In light of the recent COVID-19 pandemic - OPTASY would like to offer DRUPAL website support for any Healthcare, Government, Education and Non-Profit Organization(s) with critical crisis communication websites or organizations directly providing relief. Stay Safe and Stay Well.

Can I Trust LastPass with My Passwords? No! Our Unexpectedly Bad Experience with Them
Tips

Can I Trust LastPass with My Passwords? No! Our Unexpectedly Bad Experience with Them

by Adriana Cacoveanu on Oct 09 2018

“Trust LastPass at your own risk!” would be our answer. One based both on:

 

  1. this password manager's own “beefy” record of critical security vulnerabilities, cross-site scripting bugs, breaches and major architectural issues
  2. our bad experience with LastPass, as a client

     

And before we dig into the heavy load of evidence that we base our “case” on, allow us to expose some of their former clients' testimonials:

 

“I lost my entire LastPass passwords in March 2017. It was a disaster for me. I have had LastPass since the beginning, can you imagine all the passwords saved over the years?

I think you should do some research on LastPass and the changes, the bad changes that have happened with LastPass” (Barbara's comment, 5 Best LastPass Alternatives to Manage Your Passwords)

 

“About a month ago when I tried to log in to LastPass I got the message that I had entered the wrong vault password - but I can assure you that nor I, nor my cat has changed it... When I contacted LastPass, they in a rude manner "taught" me that what I hadn't experienced what I had in fact had experienced, since it is "impossible", and their "help" consisted in giving me the clue to the main password to LastPass - i.e. the password, which I explained to them isn't valid anymore... “ (Robert's comment, You Should Probably Stop Using LastPass Temporarily)

“Around a month ago I switched from LastPass to Bitwarden as my password manager. To make sure my passwords were protected I deleted my LastPass account, now I get an email asking me to renew my subscription for my DELETED LastPass account. I wonder what else they stored about me... “ (user/dumah310, LastPass storing email from deleted account)

1. But First: How Does LastPass Work?

In plain language:

LastPass stores your encrypted passwords (and secure notes) in the cloud and secures them via a master password.

And the “master password” is both the strength and the main vulnerability of this password management service.

Now before I back up the above statement with our own experience with LastPass, here's an excerpt of an “enlightening” HackerNews post:

“Users must also devise a “master password” to retrieve the encrypted passwords stored by the password management software. This “master password” is a weak point. If the “master password” is exposed, or there is a slight possibility of potential exposure, confidence in the passwords are lost.“

2. 5 Security Vulnerabilities Over the Last 7 Years... and Still Counting

“How secure is LastPass from being hacked?”

I'll leave it to you to evaluate it while going through its “impressive” record of security flaws and vulnerabilities reached over the last years:

 

2.1. In 2011 a Cross-Site Scripting Vulnerability Was Detected  

In February 2011 Mike Cardwell, a security researcher, tracked down an XSS bug on the company's website.

Once “exploited”, this vulnerability could basically enable attackers to steal:

 

  • hashed passwords
  • the list of websites that users log into (along with the IP addresses, time and dates of their logins)
  • their email addresses
  • underlying cryptographic salts

     

LastPass fixed that bug within hours.

 

2.2. That Same Year A Second “Likely” Security Breach Was Identified

Later on that year, in May, the company's team spotted a new “anomaly” in both their incoming and outgoing network traffic. Therefore, suspicions arose that a hacker might have accessed their servers.

What kind of risks did this “abnormal activity” entail?

Well, the attacker could check thousands of passwords in a short period of time, using a combination of user emails, guesses on their master password and the salt.

As LastPass CEO confirmed it himself back then, in an interview for PCWorld.com:

“ You can combine the user's e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you're potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website.” 

 

2.3. In 2015 A Hacker Attack Compromised the Company's Servers  

Here's another answer to your “Can we trust LastPass?” question:

In June 2015 a post on the company's blog announced that their team had detected suspicious behavior on their network.

