Can I Trust LastPass with My Passwords? No! Our Unexpectedly Bad Experience with Them

by Adriana Cacoveanu on Oct 09 2018

“Trust LastPass at your own risk!” would be our answer, one based on both:

  1. this password manager's own “beefy” record of critical security vulnerabilities, cross-site scripting bugs, breaches and major architectural issues
  2. our bad experience with LastPass, as a client

And before we dig into the heavy load of evidence that our “case” rests on, allow us to share some of their former clients' testimonials:

“I lost all my LastPass passwords in March 2017. It was a disaster for me. I have had LastPass since the beginning, can you imagine all the passwords saved over the years?

I think you should do some research on LastPass and the changes, the bad changes that have happened with LastPass” (Barbara's comment, 5 Best LastPass Alternatives to Manage Your Passwords)

“About a month ago when I tried to log in to LastPass I got the message that I had entered the wrong vault password - but I can assure you that neither I nor my cat has changed it... When I contacted LastPass, they in a rude manner "taught" me that I hadn't experienced what I had in fact experienced, since it is "impossible", and their "help" consisted in giving me the clue to the main password to LastPass - i.e. the password which, as I explained to them, isn't valid anymore... “ (Robert's comment, You Should Probably Stop Using LastPass Temporarily)

“Around a month ago I switched from LastPass to Bitwarden as my password manager. To make sure my passwords were protected I deleted my LastPass account, now I get an email asking me to renew my subscription for my DELETED LastPass account. I wonder what else they stored about me... “ (user/dumah310, LastPass storing email from deleted account)

1. But First: How Does LastPass Work?

In plain language:

LastPass stores your encrypted passwords (and secure notes) in the cloud and secures them via a master password.

And the “master password” is both the strength and the main vulnerability of this password management service.

Now, before I back up the above statement with our own experience with LastPass, here's an excerpt from an “enlightening” HackerNews post:

“Users must also devise a “master password” to retrieve the encrypted passwords stored by the password management software. This “master password” is a weak point. If the “master password” is exposed, or there is a slight possibility of potential exposure, confidence in the passwords is lost.“

2. 5 Security Vulnerabilities Over the Last 7 Years... and Still Counting

“How secure is LastPass from being hacked?”

I'll leave it to you to evaluate that while going through its “impressive” record of security flaws and vulnerabilities accumulated over the last few years:

2.1. In 2011 a Cross-Site Scripting Vulnerability Was Detected

In February 2011 Mike Cardwell, a security researcher, tracked down an XSS bug on the company's website.

Once “exploited”, this vulnerability could basically enable attackers to steal:

  • hashed passwords
  • the list of websites that users log into (along with the IP addresses, time and dates of their logins)
  • their email addresses
  • underlying cryptographic salts

LastPass fixed that bug within hours.

2.2. That Same Year A Second “Likely” Security Breach Was Identified

Later that year, in May, the company's team spotted an “anomaly” in both their incoming and outgoing network traffic, which raised the suspicion that an attacker might have accessed their servers.

What kind of risk did this “abnormal activity” entail?

Well, an attacker holding that data could check thousands of master-password guesses in a short period of time, combining each user's email, a guess at their master password and the salt, without ever touching LastPass' servers.

As the LastPass CEO himself confirmed at the time, in an interview with PCWorld.com:

“You can combine the user's e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you're potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website.”
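To make concrete both the point from section 1 (the master password is the single secret everything hangs on) and the CEO's description above (leaked email, salt and hash records let an attacker verify guesses offline), here is a simplified model in Python. It is an added example, not LastPass's code or record format: the use of PBKDF2-HMAC-SHA256, the per-user random salt, the SHA-256 verifier and the iteration counts are assumptions chosen for the demonstration, and the sample user is constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Dict

KEY_LEN = 32  # bytes of vault key derived from the master password


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a vault key with PBKDF2-HMAC-SHA256.

    The "rounds of one-way mathematics" in the quote are these iterations: every
    guess at the master password costs whoever checks it this many HMAC calls.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def make_server_record(email: str, master_password: str, iterations: int) -> Dict:
    """Assumed per-user server record (not LastPass's actual schema).

    The server must keep the salt and iteration count in the clear so a login
    can recompute the same key; it stores only a verifier, never the key itself.
    """
    salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, salt, iterations)
    verifier = hashlib.sha256(vault_key).digest()
    return {"email": email.lower(), "salt": salt,
            "iterations": iterations, "verifier": verifier}


def verify_guess_offline(record: Dict, guess: str) -> bool:
    """Check a master-password guess against a leaked record with no server involved.

    This is what stolen (email, salt, verifier) data enables: the salt defeats
    precomputed tables, but it does not stop per-record guessing.
    """
    key = derive_vault_key(guess, record["salt"], record["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), record["verifier"])


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one offline guess on this machine at a given iteration count."""
    salt = b"constructed-benchmark-salt"
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("benchmark-guess", salt, iterations)
    return (time.perf_counter() - start) / samples


def time_to_search(keyspace: int, iterations: int) -> float:
    """Rough single-core seconds needed to try every password in a keyspace of this size."""
    return keyspace * seconds_per_guess(iterations)


if __name__ == "__main__":
    # Constructed sample user; no real credentials involved.
    record = make_server_record("alice@example.com", "correct horse battery staple", 100_000)
    print("right password verifies offline:", verify_guess_offline(record, "correct horse battery staple"))
    print("wrong password verifies offline:", verify_guess_offline(record, "password123"))
    # The iteration count is the defender's main lever: it multiplies the cost
    # of every offline guess, so compare a low and a high setting.
    for iters in (5_000, 100_000):
        hours = time_to_search(10**8, iters) / 3600
        print(f"{iters:>7} iterations: ~{hours:.1f} h per 10^8 guesses on one core")
```

The takeaway for a user is the one the article keeps returning to: once such records leak, nothing on the server side can be "reset" to protect a weak master password, and only the iteration count and the strength of the master password itself stand between the attacker and the vault.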

 

2.3. In 2015 A Hacker Attack Compromised the Company's Servers

Here's another answer to your “Can we trust LastPass?” question:

In June 2015 a post on the company's blog announced that their team had detected suspicious behavior on their network.

The result? LastPass servers got hacked and the cryptographically protected content was compromised. And we're talking here about:

  • user passwords
  • password reminders
  • cryptographic salts
  • email addresses

2.4. In 2016 A Vulnerability that Enabled Reading Plaintext Passwords Was Exposed

Within a year, in July 2016, a new security vulnerability in the autofill functionality was identified and then detailed by a researcher at Detectify, an independent online security firm.

Basically, the article raised new doubts about whether one could trust LastPass with their passwords:

The URL-parsing code of the LastPass browser extension, the piece of code injected into every page that the “victim” would visit, was poorly written. Sloppy enough to let a potential attacker read plaintext passwords once the user landed on a malicious website.
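The article does not say what the parsing mistake was, so here is an added Python example (not Detectify's writeup and not LastPass's code) of the check an autofill feature has to get right: deciding from the current page's URL whether a stored credential belongs to it. The sloppy regex extractor, the vault entries and the sample URLs are all constructed for the illustration; the hardened version simply relies on the standard library's URL parser.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed vault: one credential, keyed by the site it belongs to.
VAULT: Dict[str, Dict[str, str]] = {
    "bank.example": {"username": "alice", "password": "sample-not-real"},
}

# Sloppy extractor: it tries to skip an optional "user:pass@" prefix with a
# greedy ".*@", which is free to run across "/" and so can be steered by an
# "@" that appears later in the path rather than in the authority.
_NAIVE = re.compile(r"^https?://(?:.*@)?([^/:?#]+)")


def naive_host(url: str) -> Optional[str]:
    """Host extraction as a hand-written regex would do it (constructed bad example)."""
    m = _NAIVE.match(url)
    return m.group(1).lower() if m else None


def strict_host(url: str) -> Optional[str]:
    """Host extraction via the standard URL parser.

    The authority ends at the first '/', '?' or '#', userinfo and port are
    stripped, and non-web schemes are rejected outright.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def host_matches(host: str, site: str) -> bool:
    """A credential for `site` may fill on `site` itself or one of its subdomains."""
    return host == site or host.endswith("." + site)


def credential_for(url: str, extractor=strict_host) -> Optional[Dict[str, str]]:
    """Return the credential autofill would offer for this page URL, if any."""
    host = extractor(url)
    if host is None:
        return None
    for site, cred in VAULT.items():
        if host_matches(host, site):
            return cred
    return None


if __name__ == "__main__":
    # Constructed page URLs: a legitimate login page and a hostile one that
    # merely contains the bank's name after an '@' in its path.
    for url in ("https://login.bank.example/session?x=1",
                "https://evil.example/@bank.example/login"):
        print(url)
        print("  naive  ->", credential_for(url, naive_host))
        print("  strict ->", credential_for(url))
```

The point for a defender is that origin matching is a security decision, not string munging: whatever the extension decides about the page's host determines which secret it is willing to hand over, so that decision belongs to a real URL parser plus an explicit scheme allow-list, and it deserves test cases written from the attacker's side of the URL.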

 

2.5. In 2017 a “Major Architectural Problem” Was Discovered

In June 2017 Google security researcher Tavis Ormandy made a new discovery:

A security vulnerability in the LastPass Chrome extension (which also affected Firefox and Edge) that, once exploited, could enable an attacker to steal passwords or achieve remote code execution.

He described it as a “major architectural problem” to point out that this time we weren't facing mere signs of carelessness, but a hole in LastPass' security shield.

“How safe is LastPass?” Users started to ask themselves again and many even started looking for alternatives.

 

3. About Our Own Unexpectedly Bad Experience as a LastPass Client

Let us share with you some glimpses of our rough experience as LastPass users.

I would start by saying that:

Yes, the worst-possible scenario did happen to us. We've apparently lost all the passwords “safely” stored in our LastPass account.

There are zero chances to retrieve them, to export them to another password manager and/or to get a refund, considering that we had paid for one year in advance.

How did it all begin?

With us trying to log into our account, as usual. But we got this “welcome” message instead:

“Invalid password”

We next tried to reset our master password, using their reset password form. With no success, though:

“LastPass account recovery failed for... Your current web browser did not save account recovery data on this computer. Please try account recovery again with every browser and on every computer you...”

And then the “dialogue of the deaf” began, with:

Us stating that we did NOT reset our password, for it was not possible, and the LastPass support team claiming that we did reset it.

And telling us that there's no option but to:

  1. create a whole new account
  2. say goodbye for good to all our passwords "safely" stored there; there's no way to export that sensitive user data to another password manager service
  3. lose all hope of getting a refund for the money we had paid in advance, due to their “No refund policy”

In short: if for some mysterious reason, one day LastPass doesn't recognize your current master password anymore and you're not allowed to reset it either... you're doomed.

Now, can you guess what our answer is to this question:

“Can we trust LastPass?”

 

4. Bottom Line: Should You Trust LastPass?

“Trust this service at your own risk!”

For one day, no matter whether you've:

  • disabled the auto-fill functionality
  • enabled two-factor authentication (for both LastPass and your other critical accounts)
  • chosen an “invincible” master password for your LastPass account
  • kept both your software and your machine “spotless clean” and up-to-date
  • used a different password for every account

you still run the risk of finding yourself locked out!

Just talking from experience...
