Securely keep track of multiple passwords on multiple devices.
Whenever I talk about using different passwords to log in to different sites and how it’s important to make sure all those passwords are difficult to guess (and thus hard to remember), many people throw up their hands in frustration.
It’s too much to remember. Too much to keep track of.
Computers are great at remembering things for you. As a result, many popular programs will track your online passwords for you.
LastPass is what I use and recommend.
LastPass password vault
LastPass is an easy-to-use tool that allows you to use more secure passwords across all your accounts by saving them automatically and securely. It fills them in when you need them without your needing to remember anything other than your LastPass master password. It includes many additional features, such as multi-factor authentication, for even more security.
Installing and setting up LastPass
On the desktop, LastPass is primarily a browser add-on or extension. It integrates with your browser to capture log-in credentials to remember for you and automatically fill them in for you later.
When you install LastPass for the first time, you create a LastPass account using your email address and a password.1
Do not forget this password. Quoting LastPass:
“Please remember that LastPass never knows what your LastPass master password is — you are the only person who knows it. If you lose or forget your LastPass.com master password, we cannot recover it for you. So, it is critical that you never forget your LastPass master password.”
Yes, that’s correct, LastPass’s servers never see and do not know your password. I’ll explain more about that in a moment.
Your master password can be quite long, though in practice going beyond 32 characters adds little security. The practical upshot is that a long, easy-to-remember password is more secure than a short, impossible-to-remember one. Think (but do not use) Correct Horse Battery Staple.
These credentials — your email address and master password — are used to access your password vault, where all other account information is stored.
How LastPass learns your passwords
Entering login credentials and password data into your LastPass vault is easy: you don’t. Instead, you sign in to whatever site you want it to remember, and LastPass saves it for you.
For example, you might go to your askleo.com account and sign in. After LastPass sees you’ve signed in, it displays a message asking if you would like to remember this password by adding it to LastPass. Click Add, and you’re done.
As you go about your day signing in to the sites you use, LastPass offers to remember credentials for each. As you click Add each time, LastPass builds the database of everything it’s remembered for you along the way. (It can also import what your browser has previously saved and passwords from other password management tools.)
How LastPass uses what it’s remembered
When you visit the login page for a service listed in your vault, LastPass may2 simply fill it in for you:
Notice the grey LastPass logo at the far-right of the username and password fields (it’s partially on top of the “eye” icon in the password field). I have multiple sign-in credentials for this site, so the number “2” is displayed.
As long as you’re signed in to your LastPass vault, signing in to any remembered site can be as simple as visiting that site and clicking its log-in or sign-in button.
Another option is to start at your LastPass vault. Click the LastPass icon added to your browser’s menu or toolbar.
Hover over one of the items, and it changes to a “Launch” button.
Click the button and LastPass will open a new browser tab, go to that site, and log you in.
All with one click.
Using LastPass for other things
Using password vaults for account credentials makes sense and is a powerful reason to use a tool like LastPass.
The same technology used to fill in sign-in forms can fill in other common forms as well. The result is that LastPass includes what they call Form Fill Profiles.
The most common example is your contact information: your name, address, and phone number. When shopping online, we’re asked for that information frequently. Set up a form fill profile in LastPass and, in many cases, LastPass will offer to fill it in for you.
The same is true with credit card information.
LastPass is all about storing information securely. Much like your login information or your name and address, LastPass form fill profiles can save your credit card information. When you encounter a site that requests your credit card, a couple of clicks later LastPass has filled it in for you.
Which do you consider more secure? Letting multiple shopping sites remember your credit card information or using LastPass to remember it in a single place under your control?
I choose LastPass.
Why LastPass is secure
One common criticism levied against any online service is that because it stores your data, the service itself has access to that data, even if it's encrypted.
Not so with LastPass.
Only encrypted data is sent over the network and only encrypted data is stored on the LastPass servers. And LastPass does not know your password. They couldn’t decrypt your information even if they wanted to.
Your LastPass master password never leaves your machine. All the encryption and decryption happens locally, on your machine, even when visiting the LastPass website to view your vault.
What if you lose your master password? LastPass’s own FAQ covers that scenario. They do offer recovery options (that you need to set up before you need them), but nowhere do they say they can recover or reset your master password for you.
Think of it as encrypting a file using something like 7-zip or TrueCrypt and uploading that. Whoever has the file simply can’t get in because you haven’t given them the password.
What this means is that whatever data you store in LastPass cannot be accessed by LastPass employees. That also means they have no means to turn it over to anyone who asks, either legally or otherwise.
Your data is accessible only on devices you control and only with the master password that you keep secure.3
Why LastPass is more secure
As great as their approach to encryption is, there’s one more feature available with LastPass Premium (well worth it) that sealed the deal for me.
Whenever I log into LastPass, it requests a code provided by the Google Authenticator (or compatible applications) running on my smartphone.
I’ve discussed multi-factor authentication before, but the bottom line is that it’s not enough to know my master password to open up my LastPass vault. I must also prove that I have my second factor — my phone — in my possession by entering the random code that the authenticator app displays. Without both my password and my phone, I can’t get in.4
Besides Google Authenticator, LastPass Premium supports several multi-factor options, including the YubiKey and others.
LastPass free and premium
LastPass is free. You can use it on your PC and Mac or your mobile devices with no restrictions.
LastPass Premium includes additional security options plus the ability to use it on both desktop and mobile devices simultaneously.
LastPass is not without occasional faults or inefficiencies.
The biggest issue I encounter is that occasionally I’ll visit a website where it should fill in my credentials, but it does not. This is a side effect of the complexity of web design, so I cut it some slack. I’ve seen this in other password managers, so I know it’s not unique to LastPass. It’s easy to copy/paste my saved information when this happens.
If you have a large collection of credentials, it can become confusing exactly which login applies to which site. LastPass allows you to edit the description, but it doesn’t require you to. After you’ve used LastPass for a while and have collected a few entries, go back and perhaps clean up the displayed descriptions, and consider using LastPass’s grouping function to help keep track of what’s what.
There are several excellent password-management products out there, but my experience and understanding of how LastPass works leads me to settle on it as my password manager of choice.
Besides the password-saving and form-filling features I’ve noted and the additional security options and platform independence offered by LastPass Premium, LastPass includes additional features. They include secure password sharing, import and export of your data, an optional on-screen keyboard, password-creation tools, and even a security audit that reviews what’s good and bad about your own collection of passwords and login credentials.
If you’re serious about security — and I hope you are — I strongly suggest you use a password vault to relieve you of the burden of keeping track of many different strong passwords. That allows you to actually use many different strong passwords for the various sites on which you have accounts.
My choice is LastPass.
I recommend it.
Footnotes & References
1: Images in this article are examples only, mostly because the interface continues to evolve and may look quite different in different browsers or situations.
2: I have to say “may” because websites are complex, and LastPass (and other password vaults) can’t always figure out all the different ways website designers have crafted their login process.
4: Not strictly true. If I were to lose my phone, I would be able to log in using a one-time password that was set up when I enabled two-factor authentication. Obviously, one-time passwords must themselves be securely stored elsewhere. I happen to have them in a file in Dropbox, secured by BoxCryptor, for safekeeping.