The result? LastPass servers got hacked and the cryptographically protected content compromised. And we're talking here about:

 

  • user passwords
  • password reminders
  • cryptographic salts
  • email addresses

     

2.4. In 2016 A Vulnerability that Enabled Reading Plaintext Passwords Was Exposed

Within a year, in July 2016, a new security vulnerability in the autofill functionality was identified and then detailed by the representative of DETECTIFY, an independent online security firm.

Basically, the article raised new suspicions about whether one could trust LastPass with their passwords:

The URL-parsing code of the LastPass browser extension — the HTML piece of code that was added to every page that the “victim” would visit —  was poorly written. Sloppy enough to enable a potential attacker to read plaintext passwords once the user landed on a malicious website.

 

2.5. In 2017 a “Major Architectural Problem” Was Discovered 

In June 2017 Google's security researcher Tavis Ormandy made a new discovery:

A security vulnerability in the LastPass Chrome extension (that applied to Firefox and Edge, as well), which, once exploited, could enable a hacker to steal passwords or engage in remote code execution.

He described it as a “major architectural problem” to point out that this time we weren't facing some... signs of carelessness, but a hole in LastPass' security shield instead.

“How safe is LastPass?” Users started to ask themselves again and many even started looking for alternatives.

 

3. About Our Own Unexpectedly Bad Experience as a LastPass Client 

Let us share with you some glimpses of our rough experience as LastPass users. 

I would start by saying that:

Yes, the worst-possible scenario did happen to us. We've apparently lost all the passwords “safely” stored in our LastPass account.

There are zero chances to retrieve them, to export them to another password manager or/and to get a refund, considering that we had paid for one year in advance.

How did it all begin?

With us trying to log into our account, as usual. But, we got this “welcome” message instead:

“Invalid password”

We next tried to reset our master password, using their reset password form. With no success, though:

“LastPass account recovery failed for... Your current web browser did not save account recovery data on this computer. Please try account recovery again with every browser and on every computer you...”

And then the “dialogue of the deaf” began, with:

Us stating that we did NOT reset our password, for it was not possible and the LastPass support team claiming that we did restart it.

And telling us that there's no option but to:

 

  1. create a whole new account
  2. say goodbye to all our passwords "safely" stored there for good; there's no chance to export that user sensitive data to another password manager service
  3. lose all hope of getting a refund for the money we had paid in advance, due to their “No refund policy”

     

In short: if for some mysterious reasons, one day LastPass doesn't recognize your current master password anymore and you're not allowed to reset it either... you're doomed.

Now, can you guess what's our answer to this question:

“Can we trust LastPass?”

 

4. Bottom Line: Should You Trust LastPass?

“Trust this service at your own risk!”

For one day, no matter whether you've:

 

  • disabled the auto-fill functionality
  • enabled a two-factor authentication (for both LastPass and your other critical accounts)
  • chosen an "invincible” master password for your LastPass account
  • kept both your software and your machine “spotless clean” and up-to-date
  • used one different password per account

     

you still run the risk to find yourself locked out!

 

Just talking from experience...

 

Development

We do Web development

Go to our Web development page!

Visit page!

