Friday, Jun 29 2012

Simplify password management [for free] with LastPass

Every couple of weeks, we hear about another site being hacked and user account information being stolen. Security evangelists are constantly asking the community to choose complicated passwords and to not reuse the same password for multiple sites.

The biggest complaint I hear is that the above makes remembering passwords impossible. But guess what… you don’t need to remember them, thanks to a fantastic free tool called LastPass. LastPass is a strong and easy-to-use password manager that offers 85% of its functionality for free and has plug-ins for most modern browsers.

Why do you need it

We want you to use complicated passwords of 10 characters or more which include uppercase and lowercase letters, numbers and symbols. Plus we want you to use a unique password for each site you register with. And you should be changing your passwords at least once every 90 days. Enough said. That is why you need a password manager.

Installation

If you use Internet Explorer, Chrome, Firefox or Safari, you simply choose the universal installer and the program takes care of the rest. For other browsers, you go to their download page and choose your browser-specific plug-in. This second option is also useful if you later move from one browser to another: you simply download the appropriate plug-in for your new browser, log in with your credentials and voila, you have all your passwords within 60 seconds.

The Vault

After installing the plug-in and restarting your browser, you will see a new LastPass icon. A grey icon means you are not logged in (while a red one means you are). If you click on the red icon, you can go to your password vault where all of your passwords are securely stored. As expected, you can organize your passwords in folders and groups, share/delete/edit individual passwords and search for the entry for any specific saved site.

It is beautifully simple

Whether you use the free or paid version, you get the same level of security and protection. Paid users get access to the mobile apps, removal of ads, faster support and the ability to use two-factor authentication to secure your LastPass login (using a YubiKey or a USB key with a special identifier). I use the free version and have enabled two-factor authentication with LastPass's Google Authenticator integration.

You install the free Google Authenticator app for iPhone or Android, then enable it for LastPass using a uniquely generated QR code from the LastPass settings tab, which looks like this:

And every time you log in from that point on, you will be asked for your LastPass password and then the unique Google Authenticator code (that changes every 60 seconds):

This means that even if someone steals your LastPass master password, without this unique Google Authenticator code (that changes every 60 seconds), they won't be able to log in. We call this two-factor authentication because:


  1. It uses something YOU KNOW (aka the master password)
  2. and something YOU HAVE (which is the unique token code generated by your smartphone app)
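The Google Authenticator code described above is a TOTP (RFC 6238) one-time password: the QR code carries a shared secret, and both the phone and the LastPass server derive the same short code from that secret plus the current time. The following is an added example (not LastPass or Google code) that generates such codes and shows how a server verifies one; it uses the RFC 6238 test secret and the RFC's 30-second time step as a parameter.

```python
"""TOTP (RFC 6238) code generation and server-side verification.

Added example, not LastPass or Google Authenticator code. The base32
secret is what the enrolment QR code carries; phone and server both
derive the code from it and the current time.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second periods since the epoch."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), at // step, digits)


def verify(secret_b32: str, submitted: str, at: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current period plus `window` neighbouring
    periods (phone clock skew), compared in constant time. A real server must
    also remember codes already accepted so one cannot be replayed within its
    validity window."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32-encoded
# as a QR code would carry it. At T=59 the SHA-1 code is 94287082 (8 digits).
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(RFC_SECRET_B32, 59))                 # 287082
    print(totp(RFC_SECRET_B32, int(time.time())))   # what the app shows right now
```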


Conclusion


Your LastPass passwords are encrypted and stored on their servers which means you can access your passwords from any internet connected computer (via the LastPass add-on or you can even use their site as the Launchpad for use on a friend’s PC).

This is a fantastically simple yet extremely powerful tool to protect your passwords and therefore your online life. The tool can auto-generate strong passwords when you register for new sites or change your password on an existing site (it will usually even detect this automatically). It has a form-fill feature where you can create different profiles with different information (personal, business, etc.) and then use LastPass to auto-fill website forms. It has free two-factor authentication support via Google Authenticator.

I can’t recommend it enough. I use it every day and it is one of the first apps I install on every computer I own.

Screenshots

The vault

Site edit dialog box


Reader Comments (2)

Hi, thanks for writing this article. Don't really trust this company after two security breaches. May try it again but not sure.

July 5, 2012 | Unregistered Commenter Glenn Lee

I don't trust ANY company storing ALL my passwords, especially if they also store the encryption keys that are used to encrypt those passwords: the risk of a breach is far too great. That's why I use KeePass (or KeePass Password Safe), a free/open-source local password manager. You can put all your passwords in one local database, which is locked with one master key (1 factor authentication) or a key file (2 fact auth). So you only have to remember one single master password or insert the key file (on a disk or a USB key, it's kinda like a token) to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

KeePass is available in “Classic Edition” or in “Professional Edition”. KeePass Classic Edition runs on Windows, and they have a portable version which you can run off a USB key! KeePass Professional Edition runs on Windows, Linux and Mac OS X! They also have native apps for Blackberry (and PocketPC, PalmOS, and a J2ME version for Java-compatible mobile phones, for whoever still uses them), and also third-party apps for Android (KeePassDroid) and iPhone. Because your password vault is stored in a locally encrypted database file, only you have physical access to the "vault" (unless your device is stolen, which is no biggie because the thief still needs your master password and key-disk).

It also supports "auto-type" of usernames/passwords, both for browsers (websites) and applications, but that involves launching the KeePass app first, finding the relevant entry (it has a convenient search window), and pressing CTRL+...

In addition, you can sync your local database between various computers using services such as Dropbox or Sugarsync (in which case your database is "double" encrypted), to make sure whatever new passwords you add on one device also appear on the other...

July 17, 2012 | Unregistered Commenter Hagop Kazarian
