One of the biggest beasts in the password management world, LastPass, is being spun out from parent LogMeIn as a “standalone cloud security” organisation.

“The success we’ve seen across the entire LogMeIn portfolio over the last 18 months proves there is a vast growth opportunity ahead for both LastPass and LogMeIn,” said Andrew Kowal, a partner at Francisco Partners.

Francisco Partners, a private equity business, bought the bundle of remote access, collab and password manager tools – which also includes Citrix’s GoTo business – in 2019 for $4.3bn.

“The substantial scale of LastPass, its tremendous growth, and its market leading position and brand makes it a perfect candidate to seize new opportunities as its own standalone company,” said Bill Wagner, CEO and prez of LogMeIn, in a canned statement.

LogMeIn itself bought LastPass in 2015.

The “global shift to remote working has also fueled the adoption of new accounts and applications,” said LogMeIn. It added that “50 per cent of people in the 2021 Psychology of Passwords research reported twice the number of accounts today, compared to pre-pandemic levels,” raising the question of why it wouldn’t expose any of its own customer growth numbers in the release.

In 2018, the then-public LogMeIn made revenues of $1.2bn and profits of $446m. The private firm said today it made “over $1.3bn in annual revenue” in 2021, a rise of about 8 per cent. LastPass, by contrast, had managed a “50 per cent compound annual growth rate” over the last three years.

LogMeIn’s competition includes Bitwarden, 1Password, Dashlane, Keeper, NordPass and open-source password manager KeePass.

According to the press statement, LogMeIn has 2 million “customers” and 30 million users, many of whom will be on its freemium tier.

LogMeIn said today it planned to “increase investment in the customer experience” for the new standalone business and said customers would see “planned enhancements on an accelerated timeline in 2022, with the benefit of additional dedicated LastPass resources.”

In February this year LogMeIn tried to heave some of those freemium fans onto paid plans by limiting them to one device type only: computer or mobile. How did that go? Well according to today’s announcement, “the significant majority” of its business is still corporate customers.

Also in February, LastPass came in for criticism after a security researcher recommended against the password manager’s Android app after noting seven embedded trackers in the software. LogMeIn said at the time that users can opt out if they want.

El Reg today spotted Apache’s Log4j 2.x – vulnerable to a remote code execution hole, CVE-2021-44228 – among LastPass’s list of third-party software licences. LastPass told The Reg it had released a patch for the vulnerability for “impacted customers.”

Version 2.15 of Log4j was released with part of the exploitable functionality disabled by default last week; version 2.16 is also out and completely kills off the insecure feature by default. ®
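As an added illustration (not code from LastPass, LogMeIn or The Register), here is the kind of check a defender would run over a third-party licence list like the one mentioned above, flagging Log4j entries against the 2.15/2.16 thresholds the article describes; the licence list entries are constructed, and the regex and classification strings are this example's own assumptions.

```python
import re

# Constructed sample in the style of a third-party licence list
# (hypothetical entries, not LastPass's actual list).
SAMPLE_LICENCE_LIST = """\
Apache Commons Lang 3.12.0 - Apache License 2.0
Apache Log4j 2.14.1 - Apache License 2.0
Apache Log4j 2.15.0 - Apache License 2.0
Apache Log4j 2.16.0 - Apache License 2.0
Apache Log4j 1.2.17 - Apache License 2.0
"""

# Matches "log4j" followed by a dotted version number (assumed list format).
LOG4J_RE = re.compile(r"log4j\D*(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text):
    """'2.15' -> (2, 15, 0): pad so short versions compare with full ones."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify_log4j(version):
    """Map a Log4j version tuple onto the CVE-2021-44228 status given above."""
    if version[0] != 2:
        return "not Log4j 2.x: outside the scope of CVE-2021-44228"
    if version < (2, 15, 0):
        return "vulnerable: upgrade"
    if version < (2, 16, 0):
        return "partially mitigated (2.15): upgrade to 2.16"
    return "insecure feature disabled by default (2.16+)"


def audit_licence_list(text):
    """Return (entry name, version string, status) for every Log4j line."""
    findings = []
    for line in text.splitlines():
        m = LOG4J_RE.search(line)
        if not m:
            continue
        status = classify_log4j(parse_version(m.group(1)))
        findings.append((line.split(" - ")[0], m.group(1), status))
    return findings


if __name__ == "__main__":
    for name, ver, status in audit_licence_list(SAMPLE_LICENCE_LIST):
        print(f"{name}: {status}")
```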