My first reaction was to chuckle. I wonder how LastPass will change given the new ownership. We switched over to this at work almost a year ago, after trying to determine a password management strategy for years, and it's worked fairly well, although it hasn't sold me on switching from Keepass for personal use.
I'll be interested in what the Hacker News community thinks about this.
As someone who has never used LogMeIn, could you explain what the problems are? I use LastPass pretty extensively (and was thinking of buying a subscription later this month), but have never used LogMeIn.
LogMeIn used to have a free product that they then took to Premium only. I used to use them extensively until then.
Now they also seem to be notorious for price hikes, although I have no first-hand experience. I'm a LastPass Premium subscriber and have enjoyed using it, but I'm worried about what the future holds now.
My beef with them was when we quit using the 'Pro' product. We were using a feature that let us do software updates and scripting, which was kind of pointless when we could do those things with Windows server or other solutions.
We then went down to the 'Central' version of LogMeIn, as it still provided remote access capabilities (which was all we wanted) and were able to save a bit of money. Well, two months later they billed us the full renewal price of the old product ($2499) and it took us 6 months of back and forth with them to refund that.
Wonder if now is the time to look at alternatives, before the service potentially changes.
I hear a lot of good things about 1Password, which seems to work for my iPhone/MacBook. Anyone know if there's a reasonable option for using it on Windows?
The Windows version runs fine in WINE, alternatively they offer a very cut-down web-based solution called 1Password Anywhere (which I use on my Chromebook).
(There's an official Android client too, which wasn't mentioned above)
The only way to get some (read-only) support in Linux is by syncing the 1Password folder with Dropbox (last time I tried it did not work locally). If you open the webpage that is in that folder via Dropbox, you can log-in and read password.
1Password stores its encrypted data 'offline', so 2FA does not make sense for their product.
Even with LastPass offering 2FA, its just that, authentication, its not used as part of the encryption/decryption process (I did read somewhere it helps with your local cached copy, but it doesn't effect the copy stored on their servers)
If you wanted to use your YubiKey with 1Password, you could set a static password and 'split' your master password (half you remember, the other half is keyed in by the YubiKey)
Just a note - the 1Password Mac app is MILES ahead of the 1Password app. I've been using both for about 3 years now, and the separation is only getting larger. 1Password is smooth, fast, and fluid on Mac OSX. 1Password works, but is none of those on Windows.
There is 1Password Windows Modern Alpha[1] which so far looks very promising. It's still not very suitable for a day to day use though. (Screenshot: click "Getting started" in the forum, then "Windows 10 Store")
These acquisition announcements are always the same, and always get the same sort of comments.
They tell of good fortune for the owners of the thing that has been sold, but never tell the users what's in it for them. And that's usually because there is nothing in it for them.
I can't exactly agree with you. First, lots of acquisitions are good for the user because they often mean backing by a larger entity with deeper pockets, ensuring that the service you use will be around for longer.
Second, why do they owe you anything? Either you are a free user, at which point you don't really have a whole lot of say in what they do with their own company, or you are paying $12 for a stellar password manager, which I would say is definitely worth it.
I am not exactly a fan of LogMeIn, and I do really like LastPass and use it every day, but if they chose to sell their company and cash out, good for them. If the service somehow becomes bad, I will move onto one of many alternatives, though this time probably an open source one.
> Second, why do they owe you anything? Either you are a free user, at which point you don't really have a whole lot of say in what they do with their own company, or you are paying $12 for a stellar password manager, which I would say is definitely worth it.
Because I not only paid US$12,00 to them, but I have also invested time and thought in building habits and procedures based on their service.
If they their service becomes unworthy or cumbersome, or if I have any reason to distrust them, I'll have to look elsewhere, not only costing me time, but also giving me uncertainty and possibly having to choose a new service. And, if I have chosen Lastpass, is because I believe other services are not worth as much.
OK, but why do they owe you anything for the time you chose to spend with their product? In fact by repeatedly using their product you subtract from their bottom line since you are consuming computing and support resources. As far as I see it, $12 buys you a one year LastPass subscription, not a perpetual right to be consulted on any corporate moves they might make. Practically, you probably have a bit more say than a free user would about the product features, but not nearly as much as one of their team members.
