OMG I did it! – Security Blog #6

Okay, so I’ve been so proud this last 2 weeks because I finally got a -more than- decent score in LastPass Security Challenge. The first time I took the quiz I had more than 40 sites (There were more of them, but I already had the duplicate/same domain configuration working), and I obtained a well deserved 12%, in the lowest 7%, but at least my Master Password was excellent (At least something wasn’t horribly wrong).

26965409864_0508284796_k
“pw_xato-net_02-06” by Mark Burnett (CC https://creativecommons.org/licenses/by/2.0/). Taken from https://www.flickr.com/photos/mark_burnett/26965409864

Now, I can truly be proud to say that after some heavy work I got, after inserting 5 new sites, a 96%. This puts my account in the top 1% of Last Pass users. YAY!

So,  it was really a heavy task to change the passwords of almost 50 sites. It was really horrible and exhausting (Maybe because I tried to all of the necessary changes in one sitting). But I can share some stuff I’ve learned to the rest of the world:

  • Last Pass offers a method that automatically changes your password in the supported sites (Usually it only works with the big ones). I found that method extremely ineffective. It takes what feels like years, to let the program found the adequate buttons, text fields and then generate the password. I don’t know why did this happen. Maybe because I have some pages in Spanish and Esperanto, and the program failed to find the buttons (if the method is made using the value of the button and not the ID, or something like that).
    I mean. My problem was with the time it took to accomplish those tasks. Not that it didn’t work. I don’t have any problem leaving Last Pass to change your password in the background while you do something else. Then there isn’t any con for you. (Remember that you will need to manually select each site that you wish to auto-change).
  • Manually changing your passwords was a pain in the butt… sometimes. Why? Because of three reasons.
    1. Sometimes, Last Pass doesn’t detect the new password fields. So how can I take advantage of the password generator, if it doesn’t appear where I need it to be. I then need to use the generate password feature in the extension button of the explorer.  Which is, in fact, the second reason.
    2. If you have the necessity of using the “generate password” inside the extension button, and if you want to write edit the password (Which is a feature you supposedly have), you will suffer. Why? Because the dumb system stores the texts that you have managed to type in. I was going to post a GIF where I showed this ugly implementation, but then I realized that the stored list has passwords that you actually use on some sites! I mean, if supposedly Last Pass is trying to make me use different passwords for each account, then don’t show me my used passwords. But specifically, don’t store them in a list that impedes the insertion of a new password to test or the generation and tweaking of a different one. So I encourage you to try this by yourself so you can actually understand.
      The problem is that instead of letting the user write a new password to test, it will change the value of the field to the stored text in the list (I sincerely don’t know how I managed to get those in) that starts with the key you just typed, like a form.
      And if you manage to actually make Last Pass stop changing your text, you can only add more characters to the end of the string. You can’t move the text cursor somewhere else because, bad luck, it will change the entire string that it’s being displayed.
      And after that, if you think that that password you have would fit your needs, then, good luck copying that into the reset password field (Remeber that you only got here because, from the start, Last Pass didn’t detect that you were actually trying to change the password). Because when you release the ctrl+c keys, Last Pass will change the text to the string that starts with c in the list. And your clipboard will still remain empty, and your perfect password lost.
    3. Okay, so let’s say that Last Pass actually detected you are changing your password. And let’s say that you manage to generate a new one, either automatically (Without even touching a thing), or semi-automatically (Giving the generator some parameters). Sometimes, after you click the update password button in the site, Last Pass will prompt you to update also the entry in your vault. But, this is only sometimes! And how am I to know that if you can detect that new password field for a particular site, doesn’t mean that you will be able to tell if I actually updated the password?!
      If this feature didn’t exist, then I wouldn’t care. But the problem is that sometimes it does work. And it’s beautiful. But when it doesn’t, how am I to update myself the Last Pass vault entry, if I don’t have any clue of the new password! It only leaves me with the option to click on the “I forgot my password” on the site. Generate another password and remember to copy it. Then, and this is just ridiculous, if Last Pass doesn’t automatically detect the new password this time, I manually updated it in the vault.

And those are my complaints of Last Pass. I still have one HUGE complain. During this process of changing the passwords, I found out that there are sites that handle this request easely, and others that makes it impossible to the user to reach its goal. Some of them let you change the password only if you click on the “I forgot my password”. But there is one site that is thw worst of all.
dish.com.mx – I mean… they don’t event let you change your password. So I clicked on the forgotten password button, to then realize that they just sent me my password via email. OMG. That is so badly implemented. In fact I made a public complaint in Twitter. But they account is mostly offline.

And I guess that its everything I have to share about my experience. If you feel like asking something, please do.

Cheerio.

Miguel Montoya
Esperanto enthusiast
ʕ•ᴥ•ʔ

Anuncios

Responder

Introduce tus datos o haz clic en un icono para iniciar sesión:

Logo de WordPress.com

Estás comentando usando tu cuenta de WordPress.com. Cerrar sesión /  Cambiar )

Google photo

Estás comentando usando tu cuenta de Google. Cerrar sesión /  Cambiar )

Imagen de Twitter

Estás comentando usando tu cuenta de Twitter. Cerrar sesión /  Cambiar )

Foto de Facebook

Estás comentando usando tu cuenta de Facebook. Cerrar sesión /  Cambiar )

Conectando a %s