Reconsidering Lastpass for password storage
Posted by vonnagy on Jan 22 2020, in asylon
I recently found out that 3rd party password manager, LastPass, was sold to = for 4.3 Billion USD. This certainly opened my eyes, since I have been a long time user. I have recommended it in past, but with the recent sale I have reconsidered. Here’s why.
The first thought is the magnitude of the sale – for this purchase price, one would expect that buyers to try to ensure the profit of the sale. This is only natural, and not always an issue.
However, I do regard passwords as personally identifiable information, and with the sale, it has made evaluate if I trust the company enough through my information into the gears of surveillance capitalism. The issue here is getting opted in, without permission, to other 3rd party operators without my permission.
I had a look at the companies that where in the portfolio of the buyers, many in fact, looked good, but there was enough there to made me question whether the privacy was in good hands.
- Evergreen Capital Companies: This is looks like the main purchaser of LogMeIn, the former owners of LastPass. They also own the following: Travelport – A travel intelligence company. Coveo – A business intelligence company. These make me uncomfortable because they can certainly use LastPass data to drive their algorithms and machine learning, and almost certainly with prior permission.
- Francisco Partners: https://www.franciscopartners.com/investments – The
- Elliot Management Company https://en.wikipedia.org/wiki/Elliott_Management_Corporation – described in Wikipedia as a vulture funder. Though vulture funders are not bad in itself, their portfolio includes an advertising agency and telecom companies – both are not ideal fits for personally identifiable information.
There has been no official announcement on the Lastpass website as of yet. There privacy policy states:
We don’t store personal information on our servers unless required for the on-going operation of one of our services. (For example: If you choose to store login history, we keep login history, if you choose not to, we don’t)
To repeat, there is no indication that Evergreen Capital will ever use your password for nefarious purposes, however, I have to trust the company. Since there has been no transparency, the onus is on me to make the decision. And my choice is to move away from LastPass.