In short, while this change to LastPass might not be good for you (or me) in the long run, I don't see why they'd have any responsibility to consult you or me about whether to sell to LogMeIn. We are customers, not shareholders.
In fact by repeatedly using their product you subtract from their bottom line since you are consuming computing and support resources.
I don't understand the point you're trying to make here. Their product is SaaS; by definition to use the product requires consuming their computing resources--that's what they're selling! Unless you're honestly of the mentality that companies have moral standing to tell you to eff-off once they have your money. But I don't think you are, so please clarify.
To answer your question, LastPass's popularity is largely due to word-of-mouth. People used LastPass because they liked it, they liked its ease of use, they liked what they perceived to be the honest nature of the company. Because people like the average user on HN, who are likely the "Tech guy" for all of their immediate friends and family, tell their families to use LastPass and help them set it up. When you piss off the guys who evangelized your product, you're not just losing his business; you're potentially losing the business of everyone whom they recommended it to.
Case in point, I convinced my girlfriend to start using it (she fortunately got 6 months for free via a student email and hence will suffer no monetary loss if we decide to switch) and was considering telling my family about it, but now I'm having second thoughts. And considering this is, again, a subscription model, the "Haha, we already have your money!" model only works for one year. The projected revenue based on the expectation of renewals, however, goes out the window.
My point is simply that LastPass has no responsibility to you and me to not ruin their product by selling to someone that might. If we were shareholders it'd be different, but as users we have very little say, and I think that's for the most part a good thing. Imagine if you had to treat all your users as shareholders.
Of course this sale to LogMeIn might mean the end of LastPass as a reliable and easy to use password manager. Of course it might cause you and me to spend time looking for an alternative solution, setting it up, etc. I am saying that none of that is LastPass's team's problem and I don't think that even a paid subscription for their service buys us the right to be consulted on their corporate strategy.
This really rubs me the wrong way. Do not like the idea of my password manager bouncing around owners. Or infrastructure changes that new owners often push on the acquired company.
If there's one business I REALLY do not want to be moving about, and I want as little churn as possible for, it's a password manager.
The thing I liked about LastPass was that it seemed like the highly geeky, less startupy approach to password managers, more likely to be run for the long-term, less likely to be at risk of an acquisition.
What Open Source one was a convenient or as feature complete? Serious I love LastPass and I use it for everything BUT my banking. I just install the plugin on any device or open the webpage and I am all set with all my passwords.
I don't know what features you like or find important. But you have to consider the licensing model as a feature when choosing your software. What happens if the software is sold or no longer maintained?
For me, I use a plaintext file in a Truecrypt archive because I'm a massive dweeb.
I don't use Windows and that exploit isn't relevant to my use-case anyway (requires an evil local user). I'll move to another encryption program sometime, but it hasn't been a priority.
You should be using VeraCrypt (https://veracrypt.codeplex.com/) rather than TrueCrypt. The authors of TrueCrypt even said to stop using it when they stopped maintaining it.
Yeah, I should. But Arch doesn't provide packages for it yet and there's no realistic attack vector against my usage of TrueCrypt, so meh. It's good enough until Arch starts shipping packages.
I used Lastpass for random web passwords (everything except banking/shopping) but moved to 1Password, mainly because they could sync between desktop and mobile without using the cloud.
Pretty key to have high quality mobile apps. Another big use case is having my teams be able to share passwords.
Highly useful to be able to have access groups like "team" (everyone, things like Zendesk) "team-secure" (stuff with CC's, like Amazon), "dev" (general dev accounts), and "dev-secure" (compose.io access and the like).
Makes it way faster to onboard new folks, and when people leave, to cleanly strip access and change passwords.
The open source tools don't solve for those kinds of use cases, as far as I know. Just "I have one computer, and want to store my passwords on that one computer."
Sure, but now you're trusting your entire infrastructure to a black box which can be passed around to anyone with enough money. There are trade-offs, and you have to consider everything when comparing features, including the license.
Also, no way I would do anything important on my phone. These things seem to be about as secure as sieves.
