We interview LastPass CEO: the human price and the real truth
Summary: ZDNet bloggers Jason Perlow, Michael Krigsman, Steven J. Vaughan-Nichols, and David Gewirtz had the opportunity to talk with LastPass CEO Joe Siegrist to learn the inside story.
It takes an incredible amount of work and dedication to start a company. You give it all of your time -- nights, weekends, everything -- and often most of your money. Your health can degrade because you often choose to pay attention to your customers and your obligations before your digestive system.
You constantly try to do the right thing, against constant pressures from competitors, the reality of never having enough money and time, and all the unexpected events that make up living in the real world.
It's hard enough starting a company with normal competitive pressures. It's far worse when doing so in the face of outside criminal attack. For Joe Siegrist, it's even more challenging, because he almost literally holds the keys that allow all of his customers to access their digital world.
Joe is CEO of LastPass, a password management company.
See also:
- LastPass melts down and leaves many users (hopefully, temporarily) stranded without their passwords
- Don't trust companies to safeguard your data
- More Sony bad news: Sony Online also compromised (this goes beyond the PlayStation Network)
- 7 important survival tips Amazon's orphaned 0.07 percent can teach us
- 6 important things about the ongoing PlayStation Network outage that Sony won't reveal
Last week, when Joe's company got hit with -- something -- he had some tough decisions to make. He did what I consider the right thing, securing his systems to ultimately protect his users, but his company couldn't handle the resulting load and many users were stranded without access to their most-needed services.
ZDNet bloggers Jason Perlow, Michael Krigsman, Steven J. Vaughan-Nichols, and I had the opportunity to talk with Joe and learn more.
David: Let's start with the human side. How are you holding up?
Joe: I had no idea something like this was a way to lose 10 lbs in 4 days. Can't eat, can't sleep, skipped Mother's Day on my wife's first... Luckily she's understanding.
David: Tell us about LastPass.
Joe: We have 11 employees. Most of us are out of a former successful startup company called eStara, which was acquired in 2006. The core team started in April 2008. We came out with a beta product in August of 2008 and have been growing well since. We purchased Xmarks in November 2010.
David: What's your background?
Joe: I studied Computer Science at the University of Maryland, then went to UUNET, and then on to eStara, a startup where the 4 founders of LastPass first came together. We started LastPass in April 2008 with the goal of reducing password complexity to something that people can manage.
SJVN: What actually happened?
Joe: We're still investigating what happened, but we couldn't explain the traffic, so we were forced to assume that something did happen. We've brought in a number of outside security experts to help us analyze and improve.
One thing is clear, though: in our attempts to protect everyone we created big problems for ourselves and our users. This was exacerbated by the speed at which it spread, and by getting many times the news coverage we've ever received before.
Jason: Why should we trust you to ensure the safety of all of our passwords going forward in light of your recent security failure?
Joe: The key to trusting LastPass is NOT trusting LastPass. Seriously. Your data is encrypted locally with a password that LastPass never gets. Assuming you picked a strong master password, you don't have to trust me, because it's encrypted in a way that would take eons to break. We think this is the best way for people to handle this trust issue with LastPass. If we can't get it, no one else can either.
That said, the reason we put LastPass into a locked-down mode and announced quickly was fear that some people didn't use a strong master password; we're doing our best to protect everyone. We knew this was going to be a big inconvenience to people, but felt it was the best move.
We're going to learn from this and get better. We've put a lot of time and effort into LastPass and are highly motivated to never feel this way again.
David: What happens to passwords if LastPass suddenly and permanently shuts down?
Joe: If I won the lottery I'd still need LastPass, probably even more so! LastPass stores everything both locally and in the cloud. We designed it to deal with us disappearing, though, so you'd still have access to your data even if we're offline. If we were gone you could simply log in to LastPass in your browser or phone as normal and use LastPass as normal too, except for the cloud syncing portion.
We designed this more for us being unavailable, instead of being available and intentionally preventing you from logging in. To solve this, in our next release we're going to add a checkbox that allows you to log in offline only; we should be more explicit here.
Michael: If a current customer started using Sesame (two-factor authentication) now, is the account safe even if the master password is cracked?
Joe: Yes it would protect you but I'd still encourage you to change your master password unless you're comfortable with how strong it is.
SJVN: What steps are you taking to make sure your systems are robust enough to deal with this level of server load in the future?
Joe: We had 4 new servers available which we brought up Thursday, and we will continue to over-provision, but the real fix is an architectural one in which we can more easily scale up based on traffic volume.
Speaking as someone who's gone through a cyberattack aimed at a small business, I have nothing but compassion for Joe and his team. As consumers, though, we need to constantly evaluate the solidity of the companies with whom we entrust our most critical data. I think he's doing a lot of the right things, has the right attitude and spirit, and wish the best for him and LastPass.
Webcast about how to protect yourself and your business
To learn more about how to protect your business from cyberattack, I’ll be giving a free webcast on the subject Wednesday here on ZDNet and TechRepublic. It’s called Top 10 Tips To Protect Your Business Against Cyberattack. Believe it or not, this thing was scheduled way before the LastPass and Sony messes began. That said, there will be lots of tips and techniques for keeping yourself safe. It’s worth a tune-in.
Talkback
RE: We interview LastPass CEO: the human price and the real truth
Cloud = Fail
Putting all your eggs in one basket and leaving it in traffic is the same as putting all your data in the cloud of traffic to get snatched or broken or tipped or run over... You get the point. The more people push to this cloud crap, the more attacks will show up on the web. I'm shocked that people are not seeing this...
