Talk:LastPass

Sale price

"On October 9, 2015, LastPass was acquired by LogMeIn, Inc. for $125 million..."

and on https://en.wikipedia.org/wiki/LogMeIn it says "LogMeIn acquired LastPass for $110 Million in October of 2015."

So what was the actual sales price, and can we get it correct on both pages? -[mrdeleted] — Preceding unsigned comment added by Mrdeleted (talk • contribs) 01:06, 4 February 2016 (UTC)

Upon further review, I see where the prices are different: "Transaction Details

Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction."

https://investor.logmeininc.com/about-us/investors/news/press-release-details/2015/LogMeIn-to-Acquire-Password-Management-Leader-LastPass/default.aspx

How do we normally list such prices, and can we make sure both pages reflect the above? — Preceding unsigned comment added by Mrdeleted (talk • contribs) 01:10, 4 February 2016 (UTC)

is this an ad?

Is this article an advertisement for lastpass? Where are the factual commentary and comparisons? --74.179.121.25 (talk) 20:05, 12 July 2010 (UTC)

Point taken, but if you are so concerned why not seek out some references and contribute? I must admit I find it hard to believe it hasn't come in for criticism from someone, but I've yet to find anything (but at least I've looked). For now, I have at least moved the info related to its positive reviews into a separate section - having that up in the lead section doesn't help. Regards, Halsteadk (talk) 12:58, 16 July 2010 (UTC)

This article is written in a fact-based tone, it does not read as a "hyped" advertisement. The article could be expanded to offer comparisons to other products, so a tag indicating the article could be expanded would be more fair than indicating that it is written as an advertisement. Merbenz (talk) 22:18, 8 April 2011 (UTC)

There are clearly encyclopedic words in here. "LastPass seeks to resolve the password fatigue problem by centralising user password management in the cloud," reads as an ad. I'm an inexperienced editor so pardon my lack of the right term, but looking at other 'Good' pages they would attempt to be short and succinct and with implied bias; "the password fatigue problem" reads as an ad. The link to the appropriate page for this category of software should be sufficient, additional detail should appropriately be obtained in the linked "http://en.wikipedia.org/wiki/Password_manager" page. I don't know enough about this topic to successfully improve the article up to 'Good' standards, but I will be flagging it spam as per WP:SPAM. TheDonny (talk) 01:36, 24 August 2013 (UTC)

Wikipedia requires that articles not express a bias or point of view. This article presents only the company's marketing line, which omits or minimizes any privacy concerns flowing from the fact that user login histories are by default sent to the company. I have tried to add balance in a new section describing how the company plans to target advertising and to monetize login history data. Keeping this known liability out of the article is not in accordance with WP guidelines. David Spector (talk) 21:36, 7 April 2013 (UTC)

And sourcing an alleged criticism based on one user raising a concern on a forum in 2009 is not in accordance with WP guidelines either. You need to find a ref to show significant concerns have been raised and published so that it's verifiable they are significant. People also moan on forums and it is impossible to gauge the genuine level of user feeling, that is why forums are not normally appropriate sources. Halsteadk (talk) 22:16, 7 April 2013 (UTC)

I agree with this objection to my criticism. Furthermore, I have used LastPass myself since that time in an attempt to discover security or other problems and could find only some minor annoyances in the user interface and rare situations where user programming (as in iMacros) would have been needed to login automatically, but nothing worse. I am impressed by the quality, functionality, and reliability of the software and could only wish that the passwords were stored on the local computer, especially for financial form information, based on nothing more than abstract principles. I am also impressed by how the company refrains from including misleading marketing hype in its public statements. David Spector (talk) 17:19, 11 June 2013 (UTC)

Explanation for move

I moved this page because the official name of the software is LastPass, as evidenced by the Chrome web store entry, the official website, and the US Patent and Trademark Office trademark. – FenixFeather ^{(talk)(Contribs)} 19:03, 27 April 2014 (UTC)