We're looking for the exact same thing, mobile apps and team management.
I've yet to find any open source software that does team management. Even multiple open source tools that work together to create this functionality would be great.
Right now it's mostly for us and other mitro escapees to continue using it so we didn't bother with the site design or the mobile apps.
The exact feature you mention would be the first one to be done if we decide to monetize it though ! It would say opensource as well.
You could easily store KeePass database files on a network share. Create one file per access group, for instance. KeePass works pretty well with multiple database files (it has a simple tabbed interface when you do so and you can do things like color code the icons in the tabs). You can use network share permissions to make the database files read-only to particular users and KeePass will do the right thing with read-only files (mark it as read-only in the UI and disallow editing actions).
Dropbox runs a binary on your machine; that's enough to suspect them. Stick with an open source password manager and an open sync service (S3 plus a script? Or a third party client like Arq).
Yeah, with Dropbox software running on your machine, you not only have to trust them not to snoop on you, you have to trust their non-auditable code to be ~perfect~ against exploitation by others.
Unless you actually read through and understand your open source alternative line by line you aren't really running anything safer
Of course there is the argument that since it's open source it's safe since someone has "audited" it, but many times that's not true.
And even then unless you spend a lot of time trying to break it so you understand it completely you are way better off just writing your own solution, but that takes time and effort
I just save+sync passwords in Firefox and use a strong master password. I (usually) only need to paste the password from Keepass once unless I elect to not save it (such as with financial logins).
> does it work on ios?
Google seems to return lots of results for iOS Keepass apps. You'll want to vet them on your own. I use KeePassDroid on Android and like it well enough.
I tend to use all 3 of the browsers for slightly different things so having plugins would be ideal but I suppose I could slum it with copy/paste as long as I follow the password/login route to reduce the chance a password gets exposed.
I forgot about my nexus tablet but android is the other thing to have a look into.
With KeePass I haven't felt the need for a browser plugin: Ctrl+C, Ctrl+V is easy enough for my tastes. Plus, in Windows the "auto fill" works more often than not (reducing things to just Ctrl+V in KeePass).
There are multiple KeePass clients on iOS and just about all of them support things like Dropbox sync.
Browser plugins saving me from having to copy/paste are a huge win in my opinion. Prevents me from accidentally copy/pasting things and makes for really nice login behavior.
I'm not affiliated with Dashlane in any manner but I thought I'd chime in with my experience as a user. I used to use LastPass but lost a bit of confidence in them when they asked users to reset their master password [1] when an anomaly was found present in network traffic from one of their DBs. Prior to this I was looking at open source alternatives but the syncing and add-ons for each browser (which made logging in and generating passwords easier offered by Dashlane) really caught my attention. These features aren't unique to Dashlane, I'm sure. New sign-ups reap the benefits of premium features for a month or so, then you could send an invite to a friend and accrue 6 free months of premium service when they sign up (which is what I did) for free. They also offer a public password generator [2] page. They support the major browsers (Safari, Chrome, Firefox). Dashlane also has a "security dashboard" which keeps track of password expiration, reuse, and weak password usage, with a base analysis score that gets presented to you when action on a site is required. If you want something for offline use and that is hardware based, I'd recommend checking out the Mooltipass [3]. I hope this helps.
I used Dashlane at a previous company. It felt like a much buggier LastPass. I avoided it to the extent possible. Most of the problems seemed to be the usual non-standard HTML / Javascript hijinks breaking things but LastPass was pretty good at dealing with that whereas Dashlane seemed to get confused much more often. They may have improved since then. This was about a year ago.
I switched everyone from Lastpass to Dashlane some time ago. From my perspective it works better everywhere except Linux (where it doesn't exist). We currently use it across Windows/OSX/IOS.
It is more expensive than Lastpass, but this news suggests Lastpass was underpriced for a long time.
Dashlane treats passwords shared with you as second-class - you can't access shared passwords in their web app. So I would avoid Dashlane if you're seeking a solution for your team.
After reading the article (and then reading it again) I'm not left feeling confident that this is in any way positive for me as a LastPass Premium and Xmarks customer.
