
LastPass Password Manager Reviewed and Security Best Practices


By Chris - Posted on 26 November 2009

How do you keep track of the dozens of passwords and account details for the sites you use? Post-it notes? A spreadsheet? The Firefox password manager? Or maybe you're still using the same password for every site?

If you fall into the last category, imagine what could happen if someone had a weekend with that one password, the key to your digital life. They'd try it on every site where there's something to gain: PayPal, online banking, Facebook, and so on.

If that password is also the one on your primary webmail account, they now have a way into most of your other accounts too, through the "I lost my password" function most sites provide.

Now that there are free services like LastPass, there's no reason you can't use unique, strong passwords for all of your sensitive online accounts and have them synchronized across browsers, devices, and platforms.

LastPass is a multi-platform password management tool that I've been using with great results for over a year -- available for Windows and Mac and featuring extensions for Firefox, IE, Chrome, and Safari.

When you run the Windows installer, LastPass reads out all of the passwords you had trusted your browser to keep safe and offers to import them. It is a clever gesture, and it makes a point: a browser's built-in password store keeps those passwords in a form that any program running under your account can read back. The next step is a prompt asking whether you'd like to disable the browsers' own password saving, for reasons that are by then glaringly obvious.

Remembering passwords on its own is handy, but the real value lies in resetting all of your passwords from simple dictionary words to random letters, numbers, and special characters: strong passwords.

I changed my PayPal password from chrisrules to something like !@qWEhRp)98Y, which is clearly harder to guess ("Chris rules" is a terrible password: a name plus a dictionary word, exactly the kind of thing anyone who knows me would try first).

LastPass can generate strong passwords for you with no repeatable pattern, so strong that even you won't know them. In effect, LastPass becomes a key chain, and each password is an individual key that is infeasible to guess and cannot be forgotten. You couldn't reproduce the pattern of bumps and ridges on your house key from memory either, but once the whole keychain is in your hands it's effectively like knowing all the keys. The analogy cuts both ways: whoever holds the keychain holds every key, which is why the Master Password that unlocks it deserves the most care.

How is this secure?

Since the backbone of LastPass is a web application, it is reasonable to be concerned that your information is stored in a datacenter and travels over the internet to your LastPass clients whenever it is requested.

That risk is mitigated by encrypting your sensitive data on your own machine, with a key derived from your Master Password, using 256-bit AES; only the encrypted result is ever transmitted.

In short, LastPass never handles your data until it has been encrypted, and it neither stores nor sees your Master Password. Even if LastPass itself were compromised, an attacker would obtain only encrypted vaults. The one thing then standing between them and your passwords is how well your Master Password holds up to offline guessing against that stolen data, which is the strongest argument for making it long and unique.

LastPass balances remote access against security by letting users add multifactor authentication (a USB token or a one-time key generator) to protect the account against unauthorized access.

Security settings can be configured so that the web portal (LastPass Vault), or a new instance of the browser plugin, is granted access only after entering both your Master Password and a one-time key generated by an app called Sesame (which can be carried on a USB drive).

There is also the option of using a third-party USB token, the YubiKey. Either USB option adds a second factor to the Master Password, so a stolen password alone is not enough to open the vault.

Even with a fantastic tool like LastPass, your security can be undone by a weak password on either LastPass itself or your primary email account (it even happened to Twitter), so take care when choosing and managing these two passwords.

Password guidelines:
  • Unique - Not used for any other account.
  • Strong - Letters, numbers, and special characters, not dictionary words.
  • Hard to reset - Your password recovery options should be as inconvenient for an attacker as they are thorough for you. Good options are a secondary password that is itself strong and unique, or a secondary email address, provided that account is active and secured at least as well as this one. The worst option is a simple "security question" like your mother's maiden name, since the answer can often be found online.

LastPass also provides a "secure notes" function, handy for passwords that desktop applications need, such as remote desktop, FTP clients, and GoToMeeting (application support is on the long-term roadmap, so stay tuned).

The Auto Form Fill feature is also very handy. I created two profiles, one for online shopping which includes my credit card data and shipping addresses for buying stuff; my other profile is for work, which lists my work address, desk phone, title, and work email, for entering work-related online forms without giving out my mobile number or home address.

Additional Resources:

Comments:

I'd rather see openid take off.

Reply: Me too, but this is a cool tool in the meantime. I don't see banks and credit card companies adopting openid in the near future...


INTRO

Chris Pomeroy is a web technology sales professional, web designer, and aspiring entrepreneur based in Boston.
