Like most Internet users, I can admit that my online passwords haven’t been as strong as they should have been. I’ve been using a rotation of 6 passwords for the last several years. Some are short, some are longer, some are very secure, some not so much. I knew that having the same half-dozen passwords was a bad plan, but I didn’t have a way to remember more than 100 unique passwords. Like a naïve teenager driving way over the speed limit in their first car, I always figured I was invincible, and nothing bad would ever happen to me.
For the last few months, the tech news reports seem to have a new site every day that’s been hacked and had its user data stolen. With the reality of how easy it is to have your username and password stolen, I knew that I had to start using better passwords. The thought of going through every site I’ve ever signed up for, one at a time, and manually changing my password almost made my head explode – not to think about then having to have a secure way to store and recall all those passwords as needed. Yikes!
I started looking at desktop-based password managers like KeePass, which I was using for a while, but I was never totally happy with it for the same reasons I wasn’t happy with the many password managers I’d tried over the years. Mostly, it seemed like too much work: sign up for a site in the browser, open a different application, copy all the details in and save them, and then, to log in, open the application, find the password, copy it to the browser, and log in. What a pain in the butt! Yes, there are a few plugins for these password managers to integrate them into a browser, but none that I tried were very elegant or user-friendly.
I was talking to a group of friends one day about secure passwords, and one of them mentioned LastPass – a password manager that stored your passwords in the cloud so they were accessible anywhere, integrated right into the browser. It was safe, secure, and best of all…free!
Before I give all of my secure passwords to LastPass, how secure is it? That was my first question, and hopefully yours too.
From the LastPass website:
On Windows, LastPass helps find insecure passwords stored on your computer so you can store them securely in LastPass and remove the easy access by malicious software. LastPass uses SSL exclusively for data transfer even though the vast majority of data you’re sending is already encrypted with 256-bit AES and unusable to both LastPass and any party listening in to the network traffic — the amount of data is trivial so the extra encryption doesn’t hurt. Our policy of never receiving private data that you haven’t already locked down with your LastPass master password (which we never receive and will never ask for) radically reduces attack vectors. We use firewalls and best practices to protect the servers and service, but our best line of defense is simply not having access to data even if someone got in. If LastPass can’t access it, hackers can’t either.
There is a lot of really great technology behind LastPass that makes it secure and easy to use, but I am not going to look “under the hood” in this review. For a great look at LastPass from a security perspective, security expert Steve Gibson of Gibson Research Corporation (GRC) reviewed LastPass on episode 256 of his weekly netcast Security Now. Steve gives a better security rundown than I can.
I was really shocked to hear how insecure the saved passwords in your web browser are, which made me thankful to move to LastPass.
Getting started with LastPass is so simple. Go to the LastPass website, and download the LastPass application for your operating system. During the install and setup process, you’ll create a free LastPass account, and then LastPass will find all the web browsers on your computer and install the LastPass plugin for each of them. Then, LastPass gives you the option to import all the passwords you already have saved in your browsers, which is a really great feature to get you started, since for most people that’s where your passwords are already stored (if you use another password manager, you’ll be able to import from that too). After importing your passwords from the browser, you are given the option to then remove the passwords from your browser if you wish (which I’d suggest), as well as disable the browser’s built-in (and insecure) password manager, so you can use LastPass exclusively (if you want the browser to manage your passwords again, you should easily be able to turn it back on in the future through the browser’s settings menu).
Using LastPass is easy. It integrates almost seamlessly into your web browser and does all the work of looking up passwords for you. I am going to run through a few of the basic functions of LastPass, but for a full video library showing how to use the application, check out the official LastPass Screencasts.
Entering Your Password
Once you’ve got LastPass all set up, it’s so easy to use. In most modern browsers (Internet Explorer, Firefox, Chrome and Safari), you’ll get a red LastPass icon added to your browser window – usually next to the address bar. When you visit a site that you have saved login info for, LastPass will automatically fill in your username and password, waiting for you to push “Submit”, and you can even set LastPass to automatically log you into some sites if you want. When more than one login is detected for a site (multiple Gmail addresses perhaps), LastPass gives you a list of accounts it knows about. Click on one, and it will populate that info into the login form.
Saving a Password
When you sign up for a new site, LastPass will generate a new secure password for you if you want (more on this later), and once the sign up is complete, with a simple button click you can have LastPass store your login info. It couldn’t be any easier.
Generating Secure Passwords
Besides just logging in and saving new sites, LastPass can also generate a new, secure password for you when you need one. Whether for a website or an offline application, I use the built-in password generator to give me secure passwords on the fly. It’s as easy as using the keyboard shortcut ALT + G, and LastPass will show you a random password.
You have a lot of options you can play with if you want to, such as password size, the number of digits you want in your password, whether you want special characters included, and whether LastPass should use ambiguous characters. This helps you create the type of password you want, and you can still easily change it on the fly for those stubborn sites that don’t allow special characters.
As much as you may be tempted to generate crazy 64 character passwords with 20 numbers, just remember that one day you may have to manually enter these passwords, so stick with a password schema you could enter if you needed to.
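To show what those generator options actually do under the hood, here is an added example (my own illustration, not LastPass code) of a generator built on the operating system's cryptographic random source that honours the same knobs: total length, a guaranteed number of digits, an optional special-character set, and exclusion of look-alike characters. The character sets, option names and the 16-character default are assumptions; the entropy function also backs up the point above that a moderate length from a full pool is already very strong.

```python
import math
import secrets
import string

# Assumed character classes (LastPass's exact sets are not published on the page).
LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIALS = "!#$%&*+-=?@^_"
# "Ambiguous" characters are look-alikes that are easy to misread or mistype
# when a password has to be entered by hand (0/O, 1/l/I, and similar).
AMBIGUOUS = set("0O1lI|`'\"")


def build_pool(special=True, allow_ambiguous=False):
    """Character pool for the chosen options; ambiguous characters removed if requested."""
    pool = LETTERS + DIGITS + (SPECIALS if special else "")
    if not allow_ambiguous:
        pool = "".join(c for c in pool if c not in AMBIGUOUS)
    return pool


def generate_password(length=16, min_digits=2, special=True, allow_ambiguous=False):
    """Return a random password with at least `min_digits` digits, drawn with a CSPRNG."""
    if min_digits > length:
        raise ValueError("min_digits cannot exceed length")
    pool = build_pool(special, allow_ambiguous)
    digits = "".join(c for c in DIGITS if allow_ambiguous or c not in AMBIGUOUS)
    # Fill the digit quota first, then the remainder from the full pool.
    chars = [secrets.choice(digits) for _ in range(min_digits)]
    chars += [secrets.choice(pool) for _ in range(length - min_digits)]
    # Fisher-Yates shuffle driven by the CSPRNG so the quota digits are not clustered.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length=16, special=True, allow_ambiguous=False):
    """Upper-bound entropy in bits: length * log2(pool size), ignoring the digit quota."""
    return length * math.log2(len(build_pool(special, allow_ambiguous)))


def check_policy(pw, length, min_digits, special, allow_ambiguous):
    """Verify that a password satisfies the options it was generated with."""
    if len(pw) != length or sum(c.isdigit() for c in pw) < min_digits:
        return False
    if not special and any(c in SPECIALS for c in pw):
        return False
    if not allow_ambiguous and any(c in AMBIGUOUS for c in pw):
        return False
    return True
```

Running `entropy_bits()` for the 16-character default gives roughly 98 bits, which is why a 64-character password with 20 digits buys little beyond the pain of typing it.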
Along with your passwords, LastPass will let you store secure notes. These are essentially plain text files that have all the same encryption and benefits of LastPass. These can be great places to store credit card info, passwords for offline access, the code for your home security system, the location of a hidden key at your Mom’s house, or anything else you may want to keep secure.
My biggest worry was that once I put all my passwords into LastPass, I wouldn’t have easy access to my passwords when I was offline, or not able/not trusting the computer I am on to access the LastPass site on my account.
If you buy the premium version of LastPass ($12 a year), you get access to a free mobile app. It is available for all major mobile platforms.
I am running the Android version of the app. What you get is a LastPass application that gives you access to all your passwords, and a built-in web browser, so you can automatically be redirected to your website.
I don’t use the LastPass app’s built-in browser. I just use it as a password lookup tool mostly. Dolphin HD is my browser of choice, and it has a great plugin that implements LastPass right into that browser.
On Android, LastPass also gives you a special keyboard. It is the stock Android keyboard with a special LastPass button on it; if you’re online and press that button, LastPass will do its thing and fill in your login info for you.
Tip: I don’t use this keyboard by default as I am not a big fan of Android’s keyboard. If you want to use this keyboard to enter a password, long press on the text box, and Android will let you select an input method. Select the LastPass keyboard, use the LastPass feature, then go back to your preferred keyboard.
I love LastPass! LastPass has made me a lot more secure online as I am now using strong, unique passwords for most of my sites (and working to transition over the ones that aren’t). With all of the hacking and stolen data we’ve heard about as of late from Sony and others, having a secure password is important now more than ever.
Once you move to LastPass, you will want to go back to all of the sites you’re using, and start changing your passwords to something more secure. Start with the sites that use duplicate passwords. LastPass comes with the LastPass Security Check that shows you which sites use duplicates, and how secure they are. This is a great place to get started.
If you really love LastPass, I’d urge you to pay the $12 annually for a premium account. That’s only a buck a month! With the paid plan you’ll get access to the mobile apps so you can take your passwords anywhere.
Before LastPass, I was never a fan of password managers, and now I can’t live without one. If you’re not using LastPass, why not?
Let me know what you think of LastPass. I’d love to hear your thoughts, experiences and feedback.