In particular the vague line about, "As we become part of the LogMeIn family over the next several months, we’ll be releasing updates to LastPass, introducing new features..." To me, LastPass is feature complete. So either I'm going to have a mind blowing, I never knew I needed that, moment, or more likely some sort of bloated crap is going to get shoe horned into LastPass.
LogMeIn purchased, and absolutely ruined, Hamachi back in 2006. That program was the perfect lightweight virtual LAN client in existence with all the necessary features. Within months of acquisition, Hamachi had several "updates" and became bloated beyond recognition, slow, buggy, and downright unreliable. I have the worst taste in my mouth from what LogMeIn did to a perfectly working product and won't use anything they offer because of it.
Also does a lot of other things, and is evolving into a full-fledged SDN layer. If you don't want to use the pretty GUI they give you to create/manage networks you can run your own 'network controller' -- see READMEs in GitHub.
This is true, but my first reaction was as a LastPass customer not as an observer of the company.
I also agree with colinplamondon's comment "The thing I liked about LastPass was that it seemed like the highly geeky, less startupy approach to password managers, more likely to be run for the long-term, less likely to be at risk of an acquisition."
So the thought of them seeking an exit never crossed my mind.
And I think at some point the customers are going to figure out that the startup merry-go-round is and never was intended for their benefit. Over time it's going to get harder for new startups to attract customers because people will realize that flashy new product offerings aren't likely to stick around (in a form that we actually want) for long.
And since "exit" has come to mean 50%+ chance that customers will be screwed over it also means that in the future having a decentralized product will be KEY to actually get investor money - there's only so many times this get-customers-screw-customers round-about can spin before it gets uninteresting from a capital gain standpoint.
I'm not so sure. It's also possible the it will always work, and what happens is you lose the early, informed users, and gain new users who are more moved by marketing.
Logmein is still in business, and buying companies. At first blush it seems like they'd be a good company to have a stake in.
One option I've been meaning to look, but haven't had a reason to because of LastPass is Encryptr [https://encryptr.org/], but now I might need to. They have Android and Linux support, but not browser plugin I think. Also, it comes from the same people as SpiderOak...
This actually sounds like a smart deal for LogMeIn. Purchase price is $110mm of cash with a $15mm earn-out-- seems reasonable considering LastPass has millions of users and is a pretty sticky service (I've been a premium user for the last couple of years, mostly to be able to use their iPhone app).
Honestly if you're a security / privacy company, can you please just not get acquired? You can't 'transfer' your customers' trust to a third party like you transfer cash.
Using open source and not having to trust someone would be nice, but at a certain point I would rather not be running my own security-critical infrastructure for personal stuff (if I can avoid it). I only have so much time.
logmein has almost ruined my current favorite password manager Meldium. After they acquired it the service has become gradually to the point it does not work on half the sites stored in it. This week I finally decided to start migrating to LastPass (a few clients use it and it appeared a more dependable alternate). Guess will continue my search for alternates.
One of the reasons I chose 1Password over LastPass is because you can choose where to store your data (iCloud, Folder on your System, Dropbox). I don't think you should trust your passwords to any company.
Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.
Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.
That's funny. The LogMeIn employees have a financial stake in making sure that people DON'T exit en masse after the acquisition. I wonder why?
I would caution, then, that any interviews given by any staffer to the effect of "LastPass is not changing, your data is perfectly safe with LogMeIn, the prices will not skyrocket, etc." over the next few months should be taken with a grain of salt, since they quite literally have $15 million riding on you not leaving.
As opposed to any other acquisition (excl. acquihires) where the company doesn't have any incentive to keep customers at all and therefore everything they say must be completely true?
That's a whole lot to infer from that. Holding a significant portion of the sale in escrow pending retention, legal requirements, and other issues is pretty standard practice.
Well, export your data ASAP. At least if shit happens you won't lose it all. Would be funny if LMI spent 120MM just to have a product everyone leaves. lol.
I don't know why this guy is being downvoted. I, too, am now looking for a new password manager. All I need one is that does local decrypting only, supports Chrome and Firefox, and can do Android as well.
