Log us out: Private equity snaffles Lastpass owner LogMeIn

Remote access, collaboration and password manager provider LogMeIn has been sold to a private equity outfit for $4.3bn. A consortium led by private equity firm Francisco Partners (along with Evergreen, the PE arm of tech activist investor Elliott Management), will pay $86.05 in cash for each LogMeIn share – a 25 per cent …

  1. Halfmad

    Ouch

    Time to look for alternatives then.. there's an el'reg article that needs a 2020 version!

    1. Khaptain Silver badge

      Re: Ouch

      Keepass is just fine..

      Web or Cloud versions of password managers are a complete no no... even more so when it involves an American company...

      1. Dwarf

        Re: Ouch

        +1 for KeePass

        When you need to supplement KeePass with password management on an iPhone or Mac, then look to KyPass. This is from a different developer, but it uses the same KDBX file format. Would be nice if it was a little slicker on the Mac (UI is a little clunky in places), but it's better than the other alternatives for KeePass on Mac (i.e. none)

        1. jonathan keith

          Re: Ouch

          Yup, the excellent (and FOSS) KeePass in use here. And plenty of splendid plugins to make it do, well, just about anything you need it, really.

          https://keepass.info/

          1. DropBear

            Re: Ouch

            +1 for KeePass. There's even a plugin working with a hardware USB dongle that can directly "type" your password (emulating a HID keyboard) into whatever you plug it into, straight from your phone...

            1. J. Cook Silver badge

              Re: Ouch

              Another +1 for Keepass.

        2. sbt
          WTF?

          better than the other alternatives for KeePass on Mac (i.e. none)

          KeePassX working fine here for years. It's open source, too.

    2. Tom Chiverton 1

      Re: Ouch

      PasswordSafe runs in Mac, Linux, Windows and android. Uses a single file you can sync with Dropbox, Nextcloud etc

      1. Zippy´s Sausage Factory

        Re: Ouch

        And it's by Bruce Schneier. This may be my new password solution...

        1. Khaptain Silver badge

          Re: Ouch

          "And it's by Bruce Schneier. This may be my new password solution..."

          Can't vouch for iPhone but it works great on Android and with Windows you only need to learn the following shortcuts on a daily basis:

          Ctrl+B = copy Username

          Ctrl+C = Copy Password

          Ctrl+V to paste into your application/browser as usual

          Ctrl+H = Hide or Show passwords on main screen.

          Been using it for many years...

          1. NetBlackOps

            Re: Ouch

            That's what I've been using since it came out. Dropbox integration works well, switching to NextCloud soonest.

        2. The Bloke next door

          Re: Ouch

          Bruce is not the author of keepass; his is called Password Safe.

          1. Zippy´s Sausage Factory

            Re: Ouch

            Yes, I was referring to PasswordSafe, not Keepass. I've tried Keepass and never really felt comfortable using it.

      2. Khaptain Silver badge

        Re: Ouch

        "Uses a single file you can sync with Dropbox, Nextcloud etc"

        Why on earth are you storing such things in the cloud ? Store a version on "your home" NAS/PC and sync with any suitable sync tool...

        1. Anonymous Coward

          Re: Ouch

          You mean like Nextcloud wot he mentioned...

        2. Paul Crawford Silver badge

          Re: Ouch

          "Why on earth are you storing such things in the cloud ?"

          If the file is at all competently encrypted then it should not matter how you sync devices as you still need a master password and, as long as the cloud provider lacks that, you are safe.

          1. Khaptain Silver badge

            Re: Ouch

            "If the file is at all competently encrypted "

            Encryption is only worthwhile when solid passwords/passphrases are used. I wonder how many people actually use a serious password for their Key Store....

            If you are anything like me, or a lot of others, you will be using the Key Store many times per day, I would hazard a guess that I use it around 20 times per day on a normal day. Because of this, I am not using a 27 letter, upper, lower, special characters, non repeating, non dictionary password. I can only guess how long it would take any of the 3 letter agencies to try a couple of million known passwords and get past my password. I wonder how many other are in exactly the same boat.... Hence my reasoning for not stocking such a thing in the Web/Cloud.

            1. Paul Crawford Silver badge
              Black Helicopters

              Re: Ouch

              Let's be realistic here. If you are a "person of interest" to any of the 3 (or 4) letter agencies they probably have a whole lot of other ways to get your info without identifying and brute-forcing your password manager:

              - Formally demand it of any web service you use (probably works for more than half of them, see PRISM)

              - Exploit back doors in to their systems to get it informally (smaller non-PRISM entities)

              - Exploit back doors to breach your system

              - Send round some goons with rubber hoses for some "advanced cryptography lessons"

              1. NetBlackOps

                Re: Ouch

                Simplest to either get physical access to the system or use any one of the most recent vulnerabilities they have popped up, ones that were never fixed (quite a few out there), or one that the user hasn't seen/installed an update for of which there are usually dozens. I use a very secure distribution and I know there are several outstanding vulnerabilities which haven't been patched at this moment. These things take time to spread.

              2. Trigonoceps occipitalis Silver badge

                Re: Ouch

                https://xkcd.com/538/

            2. NetBlackOps

              Re: Ouch

              I use PasswordSafe for the reason that Bruce Schneier was involved in its design and implementation, so I know it's as cryptographically secure as you can get. That, too, means I am more than aware of the risks of using simply defeated security. I don't do four digit PINs, nor simple passwords for unlocking my password store. Yes, it's a bit of a pain at the beginning but after a while, little thought is required in entering those long sequences. Confusing one tablet for the other is the worst problem I face in unlocking one. Wrong PIN. Not that I would ever "trust" a tablet.

              Secondly, if a nation-state is your primary threat actor, give it up. Either you aren't worth their time or you don't have the resources to counter any actions they may take with their billion-dollar budgets. That's reality. I know what they can do, I've worked with them professionally before.

              [Worse in my case. I have the NDA from hell and with a mere signature, I'm back in uniform and they can bloody do whatever the fuck they want to me.]

            3. Darkk

              Re: Ouch

              Use keyfiles in addition to your password to make it harder to brute force the password alone. I have this on my Android devices, Linux Mint PC and Windows 10 PC.

              1. NetBlackOps

                Re: Ouch

                I don't understand the down vote, but someone came through and carpet bombed all the 0 down vote messages on this topic, so there you are. Anyway, anything to shake up the mix when it comes to accessing into a cryptographically secure file is something to take advantage of against, at the least, the talented amateurs.

                What was once the realm of TLA's, then the realm of Ph.D.'s, becomes soon the realm of the script kiddies not much later. Again, that's reality.

                1. ThatOne Silver badge
                  Facepalm

                  Re: Ouch

                  > I don't understand the down vote

                  Don't worry, somebody is apparently bulk downvoting any mention or thread about Password Safe.

                  For the record, Password Safe is great. The original, Counterpane version is what brought me to password managers many, many years ago. (Here are my own 2 downvotes coming...)

            4. russmichaels

              Re: "The former policy wonk -

              If the user is incompetent enough to still be using a weak password for the password manager, then all your suggestions are moot. Such a person is likely to have bad security everywhere, so storing it locally won't be any more secure for them.

              Storing it in the cloud encrypted with a strong password, with multiple levels of backup/redundancy is fine for the rest of us who do not want to risk a local disk failure and losing all our data.

            5. Brangdon

              Re: I use it around 20 times per day

              I'd recommend using a pass phrase instead of a password. For example, you will probably find that you can type a phrase like "I wonder how many other are in exactly the same boat" pretty quickly, because it is English words spelt correctly and you are probably good at typing that kind of thing. You will get quicker by practising it 20 times a day. You can even type it easily on a mobile phone or device without punctuation keys. At 11 words it probably has around 121 bits of entropy; maybe less because it is (almost) grammatically correct, but still not bad and better than what you are currently using by the sound of it. By all means make it longer, and/or throw in a few obscure words that wouldn't be found in a 2048-word dictionary. Don't use a line from a song or book.

              This would be good advice for online passwords, too, but those often have silly length restrictions. For a password database there won't be such restrictions, and you really do want something strong.

            6. Ade Vickers

              Re: Ouch

              So use a phrase based password. Four random words, separated with a random non-alphanumeric character; one word of the four in caps, e.g. register;COMPUTER;bonus;crackthatyoubastards

              Easy to remember, will take a computer years to brute force it.

        3. Anonymous Coward

          Re: Ouch

          Is it possible to store in the cloud using some kind of 2FA either with the password app or with the cloud store so the initial password doesn't need to be stupidly long and difficult?

          1. FrogsAndChips

            Re: Ouch

            KeePass has several plugins which will allow you to use 2FA for your master database.

        4. Scene it all

          Re: Ouch

          With a backup on an SD card in your home safe.

      3. Darkk

        Re: Ouch

        I use KeePass for my android devices, Linux Mint PC and Windows 10 PC. I keep the database sync'd with NextCloud running at home. Works very well.

    3. fidodogbreath Silver badge

      Re: Ouch

      Sticky Password is a bit more feature-rich than Keepass, and it gives you the option of syncing to their cloud or to a local share that you specify. You can usually get a lifetime multi-device license for dirt cheap on sites like StackSocial or Sharewareonsale.

      1. Michael Wojcik Silver badge

        Re: Ouch

        I like Sticky as well, in part because they support a wide range of browsers. Their plugins work with Pale Moon and Comodo Dragon, for example. The app is pretty configurable; you can enable or disable integration with non-browser applications, for example. (You can always have it copy credentials to the clipboard - the integration just lets it insert directly into input controls.) And it offers cloud-based encrypted synchronization,[1] synchronization over your local network, or no synchronization at all, depending on your preference.

        They also donate a portion of their profits to saving manatees. I don't especially care about manatees, to be honest, but I like that because it ought to annoy some of the people who annoy me.

        [1] I have no problem with cloud-based synchronization with proper encryption and a decent key. (I use a long but easy-to-remember passphrase as the master key.) I don't think highly of threat models which consist of "oh lawks everything with 'cloud' in the name is automatically an unacceptable risk!". That's cargo-cult security. Get a real threat model.

  2. SimonAldrich

    Bitwarden

    I can recommend Bitwarden. It's open source, has apps for all the platforms I use and you can self-host if you choose.

    1. Steve 53

      Re: Bitwarden

      I've moved from LastPass to Bitwarden. Lastpass have upped prices year after year and provided very little by way of enhanced user experience as a result - which might explain why they're making such substantial profit by revenue. It felt very dated when I moved in April.

      Bitwarden is less than 1/3rd of the price for premium, offers a solid set of features and has a noticeably nicer UI (IMHO). Self hosting is obviously a bonus, but I'm happy to have them host for me.

      I've suggested a number of friends (mostly technical) move from lastpass to bitwarden, and they've all been happy.

      1. stuartnz

        Re: Bitwarden

        A ditto from me, too. A BOFH friend I've known since he was more PFY than BOFH recommended Bitwarden to me last year, and I'm pleased I took his recommendation on board. And just to be on the safe side, my l33t Master Phrase is ROT13'd.

        1. hazzamon
          Coat

          Re: Bitwarden

          Pfft, if you want ultimate security, try ROT26.

          1. A K Stiles
            Joke

            Re: Bitwarden

            excellent - twice as secure.

          2. DavCrav

            Re: Bitwarden

            You don't fool me. I'll stick with my two rounds of ROT13.

            1. DropBear

              Re: Bitwarden

              I still think XORing with a guaranteed random stream coming from a hardware noise source is more secure. Twice with the same stream of course, to be extra sure...

            2. Montreal Sean

              Re: Bitwarden

              @DavCrav

              Your two rounds of ROT13 have nothing on my ROTTWEILER method. He won't let anyone near the list pinned to his collar.

  3. Alister

    Not just a password manager, but we use PasswordState from Click Studios

    It integrates with Active Directory, and as well as password management it allows you to start SSH or RDP sessions from within the browser so that staff can connect to a resource without ever knowing the credentials. It also rigorously audits and logs every change made, and every access to information made by any user.

    No connection, just a happy customer.

  4. JakeMS
    Thumb Up

    KeePass

    For some reason my gut always had me avoid LastPass sadly.

    I've always been partial to KeePass. So if you're looking for a new home I recommend it! You can use many methods to sync with Android and your computer.

    Latest version of KeePassXC for Linux has impressed me a lot, because I can finally ditch gnome-keyring for evolution. (It allows to select a group of PWs to act as system keyring, so KeePass stores evolution's passwords, not gnome-keyring)

    Then there's the auto unlock and add SSH keys to ssh-agent when unlocking the pw database, and automatically removes them from the agent (lock them) when DB is locked or closed which is also super useful.

    Overall makes my life a lot easier...

  5. Anonymous Coward

    Or you could, maybe, possibly, perhaps...

    Why not simply remember your passwords? Systems won't share them so you can use the same root for all with site- or service-specific parts on all of them and the only ones you will need to worry about are those that don't let you set your own.

    1. Ragarath

      Re: Or you could, maybe, possibly, perhaps...

      I only run a smallish site and I have hundreds of passwords for the services I have set up. There is no way I can remember them all at 12 characters and properly random.

      Even using passphrases for them all is not going to help in that manner and still with some services not properly allowing spaces or certain characters.

      Remember too that this is after having to remember all my personal passwords (which I do just use my memory for) for all my services.

      1. Claptrap314 Silver badge

        Re: Or you could, maybe, possibly, perhaps...

        I'm pretty sure that 12 characters is no longer considered enough.

    2. Anonymous Coward

      Re: Or you could, maybe, possibly, perhaps...

      I think you forgot the joke icon :-) Or did you click submit to that post in 1970 and it only just appeared?

    3. Captain Scarlet Silver badge
      Stop

      Re: Or you could, maybe, possibly, perhaps...

      I have been bitten by using <Mypassword>@Amazon before, it doesn't work in this day and age.

      I have the memory of a bloke, so at most I can remember 4 complex passwords.

      I only have my personal email password and a separate password for work, separate password managers for both and separate passwords for the password managers. If I need access to something I can't remember the password for I just do a password reset.

    4. brainyguy9999

      Re: Say, what?

      Not to offend, but that is absurd. I have over 500 different UID/PW combinations in my password manager. Most of them are 15+ character randomized complex passwords. At work we have an in-house password manager with nearly that many more for equipment, applications, and support websites. Trying to remember all of those would be impossible unless you had eidetic memory (which I do not). And suggesting using the same password for multiple sites is begging for trouble. There is no way I'm going to use the same password for Papa John's and my bank. And my employer won't let me set all of the admin passwords to "IL0veH@mburg3rs!". I've asked.

      1. A K Stiles
        Joke

        Re: IL0veH@mburg3rs!

        That's an excellent password - I shall add it to the list for the next time the system times out the current one and compels yet another change!

    5. JohnFen

      Re: Or you could, maybe, possibly, perhaps...

      "Why not simply remember your passwords?"

      I have a few dozen dozen long, randomly generated passwords for various things (ignoring web site logins, etc.). While I certainly remember the three I use the most, it's beyond my ability to remember them all. A password vault (or a written list of the passwords, but vaults are encrypted) is a necessity.

      That said, I wouldn't use any that communicate over the network.

    6. Charles 9 Silver badge

      Re: Or you could, maybe, possibly, perhaps...

      "Why not simply remember your passwords?"

      Now was it correcthorsebatterystaple or donkeyenginepaperclipwrong? Some of us just have bad memories and CAN'T remember a password to save our lives. Are we simply screwed?

    7. J. Cook Silver badge

      Re: Or you could, maybe, possibly, perhaps...

      ... because having a password for each of the 100+ sites (not including ones I use for work) is more than burdensome, and even if one does what you are suggesting, it's bad practice, because when one of the sites you use gets hacked and the passwords dumped to the internet, your root is now compromised along with the method for salting it.

      It may be a pain in the buttocks at times, but a password manager program is an essential in these enlightened times.

    8. AndyD 8-)₹

      Re: Or you could, maybe, possibly, perhaps...

      ... or ... remember a couple of simple passwords for unimportant sites, and one very long passphrase for a truecrypt'ed list of important passwords?

      1. Anonymous Coward

        Re: Or you could, maybe, possibly, perhaps...

        There's no such thing as an unimportant site. Just about any site can be leveraged in things like social engineering attacks to reach more lucrative sites.

  6. Andy Non
    Happy

    Call me old fashioned

    I keep encrypted documents on an encrypted drive on my computer containing all my passwords (100+), all of which are excessively long and complex and beyond my ability to remember. All of which get backed up regularly to encrypted media in my own possession. No cloud backups for me. I don't need to trust any third parties. It may take me a few seconds longer for me to get at the passwords for my bank etc, but so what?

    1. Anonymous Coward

      Re: Call me old fashioned

      old fashioned

      1. Yet Another Anonymous coward Silver badge

        Re: Call me old fashioned

        I have them written on a post-it note on the monitor

        Try hacking that, Cyber-Ninjas !

        1. Tom 35

          Re: Call me old fashioned

          Had a guy in sales that did the sticky note on his monitor, seems someone took his pen and changed a 3 to an 8 and he couldn't log on... He upgraded his security by moving the sticky note to the bottom of his keyboard.

          1. Yet Another Anonymous coward Silver badge

            Re: Call me old fashioned

            Obviously you need security rules to restrict access to writing instruments.

            I believe this is called pen testing

          2. Trigonoceps occipitalis Silver badge

            Re: Call me old fashioned

            In the organisation writing down passwords was strictly forbidden, probably a sacking offence. During log-on a clerk produced a folded piece of paper to consult.

            When challenged his reply was "It's only written in pencil!"

            True

            1. Charles 9 Silver badge

              Re: Call me old fashioned

              What did they do when it was done by someone high enough to be sack-proof?

        2. phuzz Silver badge
          Thumb Up

          Re: Call me old fashioned

          For older relatives who would struggle with a password manager (or even copy/paste), I sometimes recommend a notebook with the passwords written down.

          Although it's vulnerable to getting lost or stolen, it is completely secure against hacking.

          Of course, you still have to worry about phishing...

          1. Anonymous Coward

            Re: Call me old fashioned

            You can actually buy password books. Another recommendation for older relatives.

            1. Charles 9 Silver badge

              Re: Call me old fashioned

              How do you keep someone with REALLY bad memory from losing the book?

              1. DJV Silver badge

                How do you keep someone with REALLY bad memory from losing the book?

                Tattoos - unless they are also prone to losing their arms and legs.

                1. Charles 9 Silver badge

                  Re: How do you keep someone with REALLY bad memory from losing the book?

                  Already full of them--Nam vet.

          2. JohnFen

            Re: Call me old fashioned

            For many years, I kept my passwords written down. Two copies, even -- one in my wallet and one in my home safe.

            I've never understood the problem with this. Sure, it's an attack vector -- but writing them down meant that I could use more secure passwords, so it seems to me that, on balance, it led to greater security. And if my wallet was ever lost or stolen, I still had the backup list so I could go through and change all the passwords.

            I don't write them down on paper anymore, though. I use the modern equivalent -- a standalone password manager on a portable device.

            1. jelabarre59

              Re: Call me old fashioned

              I don't write them down on paper anymore, though. I use the modern equivalent -- a standalone password manager on a portable device.

              I *used* to have that (GNU-Keyring on a PalmOS device) which even synced to JPilot on my home computer. Unfortunately any PalmOS devices I still have are long since dead, sync no longer works under Linux (and was a severe PITA to get working even when it was still current), but at least I still have the local backup in JPilot.

        3. Flywheel

          Re: Call me old fashioned

          You mean the monitor with the webcam and the mirror on the wall behind you?

          1. Anonymous Coward

            Re: Call me old fashioned

            "You mean the monitor with the webcam and the mirror on the wall behind you?"

            Oh no, I have a web cam and there is a mirror behind me. I must move the post-it notes.

            Darn, too many to go on the bottom of the keyboard and it's hard to type them in with the keyboard upside down.

            Time for plan C...

        4. Steve K

          Re: Call me old fashioned

          My first contract was at HMRC and one of the users' password was "Compaq" as that's what was on the monitor bezel right in front of him.....

          I hope that his monitor didn't get swapped out for an Iiyama as he'd never have worked out whether it was a lower-case L or an "I".

          (If you're reading this Les, hang your head in shame....;-))

          1. DropBear
            Facepalm

            Re: Call me old fashioned

            I can one-up you on that: what one business, now defunct (for completely unrelated reasons if you must know) used for multiple decades for absolutely all passwords on anything was several simple combinations of its own name and a random brand name they had on a large batch of mouse pads acquired at some point in the past. To the best of my knowledge, they were never ever compromised. Not defending the practice, mind you - I'm saying all this amidst some heavy Picard-facepalming in a "what can one get away with" sense...

            1. Anonymous Coward

              Re: Call me old fashioned

              Place I used to work, we always had a login on client systems, and it was always the same: Username was our company name, password was the MD's first name, backwards. All four letters of it. And that was better than most of the users' passwords.. Not a massive problem when there was no external access, but some sites wanted remote support, so we'd hang a modem on the server. Anybody who dialed in immediately got a welcome screen that, among other things, indicated who had supplied the system...

              But this was simpler times.. When I left we were just putting in internet connectivity, with vpn to get access. That allowed better passwords..

          2. phuzz Silver badge

            Re: Call me old fashioned

            It's not a terrible idea, it's just a poor implementation.

            For a while my main password was based on the lyrics to a song, from an album that I could see from my desk. Song lyrics are good because most people can remember them quite well, and they can be arbitrarily long. If I was a bit hazy, I'd look up, see the album cover, think of the song, and be able to reconstruct my password.

            (Either type the whole lyric out as text ("imabelivericouldntleaveherifitried"), or use some sort of substitution (eg 'I' becomes 1). Lines from books/plays/films etc. could also work, just don't make it too obvious (ie, if you're a Star Wars fan, don't crib the obvious lines).)

            1. Anonymous Coward

              Re: Call me old fashioned

              For a while my main password was based on the lyrics to a song, from an album that I could see from my desk.

              Anime series titles, using their Japanese titles in 'romaji'. Mixed case, substitute numbers for letters as needed. Additionally, the hiragana for 'no' (an equivalent of the English preposition "of") looks similar to the "@" character, "ku" looks similar to the ">" character. So mix those in where possible.

              Or you can just use your favourite "ships" for a passphrase.

          3. ThatOne Silver badge

            Re: Call me old fashioned

            Well, I must admit I did something similar about 20 years ago, by choosing a serial number I could glimpse through the front grille of a minibar-sized SGI server besides me (CPU module serial IIRC).

            The rationale was that everybody accessing that server locally needed to know that password, but we didn't want to write it down either. Also losing it wasn't an option, so the barely visible serial number was perfect: Long, letters and numbers, easy to remember, and tied to the machine. Note that server wasn't connected to the Internet and the data it contained was very important to us, but not worth stealing.

            1. JohnFen

              Re: Call me old fashioned

              Me too, in my early naive days. Except I didn't use a serial number, I used the ISBN number of a book that I kept near the computer. Later, of course, I learned better.

              1. ThatOne Silver badge

                Re: Call me old fashioned

                > I used the ISBN number of a book that I kept near the computer

                Well that sounds like a fairly secure password to me. Mostly because, even if somebody guessed that this book contained the password, he needed to guess it was the ISBN number (as opposed to any other piece of text in that book, which most likely contained a lot).

                So your password was hidden in plain sight, and the difficulty wasn't in getting the information, but in finding the right information. The greatest danger was the lucky guess.

                1. JohnFen

                  Re: Call me old fashioned

                  ISBNs are poor passwords because they're very far from random. The search space required to crack one is much smaller than it appears on first glance.

          4. Anonymous Coward

            Re: Call me old fashioned

            My first contract was at HMRC and one of the users' password was "Compaq" as that's what was on the monitor bezel right in front of him.....

            One test lab, where the corporate image we used on the machines feeding test scripts to the big systems required passwords, we used the serial number clearly printed on the front of the systems.

    2. FrogsAndChips

      Re: Call me old fashioned

      Fine if it suits you.

      Me, I couldn't live without the convenience of my PM which lets me organize my entries as I wish and retrieves them very fast, has auto-type, allows me to change passwords with the same rules as the previous one, can work offline but also allows me to sync across all my devices...

  7. Pascal Monett Silver badge

    Time to add an "import from LastPass" option

    All password managers that don't have that option today would do well to add it pronto.

    LastPass is going to have to do a recount of its user base come June next year. It might well get a nasty surprise.

    1. Huw D

      Re: Time to add an "import from LastPass" option

      As a friend of mine found out today, Dashlane is particularly rubbish about imports from LastPass if the password contains a double quote.

      1. Roland6 Silver badge

        Re: Time to add an "import from LastPass" option

        LastPass is actually a little rubbish on exporting passwords and form data...

        The best way to ensure you export your passwords complete with all the special characters is to download LastPass Pocket (4.0.0 was current as of 17-Sep-2019) - not currently listed on the LastPass website but available from reputable file sharing sites.

        Useful resources:

        https://help.bitwarden.com/article/import-from-lastpass/

        https://support.logmeininc.com/lastpass/help/lastpass-via-usb-lp060004
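
The import failure described in the comments above (a password containing a double quote) is a CSV quoting problem. As an added example, not code from LastPass, Dashlane or any commenter, here is a round-trip check to run on an export before retiring the old vault; the column names and entries are constructed, and the embedded-newline case goes beyond what the thread mentions.

```python
import csv
import io

# Constructed sample entries; the column names are an assumption for illustration.
FIELDS = ["url", "username", "password", "name"]
ENTRIES = [
    {"url": "https://example.com", "username": "alice", "password": 'pa"ss,word', "name": "Example"},
    {"url": "https://example.org", "username": "bob", "password": "line1\nline2", "name": "Multi-line"},
    {"url": "https://example.net", "username": "carol", "password": "plain-Passw0rd", "name": "Plain"},
]

def export_csv(entries):
    """Write RFC 4180 style CSV: every field quoted, embedded '"' doubled."""
    buf = io.StringIO(newline="")
    writer = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(entries)
    return buf.getvalue()

def import_strict(text):
    """Parse with a real CSV parser that understands quoting and embedded newlines."""
    return list(csv.DictReader(io.StringIO(text, newline="")))

def import_naive(text):
    """The kind of importer that breaks: split on newlines and commas, strip quotes."""
    lines = text.splitlines()
    header = [h.strip('"') for h in lines[0].split(",")]
    rows = []
    for line in lines[1:]:
        cells = (c.strip('"') for c in line.split(","))
        rows.append(dict(zip(header, cells)))
    return rows

def damaged_entries(original, imported):
    """Return the names of entries whose password did not survive the import."""
    by_name = {row.get("name"): row.get("password") for row in imported}
    return [e["name"] for e in original if by_name.get(e["name"]) != e["password"]]

if __name__ == "__main__":
    exported = export_csv(ENTRIES)
    print("strict parser damaged:", damaged_entries(ENTRIES, import_strict(exported)))
    print("naive parser damaged: ", damaged_entries(ENTRIES, import_naive(exported)))
```

Comparing every imported password against the source, rather than just counting rows, is what catches the silently truncated entries.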

  8. Anonymous Coward

    Google

    I looked into LastPass a while ago but have stuck with keeping things stored and sync'd in Chrome. Is that bad?

    1. Locky
      Coat

      Re: Google

      Icon requires correction...

    2. Alister
      Facepalm

      Re: Google

      Is that bad?

      See icon...

      :)

    3. Huw D

      Re: Google

      Bad doesn't come close :D

    4. magicaces

      Re: Google

      I had a look at password managers too but could not bring myself to pay for one. I use Chrome and I know it's probably not the safest but it's not like Google are just handing the keys over to people.

      What I don't understand is what's the difference between Chrome and say LastPass? KeePass is local only? But then how do you get passwords when logging into your phone say?

      1. FrogsAndChips

        Re: Google

        KeePass can open a local or a remote database (FTP/HTTP supported natively, other storage methods supported via plugins). If you have several devices, you can sync between them using various methods.

      2. Dan 55 Silver badge

        Re: Google

        You sync the password file with the file on your NAS.

      3. Roland6 Silver badge

        Re: Google

        >I had a look at password managers too but could not bring myself to pay for one.

        Well Lastpass Free will provide you with all the functionality of Chrome and some.

        >What I dont understand is whats the difference between Chrome and say lastpass?

        The Chrome password manager will only work in Chrome - so if you are happy to only use Chrome across all your devices then not a problem, if however you want to also use say Firefox or Yandex then you'll need products like Lastpass. Likewise, if you are wanting to use the password manager outside of the browser.

        >KeePass is local only? But then how do you get passwords when logging into your phone say?

        The choice is either use a networked password manager such as Chrome or Lastpass for which you can install clients across all of your devices and leave it to sync all your devices, or use KeePass and configure up your own device sync. mechanism.

  9. Anonymous Coward

    I keep mine under a rock near my back door

    It's a very convincing rock...

  10. Anonymous Coward

    "both our core and growth assets"

    I am amazed how easily these guys can come up with bull shit.

  11. Josco

    No one has mentioned Dashlane

    I'm worried now that I may be missing something important.... Is Dashlane bad?

    1. JohnFen

      Re: No one has mentioned Dashlane

      I am unaware of anything bad about Dashlane. I'll bet that there are people here who use it.

      1. JohnFen

        Re: No one has mentioned Dashlane

        To the person who downvoted my comment -- I assume that was because you are aware of something bad about Dashlane. Please reply and say what it is. That kind of thing would be important for me (and others) to know!

    2. Mellifluous
      Meh

      Re: No one has mentioned Dashlane

      Just comparably expensive!

      1. itzumee
        Thumb Up

        Re: No one has mentioned Dashlane

        I use 1Password, it's fully featured and costs me around 30 quid per year, no issues with it so far...

        1. Richard Parkin

          Re: No one has mentioned Dashlane

          1Password for many years. Fingerprint used on iDevices, never a problem. I don’t understand the reluctance to pay for a password manager.

          1. Charles 9 Silver badge

            Re: No one has mentioned Dashlane

            KeePass is FOSS, and you can never fully trust a third-party cloud. It's a service, and services inevitably have lifespans.

    3. IGotOut Silver badge

      Re: No one has mentioned Dashlane

      A downvote on the Reg is standard practise.

      If you don't get at least one, go back and check you pressed the submit button.

      1. mr-slappy

        Re: No one has mentioned Dashlane

        You're absolutely right, but I downvoted you anyway, on principle.

        And it's "practice."

        1. Dagriffi58@gmail.com

          Re: No one has mentioned Dashlane

          It just didn't seem right that your comment had no down vote. I hope that you can return the favour. ;)

  12. Alistair
    Windows

    Last Pass will be helping you to SAVE MONEY now

    and charge by character entered by the application!

    (okay, yeah, I shouldn't give the vulture capitalists ideas)

  13. erikscott

    It's 2^32 dollars. Coincidence?

  14. Doctor Syntax Silver badge

    "the PE arm of tech activist investor Elliott Management"

    Just as well I never saw the point of a password manager on somebody else's computer.

  15. a_yank_lurker

    Taps

    Another one bites the dust in a couple of years. Vulture crapalists are not interested in building the company as that costs money up front. So look for LastPass to wither on the vine and slowly be forgotten as competitors overtake them. They will probably linger for a while until they are executed.

    1. Dan 55 Silver badge

      Re: Taps

      I look forward to it turning into the Bonzi Buddy of password managers.

      1. J. Cook Silver badge
        Joke

        Re: Taps

        *hisses and digs out the holy water(coffee), staves, and garlic*

        We do not speak of such things in public!

        1. J. Cook Silver badge
          Go

          Re: Taps

          For what it's worth, my company uses an on-prem installation of Thycotic Secret Server; it does what we want it to, and has a boatload of features that might interest people.

          (not a paid shill, just a happy customer.)

  16. Captain Boing
    Devil

    gets its claws into everything

    I de-installed LMI years ago...

    some time after I was doing registry cleanup... couldn't believe the number of logmein hits I got when searching.

  17. Anonymous Coward
    Trollface

    Here to collect the downvote.

    Someone has meticulously downvoted every comment on this thread/forum. I wonder if Reg would block/ban them just for spamming?

    1. Antonius_Prime
      Big Brother

      Re: Here to collect the downvote.

      Up to about 4 hours ago, my time, anyway. (12:30pm GMT, in wintertime. DO THE MATHS AMERICANS! XD )

      Possibly a gruntled LastPass employee?

      Gruntled because if they were disgruntled they'd downvote the ones praising LP.

    2. JohnFen

      Re: Here to collect the downvote.

      No downvote from me. Let this old joke explain why: the masochist says to the sadist "Please hurt me!" With a wicked grin, the sadist says "no."

  18. max allan

    Any full feature alternatives?

    As a corporate user, have been gradually more annoyed with LastPass.

    They seem to be deprecating useful features and replacing them with new features that don't work. (See their new SSO replacement for SAML and its total lack of CLI access and that the "SSO Apps" are not in your Vault, like everything else, so you can't search for them from the plugin button.)

    I am looking for something that does SAML SSO and can do AWS CLI login. As well as sharing passwords between the team. (so that next time something goes wrong, we aren't stuck waiting for the one person that has the root/admin password to come back from leave)

    Anyone know if DashLane can do it?? (Particularly the AWS CLI SAML login!!)

    1. croc

      Re: Any full feature alternatives?

      try radius...

  19. Martin hepworth

    why is this an issue

    They can't get at my password vault, it's secured by my master password.

    Why is the sale a security risk? The legislation under which they operate doesn't change that much given US law, unless they move the State they are HQ-ed in.

    1. Tim 11

      Re: why is this an issue

      Theoretically they could change the encryption algorithm to one that has a back-door and re-encrypt your vault next time you type in the password, and you'd never know.

      In reality, my hunch is that the risk is low - the bigger a company is, the more concerned it tends to be about internet security and obeying the law, but in the world of password management it pays to be a bit paranoid (especially as there have been demonstrated attempts of governments trying to interfere with encryption), and many would argue that unless it's open source, you can't rely on it. I certainly have some sympathy with that view.

      1. Whaaaa?

        Re: why is this an issue

        And these fears only arise now because of the new PE owners?

  20. Snarf Junky

    1L0v3P@55w0rd5

    That such an industry exists making huge amounts of money to keep your incredibly complex passwords safe just goes to show how broken the concept of passwords for security is.

    1. Anonymous Coward
      Facepalm

      Re: 1L0v3P@55w0rd5

      Well, even biometrics means you gotta trust the production/assembly of the device doing the scanning. No easy solutions. Pick your poison!

    2. Charles 9 Silver badge

      Re: 1L0v3P@55w0rd5

      Unfortunately, passwords are like capitalism: it's the worst of the lot...with the notable exception of every other option.

  21. Anonymous Coward

    better solution?

    So the preferred solution is to use a password manager making random strong passwords. So far so simple. Synced between all of your devices. Fine.

    But how do you handle, for example, typing your Netflix password into the TV?

    Or joint passwords ( eg: the Morrisons account, we both add things to it, we both need the password ) ?

    To both of those questions, if the answer is "Read it out: upper case X, upper case I ( or is that an L? ) four, seven, ampersand, no that's the thing that looks like a musical note, yes that one, then a pound, caret, no you're thinking of a tilde, a caret is like a pointy hat. " Then no thanks.

    1. FrogsAndChips

      Re: better solution?

      My Netflix password is one of the very few that is not as secure, so I can input it in the TV quite easily. I don't care if someone finds it, all they can do is watch things for free and I'll probably notice based on new recommendations. Anything else (password change, payment card change..), I'll be notified and can reverse.

      For joint accounts, you can use a separate database that contains all joint accounts and for which you both know the master password. You keep all the other stuff in your private database.

    2. Brangdon

      Re: better solution?

      A password manager doesn't make that problem worse. It makes it easier to use longer passwords so there's less need to use obscure characters. KeePass can be configured to generate passwords that don't use 1, l, 0, O.

    3. Tim 11

      Re: better solution?

      correct horse battery staple

      1. Charles 9 Silver badge

        Re: better solution?

        Someone with poor recall could end up recalling that as "donkey engine paperclip wrong". Then what?

  22. Anonymous Coward

    What's the import feature like on alternatives to LastPass ?

    When the last LastPass scare was going on, I looked at all the El Reg recommended alternatives (starting with KeePass) and none of them seemed to be able to import the standard LastPass export of its database. At which point plan switcheroo rather stalled.

    Personally I try to reduce my reliance on LastPass by having 2FA up the backside for everything I can - starting with all email accounts. Even if my password safe was to be found unencrypted (which LastPass say is impossible) it's only of so much use.

    I guess 2020 could be the year I sort out the 500+ accounts I seem to have acquired over the years into the 50 or so that I actually use.

  23. Jdoley

    Are you worried?

    If you are worried about your data in LastPass or the cloud - then read this article https://www.forbes.com/sites/thomasbrewster/2019/04/10/what-happened-when-the-dea-demanded-passwords-from-lastpass/

    It seems 90% of the people in this thread - and the writer of this article - did not do their homework or know anything about how AES-256 bit encryption works... shame that the industry is dominated by people who do not understand the basic principles of encryption and cryptography.

    Saying that open source is better is just ridiculous. Most people compile opensource in compilers that have in-built backdoors added to the code they are compiling for crypto mining or other ransomware and adware. 95% of the people do not check their compiler or code and therefore all of you using OpenSource software just because "it's better" are way off the real world of security products. Good luck!

    1. jtaylor

      Re: Are you worried?

      tl;dr Citations needed

      "It seems 90% of the people in this thread...[do not] know anything about how AES-256 bit encryption works...do not understand the basic principles of encryption and cryptography."

      Many cryptographic weaknesses in software are in flawed implementation, not poor choice of encryption algorithm. We don't know exactly how LastPass implements encryption, nor how their future updates will implement it. I think that caution and skepticism are healthy in this situation. Why do you think they indicate gross ignorance of the subject?

      "Saying that open source is better is just ridiculous. Most people compile opensource in compilers that have in-built backdoors"

      Well, open source lets us see exactly how the product implements encryption. Skilled people can identify weaknesses in the code or spot dubious dependencies. Plebs like me can read what the clever folks have found. We can also notice if the vendor suddenly replaces parts of their encryption with Folger's Crystals, so we know to run for the hills.

      Which compilers do you know are back-doored?

      1. Charles 9 Silver badge

        Re: Are you worried?

        I believe he refers to the "Trusting Trust" problem where one cannot be sure a compiler isn't slipping code in behind the source's back, although there are mitigations against this (such as compiling a compiler multiple times against multiple compilers--a secret code modification is more likely to get detected in such a criss-cross).

  24. Zangetsu

    why can i not keep using it ?

    I do not understand why everyone is acting as if they have to find something else now.

    There is no news that LastPass is shutting down.

    1. Charles 9 Silver badge

      Re: why can i not keep using it ?

      It's called a warning sign. A company with no real specialist experience in security is acquiring a company with both a focus and a (BAD) reputation in security. Usually, when something like this happens, you can count on a clock to start ticking...
