ModemLoper came up with the name.
So here’s a frustrating experience. My office uses LastPass to share passwords for things. Secret things. They send me an ‘invite’ for the Enterprise account with my company email. I go to log in with the first-time password thing, and it says I need to make a new password. Sure, because email isn’t secure, so I make a new password the same way I have for the last year. I open up 1Password, make a new account there (LastPass – Work) with the login as my.email@myoffice.com and generate a password. So I have a password stored there you see. I then copy that password and paste it in, twice, to change the password.
I want to note some things here. I did not have a message about how my master password was super important at this time. In fact, it just said to enter it twice. Also remember this was for an ENTERPRISE account. Not a normal user. Okay?
So I do that, it says yay log in now! I take the same password, paste it in, no go. Oh, okay, maybe a butterfly farted. I’ll just reset it. Guess what I can’t do? The password ‘Hint’ was useless, since my password was along the lines of dyEno4FfW4EsED and I’d set the hint to “1Password” like you often do. Also there’s no ‘email me my password’ or ‘reset my password’ thing I can use. Probably because email isn’t secure. The email where they’d emailed me a temp password just before to create my Enterprise account.
At this point I tweeted obscenities. I have an account but I can’t use it. I can’t reset the password. I can’t recover the password. I don’t have a ‘One Time’ use password because I never got to the point where it let me create that sort of thing. Ditto with ‘reverting’ my vault. There was nothing to revert to so I couldn’t do that. The official answer was to delete my account and start over. There was more swearing. Most of it public use of the F-word on Twitter.
But I did delete the account, made a new one, and this time it said “Hey, this master password thing is super important!” and took me to a second screen where I have to re-enter it. Oh, and yes, I used the same password I’d made before. It worked this time. My coworker resent the invite to join our Enterprise account. I do so, set up Two Factor Authentication, trust my laptop, and he shared the folders.
As I spell out the drama to him, I realize that this may be happening because I didn’t have an account before. That is, I went ahead and used the account and password from the email. Don’t believe me that they sent a clear-text password? Here:
I redacted the account, even though you could guess it. Four hours pass. I get a tweet from the LastPass CEO:
https://twitter.com/joesiegrist/status/403649508715667456
to which I replied:
https://twitter.com/ipstenu/status/403649761212784640
Everything’s fine now, and my takeaway from this is ‘Make an account before joining an Enterprise’ because clearly their ‘sign up through your enterprise’ thing is buggy. The whole interface is a little janky, and I find their statement of how they cannot possibly reset your password to be weird:
Recovery for LastPass is not the same as other services you may have previously used – due to our encryption technology, LastPass does not know your Master Password, so we cannot look it up, send it to you, or reset it for you. This means your data remains secure from threats, but also means that there are limited options when you forget your Master Password.
I gather they mean “There’s no way to change your password without knowing your current password.” And really this is the ultimate security, isn’t it? No one but you can change it without knowing your master password. The problem with this, and really all these things, is that if I have one master password, it must be easy for me to memorize and remember at the drop of a hat.
Which means my master password is my least secure password. Check the sticky notes on my monitor.
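To make the “we cannot reset it for you” statement concrete, here is an added example (not LastPass’s code, and not from this post) of the zero-knowledge layout a password manager like this uses. The key that encrypts the vault is derived from the master password on the client; the server only ever receives a further one-way hash for login plus the opaque encrypted blob, so there is nothing it holds that could decrypt or re-key the vault. The iteration count, the `VaultServer` class and the HMAC-in-counter-mode cipher are hypothetical choices for a stdlib-only demonstration; a real product would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

# Hypothetical parameters for this demonstration, not any vendor's real ones.
KDF_ITERATIONS = 100_000
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side only: the key that encrypts the vault. Derived from the
    master password and never sent to the server."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               KDF_ITERATIONS, KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way step over the vault key. This is the only
    password-derived value the server ever sees; it cannot be reversed
    into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(),
                               1, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stdlib-only stream cipher so
    the example runs without third-party packages (illustrative, not a
    recommendation)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_vault(vault_key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(vault_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(vault_key, nonce, len(body))))


class VaultServer:
    """What the service stores per account: an auth hash and an opaque blob.
    There is deliberately no working reset path, because nothing held here
    can recover or replace the vault key."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        self.accounts[email] = {"auth_hash": auth_hash, "blob": blob}

    def login(self, email: str, auth_hash: bytes):
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct["auth_hash"], auth_hash):
            return None
        return acct["blob"]

    def reset_master_password(self, email: str) -> bool:
        # The server cannot decrypt the blob, so it cannot re-key it.
        return False


def change_master_password(server: VaultServer, email: str,
                           old_password: str, new_password: str) -> bool:
    """The only way to change the master password: prove the old one by
    decrypting the vault, then re-encrypt under the new key."""
    old_key = derive_vault_key(old_password, email)
    blob = server.login(email, derive_auth_hash(old_key, old_password))
    if blob is None:
        return False
    plaintext = decrypt_vault(old_key, blob)
    if plaintext is None:
        return False
    new_key = derive_vault_key(new_password, email)
    server.register(email, derive_auth_hash(new_key, new_password),
                    encrypt_vault(new_key, plaintext))
    return True


if __name__ == "__main__":
    # Constructed sample account and vault contents.
    server, email, pw = VaultServer(), "me@example.com", "correct-horse-example"
    key = derive_vault_key(pw, email)
    server.register(email, derive_auth_hash(key, pw), encrypt_vault(key, b"site1:hunter2"))
    print("server can reset:", server.reset_master_password(email))
    print("change with wrong old password:", change_master_password(server, email, "wrong", "new"))
    print("change with right old password:", change_master_password(server, email, pw, "new-pw"))
```

Note what the server never receives: `derive_vault_key`'s output. A forgotten master password therefore leaves only the options the post describes (a hint, a one-time password or a prior vault revision set up in advance), which is exactly why the master password ends up being the one secret you must hold in your head.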
Comments
3 responses to “LastPass? LostPass!”
I’m having tangentially related trouble. Apparently you can link a personal account to an enterprise account to simplify your logins. That’s cool. Only when I try to do that (in their settings dialog) nothing happens.
If I open up the browser’s developer tools and watch the network traffic, I see an ajax request go out when I click the button and, lo, it comes back with an error that doesn’t get picked up by the JS.
Interestingly, the error says that I need to give it a one-time-passcode since I have multifactor set up on the personal account…but it apparently doesn’t know how to handle that *and* its suggested fix is to update to the most recent browser extension (this is their website I’m using directly, not a browser extension…).
@Kyle Marsh: This is, in part, why I use a perma-separate account for work and personal. It’s not just that I don’t trust the system to not cross the streams.
I had issues with the Enterprise account too. Somehow all my personal passwords got lost once I was not a member of the shared account anymore. I don’t remember how it happened exactly though.
We use Meldium for sharing accounts and passwords between team members.