Be civil. Don't say things you wouldn't say in a face-to-face conversation. Avoid gratuitous negativity.
gratuitous- uncalled for; lacking good reason; unwarranted.
I feel that my comment falls into what I consider a fair statement about the severity of the situation. They have my passwords and could easily hike up their rates. This change may add features I didn't know I wanted, but thus far I'm happy with the way LastPass has been operating and I don't want a change.
Just based on the bad things everyone else is saying about them, I have to do some research and see if they are a good or crap company. They just have a lot of power regarding my passwords, and they are an unknown to me, but , in the other thread they were seriously disliked.
LogMeIn is used by those phone scammers who ring up and say "We have detected a Windows Virus on your machine and are here to help". They then convince the mark to let them start a session, then surreptitiously download data from their machine using a back channel. (LogMeIn lets you share screens, but also access the filesystem in another panel and the other side can't see).
When you complain to LogMeIn and give them the details of the scammer, they couldn't give a rat's arse and just ignore you. Those kind of ethics do not belong with the owners of a password vault.
I know the popular thing is to blame LogMeIn, but it would be very expensive to chase down the scammers. And, law enforcement is very likely to not give a shit, too. So, if the did what you said, likely it would be wasted effort.
"Thank you for the information, we will investigate/confirm, cancel their account, put them on a watchlist" would have done. I'm not after prison time, I'm after LogMeIn not allowing their service to be used by identifiable criminals.
I'm in the same awkward position. I've been a LastPass evangelist for years now. How can I abruptly switch to 1Password or whatever's most comparable to LastPass? The selling point I would make of, "Hey, this company exists solely to provide security to the world. They're passionate about using strong passwords and do everything in their power to ensure their service is both friendly and secure." wasn't just a talking point, but one of the primary reasons I ever used them in the first place.
I'm happy for the LastPass team that they were able to profit off their hard work, but I'm leery of what this means, not only for the hundreds of my passwords and notes LastPass has in its vault, but what sorts of "features" LogMeIn will want to forcibly integrate into the product--and then charge 50x my lowly $1 a month contribution.
Logmein has a great tech organization and certainly hasn't ruined meldium since they bought it. I think they've made a couple boneheaded moves around enterprise pricing that people have pointed out here, but expect they'll take good care of it.
What gets me down about this is the trust I had for the service LastPass provided. I appreciated their open and pre-emptive communication. They were willing to dive into the details of a possible issue and explain everything about it.
Congrats to LastPass team for a successful exit :)
I understand why the users might have concerns with "LogMeIn", but well one should've expected (at least on this forum) that this is going to happen.
I know this isn't the most popular comment.
But, what the heck, be happy for the LastPass team, they've worked their ass off. That's what this forum is for, isn't it ?
We(hackers) are all in the same boat.
I don't think anybody is unhappy for the LastPass team. Many of us use LastPass though and so we are nervous about the future of something we trust and use. I don't trust LogMeIn like I trusted LastPass and so now I have to contemplate finding a new solution to a problem that I thought was solved.
So hooray to the LastPass team and condolences to the LastPass customers.
Yeah, I can understand the press release being first because LogMeIn is publically traded, but the delay is weird. I just got an email from LastPass now (as a premium member).
I got an email, and then saw this post on HN...and then backed up and deleted my account. Wasn't going to renew anyways, just happened to be perfect timing.
Congrats to Bob and Joe and LastPass team. I'm a former LastPass employee and will be forever empresses by their work ethicc that I saw. They definitely deserve it.
This is pretty terrible news. It would have been need to see LastPass get acquired by a company like AWS but LogMeIn doesn't really have the reputation required to ask people to trust them with all their passwords.
Also, the valuation also seems low to me. Maybe LastPass was having trouble generating recurring revenue. It seems like going public would be a better route for security companies but maybe the revenue wasn't there for an IPO.
I've had a paid subscription for years and used their enterprise service for 2 different startups. Hopefully the service doesn't start to suck. I'm already scouting alternatives.
We were in a similar situation a few months ago when Mitro announced that they were shutting down their service.
