Whenever I talk about using different passwords to log in to different sites, and how important it is to make sure that all those passwords are difficult to guess (and thereby, unfortunately, hard to remember), many people throw up their hands in frustration.
It’s too much to remember; too much to keep track of.
Computers, on the other hand, are great at remembering things for you. As a result, there are many popular programs that will track your online passwords for you.
These days, I’m using LastPass because not only does it remember all those things for me, it does so securely across all my computers and devices. And it has an optional level of security that I’ve not seen anywhere else.
Installing and setting up LastPass
On the desktop, LastPass is primarily a browser add-on. As we’ll see in a moment, it integrates with your browser so that it can capture login credentials to remember for you as well as automatically provide them when you use them later.
When you install LastPass for the first time, you create a LastPass account using your email address and a password.
Note: This password should never be forgotten. This is important because of this quote from the LastPass site:
Please remember that LastPass never knows what your LastPass master password is – you are the only person who knows it. If you lose or forget your LastPass.com master password, we can not recover it for you. So, it is critical that you never forget your LastPass master password.
Yes, that’s correct, LastPass does not know your password. I’ll explain more about that in a moment.
Your master password can be up to something like 255 characters long, though in practice anything beyond 32 characters doesn’t add much to the level of security.1 What that means is that an easy-to-remember long password is more secure than a short, impossible-to-remember password of random or obfuscated characters. Think (but don’t use) Correct Horse Battery Staple.
These credentials – your email address and LastPass master password – will be used to access your password vault where all the other account information you might keep will be stored.
How passwords are remembered
Getting your login credentials and password data into LastPass is easy: simply log in to whatever site you want it to remember. For example, you might now go to your Hotmail account and log in.
After LastPass detects that you’ve successfully logged in, it displays a message across the top of the browser window, asking if you would like to remember this password. Click Save Site, adjust or add to the information being saved (if you want), click Save on the dialog that results, and you’re done.
As you go about your day logging into the various sites that you use, you’ll be given the option to remember the login credentials for each. As you click Save each time, LastPass grows the database of everything that it’s remembered for you along the way.
(LastPass can also import what your browser has previously saved and from other password management tools.)
How remembered passwords are used
There are two ways that LastPass remembered information is typically used.
When you visit the login page for a service, LastPass may simply fill it in for you:
Note that the username and password fields are outlined in red and have the red LastPass logo on the right. That’s LastPass at work.
In this case, as long as you’re logged into your LastPass vault, logging in to any remembered site can be as simple as visiting that site and clicking Sign In.
The other option is to display your LastPass vault (accessible via the LastPass icon that’s been added to your browser’s menu or toolbar):
Click on the site that you want to log in to (in this example, “login.live.com” corresponds to the site used to log in to my Hotmail.com account), and LastPass will open a new browser tab, go to that site, and log you in.
All with one click.
Using LastPass for other things
We focus a lot on saving login IDs and passwords using LastPass and tools like it, but in reality, the same technology can be used for many other interesting and convenient things.
LastPass includes what they call Form Fill Profiles.
The same technology that’s used to fill in sign-in forms can actually be used to fill in other common forms as well.
The best example might be your own name, address, and phone number. Frequently, when shopping online, we’re asked for that information. Set up a form fill profile in LastPass with that information, and in many cases, LastPass will offer to fill in those pesky forms for you.
The same is true with credit card information.
Remember, LastPass is all about storing information securely. Much like your login information, LastPass form fill profiles can be used to save your credit card information. Now, when you encounter a site that requests your credit card, a couple of clicks later LastPass has filled it in for you.
Which do you consider more secure? Letting lots of random online shopping sites remember your credit card information or remembering it in a single place under your control using LastPass?
You can guess which I choose; LastPass.
Why LastPass is secure
One of the criticisms often mentioned with online services is that because they are holding your data online, the service itself has access to that data, even if they encrypt it.
Not so with LastPass.
Your LastPass master password never leaves your machine. All the encryption and decryption happens locally, on your machine, even when visiting the LastPass website to view your vault. Only encrypted data is sent over the network and only encrypted data is stored on the LastPass servers.
Encrypted data for which even LastPass does not have the password. If you lose your master password … well, LastPass’s own FAQ covers that scenario. Nowhere in their response is there any ability to recover or reset it for you.
Think of it as encrypting a file using something like 7-zip or TrueCrypt, and uploading that. Whoever has the file simply can’t get in because you’ve not given them the password.
What this means is that whatever data you store in LastPass cannot be accessed by LastPass employees. That also means they have no means to turn it over to anyone who asks, either legally or otherwise.
Your data is accessible only on devices you control and only with the master password that you keep secure.2
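To make the model in this section concrete, here is an added illustration (my own example code, not LastPass’s implementation) of a vault that is encrypted entirely on the client: the master password is stretched locally into an encryption key and a separate login hash, only the login hash and the ciphertext are uploaded, and a wrong password or a tampered blob yields nothing rather than garbage. The iteration count, the use of the email address as salt, and the HMAC-based cipher standing in for AES-GCM are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative work factor, not any product's real setting
# Constructed sample vault contents; nothing here is a real account.
SAMPLE_VAULT = b'{"login.live.com": {"user": "leo@example.com", "password": "Correct Horse Battery Staple"}}'

def derive_keys(master_password, email):
    """Runs only on the user's machine: stretches the master password into an encryption key,
    a MAC key, and a separate login hash, the only password-derived value ever sent to the server."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email.lower().encode(), ITERATIONS, dklen=64)
    enc_key, mac_key = stretched[:32], stretched[32:]
    # One more round over the key itself, so the server can check a login without holding enc_key.
    login_hash = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1)
    return enc_key, mac_key, login_hash

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a dependency-free stand-in PRF; a real client would use AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_vault(enc_key, mac_key, vault):
    """Encrypt-then-MAC on the client; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(vault, _keystream(enc_key, nonce, len(vault))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt_vault(enc_key, mac_key, blob):
    """Returns the vault bytes, or None when the keys are wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

def sync_to_server(master_password, email, vault):
    """Everything that leaves the machine: the login hash and the encrypted blob."""
    enc_key, mac_key, login_hash = derive_keys(master_password, email)
    return {"email": email, "login_hash": login_hash, "blob": encrypt_vault(enc_key, mac_key, vault)}

def open_from_server(master_password, record):
    """Re-derive the keys locally and decrypt; the server never had the means to do this."""
    enc_key, mac_key, _ = derive_keys(master_password, record["email"])
    return decrypt_vault(enc_key, mac_key, record["blob"])
```

Whoever holds the server record has the same problem as whoever holds a 7-zip archive without its password: the blob is all they have.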
Why LastPass is more secure
As great as their approach to encryption is, there’s one more feature available with LastPass Premium ($12/year and well worth it, in my opinion) that sealed the deal for me.
Two factor authentication.
When enabled, as it is on my portable devices including my laptop, LastPass requests a code provided by the Google Authenticator application running on my smartphone whenever I log in.
I’ve discussed multi-factor authentication before, but what this boils down to is that it’s not enough to know my master password to open up my LastPass vault – I must also prove that I have my phone in my possession by entering the random code that the Google Authenticator application displays for my LastPass account. Without both my password and my phone, I can’t get in.3
In addition to using the Google Authenticator, LastPass Premium supports several additional options including the YubiKey and a multi-factor application that you can run from your own USB key.
I’ve not seen two-factor authentication in other password vault applications and particularly appreciate LastPass’s range of choices for this additional level of security.
LastPass on everything
LastPass is free. You can use it on your PC and Mac with no restrictions.
LastPass Premium, as I mentioned above, is $12 per year as I write this. Well worth it for the additional security options available.
LastPass Premium also includes versions for just about any platform that you can imagine:
- iPhone & iPad
- Dolphin Browser
- Firefox Mobile
- Windows Phone & Windows Mobile
- Symbian S60
- HP WebOS
In other words, LastPass is on just about everything.
LastPass is not without its occasional faults or inefficiencies.
The biggest issue that I have with LastPass personally is that occasionally I’ll visit a website where I believe it should fill in my login credentials, but it does not. I realize that this is part of the complexity of web design, or rather in trying to accommodate every possible way a website could ask for a password, so I do cut it some slack. I’ve also seen this frequently in other password managers, so I know it’s not unique to LastPass.
If you have a large collection of credentials, it can quickly become confusing exactly which login applies to what site. The “login.live.com” situation that we saw earlier is just one example; in reality, it’s saved my Hotmail login. While LastPass does allow you to edit the description (i.e. you can change the “login.live.com” that’s displayed to be something more useful like “Leo’s Example Hotmail Account”), it does not require that you actually do so. I definitely advise that after you’ve used LastPass for a while and have collected a few entries that you go back and perhaps clean up the displayed descriptions, as well as consider using LastPass’s grouping function to help keep track of what’s what.
In my time using it, I’ve become a bigger believer in LastPass than just about any other password management system. I realize that there are several excellent products out there, but my experience and understanding of how LastPass works leads me to settle on it as my password manager of choice.
In addition to the password saving and form-filling features that I’ve noted, and the additional security options and platform independence offered by LastPass Premium, LastPass includes features such as secure password sharing, import and export of your data, an optional on-screen keyboard, password creation tools, and even a security audit that reviews what’s good and bad about your own collection of passwords and login credentials.
If you’re serious about security (and I hope you are), then I strongly suggest you use some kind of password vault to relieve you of the burden of keeping track of lots of different strong passwords, thereby encouraging you to actually use different strong passwords for the various sites on which you might have accounts.
My choice is LastPass.
I recommend it.