Recommended Stories

DrupalTips
How SEO Helps Your Website Grow

How SEO Helps Your Website Grow

  Search engine optimization (SEO) is a powerful tool for helping your website grow and reach its full potential. SEO involves optimizing your website to make it easier for search engines like Google to find and rank it in their search results. By using SEO techniques such as keyword research, content optimization, link building, and more, you can increase the visibility of your website and attract more visitors. With the right SEO strategy in place, you can drive more traffic to your site and generate more leads and sales. In this article, we'll discuss how SEO can help your website grow and become successful. What is SEO? SEO stands for Search Engine Optimization, and it is the process of optimizing a website to make it easier for search engines like Google to find and rank it in their search results. SEO involves a variety of techniques, such as keyword research, content optimization, link building, and more. By using these techniques, you can increase your website’s visibility and attract more visitors. SEO helps your website become more visible in the search engine results pages (SERPs), which can lead to more traffic, leads, and sales. Benefits of SEO for Website Growth Let's have a look at some of the top benefits of SEO for website growth: Increased visibility: SEO helps your website become more visible in the search query, which can lead to more traffic and leads. Improved user experience: SEO also helps enhance the user experience of your website by making it easier to navigate and providing relevant content. Increased brand awareness: SEO can help boost brand awareness by making your website more visible in the SERPs, which can lead to more people recognizing your brand. Higher conversion rates: SEO can also help increase your website's conversion rate by making it easier for visitors to find what they are looking for and take the desired action. More organic traffic: SEO can help you drive more organic traffic to your website, which is free and highly targeted. Keyword Research for SEO Keyword research is an important part of SEO, and it involves finding the right keywords to target for your website. Keyword research helps you identify the words and phrases that people are searching for when looking for products or services related to your business. By targeting these keywords, you can increase your website’s visibility in the SERPs and attract more organic traffic. When doing keyword research, you can use specialized software to make the job easier. Content Optimization for SEO Content optimization involves optimizing your website’s content to make it more relevant to search engines. Content optimization includes optimizing titles, meta descriptions, headings, images, and other elements of your website’s content. Many companies rely on a solid blog approach to boost their content optimization strategy and highlight their SEO efforts. Link-Building Strategies for SEO Link-building is another top SEO strategy, and it involves creating backlinks to your website from other websites. Backlinks are links from other websites that point to your website, and they can help improve your website’s visibility in the SERPs. There are a variety of link-building strategies you can use to build backlinks for your website. These include guest blogging, directory submissions, social media marketing, and more. Conclusion SEO is an important part of website growth, and it can help you increase your website’s visibility in the SERPs, attract more organic traffic, and boost your conversion rates.  In the competitive digital world, brands that harness the power of SEO are on top of the game.  If you, too, want to integrate SEO into your web development project and are looking for professional advice, don't hesitate to contact Optasy. Optasy is a web development company that provides complete web development and maintenance services that support business growth.  Photo credit: Unsplash.  ... Read more
Raluca Olariu / Feb 14'2023
Tips
Website Security Best Practices

Website Security Best Practices

  Website security is an important consideration for any business or organization with an online presence. With the ever-increasing threats posed by cybercriminals, it is essential to ensure that your website is secure and protected from malicious attacks. Implementing best practices in website security can help protect your website from hackers, malware, and other malicious activities and security issues. This article will discuss some of the best practices for website security and how you can stay away from cybercriminals and improve your security posture.    "Cybersecurity is a shared responsibility, and it boils down to this: in cybersecurity, the more systems we secure, the more secure we all are." - Jeh Johnson Overview of Cybersecurity in 2023 The cybersecurity landscape heads towards a privacy-first approach to information security in 2023. Also, aligning regulations globally will allow businesses to gain more security and data protection.  There are growing voices that give their positive vote to passwordless authentication, which will presumably eliminate the risk of password breaches and amplify organizational security.  However, the rise of the Internet of Things (IoT) devices will likely increase security risks for organizations and expose more security vulnerabilities.  So how can websites cope and become more agile and accessible in this uncertain cyber landscape?   Best Website Security Practices in 2023 At the moment, the best website security practices involve a combination of proactive measures and reactive responses. Proactive measures include implementing strong authentication methods, encrypting data, and regularly patching software. Reactive responses include monitoring suspicious activity and responding quickly to identified security threats or security breaches. Strong Authentication Multi-factor authentication is one of the most important best practices for website security. It involves using two or more factors to verify a user’s identity, such as strong login credentials, and a biometric factor like a fingerprint or facial recognition. This ensures that only authorized users can access the website and its data, protecting it from unauthorized access. Additionally, strong authentication can help protect against phishing attacks, which are attempts to gain access to sensitive information by posing as a legitimate website. Encryption Encrypting data is another significant best practice for website security. Encryption scrambles data so that it can only be read by the intended recipient, making it more difficult for hackers to access sensitive information. It also helps protect against man-in-the-middle attacks, which occur when a hacker intercepts data as it is being transmitted between two parties. Software Patching Software updates are another important best practice for website security. Regularly patching software helps protect against vulnerabilities that can be exploited by hackers. It also ensures that the latest security features are in place, making it more difficult for attackers to access sensitive information. Monitoring and Response Reactive responses like monitoring suspicious activities or responding quickly to identified threats are two valuable tools for website security. Monitoring for suspicious activity can help identify potential threats before they become a problem. Responding quickly to identified threats can help minimize the damage caused by malicious code. Conclusion Keeping websites secure in 2023 involves a combination of proactive measures and reactive responses. These best practices are just some measures you can take to protect your digital assets. If you want to go more in-depth and opt for complex ways to secure your website, don't hesitate to contact Optasy.    Photo credit: Pixabay.... Read more
Raluca Olariu / Jan 25'2023
DrupalTips
Top Drupal Debugging Techniques

