is no such thing as two-factor encryption for cold data.
Using a keyfile and a password is the same thing as using a complex password. You just know one and you have the other and you chain them.
That's the very definition of 2 factor authentication. The 3 factors are Something you know, Something you have, and Something you are.
Re: (Score:2)
That "very definition" is used incorrectly by so many people, including you. When you're slapping it into a call to an encryption/decryption function, it's ALL effectively "something you know". A thumbprint hash is just data, so is a keyfile, so is the output of an RSA clock at any time. Security "experts" tried to model this off of physical security principles, but they don't translate over. That doesn't stop them all from parroting "something you know, something you have, and something you are hurr de
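The technical point debated in the comments above (a password and a keyfile protecting data at rest end up as inputs to one key-derivation call), as an added example that is not from any poster and is not KeePass or LastPass code. The chaining construction, the iteration count and the SHAKE-based stand-in cipher are assumptions made for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor, chosen only to keep the demo quick

def derive_key(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Chain both inputs into one secret, then stretch it (assumed construction)."""
    chained = hashlib.sha256(
        hashlib.sha256(password.encode()).digest() + hashlib.sha256(keyfile).digest()
    ).digest()
    return hashlib.pbkdf2_hmac("sha256", chained, salt, ITERATIONS)

def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in cipher for the demo only; a real vault would use an AEAD.
    return hashlib.shake_256(key + b"|enc").digest(n)

def seal(password: str, keyfile: bytes, plaintext: bytes) -> dict:
    """Encrypt and tag the plaintext under the key derived from both inputs."""
    salt = os.urandom(16)
    key = derive_key(password, keyfile, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def open_offline(vault: dict, password: str, keyfile: bytes):
    """Pure function of (vault copy, password, keyfile); None on wrong inputs.

    No server takes part, so nothing here can verify possession of a
    device, limit the number of attempts, or revoke one of the inputs.
    """
    key = derive_key(password, keyfile, vault["salt"])
    expected = hmac.new(key, vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    ct = vault["ct"]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

if __name__ == "__main__":
    keyfile = os.urandom(32)  # constructed sample keyfile
    vault = seal("correct horse", keyfile, b"site=example.test pw=hunter2")
    copy = dict(vault)  # what any holder of the synced file has
    print(open_offline(copy, "correct horse", keyfile))        # plaintext
    print(open_offline(copy, "correct horse", os.urandom(32)))  # None
    print(open_offline(copy, "wrong", keyfile))                # None
```

A keyfile stored apart from the vault still raises the cost of guessing the derived key, since both inputs are needed to reproduce it.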
Re: (Score:1)
It's like buying pseudoephedrine at the drug store. They ask for something you HAVE (your driver's license), and they verify it to a reasonable extent. Without an active arbiter, you can only use something you KNOW. Imagine buying pseudoephedrine on Amazon. That something you HAVE becomes something you KNOW because all you can do is type in your driver's license number, state, and expiration date. At the drugstore, they expect a physical card with a photo that looks like you and a magstripe that swipes with valid data. They can also physically see if you look like a tweaker who's got the shakes because they need another hit.
You are an idiot. You do know that you need to process pseudoephedrine to turn it into meth? That the amount of pseudoephedrine needed to make meth is a lot more than you get at a drugstore? That most "tweakers" are consumers, not producers?
The laws "controlling" pseudoephedrine are nothing but security theater, it is a hassle for consumers yet it has not affected the supply of meth out there. The people making meth buy barrels of the stuff and not at your local drug store.
After saying stupid stuff l
That hardly matters (Score:3)
Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.
That hardly matters. Consider what a password is, it is a way to get into an account. What you really care about is that others can't access your accounts, not that they can't unscramble all of the hashes and find out the perverted strings that you used to create your passwords. So if LastPass ca
Re: (Score:2)
Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.
That hardly matters. Consider what a password is, it is a way to get into an account. What you really care about is that others can't access your accounts, not that they can't unscramble all of the hashes and find out the perverted strings that you used to create your passwords. So if LastPass can be sold to LogMeIn or to the Chinese or to the N.S.A. then they have bought a way to get into your "protected" accounts. It really doesn't matter if they can retrieve the silly little strings that you think protect you or not.
Can you explain how LastPass would be able to retrieve your passwords to do as you suggest, keeping in mind that they lack the ability to decrypt your data without resorting to brute-force?
Re:That hardly matters (Score:5, Insightful)
If LastPass was only a place that you stored an encrypted file that you created yourself and could only give it back to you in encrypted form, then what you say could be argued. The argument might or might not hold up, but it could be argued.
But if you are using LastPass software on your own machine to do the encrypting and the decryption of the passwords and then logging in to sites that you want to be secure, then you have given up control.
If you are too trusting to understand this, replace "LastPass" with "Chinese" or "N.S.A." in the above and read it again.
Re:Will Use Neither (Score:5, Informative)
Without you giving LastPass your master password and access to your two-factor authentication (you are using two-factor, right?), they couldn't tell you even one of your passwords if their lives depended on it.
So they claim, but since you're using black-box software provided by them to access your passwords that's a pretty specious claim. If the current binary that they provided to you doesn't harvest your access keys, the next one very well could (and most certainly would if their lives depended on it).
Marketing claims may provide some hint at utility, but they shouldn't be conflated with an actual measure of security.
Re: (Score:2)
Bingo. Zero knowledge encrypted storage service providers of pretty much any stripe all suffer from the same flaw:
You are trusting them to provide you the software you are entering your decryption keys into when its time to decrypt anything.
How do you know that software doesn't send them the keys? You don't.
Even if it doesn't, today, and they send you an update, how do you know the update doesn't send them the keys? You don't.
And if you are using a web based service... they don't even have to send you a client u
All your password belong to us (Score:2)
Re: (Score:2)
Having a company that collects passwords now marrying a company that handles remote logins. Hmmm... What could go wrong?
Nothing, absolutely nothing could possibly go wrong.
Get ready for high pricing (Score:3)
I just took a $120 chance and added 10 years to my subscription... Figure they can't jack up my prices for 10 years if I already paid for it. $120 isn't too much to lose if they make the product unusable (which is a possibility with these a**holes).
Re: (Score:3)
In fairness Meldium starts at 20 users for $24/mo.
Not that it matters for me as I've been burned by LogMeIn's user-hostile behaviour in the past. I don't trust them, and I sure as hell won't trust them with my passwords.
Re: (Score:2)
Meldium's security FAQ [meldium.com] is a joke:
In order to provide app management and automatic login, Meldium must store some of your sensitive information on our servers. For user management, we may store your API keys, your username and password, or an OAuth credential.
A limited set of Meldium employees have access to the secure fleet and the master encryption keys
Due to the architecture of our system, it is technically possible for a Meldium employee to gain access to your secret data. As a matter of corporate policy, this kind of access is forbidden.
I, too, hope LastPass will be able to maintain their passion in the face of LogMeIn's corporate culture, but when it comes to security I will not trust to hope.
Re:Get ready for high pricing (Score:5, Funny)
It doesn't seem to have worked for logging you into Slashdot, though.
Re: (Score:2)
Hello fellow RF user.
The Everywhere product was a major reduction in price but it then became a subscription. Even still, I am happy to pay for it. It is one of the most used pieces of software I have.
Passwords passed around (Score:1)
I wonder if my passwords would be safe during all these M&A's when the buyer eventually turns out to be a little less than ethical (what if it gets bought out by a Chinese company?), not to mention all the technical possibilities of data leak while integrating all the infrastructure.
Re: (Score:2)
If they're unsafe it's too late now. Putting your passwords in a cloud service is like putting nude pictures online. Nobody may want to look at them, but they're out there forever, and somebody has them backed up somewhere.
It depends on whether they ever had the keys to unlock them or they were all locally encrypted (barring the whole "they lied and stored your password anyway" tin foil hat argument).
Wah wah... (Score:2)
Damn, I like the free version of LastPass... a lot. I do not like any of the services that LogMeIn offers (I've run the office account).
Sooooo /. hivemind... are there any alternatives to LastPass out there?
Any strong words re: https://www.dashlane.com/passw... [dashlane.com] ?
Re: (Score:2)
Do either of those generate strong passwords, track password changes, and keep encrypted form fills?
Re: (Score:2, Informative)
KeePass meets all 3 of those requirements.
Re:Wah wah... (Score:4, Informative)
I use KeePass (http://keepass.info) or a compatible app and keep my data file synced in OwnCloud. Using Dropbox instead worked fine too.
Re: (Score:2)
+1 for a local password safe program and Dropbox.
Password Safe 3 for me : you can get compatible programs for Windows, and Android, and Linux (I use the eponymous apps for Windows and Android and Pasaffe on Linux).
Open source, and you control your own encryption key.
Re: (Score:2)
Before I went to LastPass, I tried first pwsafe, then KeePass. pwsafe (at the time) wasn't cross-platform enough, but I liked it enough better than KeePass that I was in the process of moving everything back to pwsafe, and just using it from a windows virtual box on Mac and Linux. Then I read a tear-down report on LastPass by a professional paranoid that convinced me that it was plenty secure enough, switched to it, and I've liked it best of all.
I sure hope Logmein doesn't ruin it.... (crossing fingers, t
Re: (Score:2)
With regards to syncing via Dropbox:
It's not quite as spiffy as having the passwords stored on the far end of the wire, but I use DropSync on my Android devices, and I keep its 'sync on change' feature activated (whenever a file changes locally, it gets pushed to the Dropbox ASAP), and then run the Dropbox client on windows boxes and it's been great. You will have some lags between Android devices (DropSync has a timer to control how often it checks for stuff to download), but Windows is pretty much instan
Re:Wah wah... (Score:4, Informative)
Second keepass as I've used it for work for several years.
Copy around your own encrypted database. Don't entrust some damned service with your passwords.
There's several variations on this kind of thing. No subscription, and nobody else has your passwords.
It's also got a really nice feature where it can put your password into the paste buffer for only 10 seconds or so, and then it disappears.
Using a web-based service to track your passwords seems more dangerous than useful to me.
Re: (Score:2)
Just pointing that out...
Re: (Score:2)
I love keepass and used it for many years. But the biggest problem is it's pretty much Windows only as it's written in .Net.
it worked - terribly - under Linux and was almost useless. And I never managed to get it to run under OS X. :(
Password Schemes password schmemes. (Score:1)
Yes.
It is called a Simple or Complex and Unique Long Password System, or SCULPS for short. (patent pending, pls no steal)
Take a sentence, a quote if you will. Take out important word(s), replace it with something unique to you.
Now, take away the spaces and replace the spaces with a number unique to you. (so1something2like3this4)
Congrats, you already have a password better than LastPass passwords and just as random, and will NEVER be brute-forced with any brute-forcing library as long as you are alive an
Re: (Score:2)
However, I personally am a fan (and long-time user) of 1Password [agilebits.com], which is my vault of choi
Oh great (Score:2)
Now ALL your passwords can be compromised in one hack.
Say "hello" to progress!
This just in! (Score:1)
LastPass Free will no longer be available and instead move entirely to a monthly subscription service for only $15 a month. Oh Premium was $12 a year? No worry! Our professional customer support that you'll never need more than make up for this 1500% increase in price!
Just another product now (Score:2)
KeePass vs LastPass (Score:2)
For those who have experience with both KeePass and LastPass (ideally on an iOS and OSX) how do they compare? Is KeePass as tightly integrated into the browsers in both ecosystems as LastPass is?
Re: (Score:2)
I just checked and I have 228 passwords in my lastpass account. All of them are random strings of numbers, letters, and symbols. Less than 1% of them have less than 30 characters (due to lame restrictions imposed by certain websites that only allow short passwords). Your 32 passwords are probably used on more than one site. None of mine are duplicated. You may not want it, but you really do need a password manager.
Great news (Score:1)
Alternatives (Score:1)