LastPass + LogMeIn – Initial Thoughts

Posted onAuthorPer

Lastpass joins LogMeIn, and Twitter goes bonkers. Here are my initial thoughts.

What you're seeing here is imho reputation-based risk at work. I have no doubt LogMeIn is the bigger part, and can bring cash & people to the continued & accelerated development of LastPass.

LastPass, which I use myself, have "good enough" security. Others have still valid objections to intrinsic details about their crypto implemenations (Sc00bz specifically), others object heavily to their 2SV/2FA (Paul Moore).

To me the security of LastPass is "good enough". If the NSA was part of my threat model, they could just as well send a black helicopter with armed agents instead of cracking crypto or installing keyloggers. Cheaper and sure as hell more certain to succeed.

Lastpass has been reviewed (read: attacked through research) by many, most notably (imho) by Elcomsoft in a paper presented at BH EU in 2012 (PDF). Along with several others, it was "good enough".

Other attacks have been handled and responded promptly imho by LastPass. In summary: I trust them. CEO Joe Siegrist "selling out"? Bullshit. Any startup want to succeed. Some founders want to retire, other go on to something new, others remain and continue working on their product. No matter which option Joe has chosen, I salute him for what he's done so far with LastPass.

LogMeIn?
Can't point at anything specific that I remember right now, but there's an alarm ringing in the back of my head. I don't like them. Bad customer service? Doesn't appeal to me as a product? Bad reputation? Bad security? Weird UX? Too "commercialized"? I don't know, but I DO NOT TRUST THEM for some reason.

That makes me concerned, but I'm not abondoning LastPass for that reason. I want to see & hear more before jumping ship. Since I'm lazy as many others (or just too busy), changing product means to me 3-400 sites, notes etc to be exported from LastPass and imported into whatever other product I choose (1Password, Strip (drop the SHA-1 SSL cert guys!), and Dashlane are all obvious candidates to me). That's gonna be *"#%#/"#%/&/ weekend to do. Laziness trumps FUD sometimes.

Dig around for vulnerabilities & attacks against LogMeIn, and check out how they have responded to all of them. I could be completely wrong about them of course.