Top Drupal Debugging Techniques

  Debugging is an essential part of developing any website, and Drupal is no exception. Debugging in Drupal can be a complex process due to the complexity of the system and its many components. However, with the right techniques, it is possible to identify and resolve issues quickly. In this article, we will discuss some of the top debugging techniques for Drupal that can help you troubleshoot your website more efficiently. We will cover topics such as using the Devel module, using Xdebug, and other helpful tips and tricks. With these techniques in hand, you'll be able to recognize and repair any problems on your Drupal site quickly.     Using the Devel Module for Debugging The Devel module is a powerful tool for debugging Drupal websites. It provides a suite of tools to help you quickly identify and resolve issues. The Devel module includes features such as the ability to view database queries, generate dummy content, and debug PHP code. It also has an API that allows developers to create custom debugging tools. Using the Devel module can be helpful when trying to identify the source of an issue. It can also be used to generate dummy content for testing purposes.     Utilizing Xdebug for Troubleshooting Xdebug is a powerful debugging tool that can be used to troubleshoot issues on Drupal websites. It provides detailed information about the code execution, including stack traces and variable values. This can help developers quickly identify the source of an issue and resolve it more efficiently. Xdebug also has features such as breakpoints, which allow developers to pause the execution of code at certain points to inspect the application's state. This can be helpful when trying to identify and fix complex issues.     Leveraging Drupal's Logging System Drupal's logging system is a powerful tool for debugging websites. It provides detailed information about the events that occur on the website, including errors and warnings. This can be helpful when trying to identify the source of an issue. The logging system also allows developers to set up custom log levels, which can be used to filter out unnecessary information and focus on specific types of events. This can help developers quickly identify and resolve issues.   Using the Drupal Console for Debugging The Drupal Console is a command-line interface that can be used to debug Drupal websites. It provides commands for inspecting the database, generating dummy content, and running tests. This can be helpful when trying to identify and fix issues quickly. The Drupal Console also has an API that allows developers to create custom commands for debugging purposes.   Have You Completed Your Drupal 10 Migration? The release of Drupal 10 marks a major milestone for the platform, and it is important to ensure that your website is up-to-date with the latest version. Migrating to Drupal 10 can be a complex process, but it is essential for ensuring that your website remains secure and performs optimally. When migrating to Drupal 10, it is important to test the website thoroughly and use debugging techniques to identify and resolve any issues. The Devel module, Xdebug, and Drupal's logging system can all be used to troubleshoot any problems that may arise during the migration process. Don't forget to ensure that all of the modules and themes used on the website are compatible with Drupal 10. It is recommended to use the Update Status module to check for any available updates and apply them before migrating to Drupal 10. Additionally, it is a good idea to create a backup of your website before beginning the migration process in case something goes wrong. By taking these steps, you can ensure that your website is properly migrated and running smoothly on Drupal 10.     Conclusion Debugging in Drupal can be a complex process, but with the right techniques, it is possible to debug your website faster and easier. If you need more advice on your next web development project or on your Drupal 10 migration, our team of experts is here to help you. Contact us for more details.   Photo credit: Unpslash.... Read more
Raluca Olariu / Jan 16'2023

Need a new Project?

Dare us to shape and boost your idea(s)!

Start a Project

(416) 243-2431

Contact

(416) 243-2431

Toronto Downtown

First Canadian Place,
100 King St. W. Suite 5700, Toronto

Toronto West

2275 Upper Middle
Rd. E, Suite 101
Toronto

New York

1177 Avenue of the
Americas, 5th Floor,
New York