We interview LastPass CEO: the human price and the real truth
It takes an incredible amount of work and dedication to start a company. You give it all of your time -- nights, weekends, everything -- and often most of your money. Your health can degrade because you often choose to pay attention to your customers and your obligations before your digestive system.
You constantly try to do the right thing, against constant pressures from competitors, the reality of never having enough money and time, and all the unexpected events that make up living in the real world.
It's hard enough starting a company with normal competitive pressures. It's far worse when doing so in the face of outside criminal attack. For Joe Siegrist, it's even more challenging, because he almost literally holds the keys that allow all of his customers to access their digital world.
Joe is CEO of LastPass, a password management company.
See also:
- LastPass melts down and leaves many users (hopefully, temporarily) stranded without their passwords
- Don't trust companies to safeguard your data
- More Sony bad news: Sony Online also compromised (this goes beyond the PlayStation Network)
- 7 important survival tips Amazon's orphaned 0.07 percent can teach us
- 6 important things about the ongoing PlayStation Network outage that Sony won't reveal
Last week, when Joe's company got hit with -- something -- he had some tough decisions to make. In doing what I consider the right thing to secure his systems and ultimately protect his users, his company couldn't handle the load and many users were stranded without access to their most-needed services.
ZDNet bloggers Jason Perlow, Michael Krigsman, Steven J. Vaughan-Nichols, and I had the opportunity to talk with Joe and learn more.
David: Let's start with the human side. How are you holding up?
Joe: I had no idea something like this was a way to lose 10 lbs in 4 days. Can't eat, can't sleep, skipped Mother's day on my wife's first... Luckily she's understanding.
David: Tell us about LastPass.
Joe: We have 11 employees. Most of us are out of a former successful startup company called eStara which was acquired in 2006. The core team started in April 2008. We came out with a beta product in August of 2008 and have been growing well since. We purchased Xmarks in November 2010.
David: What's your background?
Joe: I studied Computer Science at the University of Maryland, then went to UUNET, and then on to eStara a startup where the 4 founders of LastPass came together first. We started LastPass in April 2008 with the goal of reducing password complexity to something that people can manage.
SJVN: What actually happened?
Joe: We're still investigating what happened but we couldn't explain the traffic so we were forced to assume that something did happen. We've brought in a number of outside security expects to help us analyze and improve.
One thing is clear though, in our attempts to protect everyone we created big problems for ourselves and our users, this was exacerbated by the speed at which it spread, and getting many times the news coverage we've ever received before.
Jason: Why should we trust you to ensure the safety of all of our passwords going forward in light of your recent security failure?
Next: Why should we still trust you? »
« Previous: What actually happened?
Jason: Why should we trust you to ensure the safety of all of our passwords going forward in light of your recent security failure?
Joe: The key to trusting LastPass is NOT trusting LastPass. Seriously. Your data is encrypted locally with a password that LastPass never gets. Assuming you picked a strong master password you don't have to trust me because it's encrypted in a way that would take eons to break, we think this is the best way for people to handle this trust issue with LastPass. If we can't get it, no one else can either.
That said, the reason we put LastPass into a locked down mode and announced quickly was fear that some people didn't use a strong master password; we're doing our best to protect everyone. We knew this was going to be a be inconvenience to people, but felt it was the best move.
We're going to learn from this and get better. We've put a lot of time and effort into LastPass and are highly motivated to never feel this way again.
David: What happens to passwords if LastPass suddenly and permanently shuts down?
Joe: If I won the lottery I still need LastPass, probably even more so! LastPass stores everything both locally and in the cloud. We designed it to deal with us disappearing though so you'd still have access to your data even if we're offline. If we were gone you could simply login to LastPass in your browser or phone as normal and use LastPass as normal too except for the cloud syncing portion.
We designed this more for us being unavailable instead of available and intentionally preventing you from logging in. To solve this in our next release we're going to make a checkbox that allows you to login offline only, we should be more explicit here.
Michael: If a current customer started using Sesame (two-factor authentication) now, is the account safe even if the master password is cracked?
Joe: Yes it would protect you but I'd still encourage you to change your master password unless you're comfortable with how strong it is.
SJVN: What steps are you taking to make sure your systems are robust enough to deal with this level of server load in the future?
Joe: We had 4 new servers available which we brought up Thursday and will continue to over provision, but the real fix is an architectural one in which we can more easily scale up based on traffic volume.
Speaking as someone who's gone through a cyberattack aimed at a small business, I have nothing but compassion for Joe and his team. As consumers, though, we need to constantly evaluate the solidity of the companies with whom we entrust our most critical data. I think he's doing a lot of the right things, has the right attitude and spirit, and wish the best for him and LastPass.
Webcast about how to protect yourself and your business
To learn more about how to protect your business from cyberattack, I’ll be giving a free webcast on the subject Wednesday here on ZDNet and TechRepublic. It’s called Top 10 Tips To Protect Your Business Against Cyberattack. Believe it or not, this thing was scheduled way before the LastPass and Sony messes began. That said, there will be lots of tips and techniques for keeping yourself safe. It’s worth a tune-in.