Joe Siegrist of LastPass: The Truth About Your Password Security

Ryan Dube 20-06-2014

After NSA surveillance, the Heartbleed threat, and hacking attempts against financial institutions, are you feeling like the digital world is falling down around you? Joe Siegrist, the CEO of LastPass, is here to settle the score on what all of these threats really mean for your password security.


Here at MakeUseOf, we often alert readers to the latest security threats, both on the Internet and within their own computer systems. This included full coverage of the Heartbleed virus, the Windows technical support scam, and many other computer viruses and threats.

So what can you do to stay safe? The common advice, such as what Christian offered as part of the Heartbleed solution, is to change your passwords. But is this enough, and can a password service like LastPass provide an extra level of security?

An Interview With Joe Siegrist

When anyone first hears of the LastPass service, it seems a bit counter-intuitive. How can it be safer to store your passwords inside of a browser add-on, right on your computer? Wouldn’t this be more of a risk, since your computer could get hacked and those passwords stolen?

The reality is that password security is complicated, because your password goes through many levels of transmission when you log into any online service. In this interview, we sit down with LastPass CEO Joe Siegrist to discuss these sorts of issues and how LastPass – and similar password management apps – deal with those security risks.



MUO: First – can you describe a little bit about what inspired the creation of LastPass? How did it all start?

Joe: I used to work in Internet telephony as the CTO of Estara, and we did a lot of security there. We had to figure out how to do key exchange and how to do it securely. I left with four of my best friends, and we wanted to work together again, but couldn’t do anything in VoIP telephony. We had used complicated techniques like tiered passwords and utilized an encrypted file to store them, but as we asked around to find out what everyone else did and learned that they used the exact same password for everything, we knew we could help them.

MUO: When people think about storing their passwords inside of a browser add-on, it actually feels less secure, because the browser or computer can get hacked. Is this a misconception? Why is LastPass safer than other options out there?

Joe: If you’re using your browser’s password manager, there’s a good chance that any malware coming along could pull your passwords — LastPass does this, so could any other software. With LastPass, your exposure is far more limited, because you have less risk when logged into LastPass and nearly no risk when logged out.


Heartbleed And LastPass

MUO: Heartbleed affected encrypted logon transmissions for millions of users across the Internet. Do I understand correctly that this even affected LastPass users? What did LastPass do to respond to the threat posed by Heartbleed?

Joe: We were affected — our web servers utilized OpenSSL as well, but because LastPass has a second layer of protection, we were in a far better position than 99% of companies impacted. This is because sensitive data never hits our servers directly, it’s always encrypted first, and then SSL is a secondary layer of protection. Peeling back a layer of protection is bad — but not nearly as bad as peeling back the ONLY layer of protection for 99% of impacted sites.

We first realized that people needed to know what sites were impacted, and if companies had taken the right steps to protect themselves, so we made an overall test page. People could find out if it was safe to change their passwords and if the site had updated their SSL certificates. This was a free tool available for anyone, even if you weren’t a LastPass user.

For LastPass users, we have a security check that looks for all vulnerable sites. It tells you exactly which ones they are, how old your password is, if you should go change those passwords, and when it’s safe to do so.
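To make the two-layer design in Joe's answer concrete (the vault is encrypted on the device before it ever crosses SSL, so peeling back the SSL layer exposes only ciphertext), here is an added example that is not LastPass's own code or protocol: it derives a client-side key with PBKDF2-HMAC-SHA256 from the master password and e-mail address, as Amber's comment further down describes, seals the vault with AES-256-GCM, and keeps a separate login hash as the only secret the server holds. The iteration count, the e-mail address as salt, the login-hash construction, the cipher mode and the sample user are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// pbkdf2SHA256 returns the first 32 bytes (block T_1) of PBKDF2-HMAC-SHA256, RFC 8018 s5.2.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of block T_1
	u := prf.Sum(nil)             // U_1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ { // U_2..U_c, each the PRF of the previous, XOR-folded into T_1
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(t, t, u) // Go 1.20+
	}
	return t
}

// vaultKey is derived on the device with the e-mail as public salt and 100000 rounds (assumed); never uploaded.
func vaultKey(master, email string) []byte { return pbkdf2SHA256([]byte(master), []byte(email), 100000) }

// loginHash, one more one-way step past the vault key, is what the server keeps to check logins.
func loginHash(master, email string) []byte { return pbkdf2SHA256(vaultKey(master, email), []byte(master), 1) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts the vault locally; the nonce||ciphertext blob is all that crosses SSL to the server.
func seal(key, vault []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, vault, nil), nil
}

// unseal decrypts a blob; any key other than the rederived vault key fails GCM authentication.
func unseal(key, blob []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob of %d bytes is shorter than a GCM nonce", len(blob))
}

func main() {
	master, email := "correct horse battery staple", "alice@example.com" // constructed user
	blob, _ := seal(vaultKey(master, email), []byte(`{"ebay.com":"constructed-pw"}`))
	vault, _ := unseal(vaultKey(master, email), blob)
	_, err := unseal(loginHash(master, email), blob) // all that a server-side leak could try
	fmt.Printf("client reads %s; server-side unseal: %v\n", vault, err)
}
```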


The Hacking Of EBay And Spotify

MUO: Recently, eBay’s servers were hacked, and hackers were able to obtain personal user information like emails, addresses and birthdays. Can you share whether LastPass users would have been more affected or less affected by this than other eBayers? Are there special concerns or actions LastPass users should take in response to the eBay security breach?

Joe: LastPass users were affected much less than others. If they utilized different passwords for every site (like our prompts, and security check pushes), they would have contained their risk quite a bit. The risk of identity theft is still there, but you don’t have the problem of that password being cracked (and they will be cracked) and then utilized on other sites.

MUO: At the end of May, Spotify announced unauthorized access to its systems, where one user’s data was accessed, but that it didn’t include password or financial information. Should LastPass users take any special actions in relation to their Spotify password?

Joe: Where there’s smoke, there’s typically fire, so be cautious and just change your password — no harm in changing it beyond the 30 seconds it takes to do it.


MUO: Do you think LastPass offers any unique protections from these sorts of threats?

Joe: I’d advise LastPass users to use multi-factor authentication on your LastPass, and random passwords on all your sites. When you take these steps, you can’t be phished because you can’t accidentally give out passwords you don’t know!

Additional Steps To Secure Passwords

In the past, MakeUseOf has covered both the free version of LastPass, and reviewed LastPass Premium. Some other password managers we’ve covered before included Chris’s review of Dashlane, and Dave Drager’s roundup of the best password managers available (including LastPass).

As Joe explained, when you’re shopping for a password manager that truly protects you from serious threats like Heartbleed and hacking attempts, the key things to look for are multiple layers of security, such as encrypting your data locally before it is sent over SSL, and protections like multi-factor authentication on the password manager’s own login.

Most importantly, the ideal solution is to keep a completely different password for every single site or service you use. That, of course, is the key benefit that password management services like LastPass offer: you don’t have to remember every one of those passwords in order to stay safe.

Do you use LastPass or some other password management service? Does it make you feel more secure in the face of all of these security threats? Share your own thoughts in the comments section below!

Image Credits: Bank Vault Door Via Shutterstock

  1. John Williams
    February 28, 2015 at 3:09 pm

    I love how people use a miraculous piece of software that will save their butt one day, but find two stage log-in a PITA. Either that or "my phone was in the other room" or " I left my phone at home".

    Some people don't need a password manager, they need a butler, or a valet or a mummy!

  2. AndrzejL
    June 27, 2014 at 4:03 am

    "This included full coverage of the Heartbleed virus,"... Heartbleed was an openssl vulnerability (bug) not a virus... Please check Your articles before posting...



    P.S. Thanks Joe. Keep up the good work and think about opening the LastPass sources - this will improve the trust in LastPass (or not, depending on how well written your code is :D).

  3. SuperSleuth
    June 26, 2014 at 11:52 am

    . . . and to add as an addendum . . . All passwords have the potential to be hacked!
    However, the number of characters one uses can slow down an attempt to get one's log-in information.
    It has been recommended that one should use a seven (7) or twelve-character sequence using upper and lower case letters and at least one (1) number placed in the middle of the sequence, BUT never on either end!

  4. Rick B
    June 25, 2014 at 2:39 pm

    There are another couple of options available in LastPass to help prevent any unauthorised user from trying to hack in. The first one is "Only allow login from selected countries" and the other is "Disallow logins from Tor network".

    • Ryan D
      June 26, 2014 at 1:15 am

      Not sure I follow what the "Disallow logins from Tor network" is good for? Is this some hacking method I'm unaware of?

  5. Julie
    June 24, 2014 at 3:34 pm

    Lastpass will auto-fill on tablets and phones, but you must set it up to do so.
    I use formfill as well, on both android devices.
    I have the paid version, I don't know if that is a factor in this functionality.

  6. Godel
    June 23, 2014 at 8:05 pm

    While this comment is a little off topic, make sure your relatives and/or loved ones have the passwords to access your stuff if you croak.

    Be aware that some web mail providers, e.g. Yahoo, simply delete your account if they find out you've died.

  7. LenS
    June 23, 2014 at 5:18 pm

    I use RoboForm Everywhere, synced on laptop & phone and runnable off flash/thumb drive. Usually generate 16-18 character random passwords, including special characters. My phone is almost always where I am so, if I need to enter a password on a machine where I can't run RoboForm directly, I can at least look it up (that said, the situation has never come up).

    • Ryan D
      June 26, 2014 at 1:11 am

      @LenS - how does the encryption work. Where is the key stored and is part of the service online? The "Everywhere" part of the title seems to imply it's synced to an online account? I've never used RoboForm Everywhere so I'm very curious.

    • LenS
      June 26, 2014 at 4:21 am

      The encrypted key is stored on the copy of RoboForm (the app) on each device (PC, mobile) and the user-created 'passcards' are stored on and synced to each device and online on the RoboForm site. However, those online passcard copies cannot be viewed simply by signing in to the user account on the RoboForm website (which uses a different password than the 'master password' for the RoboForm app, unless the user is foolish enough to use the same password...). If you try to view an online passcard, the attempt is handed over to the RoboForm app on the device. If you are already logged on to RoboForm on the device, you will see the contents of the passcard on your device. If not logged on locally, the master password for the app must be entered to view the passcard locally. That said, it is possible to change the master password for the app not just while in the app but when you're on the website, whereupon it will presumably be synced to the various devices.

  8. Cybermaven
    June 23, 2014 at 4:25 pm

    I have been very satisfied with Lastpass. I've used it for years. I recommend it to all my family and friends - and none of us have had the misfortune of being hacked! Lastpass rocks!

  9. Thomas
    June 23, 2014 at 3:40 pm

    Infographics about Heartbleed came from 4 manufacturers of password managers.

  10. Doug
    June 23, 2014 at 3:22 pm

    I have a different password for every account and do not use a password manager. I generate all passwords from the same algorithm. I do not have to remember any passwords only the algorithm. After using the algorithm several times each day for a few weeks, it became like my SSN: impossible to forget. It is not stored anywhere digitally and I change my passwords regularly.

    • Ian
      June 25, 2014 at 12:55 pm

      Doug - this is an attractive idea, but can you give us another clue? You won't tell us the algorithm, but what is the seed upon which the algorithm operates? It seems to me it must be different for each password, yet each one must be easily retrievable otherwise you would have said you have to remember the algorithm AND a whole lot of seeds.

    • Ryan D
      June 26, 2014 at 1:09 am

      @Doug, I'd be curious too. I mean I recently described a few algorithms I've used for past passwords (variations of the first letter of nursery rhymes or phrases), but your comment that you can use the algorithm to change your password regularly without forgetting them...that's intriguing!

    • Doug
      June 26, 2014 at 2:35 am

      The seed comes from the site itself. The algorithm tells me how to gather and how to "scatter" numbers and special symbols around what I gather from the site. So, the way I gather is the same for each site, but what I gather is different. As far as regular changes, I version and immerse the version of the password in the name of my bookmark. End result; when I go to my bookmarks to log on, I see the password's version, then when I get to the site, I build my password.

    • Ryan D
      June 26, 2014 at 2:56 am

      That's rather brilliant, actually.

  11. isael
    June 22, 2014 at 12:30 am

    I saw another password manager that included a feature to share your passwords with selected loved ones after you die; it activates after 3 months of not logging in, although I think you could change that time frame. I would love to see this feature in LastPass.

    • Someguy
      June 23, 2014 at 4:05 pm

      I wrote my LP master password on a piece of paper with no other information. Paper goes inside a sealed envelope which says something like 'open when I croak' and stuck it in my desk drawer. My spouse and kids know I use LP and will figure it out if I go belly up. Not a perfect solution but simple enough.

      June 24, 2014 at 8:30 pm

      Just a side note. For most of the people, using Google email accounts, you can specify what to send to whom after a specified period of time of non-use. (Like when you die.) You can then send an email to your family members or whomever and give them the link and password or whatever other info you want them to have after you are gone.
      It's in the settings after you log into your Gmail account.

    • Ryan D
      June 26, 2014 at 1:07 am

      Isael - I agree...that would be an excellent feature in LastPass! I didn't realize there were other password managers that did that - what a cool feature.

  12. Peter Hood
    June 21, 2014 at 11:28 am

    Always use a standalone like PINs, which uses strong encryption. You are thus not tied to a browser.

  13. Hasan ŞİMŞEK
    June 20, 2014 at 9:21 pm

    @Imad.sawal I agree with you about the multifactor thing, but also for such cases (like forgetting your phone) they offer a grid table which you can print and keep in your wallet. Without your main password it is useless. So even if someone finds the grid table, it doesn't matter.

    • Imad.sawal
      June 21, 2014 at 6:00 am

      Well, those are called Backup Codes, and I am well aware of them, but keeping them with you "always" is also quite impossible, but still quite a good option!

  14. Henry
    June 20, 2014 at 8:22 pm

    @ReadandShare LastPass does not hold your encryption key. In fact LP uses a more sophisticated way that combines your key with others to make it more secure, but if you lose your key there's no way to recover it. That's the price of being secure with all other passwords.

  15. ReadandShare
    June 20, 2014 at 7:53 pm

    One part I am still confused about is whether LastPass holds the encryption key to my data?? It seems to claim it doesn't... but...

    • Amber
      June 24, 2014 at 6:18 pm

      Full disclosure that I work for LastPass :). With regards to our encryption, the key is: We never have the master password, which means we don't have the encryption key to unlock the user's account. The data is encrypted locally, on the user's machine, before ever syncing, and anything stored on our end stays in that encrypted format. We use AES 256-bit encryption with salted hashing and PBKDF2 iterations - tech speak for military-grade, powerful encryption.

    • Ryan D
      June 26, 2014 at 1:06 am

      @ReadandShare - that has actually been one of the biggest selling points for LastPass...the fact that even LastPass doesn't have access to the master password. It's really one of the most secure password management setups (not just LastPass in particular, but password management apps that use this approach) available online today, in my opinion.

  16. ReadandShare
    June 20, 2014 at 7:51 pm

    I use Lastpass and unique, complicated passwords on all sites -- except for "forum and comment" type sites. These, I use the same easy-to-remember-and-type password for all of them. Why?

    With my home desktop, Lastpass fills in my passwords automatically. But I am often on the road, and no password manager can fill in automatically when using phone/tablet browsers. So we have a trade off between convenience and security. In my view, security is a low issue with forum sites where I use a made-up name and 'throwaway' email addy.

    • Dann A
      June 21, 2014 at 5:59 am

      As long as you don't use that password for any accounts with your non-throwaway e-mail account, I'd say you probably aren't running too much of a security risk (though someone with more experience in the field could give you a better answer).

      Have you tried using the LastPass mobile options? You have to be a premium subscriber, but you can get an extension for the Dolphin browser on Android that'll auto-fill sites for you. And iCab Mobile for iOS has LastPass integration, too.

    • Ryan D
      June 26, 2014 at 1:02 am

      Dann has a good point - there are mobile options available, just not free. Also, I know a lot of people that take that same approach - not really using Lastpass for forum and comment sites. The problem I've seen however, is that in some cases those accounts were hacked and the person's identity was stolen on the forum - and private information retrieved from the profile (like email address, phone number, etc). So the assumption is that if you're not going to use a secure password for those accounts, you aren't going to store any sensitive or private information in those accounts as well.

  17. Imad.sawal
    June 20, 2014 at 6:20 pm

    Well, to be honest, I don't fully agree with the CEO. Instead, he should have said that there is nothing perfect for "everyone". I mean, I am not such an old person, but still, a while ago, because he and many other "great" persons praised it, I turned on 2 factor authentication and started using LastPass (well, I still use it...), but you know the hassle it has got? Oh, I didn't bring my mobile phone to college and couldn't submit an important assignment to the principal. After that and similar incidents I disabled that. And you know that I have a randomly generated password for Facebook. Too good, I don't remember it; I can only open it on the computer or on the laptop where I am signed into my email account.

    I don't say that Joe is wrong, but I think that we should only "super-secure" the accounts that are really valuable for us, such as bank accounts, email accounts and so on, so that you can sacrifice that time when you are unable to access them for the sake of security. For other lower-value accounts, I myself choose another password (and no 2 factor authentication).

    Lastly, this was a great article. I skimmed through it but will read the whole of it later. Keep up with the great stuff, Ryan!

    • techno
      June 21, 2014 at 12:56 am

      So you're blaming a tool because you forgot to bring your phone and were unprepared? You're literally saying keeping yourself protected is too hard. Maybe the internet isn't the place for you?

    • Lisa O
      June 21, 2014 at 4:20 am

      You are being way too hard, techno. It's a real everyday situation. Not everyone brings their gadgets wherever they go, and for less sensitive accounts I don't think the super-protection-impenetrable-defense is a must (but it is recommended) as long as you keep the weaker password exclusive to the service and it's not tied to sensitive accounts like your online banking, as Imad has been doing.

    • Dann A
      June 21, 2014 at 5:57 am

      While I'm a big proponent of LastPass, I do agree that two-factor authentication is a pain in the ass. Even aside from being out and about with your phone, it can be annoying if you're in the zone working at home and you need to step away to go get your phone from the other room (call me lazy, but it seems like a lot of effort when you're on a roll).

      Like anything else, though, it's a trade-off. It's extra effort for security. You can use more effort and get more security, or you can use less effort and less security. Even without two-factor, I'd say using a password manager will keep you safe, just not QUITE as safe as a password manager and two-factor.

      Also, as a commenter pointed out, you can always print out one of the grid tables and keep it with you so you can access your stuff if you don't have your phone.

    • Ryan D
      June 26, 2014 at 1:00 am

      I agree - I've tried using 2-factor for a few accounts, and once I realized how annoying it was, I stopped using it until I could figure out a way to make it fit into my lifestyle and work life more easily. Given - the 2-factor authentication is still optional, so it isn't like users are forced to use it, but it's there and probably should be used (I keep telling myself this, but never really get around to it...)