I have been a LastPass advocate for some time; however, I’ve been remiss in not dedicating an entire blog post to it. It’s time to remedy that. I have usernames and passwords to over 400 websites. Each of those passwords should be complex and unique. How often do you reuse your passwords?
LastPass is a password manager – and a vault for saving other kinds of data, like credit card information. Use it for free, or pay them $12 a year for the mobile app; if you have a smartphone, it’s well worth the price. By letting LastPass manage your passwords, you can get rid of all of your sticky notes/little black book – and stop letting your browser save your passwords. Let LastPass generate random passwords for you. Share your passwords with trusted LastPass users, like your spouse; if one of you changes a shared password, it’s automatically changed for the other person. Store your credit card information in LastPass.
What it can do.
When I visit a website where I need to enter my username and password, LastPass automatically enters it for me. I have LastPass installed on the three major browsers I use (Chrome, Firefox, Internet Explorer), so my passwords seamlessly follow me regardless of which browser I’m using.
When you first install LastPass, the program will pull your usernames and logins from your browser. Anything you have saved there will automatically be moved into LastPass.
This is the menu from the LastPass web browser extension. From here I can go to my “vault” which holds all of the data I have saved in LastPass. “Recently Used” gives me a list of websites LastPass has recently accessed. Clicking on the links takes me to those sites. “Sites” gives me clickable links to all of the websites I have LastPass passwords for arranged by categories (folders) I’ve created. “Secure Notes” lets me save any kind of text I’d like, like my home WiFi access code. “Fill Forms” has my saved personal data, like phone number, address, and credit cards. I have different form profiles for my address, such as one with my home contact information and another with my work contact information. I have different form profiles for each of my credit cards. That means that when I’m ordering something online, I don’t have to search for my wallet. I just select the credit card I want to use, and, BAM, the information is entered.
Because I have LastPass installed on my laptop, in “Preferences” I have chosen to have LastPass “logoff when all browsers are closed and Chrome has been closed for” 10 minutes. Honestly, if my computer were stolen, the very first thing I would do is hop on the internet, say, with my smartphone, and change my LastPass password. If I’m traveling where the risk of losing my computer is greater (although I’ve never lost one yet!), I turn on multifactor authentication. (See below for more on this!)
When you need to create a new password, use “Generate Secure Password.” You decide the parameters, and LastPass will generate a password. If the bar is in the green, you have a strong password. LastPass will automatically paste it into the web form you’re using, and it will automatically save the password.
When I’m away from my computer, I can access all of my LastPass data through the LastPass mobile app or by logging into my account at LastPass.com.
Now you’re getting nervous, right?
“That’s a lot of private data you’re giving them. Do you really trust them?” Yes, yes I do. Because LastPass doesn’t actually have my data. They don’t even have my LastPass master password – if I forget my password, they can send me the hint I used when I created my account, but they can’t send me my master password because they don’t have it.
The short version: everything you store in LastPass is encrypted on your local machine. Your LastPass master password is the key to decryption. If someone were to break into the LastPass servers, all they would get is gibberish. They can’t decrypt your passwords without your master password.
You can read more about LastPass security. Want to learn even more? Here is what Steve Gibson had to say about LastPass in 2010 on the Security Now podcast.
For those who want extra security, enable LastPass’ multifactor authentication. With this, you need two keys – one key is something you know (your master password) and the other is something you have (e.g., your smartphone). I use Google Authenticator, but there are others. On my phone I installed the Google Authenticator app. When I log into LastPass, I enter my password, and then I’m prompted to enter a code. I run the Google Authenticator app on my phone, and there will be a code for LastPass. The code is only good for 30 seconds, and then a new code will appear. Once I enter the correct code, then I will be logged into LastPass. Even if someone did get my master password, they would need to have my phone, too, to get into my secure data.
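How the 30-second codes are produced and checked, as an added example that is not from the original post or from LastPass: Google Authenticator implements TOTP (RFC 6238), where the phone and the server share a secret and each computes an HMAC over the current 30-second step. The sample secret is the RFC test-vector key, and the function names and the one-step drift allowance are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid
DIGITS = 6   # code length shown by the authenticator app
SAMPLE_SECRET = b"12345678901234567890"  # RFC 6238 test-vector key, not a real secret


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to DIGITS."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server side: accept the current step plus/minus drift_steps for clock skew."""
    now = unix_time // STEP
    first = max(0, now - drift_steps)
    return any(
        hmac.compare_digest(hotp(secret, step).encode(), submitted.encode())
        for step in range(first, now + drift_steps + 1)
    )


if __name__ == "__main__":
    for t in (30, 59, 60):
        print(f"t={t:>3}s  code={totp(SAMPLE_SECRET, t)}")
    # A code captured at t=59 is rejected once it falls outside the drift window.
    print(verify(SAMPLE_SECRET, totp(SAMPLE_SECRET, 59), 120))
```

A wider drift window tolerates phones with bad clocks but also lengthens the time an observed code stays usable.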
Now think about how many usernames and passwords you have saved in your browser. All someone has to do is open your browser…