The future of LastPass - what next for the Internet's top password manager?

LogMeIn seems to be attracted to the value in retaining the large user base that LastPass built over many years

Two months on from LogMeIn's contentious $110 million (£70 million) acquisition of the popular password security system LastPass, Computerworld UK decided to test the water on the application's future under its new owners. Takeovers are a common and often desirable occurrence in tech and security, allowing smaller companies to gain investment and access to new customers. Just as often they mean small, innovative, popular products disappearing into larger firms that don't understand them or necessarily care about the established user base.

On the basis of LogMeIn's answers to our questions, it sounds as if this one will fall into a generally positive grey area between these two extremes. On the one hand the answers below avoid making any firm statements regarding future pricing of LastPass Premium (the annual $12 fee is considered a bargain by many) but neither do they suggest any big hikes are likely. LogMeIn seems to be attracted to the value in retaining the large user base that LastPass built over many years. Changing things would be risky and pretty bad PR - LastPass's user base is active and more influential than most.

LastPass will continue its Freemium model for now. LogMeIn says that its controversial decision to hike prices for its own LogMeIn remote support system early in 2015 was based on a completely different market whose dynamics don't apply to LastPass. The password manager also has a sizable user base of 15,000 companies for its Enterprise version and it is this profitable niche it will want to expand to fuel financial growth.

Other positive noises include that the LastPass team based in Virginia will continue to drive the product's development so the software won't be handed over to engineers who've never worked with it. The Meldium product, gained from a previous acquisition, will be subsumed within LastPass rather than the other way around. As for the security breach that hit LastPass in 2015, we remain none the wiser although LogMeIn repeats the view that LastPass's CEO Joe Siegrist handled a difficult event to his credit. We'd generally agree with that but it would still be nice to have more information on exactly what happened.

The following answers were supplied by LogMeIn's vice president of corporate communications, Craig VerColen.

Computerworld UK: Why did LogMeIn buy LastPass and why now? Or why did LastPass sell itself and why now? The company bought a separate system called Meldium in 2014.

VerColen: Identity and access management represents one of LogMeIn's declared strategic growth drivers. It's an area where we have been investing from both an organic and M&A standpoint. And we see password management as a key, relatively underserved part of that market. With LastPass, we have acquired a market leading position in password management, as well as a wildly popular and beloved product. Meldium's capabilities, which are focused on teams and small businesses, offer a great complement. In the short term, both products will be supported. In the longer-term, we'll be building around a single IAM offering, and that will be based on LastPass, both architecturally and from a brand.

Were you surprised by the negative reaction of some LastPass users to news of the takeover?

VerColen: LastPass is a great company with a beloved product, loyal customers and a strong team. Obviously whenever there is an acquisition like this people are understandably nervous that it could change the product and customer experience they've come to love. With this acquisition, the goal wasn't just to acquire a great product, it was acquiring a great business. LastPass CEO Joe Siegrist and the entire LastPass team are joining LogMeIn, and they will continue to lead the LastPass strategy and development of the product.

The LastPass team remains in place - does that mean development of the product is still primarily being done from its Virginia offices?

VerColen: Yes, the LastPass team will maintain their Fairfax, VA office and will continue to lead the strategy and development of the product. We will provide additional resources and expertise from our other development centres, as necessary to accelerate development.

What short-term changes will LastPass users (both free and Premium) notice to the service in the coming months?

VerColen: The only short-term changes will be around accelerating LastPass's roadmap. With the help of additional resources, we'll be able to accomplish more, much faster - providing an even better service to millions of people. There are no plans to change the model.

Longer term, what plans does LogMeIn have to merge LastPass with Meldium and what features might this add?

VerColen: As mentioned, both will be supported in the near-term as standalone offerings. The longer-term plan has us bringing the team and small business sharing aspects of Meldium - areas where Meldium really shines - into LastPass. What we really want to do is have a product tailored to the needs of individuals, teams and businesses. As an early mover, LastPass has a lot of great capabilities built in for both individual and company-wide use cases. So we're starting with a great foundation.

Can the company make any predictions on the future pricing of the service for either free or Premium users? LastPass users are obviously concerned after LogMeIn killed its own free service in 2014.

VerColen: LastPass is an amazing product and is by most measures the market leader in a high growth space. This is also a key growth market for LogMeIn. We have no plans to change anything that would potentially impede this growth. And while some may worry given the move to shift the LogMeIn remote access product to a premium-only business, this was largely due to the late lifecycle and longer-term new user growth potential of that legacy market. In contrast, LogMeIn also makes, which, like LastPass is a freemium offering. Like LastPass, plays in a high growth market, and like LastPass,'s free offering gives us a key way to expose vast amounts of new users to our offering.

LastPass suffered a significant security breach earlier in 2015, its second in four years. Is the purchase of the company likely to change or improve the overall security architecture?

VerColen: From our perspective, LastPass handled the incidents very well. And that includes both how they communicated the issues, as well as the steps they took to further protect users. During the acquisition, they also worked closely with our team, and with 3rd parties, to improve security and we believe we have taken steps to put LastPass in a more secure position.

What security enhancements do LastPass Premium users have to look forward to? The range of security options in the product is a major attraction.

VerColen: Security is a top priority for LogMeIn. We're committed to ongoing security investments within the LastPass service. The LastPass team will work closely with our team to further enhance the security of their infrastructure.

On a separate note, LogMeIn has been accused of inadvertently facilitating remote support scams that use its software - can the company comment on these claims?

VerColen: First, we take the security and safety of end users very seriously, and have taken several steps to ensure their protection. While the vast, vast majority of remote support is delivered from credible entities - for example 50 telecommunication companies in Europe use our products in their customer care organizations - it's important to note that the use of our products for nefarious and/or illegal purposes is strictly prohibited, and we terminate accounts for anyone found in violation. We have also taken steps in our product, itself, to prevent nefarious usage, and to detract nefarious or illegal entities - steps designed explicitly to protect consumers.

These include warnings aimed at ensuring people only accept support from people they know and trust, as well as kill switches that allow people to terminate sessions at will. Additionally, we have built alerting into the product, so consumers can instantly report nefarious attempts directly in the product - information that can be used to both terminate an account and, at times, assist local law enforcement in their efforts to track down bad actors. We have also implemented internal processes with our security and support teams to proactively identify potential bad actors, as well as to quickly and efficiently investigate any and all reports of such action.

Stories by John E Dunn
