This is somewhat of a perplexing acquisition, but apparently LastPass is now owned by LogMeIn. I get it in the-big-publicly-traded-company-gobbling-up-the-smaller-one kinda way, but it’s an odd marriage for a company that builds remote desktop software to buy one that builds a password manager. People aren’t real happy either when you look at the comments they’ve left on that post.
Why aren’t they happy? I touched on it here:
Very interesting to see how many people say they will now leave @LastPass as a result of the @LogMeIn acquisition. Reputation is critical. — Troy Hunt (@troyhunt) October 10, 2015
You see, entrusting all your passwords to one organisation is a big thing. Companies like LastPass live and die by reputation and incidents like their breach in July that exposed master password hashes are hugely significant due to the impact it has on the perception of the company. Now I actually think they handled that really well; their hashing approach was solid and indeed it was designed to be resilient to precisely this style of attack. LastPass remains a very viable option for those who want a password manager that runs as a managed service, but the LogMeIn acquisition has people concerned.
One of the common complaints is that LogMeIn was deceptive in the promotion of their free service. Here’s the issue:
The problem with “will always be free” is when it’s no longer free:
After 10 years, LogMeIn Free is going away. Learn more about the changes: http://t.co/meHjFlHwKb — LogMeIn, Inc. (@LogMeIn) January 21, 2014
Now I get that commercial imperatives inevitably caused them to refocus their direction, but you can see what that does to reputation. (It reminds me of the Red Gate saga with Reflector in 2011, where they copped an absolute shellacking for doing the same thing.)
The thing that’s upset me personally with LogMeIn is its continued presence in virus cold call scams. You know, the ones where you’re sitting at home relaxing of an evening and then “Microsoft” calls you up and tells you you’ve got viruses. No? Here’s an example for you:
Amazing that video has had nearly a million views! You’ll see LogMeIn begin to feature around the 39 minute mark and it’s featured in pretty much every other scammer video I’ve done (I did make somewhat of a sport of it…). In fact they featured so heavily that I wrote How LogMeIn is enabling scammers to profit and encouraged everyone to raise awareness and put some pressure on them:
Please RT! Help @LogMeIn understand the impact of allowing scammers to easily use their product: http://t.co/46B0AlRq — Troy Hunt (@troyhunt) June 4, 2012
Unfortunately, more than three years on, LogMeIn remains the software of choice for these scammers. In fact even just this weekend I had a journalist contact me doing a story on the scam and he confirmed that indeed, LogMeIn still made an appearance.
The point of all this is that many people are concerned about the direction of LastPass as a result of the LogMeIn acquisition. As much as they may proclaim that the password manager will remain independent or uninfluenced (and I’m merely speculating here but that’s often the messaging in these acquisitions), they’re now under the broader corporate umbrella and LogMeIn will influence the direction of LastPass. So here’s how to jump ship.
I’m fond of 1Password and I independently arrived at their doorstep four years ago when I wrote The only secure password is the one you can’t remember. I like that it’s a client-only product and doesn’t run in the browser. I like that I control my encrypted keychain and sync it however I want to. I use Dropbox because of the convenience factor and the primary threat actors for that service (hi NSA!) are not the ones that worry me when it comes to who I need to protect my keychain from. If you’re paranoid about them or just don’t want to use any cloud services then you can copy and paste it between devices whilst sitting in a faraday cage if you like, it’s your call and that’s a key feature IMHO – you control your security level. There are free alternatives out there but frankly, passwords are too important and they’re used too frequently for cost to be a determining factor, especially when you're talking in the tens of dollars to cover all your devices. So here’s how to move from LastPass to 1Password.
Firstly, this process is going to involve handling your credentials in plain text. Don’t do this at an internet cafe, don’t do it in front of your friends and don’t do it on any machine you don’t fully trust. That means running up-to-date antivirus (and keeping in mind that’s frequently ineffective these days) and not putting the file we’re going to generate anywhere that then gets backed up to other locations or is handled by other processes.
Next, jump into the LastPass browser plugin:
You don’t need to be on the LastPass website when you do this, but the screen above shows a bunch of the accounts we’ll be exporting. Jump into the “Tools” section then into “Advanced Tools”:
Now “Export To”:
And eventually “LastPass CSV File”:
Complete the authentication challenge:
And now here they are:
The column headings there are self-explanatory. Copy and paste that content into a file on your local machine called “LastPass.csv” and remember – a local machine you fully trust!
Now jump over to 1Password and go to “File” –> “Import…”:
Choose the “LastPass.csv” file you just created to bring up this prompt:
You’ll see that each field has a dropdown you can select from which shows the column names in the exported file:
Fill in the first four fields:
The LastPass export didn’t include the additional field names 1Password can import so we’ll just run with the four above. Now give it a “Yes to All”:
And that is all:
I trimmed my CSV down to only 3 items so I didn’t double up with credentials I already have in 1Password. The reason we’re seeing “4 new item(s)” in the dialogue above is that it’s imported the column headings row as well which can now be deleted:
Jump into one of those now and you should see all the original data:
Once you’re happy everything is in there, permanently delete the CSV file from your machine; in Windows that’s a “Shift-Delete”, which means it doesn’t go to the trash can:
And that’s it – job done!
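The export, trim and import steps above are done by hand through the two apps’ UIs. Copying CSV text out of a browser window can mangle entries whose notes contain commas, quotes or line breaks, and the screenshot above shows the column-heading row being imported as a bogus fourth item. The following Python script is an added example (not code from the original post, LastPass or AgileBits) that does the same job with a real CSV parser: it reads the LastPass export, drops secure notes and the header row, keeps only the entries you name (mirroring the trimming to three items above) and writes a four-column file with the Title, URL, Username and Password fields that the 1Password import dialog is mapped to. The LastPass column names (url, username, password, extra, name, grouping, fav), the use of the placeholder URL http://sn for secure notes, and the four 1Password field labels are assumptions based on the formats of the time; check them against the header row of your own export. The sample export is constructed. The shred_file helper also makes explicit a caveat the post leaves implicit: Shift-Delete only bypasses the Recycle Bin, it does not remove the file’s contents from disk, and even overwriting first is best-effort on SSDs and journaling or copy-on-write file systems, so a plain-text credential file should never be written to a disk you don’t fully control in the first place.

```python
import csv
import io
import os
import secrets
import tempfile

# Column names of the LastPass CSV export (assumption: matches the 2015
# format; compare with the header row of your own export).
LASTPASS_FIELDS = ("url", "username", "password", "extra", "name", "grouping", "fav")

# The four 1Password import fields the post maps (assumed labels).
ONEPASSWORD_FIELDS = ("title", "url", "username", "password")

# Placeholder URL LastPass uses for secure notes in its export (assumption).
SECURE_NOTE_URL = "http://sn"

# Constructed sample export: one password containing a comma, one note
# spanning two lines and one secure note that is not a login.
SAMPLE_LASTPASS_EXPORT = """url,username,password,extra,name,grouping,fav
https://www.example.com/login,alice@example.com,"c0rrect,horse",Recovery codes: 1111 2222,Example Shop,Shopping,0
https://bank.example.net,alice,s3cret!,"Line one
Line two",Example Bank,Finance,1
http://sn,alice,notes-only,Secure note body,My Secure Note,Notes,0
"""


def parse_lastpass_export(text):
    """Parse a LastPass CSV export into login rows, skipping secure notes."""
    reader = csv.DictReader(io.StringIO(text))
    missing = set(LASTPASS_FIELDS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing expected columns: {sorted(missing)}")
    rows = []
    for row in reader:
        if row["url"] == SECURE_NOTE_URL:
            continue  # secure note, not a login
        if not row["name"] and not row["url"]:
            continue  # blank line
        rows.append(row)
    return rows


def to_onepassword_rows(rows, keep=None):
    """Map LastPass rows to the four fields the 1Password import uses.

    keep: optional set of LastPass entry names; only those are exported,
    which is how the post trims the file to the handful of items wanted.
    """
    out = []
    for row in rows:
        if keep is not None and row["name"] not in keep:
            continue
        out.append({
            "title": row["name"],
            "url": row["url"],
            "username": row["username"],
            "password": row["password"],
        })
    return out


def convert_lastpass_csv(text, keep=None):
    """Return a 1Password-importable CSV string with a single header row."""
    rows = to_onepassword_rows(parse_lastpass_export(text), keep)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ONEPASSWORD_FIELDS, lineterminator="\n")
    writer.writeheader()  # the real header, not a row to be imported as an item
    writer.writerows(rows)  # csv handles quoting of commas, quotes and newlines
    return buf.getvalue()


def shred_file(path, passes=1):
    """Overwrite a file with random bytes, sync, then unlink it.

    Best-effort only: SSD wear levelling, journaling and copy-on-write file
    systems can retain the old blocks, so treat this as a last step, not a
    substitute for keeping the plain-text file off untrusted disks.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return not os.path.exists(path)


def demo_export_and_shred():
    """Write the converted sample to a temp file, then shred it; True if gone."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "w", newline="") as fh:
        fh.write(convert_lastpass_csv(SAMPLE_LASTPASS_EXPORT))
    return shred_file(path)


if __name__ == "__main__":
    # Usage with a real export: convert_lastpass_csv(open("LastPass.csv",
    # newline="").read(), keep={"Example Bank"}) then shred_file("LastPass.csv").
    print(convert_lastpass_csv(SAMPLE_LASTPASS_EXPORT, keep={"Example Bank"}))
    print("shredded:", demo_export_and_shred())
```

Run it against your own export only on the trusted machine the post describes, and shred both the export and the converted file once 1Password shows the entries; the secure-note rows are dropped here because the four-field login import has nowhere to put them, so handle those separately.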
Actually, I did do just one more thing:
And the confirmation:
I honestly don’t know how much impact the LogMeIn acquisition will have on LastPass, but clearly the situation is making a lot of people uncomfortable in an area where you really want to have complete confidence in the organisation handling your data. It’s not just the incidents above (certainly other trust issues have also been raised), but ultimately that’s a judgement decision each LastPass user will need to make on their own; hopefully this post makes it a little easier for those who decide to jump ship.