The Heartbleed Effect: Password Services Are Having a Moment




Joe Siegrist was dropping off his son at school on Tuesday morning when he got a phone call from his staff: Heartbleed was even worse than they thought.


News of the security bug first came out the previous day, April 7, after Siegrist and much of his team at LastPass, a password security company, had already left the office for the day. It wasn't until the following morning that they learned Heartbleed potentially allowed attackers to extract 64-kilobyte batches of memory at random.



"That is significantly worse than most bugs that occur," Siegrist, CEO of LastPass, told Mashable. "You don't know what exactly was in the payload of those Heartbleed messages: It could be user names and passwords. It could be financial data. It could be the SSL certificate, which is especially bad."


"It was definitely a 'holy sh*t' moment," he says.


When Siegrist got to the company's headquarters in Fairfax, Va., that morning, he addressed the entire office, briefing them on the updates and laying out the plan. Half of the developers, about eight people, dropped everything and focused on making sure any SSL certificates were revoked and reissued for LastPass.com. The other half of the team went to work on building a tool that would help users identify impacted websites and determine whether they should change their passwords right away, or wait.


The LastPass Heartbleed checker was cited by a number of top publications and news programs and quickly became a go-to source for concerned Internet users to assess the risk posed by the security bug. The tool has had more than 3.8 million views in the less than a week since it launched, and it has been used for 4.5 million lookups.


Moreover, LastPass is seeing a tremendous surge in the number of people creating accounts. The company added 125,000 new users over the last week, compared to 35,000 or so in a normal week. LastPass is free, but a premium version sells for $1 a month.


"It's definitely good for business, which is a paradox," says Siegrist, who founded LastPass in 2008 and has been working to reach more of a mainstream audience. "Do I want it to happen like this? No, I don't. But if any good can come out of it..."




1Password, a password management app, shot up into the top 10 iPhone apps after Heartbleed.


LastPass isn't the only password management service experiencing a surge in popularity as a result of the Heartbleed bug. 1Password, a service from AgileBits, saw a "tenfold" increase in traffic to its website and its paid iPhone app jumped into the top 10 in the U.S. last week from the low-200s previously.


"We are getting a lot of customers who have heard of Heartbleed and they haven't really thought significantly of their internet security until now," says Jeff Shiner, CEO of 1Password. "It's one of those things that in people's minds is always happening to somebody else."


Emmanuel Schalit, CEO of Dashlane, another password manager, says his company experienced a "10x" surge in new users at its peak over the last week. Traffic to Dashlane didn't peak until a couple days after Heartbleed was discovered. As with the other password security companies we spoke with, traffic remains much higher than normal a week later.


"I think it's going to last for a while," Schalit says. "The news story will die down as with any news story, but I think it will create a step change in the market and awareness."


In an effort to keep the momentum going, Dashlane is suggesting customers tell their friends about the importance of taking extra password precautions. LastPass, meanwhile, is working to simplify its customer education tools so that it's easier for new users to get started and stay engaged — with or without another Heartbleed.


"Before it was if you were in the know, you used a password manager, but it has always been a struggle to get that out to a mainstream audience," says Erin Styles, VP of marketing for LastPass. "We're trying to set up better general education for getting started with one."


"I think a lot of folks don't know what a password manager does even when they sign up for one," Styles added.