• FenixFeather, would you have any objection if I moved the article to just plain LastPass? Right now that's just a redirect back to this article.—Neil P. Quinn (talk) 04:30, 28 April 2014 (UTC)
  • @Neil P. Quinn: Not at all! I had considered it myself, but the only reason I added "(software)" to it was because I wanted to provide for the possibility of their being a future article on the company. "LastPass (service)" might even work better, too. Dropbox (service) is a similar service that involves both a software client called "Dropbox" and an online component that functions as a large part of the service. Then again, Steam (software) is also a sort of mix between the app itself and the service that Valve provides, so I think at this point, anything works. – FenixFeather ^{(talk)(Contribs)} 05:20, 28 April 2014 (UTC)
    • Well, if we need to create a separate article for the company at some point, we can definitely move it back. But it'll probably be a long time before that happens, if ever. Dropbox the company still doesn't have a separate article from Dropbox the service! I'm going to make the move now; obviously, feel free to revert if you think it's premature. —Neil P. Quinn (talk) 05:37, 28 April 2014 (UTC)
      • Seems good to be! But, at least to me, the talk page is still LastPass (software). – FenixFeather ^{(talk)(Contribs)} 00:16, 30 April 2014 (UTC)
        • Note: I wasn't able to move the talk page, maybe because of some technical problem? – FenixFeather ^{(talk)(Contribs)} 00:19, 30 April 2014 (UTC)
          • Sorry, fixed now! Feezo (send a signal | watch the sky) 06:04, 30 April 2014 (UTC)

Thanks Neil. I was going to suggest just that, so rather than that, I've requested the move to be performed. As you say, although "LastPass" is ambiguous, it should be a long time before separate article are warranted. --Chealer (talk) 03:55, 29 April 2014 (UTC)

Nature

According to the definition we give, LastPass is a service. According to the following sentence and to the article's name, LastPass is software. Is LastPass software, a service, or both? --Chealer (talk) 19:47, 27 April 2014 (UTC)

• Both. Lastpass is a web service made up of many interconnected software components, including backend server software, browser extensions, mobile apps, and so on.—Neil P. Quinn (talk) 04:11, 28 April 2014 (UTC)
  • Resolved
    Makes sense. I hope the article will now avoid confusion. Thanks Neil. --Chealer (talk) 14:37, 30 April 2014 (UTC)

Offline capable?

Is LastPass capable of offline usage and synchronisation? Is it possible to make local backups of passwords? Seems like a pretty relevant feature to mention. Diggory Hardy (talk) 19:43, 28 April 2014 (UTC)

In regard to WP:NOTFORUM, this shouldn't be discussed here. It would be be better suited to ask Lastpass themselves. But yes, they do. (According to their handbook) https://helpdesk.lastpass.com/password-manager-basics/your-lastpass-vault/offline-access-to-your-lastpass-vault/ Tutelary (talk) 20:27, 28 April 2014 (UTC)

Mac app

v3.6 - January 28, 2015

69.230.97.74 (talk) 08:08, 3 February 2015 (UTC)

Maxthon (see release notes)

The latest version has Maxthon now

69.230.97.19 (talk) 21:07, 15 July 2015 (UTC)

New Logo

LastPass got a new logo: https://blog.lastpass.com/2016/02/meet-the-new-lastpass-logo.html/

The article should be updated. Ascom99 (talk) 04:50, 4 February 2016 (UTC)

More security issues in 2016

I think you should add information that there was 2 security problems in July 2016, both allows to steal passwords from LastPass on any website with prepared JavaScript:

https://www.engadget.com/2016/07/27/lastpass-addresses-two-major-vulnerabilities-found-by-users/ — Preceding unsigned comment added by 109.90.192.211 (talk) 10:57, 28 July 2016 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified 2 external links on LastPass. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Corrected formatting/usage for http://www.pcmag.com/article2/0%2C2817%2C2343562%2C00.asp
• Added archive https://web.archive.org/web/20160926052950/https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details to https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 00:47, 12 May 2017 (UTC)

