8 Comments

I’m normally in agreement with your stance on all the monopolies you’ve uncovered and written about (thank you for that, it has been an eye-opener).

However, as much as I dislike PE, I do not see the problem in this situation. The situation here is:

- A company offers a free product in a space that has other products available, with some of them still being free (e.g. Bitwarden)

- The company suddenly decides to start charging for the service (it is a for-profit company after all)

- But it is easy to migrate away to a competing service, by doing bulk export of all the data (including the hard-to-remember generated passwords) and importing it into any competing service. So there is no lock-in for the user

I think it is not reasonable to expect that once a company offers a product for free, it has to perpetually be kept free of cost.

PS: I’m not affiliated with LastPass in any way and I’m not even a user of LastPass. These are just my thoughts on the situation.


Although this is indeed annoying, I don't think it's quite ransomware-bad. (In fact, I read the headline and thought, "Wow, that's horrible! I'm glad I'm a LastPass user instead of whatever horrible service Matt's discovered!")

My understanding (which I guess we'll find out for sure about tomorrow!) is that users can always access their LastPass password vaults through a browser on either desktop or mobile. I've always done exactly that on mobile, because I think it's basically crazy to have autofilling passwords on a mobile device that could be lost or stolen at any moment. Certainly makes mobile life more cumbersome, but it's not unusable, at least not for my use-case.

Also, lock-in is fairly low. You can go to your LastPass Vault right now, click Advanced Options, then click Export, and boom, it exports ALL your passwords to a csv file, which you can save to your desktop. (Consider encrypting it, so attackers who penetrate your desktop can't read it!) I've just done this in case LastPass does in fact get sucky and I have to migrate.


When I started considering options for a password manager, I finally settled for a solution that, while a bit DIY-ish, doesn't really depend on any third party service.

- Use KeePassXC to generate your password and manage your password files.

- Use Keepass2Android Offline on the phone.

- Use Dropbox to store the password file and sync on different devices.

The third step is the only one that depends on someone else. But if that someone decides to pull the plug, I can move to a different provider.


I have been a user of LastPass for over 2 years and have bought a premium version with the new changes. The fundamental difference was that LastPass provided services to sync your passwords between different devices for free that no other service provided. This caused it to gain a large number of customers; this does seem like predatory pricing to me, since other services offered this for a cost. Still, it always confused me as to how they would make any money. There were no ads, everything was free and they surely couldn’t have been selling our data. I suppose now it’s obvious that they were not making any money and simply started charging once the PE demanded profitability. I think the problem is with this strategy of offering a different product to gain customers and then changing it to become profitable, which Silicon Valley is regularly employing. That said, there are a lot of competitors that always offered the syncing ability for a price and for now LastPass is priced the lowest.


It's not exactly a barrier to entry but I do think password managers that seem "established" in some vague sense will do better, just because people tend to think "who is this random startup I've never heard of and why should I trust them with my passwords?"


How is this legal?
