A popular app that promised to eliminate the burden of remembering passwords has sparked a backlash by demanding, weeks after it was acquired by two private equity firms, that users pay up or face restrictions on access to their online accounts.
LastPass has encouraged millions of people to replace weak passwords on retail websites, Internet banks and other online services. In their place, the software handles authentication automatically using long, complex passwords that are impossible to guess—or remember.
Two investment firms, Elliott Management and Francisco Partners, acquired the service as part of their $4.3 billion buyout of Internet software group LogMeIn in September last year.
Now, the app is warning users that they must pay as much as $36 a year if they want access to those cumbersome passwords on all their devices. Those who refuse to pay will have to choose between syncing only to their desktop computers, or only to mobile devices such as phones.
The change, which comes into effect on March 16, was a blow to Scott Rothrock, a Tokyo-based software developer who said he realized at once that “there was no way to go back to my old life in a practical manner.”
Before switching to the password manager some years ago, Rothrock used a memorable algorithm to devise passwords that mixed up letters from the web addresses he visited with punctuation marks and the names of mythical beasts.
Now, his LastPass-generated passwords “are, I’m uncomfortable to admit, only known to my password manager. LastPass’s policy change was, for me, an ultimatum.”
The move to limit what LastPass gives away for free underscores how financially sophisticated owners are seeking to wring more profit from popular Silicon Valley products.
Last month Twitter said it would experiment with tools that allow users to give tips or pay for exclusive content, ideas that could allow the microblogging platform to take a cut of the revenue.
That announcement, too, followed an investment from Elliott, which took a 4 percent stake last year and attempted to oust Twitter’s chief executive, Jack Dorsey.
Elliott invested in LogMeIn via Evergreen Coast Capital, a Silicon Valley outpost it created in 2015.
The technology investing venture marks a departure from the New York firm’s long-time strategy of pursuing aggressive public campaigns against public companies and delinquent debtors. Its past targets have ranged from health insurance company Athenahealth to the Republic of Argentina, which in 2012 had one of its navy ships impounded in a dispute over defaulted bonds owned by the New York fund.
Francisco Partners, which invested alongside Elliott, is another battle-hardened firm, having been the owner, until 2019, of NSO Group, a maker of surveillance software that is being sued by Facebook over an alleged attack on 1,400 users of the social network’s WhatsApp messaging service.
Experts say it is hard to know whether the new limitations on the free version of LastPass will encourage more paying users to sign up.
“Without the ability to sync, there’s very few users who will really be able to use [LastPass],” said Joseph Bonneau, a cryptography researcher and computer security expert at New York University. “They’re making the free version so difficult to use that most people will be forced to pay or use another solution.”
LastPass, which claimed more than 25 million users last year, said it had given 30 days’ notice of the change and was not deleting any user data. It added that the free version of LastPass still offered functions that rivals lacked, and that “a healthy number of users” had taken up its discounted subscription offers.
But one free password app, BitWarden, has registered a fivefold increase in new users since LastPass announced its more restrictive policy last month, according to Gary Orenstein, its chief customer officer. “We’re understandably thrilled,” he said.
Among BitWarden’s new users is Rothrock, who said that in his experience, the two services were “functionally identical.”
Some of his friends offered to cut him in on their “family pack” subscription to LastPass, but he declined.
“I just didn’t trust LastPass anymore,” he said.