TL;DR: It's probably fine for now, but keep an eye out for key staff departures and major technology changes.
Change is scary, especially when it happens to your password manager. When LastPass announced their acquisition by LogMeIn, the news ignited such a panic that they had to shut down comments on the blog post. Lists of alternative password managers quickly appeared on Reddit and Github while HackerNews swung wildly between outrage, calculation, and despair.
Now that the dust has settled a bit, let's figure out what's really going on here.
Why do we love LastPass?
LastPass was founded in 2008 and build a market-leading company on a solid product and hard-earned user trust. Just a few months before the acquisition they earned a PC Magazine Editor's Pick and were "clearly the juggernaut" in password management according to LifeHacker. They did this by addressing core password management requirements with a unique architecture, adding a suite of nice-to-have features, and clearly communicating with their users the whole way.
Create and store strong passwords
At this point, you know that you should use a password manager to help you create and manage long, random, unique passwords for your online accounts. LastPass checks all the right boxes here:
Flexible password generator to create new password
Vault with search, folders, and icons to keep track of everything
These tools are available pretty much wherever you need them. LastPass maintains extensions for all the major browsers (Chrome, Firefox, Safari, Internet Explorer, Opera) and applications for all the major platforms (Mac, Windows, Linux, iOS, Android, Windows Phone, Blackberry).
Make them available on all my devices
LastPass provides all the key features you expect from a password manager, but so do several free open-source solutions like KeePass and PasswordSafe. Unfortunately these options tend to break down when you need convenient access to your passwords on multiple devices.
Cross-device syncing solutions fall into three groups.
1) User-managed, explicit syncing is the most secure way to do any kind of sync task, but it's also the least convenient. In this model, you manually move your vault between your devices. You might keep your vault on a thumb drive or use a tool that supports Wi-Fi sync.
2) Third-party continuous syncing means putting your password vault into Dropbox or network share drive. Syncing is managed by this third party while secure password storage is done by your management software. This is the primary method supported by 1Password
3) Integrated sync builds cross-device sync directly into the password manager itself. This is the approach used by LastPass and Dashlane.
Each of these options offers a different balance of security and convenience. User-managed is secure, but the high-friction sync task doesn't happen often enough, and you often wind up with out-of-date passwords on some of your devices. Third party syncing is pretty good, but you have to remember a secure password for your syncing service, that third-party service has to support all your platforms (difficult for mobile), and you're screwed if something like the 1Password metadata leak shows up.
That leaves us with integrated sync. This is easy to use because you get automatic support for every platform your password manager supports, and the syncing happens automatically in the background. The real advantage though, is that you sync passwords separately from your other cloud files, and that sync is provided by a security-first company. That means things like excellent support for multi-factor authentication and improved backend monitoring.
LastPass Premium ($12.00/yr) and Dashlane Premium ($39.99/yr) are pretty much the only password managers that provide integrated sync. LastPass delivers this critical feature for less than a third of the cost of it's only competitor.
Do it securely
None of these features matter if the core security isn't there. Password managers need to be true zero-knowledge services, meaning the service provider cannot ever see your passwords, even when providing syncing services.
Zero-knowledge means you don't have to trust the service provider to keep their eyes out of your password vault, because they'd only see encrypted gibberish. You do have to trust them to actually implement the architecture they claim to have.
LastPass earned this trust the only way you can: openness & third-party verification. Check out Steve Gibson's analysis on Security Now episode #256 convinced a lot of people, myself included, that LastPass was doing it right:
Beyond a solid architecture, you have to trust that the company will handle security issues correctly. LastPass passes this test with flying colors. Their handling of a June 2015 security incident is a textbook example good corporate behavior: clear communication and quick action.
LastPass goes beyond these strong fundamentals to offer a variety of nice-to-have features, including:
Secure sharing with other LastPass users
Native mobile apps with autofill & integrated browsers
Security check up tool
Automatic password changes
Has the LogMeIn Acquisition Broken LastPass?
Not yet. All the things you love about LastPass are still basically true. It's only been a few weeks.
Will they change in the future?
That's the important question. Things will change if LogMeIn wants them to. They own the product, they call the shots.
So what is LogMeIn's deal anyway?
LogMeIn appears to be a holding company for a grab-bag of enterprise software products. Join.me is probably their best-known consumer offering. They're particularly excited about Xively, which is some kind of consulting service that builds Heroku-based backends for Internet of Things products. You know, a typical SaaSaaS (Software-as-a-Service-as-a-Service) offering.
Their focus on enterprise cloud products means they probably have decent tech fundamentals. I've only used Join.me, and it seems like a reasonable entry in the crowded online meeting space. It competes with Citrix GoToMeeting and Cisco WebEx, which are both Very Serious Enterprise operations. It's not nuthin'!
