LastPass is undoubtedly one of the leading products in the password management space, offering a range of premium features and one of the best free packages to help everyone stay secure online. A recent strategy shift, combined with some controversial researcher findings, has sown doubt and confusion in the large community that trusted the platform, so we reached out to LastPass for a short interview to clear things up.
Dan DeMichele, the VP of Product Management at LogMeIn, LastPass's parent company, has answered our call and shared some interesting points. Most importantly, we learned where LastPass is heading next and how an expert in the field sees the future of passwords in general.
Can you give us a short introduction of yourself and your role in LastPass?
My name is Dan DeMichele. I’m the VP of Product for LastPass at LogMeIn, responsible for leading both LastPass development and product management software teams.
LastPass has recently gone through a business strategy shift making its free tier less competitive against other products. Can you elaborate on what drove your decision to shake off a large chunk of your existing userbase?
Even with this change, we still have one of the best, if not the best, free solutions on the market, with millions of active free users every day. This change is part of our increased focus on delivering future product improvements for our paid offerings as the security landscape continues to evolve in this new era of remote work. Over the coming months and years, users will continue to see additional value and new features added to LastPass Premium & Families, in addition to what's included today: a security dashboard, dark web monitoring, secure password and item sharing, a save and fill experience across devices, and dedicated personal support.
With this change, we continue to deliver a complete password management experience, providing secure and unlimited password storage and syncing across the device type of the user's choice (all mobile phones and tablets, or all computers), while also offering a Premium & Families plan for those who want to store and access passwords across device types, share items with multiple others, and want to protect their entire digital life in one tool.
Now that this process has been completed, can you comment anything on the results? Has this move played out the way you have hoped for?
We gave people 30 days’ notice and an opportunity to upgrade at a discounted rate to either Premium or Families extended into May, and a healthy number of users have chosen to convert. For those who prefer to stay with the free product, we still have a very compelling offer with more functionality than our competitors.
It is true that the password management space is a pretty crowded one today. If you were to give our readers up to three compelling reasons to choose your product over the competition, what would these be?
LastPass competitors such as Dashlane, 1Password, and Bitwarden either don’t offer a free version or offer one that is more limited in functionality than the modified version of LastPass Free. So for those looking to get started with basic password management functionality, LastPass Free is still a great option. LastPass offers premier usability for all users, including intuitive Save and Fill functionality. For those looking to take advantage of the advanced security and convenience features of a password management solution, I’d say our three differentiators are:
- The LastPass Security Dashboard is your cybersecurity command center for assessing password security and monitoring accounts for data breaches. Users can view their security score and see a list of weak and reused passwords to make improving security immediate and seamless. This also includes Dark Web Monitoring that automatically detects threats and alerts you to the risks in real time.
- One-to-many password sharing allows users to conveniently and safely share logins and passwords with multiple people to give everyone you trust convenient access. But this is not just limited to passwords, users can share personal data such as passport information or health insurance with family members.
- The LastPass zero-knowledge security architecture is set up in a way that all sensitive data stored in your LastPass vault is encrypted locally on the user's device with a key, your master password, that is never shared with us. What that means is that LastPass never has your master password or access to the data within your vault.
There’s a surge of new solutions that invite people to discover life without passwords, using MFA tokens and additional biometric layers. As an expert in the space, do you see this taking off in the next couple of years, or are passwords going to remain the central authentication method?
The truth of the matter is passwords aren’t really going away anytime soon; they’ve been around in some form since before computers were invented, so they’re deeply ingrained in consumers' minds and the standard development of software. Passwords are simply going to be used more and more behind the scenes and managed by administrators to provide a passwordless experience for end-users.
In what direction are you moving, R&D-wise? Do you see anything disrupting the "good-old" password authentication scheme and the need for each person to manage hundreds of them?
We plan to continue to invest more resources behind LastPass in 2021 and beyond, as we aim to extend our lead as the world's #1 password manager and take a share in the rapidly growing identity management space. As a leader in managing passwords, we believe we are uniquely positioned to help businesses provide the best balance of strong security and user experience.
Our LastPass Business solutions, including enterprise password management, single sign-on, and MFA, do that by enabling IT to manage every password behind the scenes while also giving employees a simple, truly passwordless experience. Going passwordless with LastPass introduces new ways for employees to securely log in to their work accounts and devices without a password in sight, thus eliminating many password-related risks, leading to higher security and employee productivity while also freeing up resources for IT.
What’s your take on the long passphrase approach, and does it make any difference when using something with strong encryption like LastPass anyway?
The use of long, complex passwords is industry standard. With the help of password-cracking programs and ever-increasing computing power, it’s pretty easy for hackers to guess short, weak passwords that use dictionary words. Using a premium password manager like LastPass makes it extremely easy - and practical - to create these long, strong passwords for every online account, store them in a secure vault, and autofill them the next time users need them.
The passwords stored in your LastPass vault are protected with 100,100 rounds of PBKDF2-SHA256 encryption. This encryption, along with our strong master password requirements (must be at least 12 characters long and contain at least one number, one lowercase letter, and one uppercase letter), is designed to protect a user's master password from being brute-forced. However, this does not mean the individual passwords stored in LastPass can be weak and still be secure. We strongly encourage users to stay informed of our recommended password best practices and the additional ways they can protect their accounts from threats, such as enabling Multi-Factor Authentication (MFA).
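The two answers above describe a zero-knowledge design (the vault is encrypted on the device with a key only the user holds) and the parameters behind it (PBKDF2-SHA256 at 100,100 iterations, a 12-character minimum with mixed case and a digit). One caveat for readers: PBKDF2 is a key-derivation function, not an encryption algorithm; it stretches the master password into the key that the vault is then encrypted with, and the iteration count is what multiplies an attacker's cost per guess. The following is an example added by the editor to show those mechanics in working code. It is not LastPass code and does not describe LastPass's actual protocol: the choice of the account email as salt, the one-extra-round "login hash" construction, and the 1e10 HMAC/s attacker rate are all assumptions made for illustration.

```python
"""Added example: PBKDF2-SHA256 key stretching, a zero-knowledge login hash,
and the brute-force work implied by the master-password policy.

Not LastPass code. Salt choice, login-hash construction and attacker speed
are assumptions for illustration only.
"""
import hashlib

ITERATIONS = 100_100   # iteration count quoted in the interview
KEY_LEN = 32           # 256-bit key


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into the key that encrypts the vault.

    PBKDF2 only produces the key; the vault data is encrypted separately with
    it. The salt is assumed to be a per-user value such as the account email
    (assumption) so that two users with the same password get different keys.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Zero-knowledge login pattern (assumed construction, not LastPass's):
    one further PBKDF2 round over the vault key yields a value the client can
    send to the server. PBKDF2 is one-way, so the server can verify the login
    without ever learning the master password or the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def meets_master_password_policy(pw: str) -> bool:
    """The policy stated in the interview: at least 12 characters, at least one
    digit, one lowercase letter and one uppercase letter."""
    return (len(pw) >= 12
            and any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw))


def brute_force_hmac_calls(charset_size: int, length: int, iterations: int = ITERATIONS) -> int:
    """Worst-case HMAC-SHA256 calls to exhaust every password of `length`
    characters over a charset of `charset_size`: each candidate costs one full
    PBKDF2 run, i.e. `iterations` HMAC calls."""
    return charset_size ** length * iterations


def brute_force_years(charset_size: int, length: int, iterations: int = ITERATIONS,
                      hmac_per_second: float = 1e10) -> float:
    """Time to exhaust the space at an assumed attacker rate of 1e10 HMAC/s
    (a GPU rig; assumption)."""
    seconds = brute_force_hmac_calls(charset_size, length, iterations) / hmac_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = b"user@example.com"            # constructed sample account identifier
    master = "Correct-Horse-Battery-9"     # constructed sample master password
    assert meets_master_password_policy(master)
    key = derive_vault_key(master, salt)
    print("vault key :", key.hex())
    print("login hash:", derive_login_hash(key, master).hex())
    # How much the iteration count matters: 8 lowercase letters vs the policy minimum.
    for label, charset, length in [("8 lowercase letters", 26, 8),
                                   ("12 mixed-case letters and digits", 62, 12)]:
        print(f"{label}: {brute_force_years(charset, length):.2e} years at {ITERATIONS} iterations, "
              f"{brute_force_years(charset, length, iterations=1):.2e} years at 1 iteration")
```

Running the script shows the two levers working together: an 8-character lowercase password falls in seconds with a single PBKDF2 iteration but takes on the order of weeks at 100,100 iterations, while a 12-character mixed-case-and-digit password pushes the exhaustive search to roughly a billion years at the same assumed rate. Neither figure says anything about a dictionary or leaked password, which is why the policy and the KDF are presented as complementing, not replacing, a strong master password.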
German researchers have recently discovered that the LastPass app for Android uses several trackers and requests permissions galore on top of that. Have you changed your previous approach (trackers active by default) after the publication, and was this a configuration mistake or just an unfortunate decision?
The privacy and security of our users are always a top priority at LastPass, which is why LastPass was designed with a patented zero-knowledge security model to protect sensitive customer data. No sensitive, personally identifiable user data could be passed through these trackers. These trackers are industry-standard mobile analytics tools and are used for a limited purpose – to collect aggregated statistical data about how LastPass is used to help us improve and optimize the product to deliver the best user experience.
We are continuously reviewing our existing processes to ensure we are prioritizing our customers' privacy and security. Finally, it is very important to note that LastPass does not share or sell user, tracking, analytics, or telemetry data. For additional information about trackers and analytics, see our blog post.
If you were to give our readers one piece of password security advice, what would that be?
Online security has never been at higher risk, and we only see that growing, especially in the era of remote work. Password security is an integral part of that. We're all spending more time online, creating new accounts, accessing online tools for work, or connecting with family and friends, each one requiring a password. And it's not just our own passwords we need to keep track of: everyone in the family has an online footprint bigger than they had a year ago. Think about all the passwords your kids have now with online learning. It's important to protect your and your entire family's passwords.
One of the most common ways people are leaving themselves vulnerable online is by using weak, easy-to-guess passwords and then reusing them on multiple other online accounts. Attackers who have successfully breached website X and stolen the credentials of its user base will then take those passwords and try to use them on other, more valuable sites, such as an online banking one. If you used the same password that was stolen from website X, then you are at risk of losing your money.
People need to realize that passwords are the keys to our digital life, and they are worth protecting. We’re not just talking about Amazon or Netflix; think emails, bank accounts, healthcare, tax information - you name it, there is a password protecting it. It also doesn’t have to be a burden to create unique passwords and remember each of them. That’s near impossible. Relying on tools like LastPass can make improving password security a breeze.