Client, website credentials (LastPass?)

I’m speaking to a potential client, and they want me to redesign their website, and they’re wanting to give me their login credentials for everything. However, they use LastPass, and want to “invite” me to “join” LastPass, in what I’m assuming is to share access to their website’s login credentials.

I just googled “LastPass” and apparently it has a very poor reputation:
https://www.reddit.com/r/Lastpass/comments/11fissj/is_lastpass_still_safe/

I switched to 1Password. The two main reasons I left LastPass are that they were not transparent about the breach and also that they do not enctypt URLs. Not encypting URLs, which 1Password and Bitwarden, was a majot failure by Lastpass because the hacker can use this information for targeted attacks even though though the hacker may be unable to decrypt the vaults. The attacker though already has all the email addresses associated with Lastpass accounts, and this combined with the URL information is a disaster waiting to happen.

I’m used to a client just giving me their password in a secure, normal way, and just accessing their website directly that way. Does “joining” LastPass with my email, and being connected to their LP account put me in any danger? I don’t like the idea of this, and from what I’m reading of LastPass, it sounds like I should avoid any connection it.

Ugh. I love graphic design, but I really dislike this aspect of it.

Any advice is greatly appreciated, as always.

Hmmm…if you only use it for their work, with their pre-existing password(s), and don’t adopt it as your password manager, I don’t think it puts you at additional risk.

2 Likes

Thank you! Sometimes I wonder whether I’m being paranoid, or exercising legitimate caution in regards to things like this.

I hate to bug you again, but if you have time and can answer this…
It’s asking me the following:

Join LastPass

Complete this form to activate your account

*Confirm Password *
Activate Account

It seems like I’m not using their re-existing passwords, but creating my own, with my own account. Am I still good to go, or should this give me pause?

As far as I can tell, the potential danger is in the risk of the LastPass servers getting hacked, and the hacker(s) gaining access to the “vault” associated with your account. I’m reasonably certain you get the option of using LastPass or not using it for each authentication you encounter. So just don’t use it for anything you don’t have to, and your vault will stay empty.

But then…

I’m also reasonably certain you shouldn’t have to use LastPass at all to access the client’s web server. It’s really nothing but a discrete, user-specific password manager that has nothing to do with accessing a user account on their server or any other. After rereading your original post:

I suspect that “invite” thing is a built-in LastPass feature aimed at spreading the user base. No one has to use it, but the client doesn’t know any better than to just think “inviting” you is the de facto way to get you into their server. All you need is a user account on their server. LastPass is superfluous. Are you in contact with the server admin? If so, I’d be surprised that they perpetrated the LastPass invite.

1 Like

Thanks for getting back to me so quickly.
I was kind of thinking the same thing in regards to LastPass. I mean…as long as they recently reset/recovered their passwords (which was their original issue) why do I need to register with LastPass? Can’t they just give me their password for their WordPress site and/or their Hosting site?

I don’t know who the “server admin” would be. Is it the client and owner of the website? According to them, no one is currently maintaining their website.

I would kindly dismiss them. I see trouble ahead. I have never been asked to “join” a website in order to do a redesign. I’m usually made a part of the Admin team.

2 Likes

It does feel “off.” I hate to come across as stubborn, but with other clients and myself, I have to take the utmost precautions. If I can’t see the need for it on the outset, why should I go in blindly, not knowing?

You are correct, sir. Another important thing about such clients with dubious reputations—you might find it difficult to get paid.

1 Like

I don’t have an opinion about LastPass because I’ve never used it. I also know nothing about this potential client proposing LastPass to share passwords or their reasons for doing so.

I can’t give you specific advice, but I’ll share a few thoughts.

Maybe it’s a little like Google Drive or Dropbox, where it’s possible to share specific folders (or, in your case, login information) with others who also have an account. I don’t know, though. If they use LastPass for all their passwords, it won’t make sense for them to give you all their LastPass login information, so maybe they’re simply sharing with you what you need to access the website. If that’s the case, it sounds pretty reasonable. I would undoubtedly turn down any notion of a client handing me passwords to things I didn’t need. That could come back to bite you.

Maybe LastPass isn’t the most secure or reliable service. I don’t know. However, I’m sort of with @Hotbutton on this; as long as you’re only using it to access their information, I don’t see any particular risk on your part.

Working with clients is often a matter of give-and-take. Sometimes you need to accommodate their way of doing things, and sometimes they need to accommodate yours. Sometimes you need to draw a line in the sand. For example, a boundary might be not responding to emails after hours or on weekends. Or it might be needing 50% payment up-front before starting a job. Or, in your case, if you’re really antsy about LastPass, maybe you need to insist they send you passwords according to your preferred secure and encrypted method. However, the insistence on using LastPass might also be a boundary for this “potential client” too.

However, the information you’ve supplied doesn’t set off any alarm bells for me. Then again, I don’t know the situation beyond what you’ve written.

It’s blasphemy to say, but I dislike dealing with client issues — it’s my least fun part of the job. I’ve heard other designers say that you’re probably in the wrong line of work if you don’t enjoy working with clients. Perhaps they’re right.

1 Like

Thanks Just-B.

Yes, it would be ALL their info. I was actually considering going along with it, because if they are paying me not to have to deal with the headache of that stuff, and they’re insisting…But, I’d be conditioning them to be irresponsible with their private info. And now that you mention it, I could be potentially responsible if they experienced any problems down the road in regards to other things.

Thanks again.

I told them, No. For your own safety, I can’t accept full access like that.

In regards to clients, I like working with them for the most part. What I dislike is the security aspect, and things like being offered their unnecessary personal info/access, or when they themselves do things like forwarding me unsafe emails and attached unsafe files from randos telling them “I can make your website MORE visible with BETTER performance…” Both we and the clients have to have our heads on swivel in this digital landscape.

I would love to have gotten into this line of work where we carried our resume of work in large portfolio cases, and communication was done in person, phone, or fax.

Again, thanks for the advice. And I hadn’t considered the getting-paid aspect of it.