I've seen a few people vouch for LogMeIn's enterprise offerings.
LogMeIn has a history of sudden changes in pricing and product line up. Most complaints seem to focus on the fact that they:
Discontinued LogMeIn Free in 2014. Join.me is different and left some people out in the cold.
And again in an update to the original announcement:
I want to personally assure you that this is good news for our users. First of all, we (LogMeIn/LastPass) have no plans to change our existing business model. Secondly, this acquisition provides us with access to resources that will enable us to innovate faster, as we continue to strive to deliver an even better product than the one you have come to know and love.
I think it's safe to say that Joe believes the acquisition will be benefit LastPass' current customers by delivering a stronger product.
So what will that look like?
LogMeIn already has a password manager, Meldium. In fact, LogMeIn's press release about the LastPass acquisition specifically states that they plan to merge their Meldium product line into LastPass:
LogMeIn plans to bring complementary capabilities of its early identity management investments, including those of Meldium, which it acquired in September 2014, into LastPass. In the near-term, both the Meldium and LastPass product lines will continue to be supported, with longer-term plans to center around a singular identity management offering based on the LastPass service and brand.
I haven't used Meldium, but the marketing indicates that it does have some features that would be cool to see in LastPass. Specifically,
Auto-login tools that are slicker than the current autofill/copy-paste workflow
Employee on-boarding tools for creating sets of accounts
Unfortunately Meldium appears to be much less secure than LastPass. Check out this item from their security FAQ:
When is my data decrypted?
The keys to decrypt your data are only stored on secure subset of Meldium's computers. These keys are stored as runtime configuration, and never checked in to source code. The computers that are able to decrypt your API keys, OAuth tokens, and passwords run in an isolated application that is not accessible to the public internet. This means that if Meldium's public-facing servers are attacked, the master encryption keys will not be compromised.
Your secrets are only decrypted when they are needed to perform some operation on your behalf (adding an account, disabling a user, logging in to a service, etc.) and the decrypted data is never written to disk or logged. In order to provide the best user experience, our systems periodically use your authentication information to refresh application data.
Do you see the problem? It's this bit: "the keys... are.. stored on... Meldium's computers." This means Meldium can see your passwords whenever they want. They have the keys, they have the power. You have to trust them not to look, and furthermore, not to ever get hacked.
This is made more explicit in a later FAQ item:
Is my data available to Meldium employees?
Due to the architecture of our system, it is technically possible for a Meldium employee to gain access to your secret data. As a matter of corporate policy, this kind of access is forbidden. Therefore, we have strong internal controls in place to prevent this unlikely event. We never manually decrypt your data, even when debugging issues with our systems or with third parties. We've built a suite of internal tools that allow an operator to perform actions using your secret data without actually logging in to our secure fleet.
A limited set of Meldium employees have access to the secure fleet and the master encryption keys - this access is only granted to employees for whom it is absolutely necessary. Third-parties or contractors will never gain access to Meldium's secure hosts or master keys, or your secret data. All internal access to all of Meldium's systems (secure or otherwise) is logged and audited.
So Meldium is fundamentally a big bag of NOPE that violates the zero-knowledge principals that LastPass is built on. Hopefully LogMeIn recognizes the problem here and will base their future identify management tools on LastPass rather than Meldium.
Red Flags to Watch For
It's unsettling to watch an essential service like LastPass go through an acquisition, but it's too early to panic. I plan to continue to use (and pay for) LastPass for the time being.
That said, be vigilant! Here are some key red flags that would indicate it's really time to jump ship:
LogMeIn has irked users with pricing changes in the past. If they start tweaking LastPass, we'll probably see:
Elimination of the free tier, reducing the value of sharing features and forcing you to re-train all your relatives who won't pay for premium
Significant increases in Premium pricing. LastPass premium is a great deal at $12/year; watch for this to creep up.
Unstable enterprise pricing. LogMeIn clearly has an enterprise focus, and probably have big ideas about how much they should charge and what markets to target. This could result in small / medium business being left behind.
Key Staff Departures
Business is business, so some price changes are to be expected. Changes in philosophy are much more important, and those would show up as key staff departures.
Joe and his team have worked hard to earn user trust. If they leave, they'll take that critical user trust with them. This disaster would look a lot like when Victoria Taylor left Reddit. Nobody wants that.
Unsettling product changes
Finally, if Meldium's auto-login features show up in LastPass, we need assurance that it's done with LastPass-grade security rather than Meldium-grade security. Zero-knowledge or bust!
Conclusion: A Final Exhortation
Congratulations to Joe & the LastPass team on the acquisition, a $110M validation of all your hard work. As a long time LastPass customer, I hope to see the tradition of great security, customer service and value continue for years to come.