ReadWriteBuilders is a series of interviews with developers, designers and other architects of the programmable future.
The recent Heartbleed bug, which threatened to leak user passwords and other personal information like a sieve, had one unexpected consequence: It put password managers in the spotlight.
Post-Heartbleed, security experts warned users to choose new, unique passwords for affected apps and websites. That’s a big chore for most people, and relatively few actually follow through on such recommendations, even among the security conscious. Password managers, which store passwords for your various online accounts—email, banking, social sites like Facebook and Twitter and so forth—in the cloud, offered one way of easing that burden.
Password managers like LastPass have stepped up to help Heartbleed-fearing people lock down their accounts. The company, headed by CEO and founding developer Joe Siegrist, has been offering advice and online tools for concerned users since the bug was first reported last month.
Siegrist, 37, has been a vocal evangelist for better password security for six years, and in a way it’s now paying off, given that Heartbleed has been sending lots of nervous users his way. Siegrist’s earnestness, however, doesn’t hurt. “I want people to use a password manager; it doesn’t need to be mine,” he told me. “The core thing is that people realize that it’s necessary to use something, because reusing the same password for every site just doesn’t make sense.”
It’s the same drum he’s been banging since he started. Here’s how it all began.
The First Pass For LastPass
RW: You used to work in Internet telephony.
Joe Siegrist: Yes, I was the CTO of Estara [which sold to ATG in 2006 for $50 million]. We did a lot of security there, because we were doing phone calls for people on their computers, Voice Over IP calls, back in 1999 or 2000.
RW: You’re listed as inventor for 5 patents related to that. You also worked at an Internet service provider at one point. How does somebody with your background end up in password management?
JS: Security was a big issue at Estara. We had to do encryption. We had to figure out how to do key exchange, how to do all this securely. We were running a “Software As A Service” business before it was called that. When we left, we couldn’t do anything in VoIP telephony, so we had to pick a new one. I and three of my best guys who worked with me there left at similar times. We started LastPass because we wanted to work together again.
It was on my mind: How do people do this? It was painful, how I was handling passwords. I had them in a file that I was encrypting and decrypting manually every time I needed it, editing the files, searching for the site name, copying and pasting passwords. It was complicated. You start asking around, and other people handle it by using the same password for every site.
I was shocked. It was akin to using the same key for every lock. I really wanted to let people do what they wanted—which was reuse the same password everywhere—but do it securely, where you could update that password and be secure, without revisiting all the sites and without all the pain involved.
RW: So you got the core team together in April 2008 to get LastPass off the ground. And the beta launch followed in August that year.
JS: Yes. It was a lot of time spent in the basement of my house, usually the three or four of us sitting at a long card table, banging away 10 to 12 hours a day.
RW: What did you decide to focus on first?
JS: On the core of the product: filling passwords in, remembering passwords automatically, grabbing passwords that are sitting unencrypted on your computer, getting it working for Internet Explorer and Firefox. Back in 2008, Chrome didn’t exist yet. So our core focus was showing people the data that was sitting on their PCs, that any malware or virus could pick up. We shocked tons of people when they saw all those passwords sitting here.
We started from there, and that allowed us to see people’s accounts. It let them get started without an empty vault and without a lot of effort on their side.
RW: Did you work on the encryption side in conjunction with user-facing features, or did that come later?
JS: We first tried to prove the major concepts of grabbing the passwords, being able to capture and fill them. This was before we launched. As we approached the launch date, we wanted to utilize cloud-type techniques. We wanted the best of what the cloud gave you without the downsides.
That was a tough decision back then, because we were the first cloud-based password manager. Everybody immediately said, “A cloud-based password manager is stupid.” They pre-judged it, because they assumed there was no simple, elegant way to protect your data while keeping it in the cloud. That was one of the core innovations we were proud of: We figured out a way to keep your data encrypted, locally, with a key that only you have—never passing that to LastPass—so that you can trust us.
We are provably secure. We can prove that your password data is encrypted in a way that even we can’t decrypt before it’s sent from your computer. Now, in retrospect, it seems like an obvious thing. But it wasn’t back then. It took a lot of education, years before people started recognizing that this was a better mousetrap.
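The client-side design Siegrist describes, as an added example that is not LastPass's code: the vault key is derived from the master password on the client, a separate one-way login hash is all that authenticates to the server, and the server stores only ciphertext it has no way to decrypt. Standard library only; the HMAC-SHA256 counter-mode cipher and the PBKDF2 parameters are illustrative assumptions (a real client would use AES-GCM).

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed value; tune to current guidance

def derive_vault_key(master_password: str, email: str) -> bytes:
    # Client-only: the key that decrypts the vault is derived from the master
    # password (salted with the email) and is never transmitted.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), PBKDF2_ROUNDS)

def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    # One more one-way step over the vault key; this is what the server gets
    # for authentication, and it cannot be reversed into the vault key.
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def _subkeys(vault_key: bytes):
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (illustration; use AES-GCM in practice).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC on the client; the output is all the server ever sees.
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class VaultServer:
    # Holds only login hash and ciphertext per account; there is no decryption path.
    def __init__(self):
        self.accounts = {}
    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        self.accounts[email] = (login_hash, blob)
    def fetch(self, email: str, login_hash: bytes) -> bytes:
        stored_hash, blob = self.accounts[email]
        if not hmac.compare_digest(stored_hash, login_hash):
            raise PermissionError("login rejected")
        return blob
```

Everything the server holds (login hash plus blob) is insufficient to recover the vault key, which is the property Siegrist calls "even we can't decrypt".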
Developing For Mobile Is Tricky Business
RW: For password managers in general, cross-app integration seems really tricky. On smartphones, particularly iOS, there’s still plenty of copying and pasting of passwords from LastPass into individual apps. How challenging has it been to deal with mobile versus desktop?
JS: Sandboxing, if you are the person that is playing outside of the sandbox like we are, is something that drives you crazy [in mobile]. Basically, sandboxing means that apps are isolated and can only play within their own sandbox. LastPass is special, in that it needs to interact with other sandboxes. It needs to interact with other apps.
We’ve been very happy lately to utilize the Accessibility API in later versions of Android to get in and do app filling directly. iOS continues to be a thorn in the side, since we can’t deliver the solution we and our customers want, because of the limitations Apple puts upon developers.
RW: And there’s no way to get around that.
JS: There are no very clean ways to get around it. If it’s jailbroken, you can do things, but none of that is easy for the mass market.
Apple closed down and prevented developers from expressing and creating great software for its platform because of restrictions it ignores for itself, but restricts everyone else. If I sound a little bitter, I am. It’s not the way it should be. Nobody wants the future of computing to be completely isolated, wholly controlled by company-only type experiences. That will be bad for everyone.
RW: You mentioned Android’s Accessibility API. How did you use it and which features ride on it?
JS: With later versions of Android, it’s essentially the same technology that a screen reader would use for a blind person. We can utilize that to see what’s on the screen, and potentially fill in different fields using that Accessibility API. We can recognize what app is running, that a password field is there, and combine that. LastPass can present it to you and give you the option to fill this in for you.
RW: All of it hinges on the master password, though. So what happens if a hacker manages to crack it? Is the user screwed?
JS: There are a lot of protections. We have a ton of different multi-factor [authentication] options for your LastPass account, based on your phone, location, biometrics, etc. We support, by far, the most multi-factor type options, so that even if you screamed out your password at a bar, someone couldn’t use it without a secondary factor.
We also have a lot of protections on the cloud side, like how many attempts you can make at guessing a password. This makes it difficult to break into an account that way; it gets locked down quickly.
Staying Competitive
RW: Your pricing is really low. It’s 12 bucks per year, isn’t it?
JS: We’re trying to help people as much as we possibly can. Like with pricing. My pricing isn’t sophisticated. It’s always been cheap. Everyone who contacts me thinks it should be [more]. We want to make a great product at a fair price, so it’s an easy decision for people.
RW: You mentioned that you encrypt locally, on whatever device you’re using, and again in the cloud. At this point, others have come along that do that as well.
JS: LastPass supports more platforms, more devices, more multi-factor [authentication] devices than anyone out there. We’re committed to ensuring that every device, platform is going to be supported. Because if that doesn’t happen, you’re going to fall back to your old habits of reusing passwords, or be terribly frustrated.
I want people to use a password manager; it doesn’t need to be mine. There are others out there that are good. They don’t have the breadth we have, but they’re decent choices. The core thing is that people realize that it’s necessary to use something, because reusing the same password for every site just doesn’t make sense.
We’re trying to cover all the bases, including covering you at work [with LastPass for enterprise]. We have a lot of big name companies that are using LastPass to make sure employees are practicing good password hygiene. We want people to stop emailing, texting and IMing passwords. You’re putting that password at risk, especially when you email, and it’ll sit there and be recorded forever. You should be sharing those passwords in the correct way, through LastPass, and it will help you when it updates—and magically everyone in your team has that update.
Stopping The Heartbleed
RW: You were very vocal when the Heartbleed news broke.
JS: People needed to know what passwords to change and when, so we made an overall test page. People could find out if sites had updated their SSL certificates, if it was safe to change that password yet. That was a free tool for anyone, even if you didn’t have a LastPass account. We love making tools like that for everyone.
And for LastPass users, we have a security check that looks for all sites known to be vulnerable. It tells you exactly which ones they are, how old your password is, if you should go change those passwords, and when it’s safe to do so.
RW: For the Heartbleed checker, I heard that LastPass didn’t actually test sites for their vulnerabilities, but merely compiled info based on company announcements. Is that accurate? Or is it a checker with a real-time status updater?
JS: That’s not the full picture. We had the exploit code that we could run ourselves, but we weren’t legally clear that that was allowed. I’ve since figured out how to do it, so we’ll be adding real-time current checks for sites currently vulnerable to Heartbleed on our page.
Certain large sites fixed the major bug within a day. It was easy to do that. The harder part was reissuing and revoking certificates, and that was what we thought [was important], because that’s when you know it’s safe to go change your passwords.
We focused on any sites that were known to be vulnerable. We checked the SSL certificates the sites were using, in multiple different ways—going to sites, grabbing the current certificates, seeing if they had been reissued and the date reported.
RW: But didn’t LastPass itself use the Heartbleed-affected version of OpenSSL [the vulnerable security protocol used by many websites and cloud services]?
JS: Fifty percent of sites were using the vulnerable version of SSL. You could say we had a 50/50 chance of being in that. We were also using it, but because we practice what’s known as “defense in depth,” we had another layer. So what could be revealed from LastPass is far less than just about any other website.
Your data was encrypted on your device before it was sent to us, so it’s not very useful, compared to grabbing a password directly from memory from another site. We were also quick to shut it down, patch it and get it replaced, and quick to help people realize what they need to do to protect themselves.
We have multiple layers of defense. Peeling back one layer of the onion exposes a little, but not enough that we felt it was necessary to take extraordinary steps. For sites that are fully reliant on SSL only, it’s a much more grave scenario for them.
The Challenges
RW: You’ve had some challenges, even apart from being affected by Heartbleed. A few years ago, LastPass landed in the headlines for leaking passwords.
JS: That harks back to May of 2011, when we saw some anomalous traffic. We couldn’t figure out if anything had been taken; we just didn’t have any real signs, except for a certain set of traffic graphs that indicated traffic had been passed. We were upfront about what we knew, what we didn’t, when we knew and when we didn’t. We definitely lost some people on the short term, but it made people respect how we view things and how we’re going to handle them.
It was definitely a tough time—not just that it happened, and saying that mistakes were made, but also the ensuing time. Tons of additional people wanted to know more, wanted more support; it was a challenging experience, all the way around.
[With Heartbleed,] we were out there, talking about how we were vulnerable hours after it happened. We think it’s important that people immediately know and have all the facts. I think that engenders a lot of trust. So many companies told us how great that was, because their company had run into something similar and basically passed it to their lawyers, who decided to sweep it under the rug.
RW: With the password leak, and then Heartbleed, at each turn, you seem to be able to survive the issues and maintain your fanbase. What’s your secret?
JS: From our perspective, we’re in the public trust. We have over 2 million people that use LastPass everyday, and over 4.8 million people total. We take our role protecting those people seriously. But we’re not perfect. There will be mistakes that we couldn’t have caught.
If we see something wrong, we’re not going to brush it under the rug. We’re going to be open about it, so people can decide what’s best for them.
Trust is built over time, and that’s something you earn. All we’re trying to do is keep earning that trust.
RW: Trust is definitely an issue for consumers, particularly when it comes to passwords. That leads me to a blunt question: Online, some users wonder if the National Security Agency has ever approached you guys. Has it? If not, what would you do if it did?
JS: The NSA has never come knocking on our door. If the NSA showed up, I would be availing ourselves of whatever legal resources we could to protect ourselves and our users. It hasn’t happened yet.
But there are easier ways for them to peg attacks. If you’re interested in a particular site, going after that site is probably easier than trying to go after LastPass, where there are layers of defense that have to be peeled back, and a company that’s not going to be quiet about that.
What you’re storing in LastPass is mostly passwords to other sites. If you’re the NSA, you’d rather attack the actual sites.
Last Lessons
RW: You’ve been doing this now for six years. What have been some of your biggest lessons?
JS: There’s been a ton of highs and lows. Building something that people use everyday is incredibly intoxicating. It’s fun to come up with something that will save somebody time or delight them, and be able to roll it out relatively quickly, in front of a mass audience.
Timing is always the hardest thing with companies. You can start too early; you can be too late. We might have still been a little early to the game, so we spent a lot of time educating, which is fine in retrospect. But it certainly would have been easier had we started later.
RW: You think you were too early?
JS: You can go back to our forums and blogs from 2009. There are epic, 50-post battles with people demanding every intricacy, and going from, “This is the stupidest idea in history” to “Oh my gosh, you have figured out how to do this!” There was a ton of that back and forth, and we had to slog through it and convince people, because there was so much “wisdom” that anything in the cloud was going to be taken by hackers.
No one could do some of these things we could do in a secure manner. That kind of education is the battle we’ve been in from the get go—[and it’s] the battle right now that we’re fighting.
Passwords aren’t a joke. It’s really important, and if you let your identity slip out because you’re reusing passwords everywhere, a lot of real damage can be done to you. That has been a drum that I’ve been beating for six years now. Heartbleed really helps with that education, but I’m hopeful that the media and others can help with educating consumers about it.
RW: Strangely enough, I imagine Heartbleed must have been good for your business. Have you seen a surge in users since it surfaced?
JS: We absolutely have. It was good exposure for the need of password managers. Heartbleed has been a wakeup call.