Law suit

Is this worthy of being mentioned? "LastPass Faces Class-Action Lawsuit Over Password Vault Breach" form PC Magazine online: https://www.pcmag.com/news/lastpass-faces-class-action-lawsuit-over-password-vault-breach?utm_source=email&utm_campaign=whatsnewnow&zdee=gAAAAABjNL7RnFIcIoaSGXoF1uSGpnC7O37WoqoyO_Uw7AKENWxc7yHpCPqickNItT7IRv3SHhdomXe7W7j-BqNE_uLA0Wa_1mjKCbJ96w-JXCUrLHw2eic%3D Kdammers (talk) 16:27, 6 January 2023 (UTC)

Yes! Chumpih ^t 17:05, 6 January 2023 (UTC)

Some words added now. Chumpih ^t 18:42, 6 January 2023 (UTC)

2022 security incident - rework

At the moment, the driving chronology of LastPass#2022 security incidents section is the multiple reports from LastPass over 2022 and 2023. Perhaps it would be preferable to rewrite this with the driving narrative being the sequence of the attack, or a list of exfiltrated data, or the impact to users, or similar, or all of the above.

For sure, the fact that the investigation's results were released over a period of months warrants some words.

Or do we wait until there are N months without a report, or some 'final' report, before reworking?

Thoughts? Chumpih ^t 05:40, 28 February 2023 (UTC)

Have now reworked the section, given the recent reports from LastPass say 'investigation concluded'. Chumpih ^t 11:45, 5 March 2023 (UTC)

NPOV Issues

Hi. My name is Amy and I work for LastPass. I feel the current page is unfair and violates several of Wikipedia's policies/guidelines (WP:UNDUE, MOS:OVERSECTION, etc.). For example, there are 8 dedicated sections to individual security breaches. LastPass did have at least a couple breaches that were a big deal, received substantial press, and rightfully made a lot of users upset.

However, the dedicated section about a 2020 incident is only cited to a corporate blog. The 2017 section is cited to LastPass itself and a Tweet. The 2016 section is also cited a blog and LastPass' own website. A lot of the others are dedicated sections about vulnerabilities that were quickly patched and did not expose user passwords.

There's other items as well, for example, there's a criticism that LastPass is "bait and switch" cited to a Forbes "Contributor"[1]. However, Wikipedia sees Forbes Contributors as guest blogs that should not be used as a citation.

I was hoping to find an impartial, neutral editor willing to consider my feedback, in compliance with WP:COI. AmyMarchiando (talk) 20:15, 28 June 2023 (UTC)

Not unreasonable. So what's the suggestion? A few of the 'majors' are retained, and coalesce / reduce the others under a singe "other minor incidents" section? Chumpih ^t 07:04, 3 July 2023 (UTC)

I've reworked per above suggestion, but this wasn't with consensus, just on the basis that nobody has objected so far. Other editors may still revert or further edit, of course, and if that's the case, hopefully consensus will prevail. Chumpih ^t 22:20, 9 July 2023 (UTC)

Thanks @Chumpih:. Appreciate what you've reworked. To respond to your question, I suggest:

• Trimming down the security breaches to the ones independent journalists have written about in something more than a routine announcement, alert, or Q&A (per UNDUE)
• Merging the remaining security breaches into the History section per WP:CRITS
• Removing the Forbes contributor per WP:FORBESCON

In practice, the result of these bullets, would likely leave us with a sub-section of the History section devoted to the 2022 security incident that was a major event in the company's history, without all of the other items that were likely added by users that were frustrated about the 2022 breach.

I think expanding the rest of the page would help as well, but that's for another time. AmyMarchiando (talk) 17:44, 10 July 2023 (UTC)

Again, not unreasonable. There's an argument for WP:NNC and WP:BALASP which would suggest down-playing the less-reliably citied points. Chumpih ^t 10:05, 14 July 2023 (UTC)

If there are no comments or objections here, I'll make some further edits along the lines suggested above on 2023-07-10. Chumpih ^t 03:11, 5 August 2023 (UTC)

(Continuing this monologue) ... looking at the article today, and bearing in mind the suggested tweaks, I didn't see obvious locations for change. Most of the incidents in the list are now short points, and reasonably cited. That said, I can still see that WP:BALASP and WP:CRITS may be valid concerns. So if another editor were to modify, that may be preferable. Chumpih ^t 05:31, 17 August 2023 (UTC)