Mitro's owner being really nice, they open-sourced the browser extensions, server and mobile applications so we used them to run our own: https://passopolis.com/
We plan to keep the code open-source and we're working hard at the moment to introduce the organisation feature useful for start-ups. We plan to make the organisation feature a premium service so we can justify running and improving Passopolis for as long as it stays useful.
LogMeIn has many years of experience securing their remote management software, something that has incredible potential for malicious activity. They seem like a good candidate for keeping LastPass secure, based on their reputation from a technical standpoint.
442 comments
[ 3.2 ms ] story [ 323 ms ] threadMy first reaction was to chuckle. I wonder how LastPass will change given the new ownership. We switched over to this at work almost a year ago, after trying to determine a password management strategy for years, and it's worked fairly well, although it hasn't sold me on switching from Keepass for personal use.
I'll be interested in what the Hacker News community thinks about this.
For everyone else, I hope they don't butcher the free version like they did with LogMeIn.
Now they also seem to be notorious for price hikes, although I have no first-hand experience. I'm a LastPass Premium subscriber and have enjoyed using it, but I'm worried about what the future holds now.
We then went down to the 'Central' version of LogMeIn, as it still provided remote access capabilities (which was all we wanted) and were able to save a bit of money. Well, two months later they billed us the full renewal price of the old product ($2499) and it took us 6 months of back and forth with them to refund that.
I hear a lot of good things about 1Password, which seems to work for my iPhone/MacBook. Anyone know if there's a reasonable option for using it on Windows?
https://agilebits.com/onepassword/windows
https://agilebits.com/onepassword/extensions/
(There's an official Android client too, which wasn't mentioned above)
Even with LastPass offering 2FA, its just that, authentication, its not used as part of the encryption/decryption process (I did read somewhere it helps with your local cached copy, but it doesn't effect the copy stored on their servers)
If you wanted to use your YubiKey with 1Password, you could set a static password and 'split' your master password (half you remember, the other half is keyed in by the YubiKey)
Why doesn't makes sense in a mobile device?
> Even with LastPass offering 2FA, its just that, authentication,
Like Touchid
They also have bundled licenses for both platforms.
[1]: https://discussions.agilebits.com/categories/windows-modern-...
They tell of good fortune for the owners of the thing that has been sold, but never tell the users what's in it for them. And that's usually because there is nothing in it for them.
What am I supposed to be happy about?
Second, why do they owe you anything? Either you are a free user, at which point you don't really have a whole lot of say in what they do with their own company, or you are paying $12 for a stellar password manager, which I would say is definitely worth it.
I am not exactly a fan of LogMeIn, and I do really like LastPass and use it every day, but if they chose to sell their company and cash out, good for them. If the service somehow becomes bad, I will move onto one of many alternatives, though this time probably an open source one.
Because I not only paid US$12,00 to them, but I have also invested time and thought in building habits and procedures based on their service.
If they their service becomes unworthy or cumbersome, or if I have any reason to distrust them, I'll have to look elsewhere, not only costing me time, but also giving me uncertainty and possibly having to choose a new service. And, if I have chosen Lastpass, is because I believe other services are not worth as much.
In short, while this change to LastPass might not be good for you (or me) in the long run, I don't see why they'd have any responsibility to consult you or me about whether to sell to LogMeIn. We are customers, not shareholders.
I don't understand the point you're trying to make here. Their product is SaaS; by definition to use the product requires consuming their computing resources--that's what they're selling! Unless you're honestly of the mentality that companies have moral standing to tell you to eff-off once they have your money. But I don't think you are, so please clarify.
To answer your question, LastPass's popularity is largely due to word-of-mouth. People used LastPass because they liked it, they liked its ease of use, they liked what they perceived to be the honest nature of the company. Because people like the average user on HN, who are likely the "Tech guy" for all of their immediate friends and family, tell their families to use LastPass and help them set it up. When you piss off the guys who evangelized your product, you're not just losing his business; you're potentially losing the business of everyone whom they recommended it to.
Case in point, I convinced my girlfriend to start using it (she fortunately got 6 months for free via a student email and hence will suffer no monetary loss if we decide to switch) and was considering telling my family about it, but now I'm having second thoughts. And considering this is, again, a subscription model, the "Haha, we already have your money!" model only works for one year. The projected revenue based on the expectation of renewals, however, goes out the window.
