We interview LastPass CEO: the human price and the real truth

Summary: ZDNet bloggers Jason Perlow, Michael Krigsman, Steven J. Vaughan-Nichols, and David Gewirtz had the opportunity to talk with LastPass CEO Joe Siegrist to learn the inside story.

It takes an incredible amount of work and dedication to start a company. You give it all of your time -- nights, weekends, everything -- and often most of your money. Your health can degrade because you often choose to pay attention to your customers and your obligations before your digestive system.

You constantly try to do the right thing, against constant pressures from competitors, the reality of never having enough money and time, and all the unexpected events that make up living in the real world.

It's hard enough starting a company with normal competitive pressures. It's far worse when doing so in the face of outside criminal attack. For Joe Siegrist, it's even more challenging, because he almost literally holds the keys that allow all of his customers to access their digital world.

Joe is CEO of LastPass, a password management company.

Last week, when Joe's company got hit with -- something -- he had some tough decisions to make. In doing what I consider the right thing to secure his systems and ultimately protect his users, his company couldn't handle the load and many users were stranded without access to their most-needed services.

ZDNet bloggers Jason Perlow, Michael Krigsman, Steven J. Vaughan-Nichols, and I had the opportunity to talk with Joe and learn more.

David: Let's start with the human side. How are you holding up?

Joe: I had no idea something like this was a way to lose 10 lbs in 4 days. Can't eat, can't sleep, skipped Mother's Day on my wife's first... Luckily she's understanding.

David: Tell us about LastPass.

Joe: We have 11 employees. Most of us are out of a former successful startup company called eStara which was acquired in 2006. The core team started in April 2008. We came out with a beta product in August of 2008 and have been growing well since. We purchased Xmarks in November 2010.

David: What's your background?

Joe: I studied Computer Science at the University of Maryland, then went to UUNET, and then on to eStara, a startup where the 4 founders of LastPass came together first. We started LastPass in April 2008 with the goal of reducing password complexity to something that people can manage.

SJVN: What actually happened?

Joe: We're still investigating what happened, but we couldn't explain the traffic, so we were forced to assume that something did happen. We've brought in a number of outside security experts to help us analyze and improve.

One thing is clear, though: in our attempts to protect everyone we created big problems for ourselves and our users. This was exacerbated by the speed at which it spread, and by getting many times the news coverage we've ever received before.

Jason: Why should we trust you to ensure the safety of all of our passwords going forward in light of your recent security failure?

Joe: The key to trusting LastPass is NOT trusting LastPass. Seriously. Your data is encrypted locally with a password that LastPass never gets. Assuming you picked a strong master password, you don't have to trust me, because it's encrypted in a way that would take eons to break. We think this is the best way for people to handle this trust issue with LastPass. If we can't get it, no one else can either.

That said, the reason we put LastPass into a locked-down mode and announced quickly was fear that some people didn't use a strong master password; we're doing our best to protect everyone. We knew this was going to be a big inconvenience to people, but felt it was the best move.

We're going to learn from this and get better. We've put a lot of time and effort into LastPass and are highly motivated to never feel this way again.

David: What happens to passwords if LastPass suddenly and permanently shuts down?

Joe: If I won the lottery I'd still need LastPass, probably even more so! LastPass stores everything both locally and in the cloud. We designed it to deal with us disappearing, though, so you'd still have access to your data even if we're offline. If we were gone you could simply log in to LastPass in your browser or phone as normal and use LastPass as normal too, except for the cloud syncing portion.

We designed this more for us being unavailable, instead of being available and intentionally preventing you from logging in. To solve this, in our next release we're going to add a checkbox that allows you to log in offline only; we should be more explicit here.

Michael: If a current customer started using Sesame (two-factor authentication) now, is the account safe even if the master password is cracked?

Joe: Yes it would protect you but I'd still encourage you to change your master password unless you're comfortable with how strong it is.

SJVN: What steps are you taking to make sure your systems are robust enough to deal with this level of server load in the future?

Joe: We had 4 new servers available which we brought up Thursday and will continue to over provision, but the real fix is an architectural one in which we can more easily scale up based on traffic volume.

Speaking as someone who's gone through a cyberattack aimed at a small business, I have nothing but compassion for Joe and his team. As consumers, though, we need to constantly evaluate the solidity of the companies with whom we entrust our most critical data. I think he's doing a lot of the right things, has the right attitude and spirit, and wish the best for him and LastPass.
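Joe's claim above, that with a strong master password you do not have to trust the service at all, is a client-side encryption model, and it is easier to judge in code than in prose. The block below is an illustration added for this page, not LastPass's own code or scheme: it assumes PBKDF2 with a made-up iteration count, a made-up "login key" derivation, and an HMAC-SHA256 counter-mode stream cipher standing in for the AES-GCM a real client would use, so that it runs on the Python standard library alone. It also covers two points raised in the comments below: how a master password change works when the service never holds the password, and why a stolen server database still puts weak master passwords at risk.

```python
"""Client-side-encrypted vault, illustrative only (not LastPass code).
The server stores salt, a hashed login key and ciphertext; it never
receives the master password or the encryption key."""
import hashlib
import hmac
import json
import os
from typing import Optional

KDF_ITERATIONS = 100_000   # assumed PBKDF2 cost for this demo, not a vendor figure
VERIFIER_ROUNDS = 1_000    # assumed server-side hashing of the login key


def derive_keys(master_password: str, salt: bytes) -> dict:
    """Stretch the master password on the client into an encryption key,
    a MAC key and a login key. Only `login` ever leaves the device; it is
    a one-way HMAC of the encryption key, so the server cannot decrypt."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, KDF_ITERATIONS, dklen=64)
    enc_key, mac_key = material[:32], material[32:]
    login_key = hmac.new(enc_key, b"login", hashlib.sha256).digest()
    return {"enc": enc_key, "mac": mac_key, "login": login_key}


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for AES-GCM so the example
    needs nothing outside the standard library."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(keys: dict, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under a fresh nonce; the result is safe to upload."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(keys: dict, blob: dict) -> bytes:
    """Check the tag before touching the ciphertext; a wrong master password
    gives wrong keys and therefore a tag mismatch, never garbage plaintext."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(keys["enc"], nonce, len(ct))))


def _verifier(login_key: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", login_key, salt, VERIFIER_ROUNDS)


class VaultServer:
    """Everything the service holds per user. No password, no encryption key."""

    def __init__(self) -> None:
        self.users: dict = {}

    def store(self, user: str, salt: bytes, login_key: bytes, blob: dict) -> None:
        self.users[user] = {"salt": salt, "verifier": _verifier(login_key, salt), "blob": blob}

    def salt_for(self, user: str) -> bytes:
        return self.users[user]["salt"]

    def login(self, user: str, login_key: bytes) -> bool:
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(_verifier(login_key, rec["salt"]), rec["verifier"])

    def fetch(self, user: str) -> dict:
        return self.users[user]["blob"]


def client_store(server: VaultServer, user: str, master_password: str, vault: dict) -> None:
    """Fresh salt, fresh keys, encrypt locally, upload only the blob."""
    salt = os.urandom(16)
    keys = derive_keys(master_password, salt)
    server.store(user, salt, keys["login"], encrypt_vault(keys, json.dumps(vault).encode("utf-8")))


def client_open(server: VaultServer, user: str, master_password: str) -> dict:
    keys = derive_keys(master_password, server.salt_for(user))
    if not server.login(user, keys["login"]):
        raise PermissionError("login rejected")
    return json.loads(decrypt_vault(keys, server.fetch(user)))


def client_change_master_password(server: VaultServer, user: str, old_pw: str, new_pw: str) -> None:
    """Rotation: decrypt with the old key on the client, re-encrypt under
    the new one, upload the result. The server only ever sees ciphertext."""
    client_store(server, user, new_pw, client_open(server, user, old_pw))


def offline_guess(record: dict, candidates: list) -> Optional[str]:
    """What a thief of the server database can still do: run the same
    client-side derivation per guess and compare against the verifier.
    Each guess costs one full PBKDF2 run; that, plus the password's
    unpredictability, is the whole defence for a weak master password."""
    for guess in candidates:
        login_key = derive_keys(guess, record["salt"])["login"]
        if hmac.compare_digest(_verifier(login_key, record["salt"]), record["verifier"]):
            return guess
    return None


def record_leaks(record: dict, secret: str) -> bool:
    """True if the stored record contains the secret in the clear."""
    needle = secret.encode("utf-8")
    return needle in bytes.fromhex(record["blob"]["ct"]) or needle in record["verifier"]
```

The server's `login` compares a hash of a value derived from the encryption key, never the key or the password, so a copy of `users` hands an attacker only salt, verifier and ciphertext. `offline_guess` shows what that attacker does next: one PBKDF2 run per guess against the verifier, which is why the iteration count and the master password's unpredictability, rather than the "eons" of the cipher itself, set the real cost. Note there is no password-reset path in this model: without the master password there is nothing the service can decrypt or hand back, which is the flip side of not having to trust it.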

Webcast about how to protect yourself and your business

To learn more about how to protect your business from cyberattack, I’ll be giving a free webcast on the subject Wednesday here on ZDNet and TechRepublic. It’s called Top 10 Tips To Protect Your Business Against Cyberattack. Believe it or not, this thing was scheduled way before the LastPass and Sony messes began. That said, there will be lots of tips and techniques for keeping yourself safe. It’s worth a tune-in.


David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

  • RE: We interview LastPass CEO: the human price and the real truth

    As I've always said and will always say...

    Cloud = Fail

    Putting all your eggs in one basket and leaving it in traffic is the same as putting all your data in the cloud of traffic to get snatched or broken or tipped or run over... You get the point. The more people push to this cloud crap the more attacks will show up on the web. I'm shocked that people are not seeing this...
    • RE: We interview LastPass CEO: the human price and the real truth

      @audidiablo = Fail

      I use LastPass and had no issues the entire time of their worst 'down' time. Sure, if I'd been setting up on a new system, I'd have had to resort to some manual export and import processes but I wasn't and thus had no trouble as LastPass continued to do what it was supposed to do, flawlessly.

      I guess the fact that the program maintains an encrypted local database on your system meant that it could still work.

      As for your assertion that anything on the internet "cloud" is a fail: well, if you really believe that, you should just disconnect and go somewhere else.
    • RE: We interview LastPass CEO: the human price and the real truth

      @audidiablo You obviously do not understand how Lastpass works.
    • RE: We interview LastPass CEO: the human price and the real truth

      Agree!

      Cloud = Potentially BIG problem
      Cloud = Many factors that can affect it
      Cloud = You are naked before the BIG online stage
      Cloud = Black Dark CLOUDS = BIG STORM COMING

      No Cloud is better and safer.
    • RE: We interview LastPass CEO: the human price and the real truth

      @audidiablo ... I have to agree with you. The events over the last month or so are proving me right even more so than I ever expected! I'm sorry so many people were inconvenienced, but ... after all, if those people at LastPass didn't have their OWN list of their passwords, I'm afraid it's their own fault.
      I keep mine in a Windows 256-bit encrypted file right on my own machine, complete with backed-up cert keys that do NOT live on my machine but on a CD. I can do anything I want with that file but I pretty seriously doubt anyone else would find much use for it. Even the name doesn't give away what's in it, nor the folder it lives in. I also change my passwords periodically. Don't need no stinkin' outsiders keeping MY secrets a secret! Seriously.
  • Who says what is strong?

    Okay. So, we accept what he's saying...but what's a strong password? Strong today, might be weak tomorrow. Some measures show that apparently weak passwords are strong and vice versa. If a cracker is using bruteforce and other methods in parallel, then it's very hard to know whether any given password is strong, weak or indifferent...
  • Doesn't matter if someone gets in the front door

    If someone can find an exploit, then change your master password, they'll get access to all of your passwords. It's like getting the hidden key for the front door of your house by breaking into the insecure shed that houses it. How secure is the password reset procedure for master passwords? This is where most cloud providers will fail.

    At that point, it doesn't matter how much encryption they have on the data, since a hacker would have full, direct permission to access it. Encryption is only for "back-door" hacks to the data. Using a back door hack to reprogram the security on the front door will defeat any encryption, although it would also mean that they would have to access each account individually to retrieve all of the data.
    • RE: We interview LastPass CEO: the human price and the real truth

      I'm upset by what they did, not just that they had a possible break-in, but the fact that they broke the system in their attempts to rectify it. I was locked out of all my accounts for about 3-4 hours (I use all autogenerated passwords).

      But before you comment, understand what you're talking about. The data is encrypted with your master password, which is not stored in their systems; nothing can decrypt your data without it. When you change your master password, they decrypt the data with the original, then encrypt it with the new one. There is no exploit for this; it's encryption 101.
      • RE: We interview LastPass CEO: the human price and the real truth

        How sure are you that your passwords are not copied or transferred to their online servers?!

        80%, 90%, 100%??

        You want to gamble with your passwords based on their words alone? That is daft!
  • Nice interview. Good new info

    Good job. I, like many others no doubt, panicked at the news of what appeared to be a breach, and uninstalled my LastPass - which I had installed in order to have access to my passwords from each of my computers conveniently.

    I now see that my local password into LastPass locks my data in the LastPass cloud, so I will be redownloading and reinstalling and rejoining LastPass now.

    I am confident in my own passwords because I use rival Steganos to generate and remember secure local passwords for me.

    Thanks, David - very useful interview.
  • A double edged comment

    Ok, let me first say I was *extremely* pleased with the actions LastPass took when they weren't even sure they had been compromised.

    That was commendable, and something that Sony *should* have been doing from the beginning. So yes, absolutely, kudos to everyone at LastPass involved in the decision.

    Having said that, I think LastPass's actual business (as in what they do) is *INSANE*.

    As in dangerous idiocy. This is keychain in the cloud, and I don't care if the master password *isn't* available via cloud, it's available too many other ways.

    What happens if there's a compromise on the local machine? With malware watching you type in your master password it's the Holy Grail of criminal hacking--and you are *screwed*, folks.

    That's because the hackers get everything all at once, and within a day they could clean out everything you have.

    At least without keychain you may not lose everything before discovering you're compromised!

    Wonderful implementation and administration of a horrible, crazy idea.
    • RE: We interview LastPass CEO: the human price and the real truth

      While keychains can indeed be bad, the fact is that if your local machine is hacked the hacker is going to get all of your passwords anyway; it's just going to take longer. In the digital age keychains are convenient, and some would say necessary, as there are so many things that need passwords. What should start happening is that websites/companies that require passwords should start using biometrics that are encrypted when sent from client to server. This would be a step in the right direction, but even then, if you need security to protect something, there's always going to be someone who is going to try and possibly crack it.
      • RE: We interview LastPass CEO: the human price and the real truth

        You're absolutely correct! There is no such thing as 'secure.' We can make it more difficult for the criminal to break in and steal but basically, if someone really wants your info, they'll get it. True security resides only within the mind of the holder of the secret and only when they never willingly give up that secret.

        All we can do is make it difficult for the criminal and maybe enough so that they'll reach for the other, easier to pick fruit.

        I love LastPass because I can have one complex password that I have to remember to unlock all the others, which are very randomly generated and thus (for me anyhow) impossible to remember.
    • RE: We interview LastPass CEO: the human price and the real truth

      @wolf_z:

      I'm not really disagreeing with you wolf_z, but keyboard inputs can be scrambled and encrypted too, as in Keyscrambler. I defy any cracker in the known world to crack Keyscrambler. This would simply make life very difficult for the criminal.

      But even ignoring that, if it weren't for LastPass - my clients would be using one password for the whole internet, like they were before. This would make it possible for one cracker to get into just one account on the web, and from then on could get into any account that had the same user, and no encryption whatsoever. So which is worse? I say LastPass or other ID vaults are still the way to go for the lazy and forgetful out there. And it definitely beats writing down hundreds of passwords on a sticky note.
  • I use LastPass too

    Considering what they went through, LastPass were extremely polite when I asked "what the **** is happening?". I'm still a happy user of the LastPass/ XMarks combination, but then without it I would be a lazy password user with somewhere upwards of 30 sites requiring authentication.
    I suppose a keychain is bound to attract hackers.
  • Happy User

    I just wanted to add my thanks to the team at LastPass. The service they provide - and *well* - is a necessary one and they have handled the whole situation with a level of professionalism and integrity that many other, much larger companies should be paying attention to (yes, Sony, I'm looking at *you*).

    I am a premium LastPass user and will continue to be so, but regardless of the level of security employed by them and other similar providers, I would never store my passwords for online banking anywhere other than in my own head.

    This whole thing, though, has made me think about the kind of passwords I use and I think in the next week or so I will be changing many of my important sites to either autogenerated ones or much more complex (but easy to remember offline) ones - passPHRASEs instead of passwords!

    Regardless of anyone's personal feelings towards it, cloud computing has been coming for several years and is not going to go away, so until a biometric standard becomes universally available and universally implemented, people (myself included) need to stop being lazy and going for convenient passwords.
  • RE: We interview LastPass CEO: the human price and the real truth

    After looking at some of the press coverage today, I am surprised that one of the biggest issues involved is not confronted. I received an email about the breach from LastPass today, May 10, at 11 AM. That's seven days after the breach. I had absolutely no idea there was a problem, I wasn't told to change a password, I just went about my life for a week oblivious to this. On their website, the company admits their delay in emailing users was "inefficient," but for those of us who don't read computer sites and blogs daily or even weekly, we had no idea. Ironically, one news story complimented the company for letting people know "sooner rather than later" about the breach. For all of the interviews they've done, each interviewer should have realized that a great many users had no idea the issue had arisen at all.
  • RE: We interview LastPass CEO: the human price and the real truth

    This is only about lost passwords? Something one should be changing periodically anyway? Only pretty dumb people would depend ONLY on someone else to track/store their passwords ON THE NET! And in the misnomered "cloud" to boot!
    Anyone who doesn't keep their OWN list of their passwords is pretty dumb IMO, so LastPass should really have been nothing but an inconvenience, NOT the disaster everyone is trying to make it out to be. Good Lord, what a crazy world of lazy stiffs!