Looking a bit, I still notice an overall trend: an overreliance on primary informations sourced from the LastPass website itself, assembled together and contrasted from different citations to create a narrative that the sources themselves don't explicitly mention. For instance, in the following paragraph, individual elements themselves are sourced, but they are being contrasted in a way close to WP:OR:

LastPass's December report suggested that, if customers had selected a strong master password and elected, under the account's advanced settings, to uses the many thousands of rounds of PBKDF2-HMAC-SHA-256 encryption (600,000 iterations recommended by OWASP, as of 2023),^[1] it would take millions of years to decrypt the passwords.^[2] However, new customers prior to June 2012 had by default a single PBKDF2-HMAC-SHA-256 hash applied to their master password, with site usernames and passwords encrypted with the weak AES-ECB cipher mode. The default iteration count that was later increased for new customers to 500 encryption cycles, then later increased to 5000. By February 2018 the default for new customers was 100,100 iterations, a minimum master password length of 12 characters, and the stronger AES-CBC cipher mode employed.^[2][3][4] Old customers using old defaults may not have had their encryption rounds increased, nor have been forced to use a long password.

Notably, some information (like the pre-2012 hash) used in the foundation of the argument are not even mentioned in the sources, and the argument itself is never explicitly made in any of them. Chaotic Enby (talk) 14:44, 19 September 2023 (UTC)

References

1. "Password Storage - OWASP Cheat Sheet Series". cheatsheetseries.owasp.org. Retrieved 2023-02-03.
2. Toubba, Karim (22 December 2022). "Notice of Recent Security Incident". The LastPass Blog. Retrieved 2022-12-22.
3. Palfy, Sandor (2018-07-09). "LastPass BugCrowd Update". The LastPass Blog. Retrieved 2023-02-03.
4. "Increase your Lastpass Password Iterations | Dominion Digital Services". Retrieved 2023-02-03.

Poor citations

@Chaotic Enby: mentioned above that even the trimmed down version of the Security Incidents section still relies heavily on primary sources to Lastpass.com and citations that are misrepresented. I wanted to share a detailed breakdown here of places where the article relies on Lastpass.com, poor citations, or citations that don't say what they're cited for. I was hoping an impartial editor would review my suggestions/comments. Pinging @Chumpih: as well, who participated on talk above. AmyMarchiando (talk) 20:17, 21 November 2023 (UTC)

Requested Updates

I work for LastPass and would like to request the following updates:

1. Update Owners in Infobox

−

[[Francisco Partners]] (2021)

+

[[Francisco Partners]] and Eliott Investment Management (2024)

Explanation: To include both of LastPass' major owners as stated here.

2. Add History to Lead: Requesting adding a second paragraph to the Lead as follows: LastPass was founded in 2008^[1] by four developers.^[2] It was acquired by GoTo for $110 million in 2015.^[3] LastPass was spun-off from GoTo into a stand-alone business in 2024.^[4]

Citations

References Stross, Randall (June 11, 2011). "Why Encrypted Passwords Make a Difference". The New York Times. Retrieved May 1, 2024. Orin, Andy (January 16, 2015). "Behind the App: The Story of LastPass". Lifehacker. Retrieved May 1, 2024. Gagliordi, Natalie (October 9, 2015). "LastPass bought by LogMeIn for $110 million". ZDNET. Retrieved May 1, 2024. Hale, Craig (May 2, 2024). "LastPass officially splits from former parent GoTo". TechRadar. Retrieved May 2, 2024.

Explanation: Currently the Lead dives right into the security breaches without any kind of summary of LastPass' history. My suggested edit adds when it was founded and when it was acquired - the largest milestones in the company's history. Suggest adding the last sentence to the end of the History section as well. The articles about the spin-off also discuss the security breaches. I think that's already covered in-depth the page but wanted to point it out. AmyMarchiando (talk) 20:31, 2 May 2024 (UTC)