Of course this sale to LogMeIn might mean the end of LastPass as a reliable and easy to use password manager. Of course it might cause you and me to spend time looking for an alternative solution, setting it up, etc. I am saying that none of that is LastPass's team's problem and I don't think that even a paid subscription for their service buys us the right to be consulted on their corporate strategy.
If there's one business I REALLY do not want to be moving about, and I want as little churn as possible for, it's a password manager.
The thing I liked about LastPass was that it seemed like the highly geeky, less startupy approach to password managers, more likely to be run for the long-term, less likely to be at risk of an acquisition.
Going to look into Dashlane.
For me, I use a plaintext file in a Truecrypt archive because I'm a massive dweeb.
http://www.zdnet.com/article/truecrypt-critical-flaws-reveal...
Highly useful to be able to have access groups like "team" (everyone, things like Zendesk) "team-secure" (stuff with CC's, like Amazon), "dev" (general dev accounts), and "dev-secure" (compose.io access and the like).
Makes it way faster to onboard new folks, and when people leave, to cleanly strip access and change passwords.
The open source tools don't solve for those kinds of use cases, as far as I know. Just "I have one computer, and want to store my passwords on that one computer."
Also, no way I would do anything important on my phone. These things seem to be about as secure as sieves.
I've yet to find any open source software that does team management. Even multiple open source tools that work together to create this functionality would be great.
The server and the chrome/firefox extensions that are opensource (https://github.com/WeAreWizards/passopolis-server, https://github.com/WeAreWizards/passopolis-extensions).
Right now it's mostly for us and other mitro escapees to continue using it so we didn't bother with the site design or the mobile apps. The exact feature you mention would be the first one to be done if we decide to monetize it though ! It would say opensource as well.
Of course there is the argument that since it's open source it's safe since someone has "audited" it, but many times that's not true.
And even then unless you spend a lot of time trying to break it so you understand it completely you are way better off just writing your own solution, but that takes time and effort
I'm basically preparing to bail on lastpass with this news but need to have all my bases covered.
I just save+sync passwords in Firefox and use a strong master password. I (usually) only need to paste the password from Keepass once unless I elect to not save it (such as with financial logins).
> does it work on ios?
Google seems to return lots of results for iOS Keepass apps. You'll want to vet them on your own. I use KeePassDroid on Android and like it well enough.
I forgot about my nexus tablet but android is the other thing to have a look into.
There are multiple KeePass clients on iOS and just about all of them support things like Dropbox sync.
A curses-based CLI for KeePass, KeePassC was just recently on HN: http://raymontag.github.io/keepassc/
I'll look at some of this tonight thanks!
[1] - https://www.duosecurity.com/blog/breaking-down-the-probable-... [2] - https://www.dashlane.com/password-generator [3] - http://www.themooltipass.com/
It is more expensive than Lastpass, but this news suggests Lastpass was underpriced for a long time.
Big fan of Dashlane's 2FA with Authy. Really easy to share passwords securely around my organization too.
Not having a Linux client is a real miss though, I also kept Lastpass because the Linux integration is seamless.
After reading the article (and then reading it again) I'm not left feeling confident that this is in any way positive for me as a LastPass Premium and Xmarks customer.
In particular the vague line about, "As we become part of the LogMeIn family over the next several months, we’ll be releasing updates to LastPass, introducing new features..." To me, LastPass is feature complete. So either I'm going to have a mind blowing, I never knew I needed that, moment, or more likely some sort of bloated crap is going to get shoe horned into LastPass.
I hope they don't ruin LastPass also, but from here on out I'll be intensely skeptical.
https://github.com/zerotier/ZeroTierOne
https://www.zerotier.com/
Also does a lot of other things, and is evolving into a full-fledged SDN layer. If you don't want to use the pretty GUI they give you to create/manage networks you can run your own 'network controller' -- see READMEs in GitHub.
You're reading Hacker News. You know what "exit" means.
I also agree with colinplamondon's comment "The thing I liked about LastPass was that it seemed like the highly geeky, less startupy approach to password managers, more likely to be run for the long-term, less likely to be at risk of an acquisition."
