Securely keep track of multiple passwords on multiple devices.
Whenever I talk about using different passwords to log in to different sites and how it’s important to make sure all those passwords are difficult to guess (and thus hard to remember), many people throw up their hands in frustration.
It’s too much to remember. Too much to keep track of.
Computers are great at remembering things for you. As a result, many popular programs will track your online passwords for you.
LastPass is what I use and recommend.
LastPass password vault
LastPass is an easy-to-use tool that allows you to use more secure passwords across all your accounts by saving them automatically and securely. It fills them in when you need them without your needing to remember anything other than your LastPass master password. It includes many additional features, such as multi-factor authentication, for even more security.
Installing and setting up LastPass
On the desktop, LastPass is primarily a browser add-on or extension. It integrates with your browser to capture log-in credentials to remember for you and automatically fill them in for you later.
When you install LastPass for the first time, you create a LastPass account using your email address and a password.[1]
Do not forget this password. Quoting LastPass:
“Please remember that LastPass never knows what your LastPass master password is — you are the only person who knows it. If you lose or forget your LastPass.com master password, we cannot recover it for you. So, it is critical that you never forget your LastPass master password.”
Yes, that’s correct: LastPass’s servers never see your master password and therefore do not know it. I’ll explain more about that in a moment.
Your master password can be quite long, though in practice length beyond 32 characters adds little security. The practical upshot is that a long, easy-to-remember password is more secure than a short, impossible-to-remember one. Think (but do not use) Correct Horse Battery Staple.
These credentials — your email address and master password — are used to access your password vault, where all other account information is stored.
How LastPass learns your passwords
Entering login credentials and password data into your LastPass vault is easy: you don’t. Instead, you sign in to whatever site you want it to remember, and LastPass saves it for you.
For example, you might go to your askleo.com account and sign in. After LastPass sees you’ve signed in, it displays a message asking if you would like to remember this password by adding it to LastPass. Click Add, and you’re done.
As you go about your day signing in to the sites you use, LastPass offers to remember credentials for each. As you click Add each time, LastPass builds the database of everything it’s remembered for you along the way. (It can also import what your browser has previously saved and passwords from other password management tools.)
How LastPass uses what it’s remembered
When you visit the login page for a service listed in your vault, LastPass may[2] simply fill it in for you:
Notice the grey LastPass logo at the far-right of the username and password fields (it’s partially on top of the “eye” icon in the password field). I have multiple sign-in credentials for this site, so the number “2” is displayed.
As long as you’re signed in to your LastPass vault, signing in to any remembered site can be as simple as visiting that site and clicking its log-in or sign-in button.
Another option is to start at your LastPass vault. Click the LastPass icon added to your browser’s menu or toolbar.
Hover over one of the items, and it changes to a “Launch” button.
Click the button and LastPass will open a new browser tab, go to that site, and log you in.
All with one click.
Using LastPass for other things
Using password vaults for account credentials makes sense and is a powerful reason to use a tool like LastPass.
The same technology used to fill in sign-in forms can fill in other common forms as well. The result is that LastPass includes what they call Form Fill Profiles.
The most common example is your contact information: your name, address, and phone number. When shopping online, we’re asked for that information frequently. Set up a form fill profile in LastPass and, in many cases, LastPass will offer to fill it in for you.
The same is true with credit card information.
LastPass is all about storing information securely. Much like your login information or your name and address, LastPass form fill profiles can save your credit card information. When you encounter a site that requests your credit card, a couple of clicks later LastPass has filled it in for you.
Which do you consider more secure? Letting multiple shopping sites remember your credit card information or using LastPass to remember it in a single place under your control?
I choose LastPass.
Why LastPass is secure
One common criticism levied against any online service is that because they store your data, the service itself has access to the data, even if they encrypt it.
Not so with LastPass.
Only encrypted data is sent over the network, and only encrypted data is stored on the LastPass servers. Because LastPass does not know your master password, they couldn’t decrypt your information even if they wanted to.
Your LastPass master password never leaves your machine. All the encryption and decryption happens locally, on your machine, even when visiting the LastPass website to view your vault.
What if you lose your master password? LastPass’s own FAQ covers that scenario. They do offer recovery options (that you need to set up before you need them), but nowhere do they say they can recover or reset your master password for you.
Think of it as encrypting a file using something like 7-zip or TrueCrypt and uploading that. Whoever has the file simply can’t get in because you haven’t given them the password.
What this means is that whatever data you store in LastPass cannot be accessed by LastPass employees. That also means they have no means to turn it over to anyone who asks, either legally or otherwise.
Your data is accessible only on devices you control and only with the master password that you keep secure.[3]
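The model the preceding paragraphs describe, as an added example that is not LastPass’s code: a small Python simulation in which the client stretches the master password into a vault key, sends the server only a further one-way hash of that key to sign in, and uploads only ciphertext. The round counts, the use of the email address as salt, the HMAC-based stand-in cipher (chosen so the example needs nothing beyond the standard library), and all function names are assumptions of this example; LastPass’s actual parameters are documented by the vendor and discussed in the Security Now episode cited in the footnotes.

```python
import hashlib
import hmac
import secrets
import struct

# Illustrative parameters; assumptions for this example, not LastPass's actual settings.
CLIENT_ROUNDS = 100_000   # PBKDF2 rounds the client spends stretching the master password
SERVER_ROUNDS = 10_000    # extra rounds the server applies to the login hash it receives


def vault_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into the 32-byte key that encrypts the vault.
    The lower-cased email address is the salt here (an assumption for the example)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def login_hash(key: bytes, master_password: str) -> bytes:
    """Client side: one further one-way round over the key gives the value sent to the server.
    The server can check it, but cannot run it backwards to recover the key."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a standard-library stand-in for a real cipher such as AES-GCM."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate sub-keys: nonce || ciphertext || tag over both."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the blob was tampered with."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """Everything the service ever holds: a salted hash of the login hash plus opaque ciphertext."""

    def __init__(self):
        self.records = {}

    def store(self, email: str, lh: bytes, blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", lh, salt, SERVER_ROUNDS)
        self.records[email] = {"salt": salt, "verifier": verifier, "blob": blob}

    def fetch(self, email: str, lh: bytes):
        """Hand the ciphertext only to a client presenting the right login hash."""
        rec = self.records.get(email)
        if rec is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", lh, rec["salt"], SERVER_ROUNDS)
        return rec["blob"] if hmac.compare_digest(check, rec["verifier"]) else None


def round_trip(master_password: str, wrong_password: str) -> dict:
    """Sign-up, a normal sign-in, and the failure cases the article describes."""
    email = "user@example.com"                                            # constructed
    vault = b'{"askleo.com": {"user": "leo", "pass": "example-only"}}'   # constructed
    key = vault_key(master_password, email)
    server = VaultServer()
    server.store(email, login_hash(key, master_password), encrypt_vault(key, vault))

    # Normal sign-in: the client re-derives the key locally; the server returns only ciphertext.
    blob = server.fetch(email, login_hash(key, master_password))
    recovered = decrypt_vault(key, blob)

    # Forgotten or mistyped master password: the server refuses, and even with the blob in hand
    # the wrong key decrypts nothing. Nothing the server holds can restore the password.
    wrong_key = vault_key(wrong_password, email)
    refused = server.fetch(email, login_hash(wrong_key, wrong_password)) is None
    undecryptable = decrypt_vault(wrong_key, blob) is None

    return {"recovered": recovered == vault, "refused": refused, "undecryptable": undecryptable}


if __name__ == "__main__":
    print(round_trip("correct horse battery staple", "correct horse battery stapler"))
```

round_trip() exercises the three outcomes the article describes: a normal sign-in, a refused sign-in with the wrong master password, and the fact that the ciphertext is useless without the locally derived key. The caveat a practitioner should keep in mind is that everything the server stores can be copied, and a copy lets its holder test master-password guesses offline at the cost of the client-side stretching per guess; that is why the length advice earlier in the article matters more than any feature of the service itself.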
Why LastPass is more secure
As great as their approach to encryption is, there’s one more feature available with LastPass Premium (well worth it) that sealed the deal for me.
Whenever I log into LastPass, it requests a code provided by the Google Authenticator (or compatible applications) running on my smartphone.
I’ve discussed multi-factor authentication before, but the bottom line is that it’s not enough to know my master password to open up my LastPass vault. I must also prove that I have my second factor — my phone — in my possession by entering the random code that the authenticator app displays. Without both my password and my phone, I can’t get in.[4]
Besides Google Authenticator, LastPass Premium supports several multi-factor options, including the YubiKey and others.
LastPass free and premium
LastPass is free. You can use it on your PC and Mac or your mobile devices with no restrictions.
LastPass Premium includes additional security options plus the ability to use it on both desktop and mobile devices simultaneously.
LastPass hiccups
LastPass is not without occasional faults or inefficiencies.
The biggest issue I encounter is that occasionally I’ll visit a website where it should fill in my credentials, but it does not. This is a side effect of the complexity of web design, so I cut it some slack. I’ve seen this in other password managers, so I know it’s not unique to LastPass. It’s easy to copy/paste my saved information when this happens.
If you have a large collection of credentials, it can become confusing exactly which login applies to what site. LastPass allows you to edit the description, but it doesn’t require you to. After you’ve used LastPass for a while and have collected a few entries, go back and perhaps clean up the displayed descriptions, and consider using LastPass’ grouping function to help keep track of what’s what.
Using LastPass
There are several excellent password-management products out there, but my experience and understanding of how LastPass works leads me to settle on it as my password manager of choice.
Besides the password-saving and form-filling features I’ve noted and the additional security options and platform independence offered by LastPass Premium, LastPass includes additional features. They include secure password sharing, import and export of your data, an optional on-screen keyboard, password-creation tools, and even a security audit that reviews what’s good and bad about your own collection of passwords and login credentials.
If you’re serious about security — and I hope you are — I strongly suggest you use a password vault to relieve you of the burden of keeping track of many different strong passwords. That allows you to actually use many different strong passwords for the various sites on which you have accounts.
My choice is LastPass.
I recommend it.
Footnotes & References
[1] Images in this article are examples only, mostly because the interface continues to evolve and may look quite different in different browsers or situations.
[2] I have to say “may” because websites are complex, and LastPass (and other password vaults) can’t always figure out all the different ways website designers have crafted their login process.
[3] For a more detailed investigation of LastPass’s security model, read (or listen to) Security Now #256. About halfway down, Steve Gibson reviews LastPass’s approach to security.
[4] Not strictly true. If I were to lose my phone, I would be able to log in using a one-time password that was set up when I enabled two-factor authentication. Obviously, one-time passwords must themselves be securely stored elsewhere. I happen to have them in a file in Dropbox, secured by BoxCryptor, for safekeeping.
Leo, excellent article as usual, and I am seriously considering using LastPass; I just have one question. If I use two-factor authentication and get my phone stolen, what happens then?
Maybe a daft question, but it has happened to me before and it was traumatic enough just dealing with the lost contact details etc!
28-Aug-2012
Leo, although this really ought to be very obvious, it can’t hurt to add — don’t store your one-time passwords on your phone!
Like, “Duh!” :)
Store them on your desktop computer (encrypted, hopefully) or print them out and store the paper in the lockbox under your bed. :)
The main idea here is to keep the one-time passwords somewhere other than your phone, so that if the phone gets lost or stolen, the one-time passwords won’t be lost or stolen along with it. (!)
(I really do prefer to think that anyone intelligent enough to be reading Ask Leo! isn’t going to do anything so stupid… but hey, one never knows, and everyone makes a colossal blunder every once in two or three blue moons.) :)
What I do will probably scare some folks, but I’ve thought it through, trust me.
I keep my one-time codes in the cloud. (!) Specifically in one of the Dropbox/OneDrive/GoogleDrive-like services, encrypted by BoxCryptor. That way they’re still quite securely stored, and available across all my machines.
Leo – give Cryptomator a look. Open source and easier to use than Boxcryptor. Good free support from their forum too.
I used it for some time a few years ago. It had problems at that time, so I switched.
I switched from BoxCryptor to Cryptomator on Leo’s recommendation when BoxCryptor free got too weird. I’m still using it and have had no problems.
I would strongly recommend people give Bitwarden a look before committing to Lastpass, which has had some breaches and other glitches over the years. I used Roboform for (too many) years before I did a critical deep-dive into password managers. This is the one I found to be the best. I have no connection to Bitwarden and receive no compensation from them.
LastPass data has never been breached.
Hi Another very good article. I have used Lastpass for some time now and find it very good.
However I have a little question !!!
It works for me perfectly on all Windows apps. But how about all the other programs that also require a password?? Will name just one, which is Skype!!! As a granddad with family around the globe this is very important to me, and Lastpass does not save the password (at least not the free version). At the moment Skype and other passwords I just save in Secure Notes, so I suppose no real problem.
Even so I would like your opinion on the matter.
Ta in advance
28-Aug-2012
I currently use the free version of LastPass here too. Look on the left margin and you will see a variety of ‘folders’ named Password, Notes, etc. If you click the Plus (+) icon near the bottom-right of the window, you can add a new item to securely store whatever information you want/need to keep safely, and you can save it under any of the already-established folders, or you can create a new folder with a name that makes sense to you. Even though these items will not automatically fill in your username and password in the Skype app, you can fairly easily access your username and password using LastPass. I keep a variety of information on LastPass because it is encrypted on my computer before it is sent over the Internet to my vault.
Even though LastPass free has served me well over the years, and offers an incredible assortment of useful features, I am considering upgrading to the Premium version for some of the extra features it offers, such as those found in the Security Dashboard.
I hope this helps,
Ernie
O.K., I took the plunge and purchased the premium version of LastPass. It has a few features, not available in the free version, that make it well worth the price – In the Security Dashboard, I can see which launchers have ‘weak’ passwords so I can change them, and I can see any duplicated passwords. I had a few launchers for the likes of Microsoft and Google where one launcher went to my email, and a second launcher went to account settings. I removed the email launchers because I don’t use them anyway. Another great feature is that I can enable ‘Dark web monitoring’, then when/if any of my email account passwords appear to have been breached, I’ll be notified. To my way of thinking, anything I can do to reduce the likelihood of becoming a victim of crackers (black-hat hackers) is something I want to do :)
The trouble with Google two factor authentication is it assumes we all have mobile phones. I don’t leave my home very often, there is no mobile signal where I live, and although I do still have a mobile at the moment the day may come when I ditch it. A landline phone doesn’t seem to be acceptable to Google.
28-Aug-2012
Indeed, Michael, almost all typical Authenticator Apps — there are many out there — have this same basic setup:
1. Go to the site where you want to establish a two-factor login, and follow whatever process is needed to begin doing that.
2. At some point, you’ll be asked to specify which Authenticator App you’re using. Different Apps use different mathematical algorithms to generate a two-factor, so the site needs to know which App you’re using.
3. Next, the website generates a special key — a text string of randomly-generated characters. Copy it to your clipboard.
4. Now go to your Authenticator App and select the option to create credentials for a new site. You’ll be prompted for the site’s key.
5. Paste in the key you copied in Step 3.
6. Bam! You will see a new site listed in your Authenticator App, with a new login factor created every thirty seconds. This is what you copy and paste when that site asks for your two-factor ID.
NOTICE the security here: The Authenticator App generates a new Login Factor mathematically and locally, based upon the initial key which the site randomly generated and supplied to you. Once set up, the generation of the two-factor takes place entirely within the App itself — no connectivity required to generate the two-factor at all. :)
Usually, two-factors are time-based — the mathematics used to generate the two-factor incorporate the current time, to the nearest 30 seconds, into the process.
The site you’re logging into knows (because you told it which App you’re using) which algorithm is being used to generate the two-factor; it also knows what initial key it sent you, and the correct current time. From this, it does exactly what your own App does: it generates a two-factor. If it matches the one you send them, it knows that “you are you,” since only YOU have the correct initial key. Neat, huh? :)
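The enrolment and code generation the comment above walks through, as an added example that is not part of the page or of any vendor’s code. In practice nearly all authenticator apps implement the same open standards, HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), so what the site needs is the shared secret and a clock rather than a per-app algorithm. The function names here are my own; the secret and the expected codes are the test vectors published in those RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_setup_key(setup_key: str) -> bytes:
    """Turn the text key a site shows at enrolment (Base32, often in spaced groups) into raw bytes."""
    cleaned = setup_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore the padding sites usually strip
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of whole time steps since the Unix epoch.
    This is everything the app does: secret plus clock, no network."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Site side: recompute from the same secret and accept the current step or its neighbours
    (clock drift). Compare in constant time and do not stop early, so timing reveals nothing."""
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    counter = unix_time // step
    accepted = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        accepted |= hmac.compare_digest(hotp(secret, counter + drift, digits), submitted)
    return accepted


def current_code(setup_key: str) -> str:
    """What the authenticator app would display right now for this enrolment key."""
    return totp(decode_setup_key(setup_key), int(time.time()))


# The RFC test secret ("12345678901234567890") as the Base32 string a site would display. Constructed
# for the example; never reuse a published secret for a real enrolment.
DEMO_SETUP_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    secret = decode_setup_key(DEMO_SETUP_KEY)
    # Both sides agree on the code for a known instant: RFC 6238 lists 94287082 for T=59, 8 digits.
    print("app shows:", totp(secret, 59, digits=8))
    print("site accepts:", verify_totp(secret, "94287082", 59, digits=8))
    print("live 6-digit code:", current_code(DEMO_SETUP_KEY))
```

verify_totp accepts one step either side of the current one to tolerate clock drift between the phone and the site. Widening that window multiplies the number of codes a guess could match, so a site should keep it small and rate-limit failed attempts; a six-digit code is only a million possibilities without that limit.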
Is there a provision that allows you to access your passwords if you are using a public or friend’s computer? tks
28-Aug-2012
About the problem you mentioned (re-visiting a site and it does not fill), I realized that the first time we save a site in LastPass, it may save the googly garbagy loooong link (like https://mega.utor.com/ghdt/hdhdyhsgs_hddybdgddyy?jhdudhduhdloging.aspxhdjkhd8373664883) and then when we re-visit the site, that is not the link we visit again!!
When I save a site in LastPass I always delete all those extras from the link (and even the S from https://) and make the link as simple as possible (like http://mega.utor.com/ or http://utor.com/); then it covers all subsidiary links and subdomains that site may produce when I visit every time.
As a cautionary note, the ‘s’ in https causes your web browser to create a secure connection with the website the URL is taking you to. Shortening the link from the right end makes sense (I do this myself), but removing the s in https is a bad idea because when you use the LastPass launcher to connect to the website, you are creating an unencrypted connection to the site.
Just so you know,
Ernie
Hi Leo,
I signed up for LastPass a few days ago based on recommendations I read from you and on Lifehacker, and I really think it’s great.
I have a question that I can’t resolve on my own: If I’m on somebody else’s (or a public) computer, how do you advise accessing my passwords for things like email, since I don’t have them memorized anymore? Is it risky to log in to LastPass (using their onscreen keyboard to avoid keyloggers) and use the online vault to access my passwords? I assume I’d have to do a copy/paste of my email password and then overwrite the clipboard afterward. Any thoughts?
Thanks for a really excellent website!
Brad
31-Aug-2012
I have been using LastPass for about 6 months and really like it. I used to use Password safe before. The only problem I’ve had is when a web site wants me to change my password. LastPass will generate a new one but since I don’t see the passwords I am not sure which is new password and the old. I end up having to call the site to reset my password because I can’t get it.
31-Aug-2012
Good enough for me.
Recommendations and fixes I get from LN are always spot on
I got Lastpass after you recommended it ages ago. Most of my friends now use it. Those that don’t usually have to get their mother to tie their shoelaces. I can’t understand anyone not using it. Great for travelling. I have over 80 passwords and get Lastpass to generate passwords for me usually a mix of characters generally 18 to 20 in length. Keep up the good work Leo.
Read article, read security article on spinrite’s site, and downloaded it.
it SEEMS very neat.
HOWEVER, could you PLEASE address this problem – on EXPORT to CSV file, i CANNOT export the custom form fields that I create or that LastPass creates.
to me, this is the biggest bummer there is.
EXPORT exports the first page of data for a LIST item, but does NOT EXPORT the 2nd page of a list entry, the custom form fields.
can you or other users address this, and provide feedback?
thanks
31-Aug-2012
downloaded it, and trying it.
(I posted comment last evening, but not sure if it got lost, not showing up)
ONE BIG DEFICIENCY – inability to export custom fields.
if you create a site, and fill in just the normal site field values – those can be exported to a CSV file.
BUT, if you capture a site, and it creates custom fields, those values or fields are NOT exported to CSV, AND they are NOT exported to even the encrypted file that LastPass Pocket uses.
So, you are captive to using the browser format, and if for what ever reason they go defunct or you don’t like that program and decide to change, you can’t get custom data out of the database.
I LIKE the design of the program, but I HATE it (and hate OTHER programs) when you can’t do a simple export of all the data within the database.
any other feedback from others, if I’m doing something wrong and not understanding how to export (spent 8 hours on machine last evening researching this, forums, Google search, etc…) please let me know
thanks
nick
Nick – check out Bitwarden – super easy to export all your data as csv or json file. Also free and open source.
I have several Twitter accounts and found that LastPass would not always populate the login fields.
After reviewing the LastPass records in my vault, I found that changing the URL protocol from https to http fixed the problem.
I still have a few sites that won’t auto-fill (e.g. Magnatune), and have to resort to copy and paste via the LastPass drop-down.
I have used LastPass for a few years now and find it very useful.
It struggles with my UK bank websites, which all require multi-level logins. They need an identifier and password on a first screen, then 2 random dropdown digits from a 4-digit PIN, then a random piece of personal information from a range of 6 items. LastPass can cope with the first screen, not a chance for the second and a bit of a fiddle for the third data.
I have just bought an Android smartphone and tried LastPass on that. It is not integrated into the browser, but comes as a separate app. That cannot cope with the above scenario.
So, in summary, LastPass is great when it works, but is not a solution to all approaches to my bank websites. So I have to use passwords that I can remember myself – a great pity.
Leo, you did not mention that LastPass also stores its database locally, so that it can be used offline to access any other information you may have stored there – e.g. telephone banking passwords.
If it’s ‘on your machine’, then what happens if you get a new computer, or if your current machine fails/is stolen etc? Can you access LastPass from a cloud off the web?
Leo;
Thanks for the fine work you share.
Could you give some of your thoughts on Password Safe?
Again thanks.
David
@Z Berkeley
Yes, LastPass stores a copy of your passwords on their servers (the Cloud). Because of that I can use it to sync my passwords on all of my computers and my smart phone. Since it’s on the LastPass server, you can open it using your email password combination. Therefore, it’s essential to have a long strong master password for LastPass.
I tried LastPass and liked it enough to pay for the Premium upgrade. While I agree there are some limitations, I wouldn’t be without it now.
Also, Leo, you referenced Steve Gibson in your column. That episode was what led me to try the program. I actually subscribe to Security Now and find it an equally good source of info like yours, Leo.
If you haven’t already seen it, I highly recommend you get episode #366, The Death of Clever.
He talks about passwords and hackers, I found this episode quite alarming!
I have been using Norton 360 for years which does about the same thing (for passwords) as Last Pass. Or not?
Hi, Leo
I wanted to ask a follow-up question of sorts to an answer you gave another commenter re: two-step authentication with LP. My question is not about that but about one-time passwords that you referred to….
Isn’t there a sense in which OTPs can somewhat defeat the purpose? I mean, for my email accounts — and certainly for my LP account — I want to have good, long passwords so that the accounts will not be compromised by guessing or hacking my password. As it is, my LP account should be fairly secure with the long password I have for it, since any would-be hacker must guess or crack the ONE valid password I have out of however many millions/billions of possible combinations.
But if at any time I enable the use of OTPs (for LP or any of my email accounts), doesn’t that in a way give the hackers a larger bull’s-eye? If I’ve got a list of 50-100 OTPs, that might, indeed, make it easier for ME to login once-and-only-once at a library computer or somewhere. But as long as those OTPs are valid, it’s also providing more targets for hackers, no?
So, in general, and specifically for the security of a password manager, would you say it’s wise to keep one’s list of valid OTPs way down, like at least in the single digits?
Or am I misunderstanding something about OTPs in all this security business?
Thanks! :-)
I use Lastpass and have over 270 sites stored, and I only have 2 OTPs activated. Why would you need any more? When used, just generate a couple more, but keep them safe.
@Scott
The one time passwords usually work in conjunction with a normal password. It is a form of 2 factor authentication. Factor 1 is your user password. Factor 2 is the one time password which can be on a list, sent to your phone or generated by a onetime password calculator. In most cases, your user password can be as long as you want it to be. 2 factor authentication.
I had an issue with a banking login site one time, and I e-mailed Lastpass about it. I was answered pronto, that it would be fixed with the next update, and it was. Great service for free.
Thanks for article and link to Steve Gibson podcast. I’m sold on the security regarding Lastpass not being able to decrypt my passwords and the 2 factor auth. But, how about the database file of passwords that’s created and stored locally on my PC? If stolen PC or if there’s malware, how easily can a good hacker break into my Lastpass database file on my hard drive?
@Larry
The same encryption is used on the passwords stored on your hard drive
Quick question regarding password strength. In the article you refer to the xkcd site which suggests an 11 character randomly generated password (such that LastPass might generate for a website) was weaker than the four word phrase using common words. Based on that should we not use the Lastpass auto generator for passwords and instead create our own pass phrases or are we ok so long as we set “minimum characters” to 12 (or more) and let it auto generate?
18-Apr-2013
Hi, Leo – truly appreciated your article reviewing LastPass; had a couple of questions: (1) Does LastPass work with Internet Explorer in its “InPrivate Browsing” mode? (asking about this because, in my experience, Norton Security Suite / Norton 360 doesn’t and neither does Comcast/Xfinity Constant Guard); and (2) Does the “Multifactor Authentication” available with LastPass Premium work with an older plain vanilla cellphone that can receive SMS and Text messages, or does it require the more sophisticated ‘Smart’ phones with either Android or Apple op. systems?
I’ve tried to use LastPass with InPrivateBrowsing in IE and it doesn’t seem to work.
The second part of your question is unclear. You should be able to use any cell phone to receive the text message containing the one time password, but you can’t use LastPass on that phone as it is incapable of accessing the Internet.
Mark, thanks for the clarification on my 2nd question; I may opt to use the multifactor authentication with my old tech cellphone for some of my banking and investment websites. ___ Incidentally, a number of these sites have already employed a type of two-factor authentication whenever I try to access them with a computer they did not recognize (where I can usually opt to have a Text message sent to my cellphone with a 5 digit ‘code’ or an email with same or, in some cases, to receive a phone call which probably would have a pre-recorded message with the code to use). It’s interesting, though, when this happens repeatedly with some of those websites, because I’ve cleared my Cookies… and, apparently, in not finding the expected cookie, the bank’s website assumed I was trying to gain access with a new or different computer.
Not sure about IE (see Mark’s comments about not getting it to work there, though), but I use it in Chrome’s equivalent Incognito all the time.
Lastpass’s two-factor options are here: https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/ – I’m not seeing straight text-messaging as an option, which implies smartphone – or some other kind of device – may be needed. There are hints of SMS support through other applications but I haven’t been able to nail it down in a quick search.
Am I correct in understanding that as long as my computer is on and I’ve logged into LastPass with my master password, any site I visit will be auto logged in without any further intervention from me?
On my main laptop I have all my browsers set NOT to remember anything, which means that on every site I visit I MUST enter a password to get in. It appears to me that anyone else going to my computer could get into my sites simply because LastPass will auto fill my user name and password without any further prompting.
Is there a way to set LastPass to ask for the master password for every site I visit? Or do I need to resolve that by signing out of LastPass every time I move away from the computer?
You can easily set LastPass to require the LastPass master password every time you to want to log on to a website. This can be done on a website by website basis. For example, I have LastPass ask me for my master password for my bank and other financial logons.
Last pass can be configured to auto-login on a site-by-site basis – or not. It can also be configured to request the master password on a site-by-site basis – or not.
Thanks to both of you. I see you’ve now addressed this in your newest article dated April 4th published in newsletter of April 8th. My password list is getting longer and I need to stop using my Excel sheet with semi-coded passwords, but I know you’ve said “If your computer is not physically secure, it’s not secure”, so I don’t want to make it easier for anyone who tries to exploit an insecure moment.
If you are in a situation where someone might be able to use your open LastPass to log into your websites, you can also set LastPass to require the master password for all of your logins. It’s more work as you have to type in the password for every login, but it’s the same master password every time, so you get quite quick at typing it in each time.
Which can be an issue for some, like me, as I age I get more and more fat finger syndrome. Maybe at some stage I’ll have to use 2 fingers, or maybe only 1 finger typing for the master password.
If your computer is at home, you might not find it necessary to enter the password each time. I just mentioned that in response to the question of what to do if a computer can be used by someone else while you are logged on. I only use that in cases of sensitive accounts.
I use KeePass (http://keepass.info) – free, open-source, also supports 2-factor authentication, and you can get it for your mobile device. There are two versions – one you can install, and a portable one (my preference). I couldn’t even begin to go over all the features – I’ve never used LastPass though I’ve heard good things about it, too – you probably wouldn’t really go wrong with either one, but I couldn’t recommend more highly that a person consider KeePass. (And no, I’m not affiliated in any way – I just love it and recommend it to everyone I can.)
Same here. I use Keepass, I understand it enough for my needs, plus it does have heaps of advanced options that I don’t even pretend I might know what they are.
But, it works for me. Last Pass I found very confusing, but that was about 5 years ago. Read about Keepass, tried it and Yeeeee hawwww, works for me.
Yes, I have lost my mpw; however, LP auto-logs in, so it does have the correct mpw. Is there then a way I could view it? When I use a second browser, LP wants the mpw and does not auto-login. That is also true when I go to the Chromebook. And when I think I have got it right and get “invalid pw”, I don’t know which is invalid, the site’s or LP’s master.
Am I just stuck and need the drastic reset? Thanks always.
If you lose your LastPass Master Password (I assume that’s what you mean by mpw) then there is no way to recover it. You’ll need to start over. This is documented on the LastPass site, and is a side-effect of their security measures – even they don’t know your password.
You can go to LastPass.com and click “Sign in”, then click “Click here if you forgot your password”. Enter the email address you use to log into LastPass and click “Email hint”. The password hint you entered when you set up LastPass will be mailed to you. This might jog your memory. If that doesn’t work, right underneath the Email hint there is a link: “* Note: if your hint doesn’t help you, you still may be able to use Account Recovery”. Try clicking on the Account Recovery link and further instructions will be sent to your email address. I’ve never tried this, but I imagine it should work in most cases.
Really good article. I personally really like Dashlane; it seems a bit more user-friendly than those you describe.
What prevents someone accessing your computer from being logged into your sites automatically by LastPass?
I think I will encrypt my password list and keep it on a USB stick so that it isn’t on my computer.
Same issue with Dashlane. Guess all password managers have the same shortcoming. So will go with Boxcryptor for file-based encryption.
LastPass encrypts your passwords with the master password you use to log on to LastPass. LastPass only has the encrypted version of the password file. It is only decrypted by your computer, never on the server. Your method is, of course, safer, but I personally trust the LastPass encryption model. The cost of cracking a strong password is much more than the yield they would get hacking small fish like most of us, as they would have to spend several hours to crack each password.
Paul,
I do that too.
I created a text file (called “Projects-To-Do” which is better than ‘Here-are-all-my-passwords and bank account information’)
Which in fact contains all my passwords for various forum, shopping sites, bank accounts etc etc.
That is then kept on at least two flash drives.
When logging on to sensitive sites such as a bank, I use that text file and copy/paste the information into fields, that way there is no way any keyboard loggers know what I typed.
– B!LL!
I stand corrected on the copy/paste thing as noted by LEO in the post below, however I only ever use my OWN computers (at home), never use computers at Internet Cafes or use my laptop/tablet at Wi-Fi’s such as McDonalds for important things like banking.
Please, oh please, oh please tell me that this text file is encrypted (and preferably by something slightly stronger than Rot13)!
And BTW, keyloggers can (and will) pick up pasted info.
Ah, rot13. I remember you well.
Nu, ebg13. V erzrzore lbh jryy.
https://rot13.com/
How come I can use LastPass from several PCs, if encryption is local? If LastPass knows only my credentials after encryption, then logging on from a second PC would produce a different encrypted ‘blob’ and LastPass should not be able to authenticate that. If the encryption key used on the 2nd PC is the same, then there is no use in encrypting it at all.
Your data is encrypted once, and then copied to all the computers via LastPass’s servers in its encrypted form. It’s only decrypted locally when you specify the correct password.
Local encryption and decryption means that the password file is encrypted and decrypted on the local computer not in the cloud. The encrypted LastPass password file is stored on LastPass’ servers.
OK, thanks. The master password also is used for generating the encryption key. That explains it.
Another question is exactly when the password list is decrypted on my PC and how long it stays decrypted. I hope only when a password is actually needed and not from the moment I activate LastPass in my browser add-on?
And is it safe to let LastPass remember the master password (on browser add-on activation)?
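The model the exchange above describes (and that the earlier comment about keeping an encrypted password file on a flash drive relies on) is easiest to see in code: the key is derived from the master password on the device, the server stores only a login hash and an encrypted blob, and any second device that knows the same master password derives the same key and opens the same blob. The following is an added, constructed example, not LastPass’s or any other product’s code; the PBKDF2 round count, the use of the account e-mail as salt and the HMAC-in-counter-mode stream cipher (a standard-library stand-in for a real AEAD cipher such as AES-GCM) are all assumptions made so the demo runs offline.

```python
"""Client-side vault encryption with a key derived from the master password.

Constructed demonstration (not LastPass's code). The "server" only ever stores
a login hash and an encrypted blob; every device that knows the master password
derives the same key locally and decrypts the same blob.
"""
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # assumed round count; real products choose their own


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 salted with the account e-mail, so two users with the
    same master password still get different keys. This key never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One further PBKDF2 round over the vault key, salted with the password.
    This is what the client sends to authenticate; it cannot be reversed into
    the vault key, so the server never learns the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for a real cipher (AES-GCM) used
    # only so this demo runs on the Python standard library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with separate stream and MAC keys."""
    enc_key = hmac.new(vault_key, b"enc", "sha256").digest()
    mac_key = hmac.new(vault_key, b"mac", "sha256").digest()
    nonce = os.urandom(16)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    """Check the tag before decrypting: a wrong master password yields a wrong key
    and therefore a failed check, never silently garbled entries."""
    enc_key = hmac.new(vault_key, b"enc", "sha256").digest()
    mac_key = hmac.new(vault_key, b"mac", "sha256").digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault authentication failed: wrong key or tampered blob")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def sync_demo(master_password: str = "correct horse battery staple", email: str = "user@example.com") -> dict:
    """Device A encrypts; the server keeps only blob + login hash; device B,
    knowing the same master password, authenticates and decrypts the same blob."""
    entries = {"example.com": {"user": "alice", "password": "s3cr3t-constructed"}}  # constructed sample
    key_a = derive_vault_key(master_password, email)
    server = {"login_hash": derive_login_hash(key_a, master_password),
              "blob": encrypt_vault(key_a, entries)}
    key_b = derive_vault_key(master_password, email)  # same password + salt => same key
    authenticated = hmac.compare_digest(derive_login_hash(key_b, master_password), server["login_hash"])
    recovered = decrypt_vault(key_b, server["blob"])
    try:
        decrypt_vault(derive_vault_key("wrong password", email), server["blob"])
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {"authenticated": authenticated, "recovered": recovered,
            "wrong_rejected": wrong_rejected, "key_stored_on_server": key_a in server.values()}


if __name__ == "__main__":
    print(sync_demo())
```

The point to take from running it is the last field: the vault key never appears in what the server holds, which is why a breach of the stored blobs yields only ciphertext, and why a forgotten master password cannot be recovered by the service.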
I believe it decrypts only as needed, but don’t quote me on that. Whether or not it’s safe to let it remember the master password is a function of the overall security of your machine. If you feel the machine is secure, then it’s what I do. On the other hand if the machine could be compromised or stolen, then I do not (like my laptop, with which I travel).
Here’s an instance of hating it! I use Firefox Beta versions. Came home from a week away, new Firefox installed itself and eliminated LastPass. They have not kept up with Firefox and LastPass is now not compatible with it, specifically Version 57. So I have to make SURE Firefox does not update itself on my desktop as it did on laptop and carry my phone version around with me to be able to access my passwords, as mostly I use the laptop for day to day computing. I have complained, no solution yet from LastPass, and Firefox doesn’t care!
Lastpass has an update — if not already, then very, VERY soon.
Personally, I would never use a service like LastPass. First of all, any information that is stored on the LastPass server(s) is subject to hacking. I don’t care if that information is encrypted. We have learned again and again that absolutely nothing is completely secure on the internet. Secondly, any service that is available in the cloud can go away without notice. I keep all of my files and passwords on my local system (redundantly backed up of course).
Needless to say, I disagree. Strongly. EVEN IF someone were to hack into LastPass’s servers and get the data stored there (which has never happened) all they would get is strongly encrypted noise. There is simply no practical way that a hacker would gain access to the contents of my vault. Period.
OF COURSE services go away without notice. Or sometimes they just go down for a bit. While I would bet money on the former never happening for LastPass, I know that the latter has happened. That’s why a) LastPass works without an internet connection at all — your vault is still accessible, and b) I so strongly recommend backing up the contents of your vault — be it LastPass or any other — in a differently-secure method. (Meaning plain text contents, then secured some other way.)
This fear is preventing people from using long and strong passwords, and using different passwords on every site. It’s these two things that – when not done – put people at far greater risk than using a well known vault like LastPass.
Hi, I read your comments on password managers and was concerned about my using Password Safe, which is almost like KeePass. So I wrote a note to them at their site. I got a return reply as follows:
pwsafe.org
Sun, Feb 24, 2:11 PM (2 days ago)
to {removed}@gmail.com
Hi John,
Not quite:
1. Some password managers keep unencrypted password in memory longer than strictly necessary.
2. One can argue if this makes the password manager “unsafe”, since if an attacker can get to the memory of your PC, it’s effectively “game over” anyway (given that level of access, there are easier ways to access your protected passwords)
3. PasswordSafe was *not* among the password managers reviewed in the article.
4. PasswordSafe *does* encrypt the passwords in memory, so it probably would have passed the review in the article.
Cheers,
Rony
On Sun, Feb 24, 2019 at 8:55 PM wrote:
john clas ({removed}@gmail.com) writes:
Hi, I just read that Password Safe and other password managers are unsafe due to unencrypted passwords in memory. Is this correct? Long time user.
Basically my position as well: if a hacker has access to your RAM, it’s game over anyway. They have easier ways, then, of accessing your data.
MSN **isn’t** a web browser. It’s a web portal, i.e. a web page linking to multiple other pages and websites.
Browsers are Internet Explorer (which you shouldn’t be using these days, however), Opera, Firefox, Chrome, Waterfox, Brave browser, Vivaldi et al.
True about Internet Explorer. Microsoft is removing support and is recommending that people switch to the Edge browser.
At the time of Ken’s comment six years ago, I believe that the MSN browser still existed. It was nothing more than IE rebranded, but it was called “MSN”.
My biggest concern with RoboForm is that at the time I left it they had no export function — you were LOCKED in to using it, or you had to start over from scratch with a new tool should you ever want to change. It also means there’s no backup solution that doesn’t also involve RoboForm itself. I’d love to hear that’s changed.
Great article, Leo. Do you still use LastPass?
I do. Every day.
LastPass Android App Contains 7 Trackers
https://www.pcmag.com/news/lastpass-android-app-contains-7-trackers?utm_source=email&utm_campaign=whatsnewnow&utm_medium=image
This is info users should be aware of.
That one surprised me as well when I saw it. SIGH
Thanks Leo for another well written article. In the not-too-distant past, every time I would read one of your online articles like this one, you would always display a large ad for LastPass. After looking at those ads for a long time, I finally subscribed to LastPass Premium. I’ve been a very satisfied user ever since.
Not long after I subscribed you QUIT advertising for them, and I wondered if you no longer supported them because of something negative. Knowing so very little about computers, I get much of my computer information from you.
So I was so glad to read this post from you today, even if you originally posted it in 2012.
Hi Leo,
I’m now a former LastPass user after some changes were made to the way the browser extension handled logging in. The option to remember the master password was removed after an update. My wife and I both use Yubikeys, and, because of physical limitations, my wife would have the username and master password pre-filled when logging into LastPass then authenticating with her Yubikey to get into her vault, rather than struggling to type her master password. Even LastPass tech support didn’t realize the change had been made. After working with them showing what had happened and that it affected all browsers (Chrome, Edge, Firefox, Opera and Vivaldi), I found out that the feature was not going to be brought back.
I started looking at alternative password managers and decided to check out Bitwarden. Bitwarden has most, if not all, of the same features as LastPass, although it isn’t quite as user friendly. Bitwarden is free to use for up to two users. The free version is available to use on multiple devices, Android and PC, unlike LastPass. To enable use of advanced 2FA, emergency access and other features, the fees are $10 for an individual and $40 for up to 6 users, less than LastPass.
Bitwarden allows for both import and export of data. Users can also share passwords. Setting up Bitwarden will take some time, as the user has to set up an organization and then set up individual and shared vaults.
Two features of Bitwarden sold me. First, the browser extensions, desktop app, and Android app can be linked to Windows Hello. I went passwordless on my Microsoft account and I can log into Bitwarden using my Microsoft PIN. Accessing my vault in a web browser still requires logging in with username, master password, and in my case, my Yubikey. This feature is a big bonus for my wife.
Second, on my Android phone, Bitwarden will fill in logins on other apps. And it is easier to set up on the phone than LastPass was.
I think Bitwarden is a good alternative to LastPass, especially for those on a budget.
Whenever LastPass changes something, like their pricing structure some time ago, I hear of a lot of alternatives being suggested. Bitwarden is probably the one I hear most often. Glad to hear it’s working well for you.
In addition to the website password management, I am using the secure notes feature of LastPass as a gateway to my estate plan and all financial accounts. The Emergency Contact is my executor and access is currently delayed by 48 hours. Everything seems to be set up OK, but I wonder if it would really work. Is there some way to test this feature without actually turning over the keys to the kingdom? It seems like something worth checking periodically in case something in the program changes.
I’ve been using the free version of LastPass for several years now. I like the program but am frustrated often because when I try to log into an account it just sits there and doesn’t fill in anything. I’m thinking of going Premium to see if that will remedy the problem.
I have gone into the Knowledge base and was able to get my bank account to fill in but many others still do not work. Any suggestions? Thanks.
Premium shouldn’t help.
This is a problem that all password vaults have. Some websites are coded to prevent password vaults from working, and some are coded in obscure ways that password vaults can’t auto fill.
If you right click on the little LastPass icon in the password or username field, in that menu, or in a sub-menu, will be options to copy the username or password to the clipboard. Do that and then paste in the corresponding field. LastPass will clear it from the clipboard in something like 30 seconds.
If you copy your password from LastPass and you have a clipboard manager enabled (Windows 10 and 11 have a built in clipboard manager), be sure to delete it from the clipboard manager after pasting.
If you have a clipboard manager enabled and you copy a password, you should delete the password from the clipboard manager after pasting the password.
If you are using the Windows built-in clipboard manager:
Press the Windows Key + V.
Click the ellipsis (3 dots) on the upper right of any clipboard item you want to delete.
Select “Delete” to remove that item or “Clear all” option to permanently remove all from your clipboard history.
LastPass does empty the simple clipboard after 30 seconds. I also use “Clipboard Help+Spell” which would need to be cleared separately as you suggest. Fortunately it’s local only (not a share-across-machines thing).
Hi Leo,
I have been reading your Newsletter for some years and enjoying your advice (specifically when I used to have a PC, but also now that I have completely changed over to Mac).
On my Mac, there is a password manager which does all the things that LastPass does (in relation to password storage only – ie: prompting and autofilling, etc…. aside from the other stuff that LastPass can provide).
The technicians at Apple have reassured me that the Mac password manager is sufficient (I’m assuming that passwords are encrypted like the LastPass strategy). However, I continue to be impressed by your advice re LastPass (which I believe is available to Mac-users).
Would you agree with the advice Apple have given me in relation to suggesting and storing complex passwords on Mac?
I use LastPass on my Mac and on my Android, iPad and Linux machine. LastPass is a browser plugin and works on all compatible browsers regardless of the operating system.
It depends on which password manager they’re referring to. I can think of a couple. But the bottom line is that if it works for you, I’m confident in Apple’s solution.
The BIG thing that makes it a non-starter for me is that I want my passwords to be available on all my devices, including non-Mac devices. LastPass works on all the devices I use – PC, Mac, Linux, Android, and now an iPad as well.
I just came upon the fact that LastPass only works for web based products. I use an app for my email called emClient. I called the support people about this and they told me what was going on. I’m a tad disappointed that nothing I read ever indicated apps wouldn’t work.
Am I missing something?
Not at all. This is true for all password vaults — they’re primarily about signing in to websites (and in some cases mobile apps).
But they still “work” for other programs. Simply copy/paste your credentials out of the vault manually as you need them. I do this all the time.
LastPass works on most Android apps. It doesn’t run on programs running on your computer. Email programs can store email account passwords. Just be sure you use a password to log into your email program.
Thank you for your patience with me, Leo and Mark.
I already thought the cut/paste thing was the way to go. So far that is the first app that has thrown me a monkey wrench. Looking over my old list of passwords (don’t ask the number I have) it appears to be the only one like that.
One or two other apps I have have migrated over to web based apps.