RE: We interview LastPass CEO: the human price and the real truth
I use LastPass and had no issues the entire time of their worst 'down' time. Sure, if I'd been setting up on a new system, I'd have had to resort to some manual export and import processes but I wasn't and thus had no trouble as LastPass continued to do what it was supposed to do, flawlessly.
I guess the fact that the program maintains an encrypted local database on your system meant that it could still work.
As for your assertion that anything on the internet "cloud" is a fail, well, if you really believe that, you should just disconnect and go somewhere else.
RE: We interview LastPass CEO: the human price and the real truth
Agree!
Cloud = Potentially BIG problem
Cloud = Many factors that can affect it
Cloud = You are naked before the BIG online stage
Cloud = Black Dark CLOUDS = BIG STORM COMING
No Cloud is better and safer.
RE: We interview LastPass CEO: the human price and the real truth
I keep mine in a Windows 256-bit encrypted file right on my own machine, complete with backed-up cert keys that do NOT live on my machine but on a CD. I can do anything I want with that file, but I pretty seriously doubt anyone else would find much use for it. Even the name doesn't give away what's in it, nor does the folder it lives in. I also change my passwords periodically. Don't need no stinkin' outsiders keeping MY secrets a secret! Seriously.
Who says what is strong?
Doesn't matter if someone gets in the front door
At that point, it doesn't matter how much encryption they have on the data, since a hacker would have full, direct permission to access it. Encryption is only for "back-door" hacks to the data. Using a back door hack to reprogram the security on the front door will defeat any encryption, although it would also mean that they would have to access each account individually to retrieve all of the data.
RE: We interview LastPass CEO: the human price and the real truth
I'm upset for what they did, not just that they had a possible break-in, but the fact that they broke the system in their attempts to rectify it. I was locked out of all my accounts for about 3-4 hours (I use all autogenerated passwords).
But before you comment, understand what you're talking about. The data is encrypted with your master password, which is not stored in their systems; nothing can decrypt your data without it. When you change your master password, they decrypt the data with the original, then encrypt it with the new one. There is no exploit for this, it's Encryption 101.
RE: We interview LastPass CEO: the human price and the real truth
How sure are you that your passwords are not copied or transferred to their online servers?!
80%, 90%, 100%??
You want to gamble with your passwords based on their words alone? That is daft!
Nice interview. Good new info
I now see that my local password into LastPass locks my data in the LastPass cloud, so I will be redownloading and reinstalling and rejoining LastPass now.
I am confident in my own passwords because I use rival Steganos to generate and remember secure local passwords for me.
Thanks, David - very useful interview.
A double-edged comment
That was commendable, and something that Sony *should* have been doing from the beginning. So yes, absolutely, kudos to everyone at LastPass involved in the decision.
Having said that, I think LastPass's actual business (as in what they do) is *INSANE*.
As in dangerous idiocy. This is keychain in the cloud, and I don't care if the master password *isn't* available via cloud, it's available too many other ways.
What happens if there's a compromise on the local machine? With malware watching you type in your master password it's the Holy Grail of criminal hacking--and you are *screwed*, folks.
That's because the hackers get everything all at once, and within a day they could clean out everything you have.
At least without keychain you may not lose everything before discovering you're compromised!
Wonderful implementation and administration of a horrible, crazy idea.
RE: We interview LastPass CEO: the human price and the real truth
While keychains can indeed be bad, the fact is if your local machine is hacked the hacker is going to get all of your passwords anyway, it's just going to take longer. In the digital age keychains are convenient and some would say necessary, as there are so many things that need passwords. What should start happening is websites/companies that require passwords should start using biometrics that are encrypted when sent from client to server. This would be a step in the right direction, but even then, if you need security to protect something, there's always going to be someone who is going to try and possibly crack it.
RE: We interview LastPass CEO: the human price and the real truth
You're absolutely correct! There is no such thing as 'secure.' We can make it more difficult for the criminal to break in and steal but basically, if someone really wants your info, they'll get it. True security resides only within the mind of the holder of the secret and only when they never willingly give up that secret.
All we can do is make it difficult for the criminal, and maybe enough so that they'll reach for the other, easier-to-pick fruit.
I love LastPass because I can have one complex password that I have to remember to unlock all the others, which are very randomly generated and thus (for me anyhow) impossible to remember.
RE: We interview LastPass CEO: the human price and the real truth
I'm not really disagreeing with you, wolf_z, but keyboard inputs can be scrambled and encrypted too, as in KeyScrambler. I defy any cracker in the known world to crack KeyScrambler. This would simply make life very difficult for the criminal.
But even ignoring that, if it weren't for LastPass - my clients would be using one password for the whole internet, like they were before. This would make it possible for one cracker to get into just one account on the web, and from then on could get into any account that had the same user, and no encryption whatsoever. So which is worse? I say LastPass or other ID vaults are still the way to go for the lazy and forgetful out there. And it definitely beats writing down hundreds of passwords on a sticky note.
I use LastPass too
I suppose a keychain is bound to attract hackers.
Happy User
RE: We interview LastPass CEO: the human price and the real truth
Anyone who doesn't keep their OWN list of their passwords is pretty dumb IMO so LastPass should really have been nothing but an inconvenience, NOT the disaster everyone is trying to make it out to be. Good Lord, what a crazy world of lazy stiffs!