So the thought of them seeking an exit never crossed my mind.
Logmein is still in business, and buying companies. At first blush it seems like they'd be a good company to have a stake in.
But it doesn't appear to have anything like Lasspass's autofill on android that supports the fingerprint reader.
And I literally just migrated all of my stuff from KeePass to LastPass like two weeks ago.
Back to the drawing board, I suppose.
My devices - Linux Desktop, Laptop, Windows 7, 8 and 10 Machines at work, Android Phone, iPad (Work)
Lastpass worked on all of them. The only alternative I could find was Keeper https://keepersecurity.com that worked with all of my devices.
Anyone have experience with Keeper Security?
Wondered if people have experience with them.
And I've already got spider sense tingles about them... lack of SSL cert for a security company? No pricing info? No "About Company"?
http://enpass.io/apps/android/
So for me that is $20 for iPad and Android BUT my iPad is a company product that is likely to switch on me shorty with an upgrade.
So this might not work if it is $20 per platform per personal and business use.
From the LogMeIn investor release[1]
Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.
1. (https://investor.logmeininc.com/about-us/investors/news/pres...
https://investor.logmeininc.com/about-us/investors/news/pres...
From the LogMeIn investor release[1]
Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.
1. https://investor.logmeininc.com/about-us/investors/news/pres...
I would caution, then, that any interviews given by any staffer to the effect of "LastPass is not changing, your data is perfectly safe with LogMeIn, the prices will not skyrocket, etc." over the next few months should be taken with a grain of salt, since they quite literally have $15 million riding on you not leaving.
I'm blown away, I've been a fan since day one because of it's simplicity and availability.
I am torn between waiting to see what happens and giving them the benefit of the doubt and just changing all my passwords before Logmein can f--- me.
gratuitous- uncalled for; lacking good reason; unwarranted.
I feel that my comment falls into what I consider a fair statement about the severity of the situation. They have my passwords and could easily hike up their rates. This change may add features I didn't know I wanted, but thus far I'm happy with the way LastPass has been operating and I don't want a change.
I won't be doing that.
I'll tell you what I think. I was right; he was too negative; and folks feel threatened by that. Fits the data here pretty well.
"KeeFox connects Firefox to KeePass Password Safe"
Are they just bad at running a company or are you scared they will sell your data or similar?
Edit: I read some of the comments on https://news.ycombinator.com/item?id=10359491 and most of them have bad things to say about LogMeIn.
When you complain to LogMeIn and give them the details of the scammer, they couldn't give a rat's arse and just ignore you. Those kind of ethics do not belong with the owners of a password vault.
Source: Experience trying to report a bad actor.
I'm happy for the LastPass team that they were able to profit off their hard work, but I'm leery of what this means, not only for the hundreds of my passwords and notes LastPass has in its vault, but what sorts of "features" LogMeIn will want to forcibly integrate into the product--and then charge 50x my lowly $1 a month contribution.
What gets me down about this is the trust I had for the service LastPass provided. I appreciated their open and pre-emptive communication. They were willing to dive into the details of a possible issue and explain everything about it.
I understand why the users might have concerns with "LogMeIn", but well one should've expected (at least on this forum) that this is going to happen.
I know this isn't the most popular comment. But, what the heck, be happy for the LastPass team, they've worked their ass off. That's what this forum is for, isn't it ? We(hackers) are all in the same boat.
So hooray to the LastPass team and condolences to the LastPass customers.
Also, the valuation also seems low to me. Maybe LastPass was having trouble generating recurring revenue. It seems like going public would be a better route for security companies but maybe the revenue wasn't there for an IPO.
I've had a paid subscription for years and used their enterprise service for 2 different startups. Hopefully the service doesn't start to suck. I'm already scouting alternatives.
Mitro's owner being really nice, they open-sourced the browser extensions, server and mobile applications so we used them to run our own: https://passopolis.com/
We plan to keep the code open-source and we're working hard at the moment to introduce the organisation feature useful for start-ups. We plan to make the organisation feature a premium service so we can justify running and improving Passopolis for as long as it stays useful.