A few days ago I wrote my plea to those of you who may still be on the fence about using a password manager. I hope I’ve convinced you to at least give it some serious thought. If you’re ready to give one a try, today I’ll introduce you to one of the many available password managers out there.
For the sake of full disclosure, this one happens to be the one I use, but I encourage you to do your own research and use the password manager that best suits your needs. Many people prefer to use password managers where your passwords never see the internet, while other people find the advantages of cloud storage worth the risk.
Password manager: LastPass
Where it stores your passwords: LastPass locally (on your own device) encrypts your passwords, and then stores that encrypted data in “the cloud,” a.k.a. somewhere else on the internet.
Security: Account data stored in the LastPass “vault” (including your passwords) is encrypted using AES. Connecting to the LastPass service can optionally be protected by 2FA for additional security against unauthorized logins.
Cost: It’s free to use the password manager’s basic features, like the browser extension and password vault. Multi-user credential syncing and the LastPass app access require paying for a premium plan.
Advantages:
- Passwords being stored in the cloud means they are centralized and easy to access from anywhere. (The encryption and decryption of your passwords happens on your device though, not in the cloud.)
- LastPass was purchased by LogMeIn last year, so it has corporate backing – meaning responsive help, as well as support for lots of applications and operating systems.
Disadvantages:
- Passwords being stored in the cloud means you are not 100% in personal possession of your own (albeit encrypted) passwords; you are trusting the security of all your passwords to another party. (LastPass was breached last year; thankfully, no encrypted user information was accessed.)
- LastPass was recently purchased by LogMeIn… and many people don’t like the idea of their password manager being owned by a corporation.
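To make concrete what the architecture above means in practice (encryption on your own device, only ciphertext in the cloud), here is an added example; it is not LastPass’s code and does not describe its actual key derivation or vault format. It derives a key from the master password with PBKDF2-HMAC-SHA256, seals the vault with AES-256-GCM, and shows that the stored blob is useless without the master password and rejects tampering. The function names, the 100,000-iteration work factor and the salt||nonce||ciphertext layout are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// vaultCipher derives a 32-byte key with PBKDF2-HMAC-SHA256 (one block, written out so only the
// standard library is needed) and returns AES-256-GCM over it; master password and key stay on the device.
func vaultCipher(master string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ { // assumed work factor: slows offline guessing if the blob leaks
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // cannot fail: the key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// EncryptVault is what the device does before upload. The returned salt||nonce||ciphertext
// (assumed layout) is all the cloud ever stores, and it is useless without the master password.
func EncryptVault(master string, vault []byte) ([]byte, error) {
	hdr := make([]byte, 28) // fresh random 16-byte salt followed by a 12-byte GCM nonce
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return vaultCipher(master, hdr[:16]).Seal(hdr, hdr[16:], vault, nil), nil
}

// DecryptVault is the device-side reverse: a wrong master password or a tampered blob fails GCM authentication.
func DecryptVault(master string, blob []byte) ([]byte, error) {
	if len(blob) < 28 {
		return nil, errors.New("vault blob too short")
	}
	return vaultCipher(master, blob[:16]).Open(nil, blob[16:28], blob[28:], nil)
}
```

A breach of the storage side hands an attacker only the blob; what they can do with it then depends entirely on the strength of the master password and the work factor.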
How do I get a password manager on my computer?
There are a number of different ways to use a password manager. You can download a program for your computer, or you can install an extension for your browser. I strongly recommend the browser extension option, as this is where password managers like LastPass are really helpful.
To set up your password manager, you’ll need to make your “master key” password. This is the password that protects ALL your other passwords in the password vault – so make it a good one. Make sure it’s unique, it’s complex, and most importantly, make it memorable.
Once you install the LastPass browser extension, as you go about your business online, you’ll see the password manager:
- Save your username and password to the password vault the first time you type it into a website
- Update your username and/or password in your password vault for a website you’ve previously visited
- Offer to enter your username and password to a website’s login form
- Offer to generate and save a secure, random password for you as you register as a user on a new website
When you’re trying to log in to a website, you’ll see the LastPass icon (three horizontal dots) appear in the username and password fields. Just click on the icon and click the credentials you want to use to log in, and LastPass will fill them in for you as long as you’ve been to that website before and saved your login to the vault.
Where are the passwords stored and how do I get to them?
Your password manager stores your passwords in a vault, and in the case of LastPass you can access it from any browser or device where you have the app or extension installed.
When your browser is open, if you ever want to access a password you’ve stored, just click on the LastPass extension icon (three horizontal dots) and click My Vault. You can also quickly search for saved credentials using the search bar that appears.
Some quirks to keep in mind
Sometimes when you’re trying to use LastPass to fill out a username and password, you might see only one field get filled in for some reason. Not all websites are as password manager-friendly as they should be, so this can be frustrating.
Thankfully, the workaround for this is pretty easy – just copy your username and password from the password vault. LastPass has quick shortcuts to make this happen in the browser extension:
- Click the browser extension icon (the three dots)
- Click “Show matching sites”
- Then click “copy username” or “copy password” as needed, and the information will be ready on your clipboard
Beyond the free features
I don’t want to be a walking commercial for LastPass, so I don’t want to sell you using a bunch of features you’d have to pay for. However, I will say that for all the potential downsides of a cloud-based password manager, the benefit of accessing your password vault on the go can be huge – depending on your needs.
In my case, I do pay for a premium LastPass subscription, which allows me to access my password vault from an app in addition to browsers on my home computers. Since I’m often on the road, having a mobile app for my passwords is a huge convenience.
That being said, it’s definitely worth trying out the free version first because you may find it does everything you need.
I recorded a quick video to demonstrate how I access the password vault on my phone to recall my login credentials.
If you’re comfortable with using a cloud-based password manager, LastPass might be a good option for you. But if you’d rather keep your own data local on machines you own, there are plenty of password managers like KeePass that keep your data away from the internet entirely.
I’ll cover KeePass in a future post, so you can compare and contrast the two if you’re still trying to decide.
Not my real name
LastPass got hacked several times, and when your “business” is “security”, that’s not a good thing, any security expert that recommends this service should reconsider their career.
On the other hand, you have Keepass, not only free but also open source; in combination with cloud services, you can easily integrate it with both iOS and Android devices, probably Windows Phones too. EU announced last week that it’ll start auditing Keepass in order to certify/increase its security.
P.S.: Security blog powered by WordPress… yes, really.
treFunny
@Not my real name
why so dark today?
I started using LastPass and need to take the full dive into it… as the user stated above, there are always reservations on my side when using an “online” password solution… but it’s 110% better than A. Re-using passwords and B. remembering 100-200 passwords
hyperar
Reusing passwords is a major security problem, but handing your entire password collection to hackers is way more dangerous.
TattooedMummy
Surely it’s the same thing. If I use a single (or maybe two) passwords for everything and that is discovered, it’s the same as all my 100 passwords being hacked in a password manager… the difference being the password manager probably has better security than many silly sites used for games or chat.
Maria Varmazis
As they say, perfect is the enemy of good. If the options are either having people reusing the same insecure password everywhere, or use a service like LastPass (warts and all), I choose the latter. I’ll be doing a KeePass article soon, so people who may not be familiar with password managers can get a sense of the breadth of options out there.
SkolVikings (@skolvikings)
I prefer RoboForm. The main reason is that, unlike LastPass, it can work as a sort of dual bookmark/password manager utility. For instance, if I want to log in to my bank account, I can click on the RoboForm toolbar and either search or browse to my bank passcard. One click on that causes my browser to load my bank’s login page, RF then automatically logs me in. You can somewhat do the same in LastPass, but it’s buried under more menus and thus takes longer to access. Just my 2 cents and YMMV.
Maria Varmazis
Interesting! I’ll need to give that one a try. Thanks for the tip!
Paul Moore (@Paul_Reviews)
Great article Maria!
One issue re: LastPass which crops up occasionally is the lack of privacy. For example, every URL you visit is stored, in plain text, by LastPass Corporate (or LogMeIn now). They are not encrypted/obfuscated in any way… and are collected for “marketing purposes” and “to facilitate favicon support”.
If you’re mindful of the privacy (and potentially, security) impact, that’s fine… but it’s certainly not clear, even when you dive into the small print.
From a privacy standpoint, I’d prefer to keep my browsing history private and not in the hands of a company which has been breached numerous times. To add insult to injury, LastPass Corporate refuse to answer repeated questions on the safety & integrity of this info throughout all their previous breaches. If you’re able to shed some light on this, I’d be very interested to hear their reply.
From a security standpoint, think how many times you’ve visited a “password reset” link which doesn’t expire like it should… typically with a “one-time” hash appended to the URL. Once you’ve changed your password, that URL (including the full query string) is sent to LP Corporate and saved. Anyone with the link can reset the password again… which is great until it happens to be your ISP/email provider, then every account falls.
Roboform is nothing more than a toy in this arena. A “my first password manager” as it were. The underlying crypto is weak, the implementation is hilarious in places and their response to a responsible disclosure was a marketing/PR disaster.
For a good privacy/security balance, you’ll struggle to beat 1Password.
Thanks.
Jason
I’ve been using LastPass for about 3 years now and it works flawlessly. I’m aware of the privacy concerns, but for me the benefits outweigh setting up an alternative.
Abbe Sillie
ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account. Needless to say, the strength of the master-password is crucially important.
Steve
Looking at an article on theregister today, not sure that I will be using lastpass –
Zero day hole can pwn millions of LastPass users, all that’s needed is a malicious site
Paul Ducklin
We’ve written that one up here for anyone who’s interested…
https://nakedsecurity.sophos.com/2016/07/27/lastpass-password-manager-zero-day-bug-hits-the-news/
Rohit Prakash
I have been using Clipperz for the last eight years. It is a simple single page app which primarily uses javascript crypto. You can also create an offline copy and store it on your hard disk. You need to enter your credentials to decrypt the data.
I also evaluated SpiderOak Encryptr, but the keys are stored encrypted on SpiderOak servers.
Recently I started using LastPass as an additional password manager. Their security model seems to be OK because the key is stored encrypted locally.
For my online password managers I use a cryptographically strong, long password.
For offline use, KeePass is a very rich password manager.