
Can I Trust LastPass with My Passwords? No! Our Unexpectedly Bad Experience with Them

by Adriana Cacoveanu on Oct 09 2018

“Trust LastPass at your own risk!” would be our answer. One based on both:

  1. this password manager's own “beefy” record of critical security vulnerabilities, cross-site scripting bugs, breaches and major architectural issues
  2. our bad experience with LastPass, as a client

And before we dig into the heavy load of evidence that we base our “case” on, allow us to share some of their former clients' testimonials:

 

“I lost all of my LastPass passwords in March 2017. It was a disaster for me. I have had LastPass since the beginning, can you imagine all the passwords saved over the years?

I think you should do some research on LastPass and the changes, the bad changes that have happened with LastPass” (Barbara's comment, 5 Best LastPass Alternatives to Manage Your Passwords)

 

“About a month ago, when I tried to log in to LastPass, I got the message that I had entered the wrong vault password - but I can assure you that neither I nor my cat had changed it... When I contacted LastPass, they in a rude manner "taught" me that I hadn't experienced what I had in fact experienced, since it is "impossible", and their "help" consisted in giving me the clue to the main password to LastPass - i.e. the password which, as I explained to them, isn't valid anymore... “ (Robert's comment, You Should Probably Stop Using LastPass Temporarily)

“Around a month ago I switched from LastPass to Bitwarden as my password manager. To make sure my passwords were protected, I deleted my LastPass account; now I get an email asking me to renew my subscription for my DELETED LastPass account. I wonder what else they stored about me... “ (user/dumah310, LastPass storing email from deleted account)

1. But First: How Does LastPass Work?

In plain language:

LastPass stores your passwords (and secure notes) as an encrypted vault in the cloud. The vault is encrypted on your own device, with a key derived from your master password, so LastPass itself never holds either the master password or a readable copy of the vault.

That design is why the “master password” is both the strength and the single point of failure of this password management service: whoever knows it can open the vault, and whoever loses it loses the vault. Account recovery does not change that. It relies on a one-time password that the LastPass browser extension stores locally in each browser you have logged in from, so if no such browser is at hand, there is nothing to recover with.

Now, before I back up the above statement with our own experience with LastPass, here's an excerpt from an “enlightening” HackerNews post:

“Users must also devise a “master password” to retrieve the encrypted passwords stored by the password management software. This “master password” is a weak point. If the “master password” is exposed, or there is a slight possibility of potential exposure, confidence in the passwords is lost.“

2. 5 Security Incidents and Vulnerabilities Over the Last 7 Years... and Still Counting

“How secure is LastPass from being hacked?”

I'll leave it to you to evaluate that while going through its “impressive” record of security flaws and incidents over the last years:

2.1. In 2011 a Cross-Site Scripting Vulnerability Was Detected

In February 2011 Mike Cardwell, a security researcher, found an XSS bug on the company's website (in the web application, not in the vault encryption itself).

Once exploited, this vulnerability could have enabled an attacker to steal, from a logged-in user's browser session:

  • hashed passwords
  • the list of websites that users log into (along with the IP addresses, time and dates of their logins)
  • their email addresses
  • underlying cryptographic salts

Even without the vault, that site list and login history tells an attacker exactly which accounts a user has and when they use them.

LastPass fixed that bug within hours.

 

2.2. That Same Year a Second “Likely” Security Breach Was Identified

Later that year, in May, the company's team spotted an anomaly in both their incoming and outgoing network traffic and could not rule out that someone had pulled data off one of their servers. LastPass treated it as a possible breach and made its users change their master passwords.

What kind of risk did this “abnormal activity” entail?

Not a direct leak of vault contents, but an offline guessing attack: with a user's email address, the salt and the stored hash in hand, an attacker can test guess after guess at the master password on his own hardware, with no rate limiting and without ever touching LastPass's servers. What slows him down is only the strength of the master password and the number of hashing rounds the scheme forces him through per guess.

As LastPass's CEO himself confirmed back then, in an interview for PCWorld.com:

“ You can combine the user's e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you're potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website.” 
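To make the CEO's point concrete, here is an added example (our illustration, not LastPass's code) of the offline guessing attack a leaked salt and hash make possible, and of the one knob that slows it down. It models the stored verifier as PBKDF2-HMAC-SHA256 over the master password, salted with the email address; the email-as-salt assumption, the iteration counts, the sample account and the wordlist are all constructed for this example and are not LastPass's actual scheme or data.

```python
"""Added example (not LastPass's code): why a leaked salt + authentication
hash is dangerous, and how the hash's work factor limits the damage.

Simplified model of the scheme the CEO's quote describes: the stored
verifier is PBKDF2-HMAC-SHA256(master_password, salt=email, iterations).
The real LastPass scheme (field order, server-side re-hashing, exact
iteration counts) is not reproduced here; all data below is constructed.
"""
import hashlib
import hmac
import time

# Constructed sample data: one user whose verifier has "leaked".
LEAKED_EMAIL = "alice@example.com"   # assumption: the email doubles as the salt
LEAKED_ITERATIONS = 500              # assumption: a low work factor
LEAKED_MASTER = "Summer2011!"        # the one thing the attacker does not know

# Constructed wordlist an attacker would run offline, weakest guesses first.
WORDLIST = [
    "password",
    "123456",
    "lastpass",
    "Summer2010!",
    "Summer2011!",
    "correct horse battery staple",
]


def derive_verifier(master_password: str, email: str, iterations: int) -> bytes:
    """Model of the stored authentication hash: PBKDF2 over the master
    password, salted with the email, for `iterations` rounds."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.encode(), iterations
    )


def offline_guess(leaked_hash: bytes, email: str, iterations: int, candidates):
    """Attacker side: re-derive each candidate exactly as the server would and
    compare. No server round-trip, no lockout, no log entry anywhere.
    Returns (matched_password_or_None, number_of_guesses_tried)."""
    tried = 0
    for candidate in candidates:
        tried += 1
        if hmac.compare_digest(derive_verifier(candidate, email, iterations), leaked_hash):
            return candidate, tried
    return None, tried


def cost_per_guess(email: str, iterations: int, samples: int = 20) -> float:
    """Rough seconds per guess at a given iteration count: the defender's
    only lever once the hash and salt are in the attacker's hands."""
    start = time.perf_counter()
    for i in range(samples):
        derive_verifier(f"guess{i}", email, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    leaked = derive_verifier(LEAKED_MASTER, LEAKED_EMAIL, LEAKED_ITERATIONS)
    found, tried = offline_guess(leaked, LEAKED_EMAIL, LEAKED_ITERATIONS, WORDLIST)
    print(f"recovered master password {found!r} after {tried} guesses")
    for iters in (500, 5000, 100_000):
        ms = cost_per_guess(LEAKED_EMAIL, iters) * 1e3
        print(f"{iters:>7} iterations: ~{ms:.2f} ms per guess")
```

Run it and the attacker recovers the weak master password on the fifth guess; the per-guess timings show why raising the iteration count by two orders of magnitude is the defender's lever, and why a master password that appears in no wordlist matters more than any server-side setting.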

 

2.3. In 2015 a Hacker Attack Compromised the Company's Servers

Here's another answer to your “Can we trust LastPass?” question:

In June 2015 a post on the company's blog announced that their team had detected suspicious activity on their network and, this time, confirmed that data had been taken. Compromised were:

  • the authentication hashes derived from users' master passwords
  • password reminders (hints)
  • per-user cryptographic salts
  • email addresses

LastPass stated that the encrypted vaults themselves were not taken, so what was at stake was once again offline guessing of the master password: anyone with a weak master password, or a reminder that gives it away, was exposed. LastPass required users to change their master passwords and added an email verification step for logins from new devices.

2.4. In 2016 a Vulnerability that Enabled Reading Plaintext Passwords Was Exposed

Within a year, in July 2016, a new security vulnerability in the autofill functionality was identified and detailed by a researcher at Detectify, an independent online security firm.

Basically, the article raised new suspicions about whether one could trust LastPass with their passwords:

The LastPass browser extension injected its own HTML into every page the user visited, and the code that decided which site that page belonged to parsed the URL poorly. A malicious page could craft its URL so that the extension mistook it for another site and autofilled that site's credentials into the attacker's page, where a script could read them in plaintext.
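The bug class Detectify described, as an added example (constructed here; it is neither the extension's code nor Detectify's): a hand-rolled host parser that treats the last '@' as the end of the userinfo, next to the standard-library parser that stops the authority at the first '/'. The site names, the URLs and the toy vault are all constructed for illustration.

```python
"""Added example (not LastPass or Detectify code): how a sloppy URL parser
lets an attacker's page impersonate another site to a credential filler.

Everything below (site names, URLs, the 'vault') is constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed "vault": hostname -> credentials the extension would autofill.
VAULT = {
    "bank.example": ("alice", "correct horse battery staple"),
    # nothing stored for attacker.example, as the attacker would expect
}


def naive_host(url: str) -> str:
    """A plausible hand-rolled parser: strip the scheme, drop everything up to
    the LAST '@' (meant to skip user:pass@), then cut at the next delimiter.
    Wrong because '@' only means userinfo BEFORE the first '/' of the path."""
    rest = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    if "@" in rest:
        rest = rest.rsplit("@", 1)[1]
    return re.split(r"[/:?#]", rest, maxsplit=1)[0].lower()


def correct_host(url: str) -> str:
    """RFC 3986 parsing: the authority ends at the first '/', so an '@'
    later in the path is just a path character. urlsplit() also strips
    real userinfo for us."""
    return (urlsplit(url).hostname or "").lower()


def autofill(url: str, host_parser):
    """What a credential filler does: look up credentials for whatever host
    the parser says the current page belongs to."""
    return VAULT.get(host_parser(url))


# The page the victim actually visits: the attacker's site, with a path
# chosen so that naive_host() reports the bank instead.
MALICIOUS_URL = "https://attacker.example/@bank.example/login"
# A legitimate URL with real userinfo: the case naive_host() was written for.
USERINFO_URL = "https://alice@bank.example/account"

if __name__ == "__main__":
    for label, parser in (("naive  ", naive_host), ("correct", correct_host)):
        print(label, "host =", parser(MALICIOUS_URL),
              "-> autofill:", autofill(MALICIOUS_URL, parser))
```

Both parsers agree on the legitimate URL with userinfo, which is how code like `naive_host()` survives review; only the malicious URL separates them, and with the naive parser the bank's credentials land on the attacker's page. The check a practitioner wants is the one `correct_host()` relies on: decide a page's origin with the platform's URL parser, never with a regex of your own.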

 

2.5. In 2017 a “Major Architectural Problem” Was Discovered

In March 2017 Google's security researcher Tavis Ormandy made a new discovery:

A set of vulnerabilities in the LastPass browser extension (Chrome, Firefox and Edge) which, once exploited by a malicious website, could let an attacker steal passwords from the vault or, where the LastPass binary component was installed, run arbitrary code on the victim's machine.

He described the underlying issue as a “major architectural problem”, to point out that this time we weren't facing some... sign of carelessness, but a flaw in how the extension exposed its privileged functions to the web pages it ran on.

“How safe is LastPass?” Users started to ask themselves again, and many began looking for alternatives.

 

3. About Our Own Unexpectedly Bad Experience as a LastPass Client 

Let us share with you some glimpses of our rough experience as LastPass users. 

I would start by saying that:

Yes, the worst-possible scenario did happen to us. We've apparently lost all the passwords “safely” stored in our LastPass account.

There are zero chances of retrieving them, of exporting them to another password manager and/or of getting a refund, considering that we had paid for one year in advance.

How did it all begin?

With us trying to log into our account, as usual. But, we got this “welcome” message instead:

“Invalid password”

We next tried to reset our master password, using their reset password form. With no success, though:

“LastPass account recovery failed for... Your current web browser did not save account recovery data on this computer. Please try account recovery again with every browser and on every computer you...”

And then the “dialogue of the deaf” began, with:

Us stating that we had NOT reset our password, for it was not possible, and the LastPass support team claiming that we had reset it.

And telling us that there was no option but to:

  1. create a whole new account
  2. say goodbye for good to all our passwords "safely" stored there; there was no way to export that sensitive user data to another password manager service
  3. lose all hope of getting a refund for the money we had paid in advance, due to their “no refund policy”

In short: if for some mysterious reason, one day LastPass doesn't recognize your current master password anymore and you're not allowed to reset it either... you're doomed.

Now, can you guess what our answer is to this question:

“Can we trust LastPass?”

 

4. Bottom Line: Should You Trust LastPass?

“Trust this service at your own risk!”

For one day, no matter whether you've:

  • disabled the autofill functionality
  • enabled two-factor authentication (for both LastPass and your other critical accounts)
  • chosen an "invincible” master password for your LastPass account
  • kept both your software and your machine “spotless clean” and up-to-date
  • used a different password for each account

you still run the risk of finding yourself locked out!

 

Just talking from experience...

 
