How to secure your passwords with LastPass

March 22, 2014
Apps and Programs, How-To

A lot of our privacy and security content makes an important assumption. That assumption is that nobody can get into your account without breaking through some sort of protective measures, meaning you are only vulnerable due to either your activities or security holes on the web. The truth is, though, bad passwords are much more often your personal security’s weakest link.

Nowadays, most regular users of the internet have dozens of accounts at various websites. Except for those places where we sign in most often, it is hopeless to think we can remember a unique password for every single place where we have an account. Unfortunately, though, using the same password for multiple websites makes us much more likely to be harmed when we or one of the websites we signed up to is hacked.

Good password etiquette and our actual password usage are at odds

According to research by InstantCheckmate, the average person signs into 25 websites per day, using just 6 different passwords. 33% of people use the _same _password at every single site. The same amount write down all of this information in an unsecured note on their cell phone. Hackers need 3 minutes to crack the average password.

Likewise, the best passwords are simply hard to remember. There’s obviously a tough balance to strike here. On one hand, we want to be secure. On the other, we can only remember so much. Let’s go over a few things to live by for optimal password security:

The best passwords, by and large, are ones that are hard to remember.
You should not use the same password at more than one place. When one place you are registered at is hacked, you are only vulnerable at that particular site (until, of course, you change that password) instead of making available the password you use everywhere.
Cryptographers have a saying: it’s better to go around encryption than through it. This means hackers are more keen to look for people who have weak passwords than they are to try to crack other types of security; it’s just easier.

Shoot! That sounds hard to do. Don’t worry, we have an app for that. LastPass is an incredible program that works on almost every platform and browser that makes this process even simpler than it would be if you were using the same password for everything.

You’ll be happy to hear that LastPass is compatible on Windows, Mac, most Linux distributions, Android, iOS, Windows Phone, and Blackberry. For browser support, they have plugins for Chrome, Firefox, Safari, Opera, and Internet Explorer. We also found that they have a plugin for Maxthon, a Chinese-developed browser, though they don’t promote that much on their American webpage. Beyond its own browser-capable app on Android, it also has plugins for Dolphin Browser and Firefox for Android.

Quit using your browser to save your passwords

As you surf the web, one of the first things you’ll notice about LastPass is that it will be similar to your browser’s password manager in terms of filling in forms and asking if you’d like to have the browser remember the password.

On websites where you have accounts saved, you can click the asterisks on the right of the input boxes and choose which account you’d like to sign in with.

Unfortunately, your browser doesn’t do a great job of protecting these passwords and you can’t switch computers/devices without losing all of your saved data.

When you download LastPass, it will make it abundantly clear how insecure your browsers are at keeping your passwords. It mines through and scrapes all your saved password data from each browser; on one hand, this is meant to spook you into realizing how easy that was. On the other hand, it’s making it easy to migrate all of that information into your LastPass database.

Firefox is the only browser that offers a moderately safe way to keep your passwords, but that is only if you enable a master password. This is not the default, so most users have highly vulnerable log-in information stored on Firefox as well.

This is your default view of your LastPass “vault,” where all of your information is stored and accessible.

Make sure that after you import your log-in information into LastPass, you delete it from your browser! You haven’t done a ton of good if it still sits there, unprotected, after you begin using LastPass. You’ll want to tell your browser to quit asking to save passwords too, since that will probably get annoying.

A bad password protected by LastPass is still bad

While getting your passwords out of your browser and into LastPass helps keep you safe from password theft, it doesn’t fix a bad password. If you have the type of average password that a hacker can crack in 3 minutes, it doesn’t matter if you hide the information. Likewise, if you are registered to a website whose passwords gets hacked, all of your other accounts secured with that password will be vulnerable._

LastPass can make the process of making secure passwords easier, though. Whenever you go to a change of password form or a new account registration, LastPass can make a secure password on the spot for you. You can specify whether it contains numbers, special characters, the length, and whether the end product can be pronounced phonetically (useful for the few passwords you might need to know by heart).

There are various options you can apply to make your randomly generated password work for you.

After that, you can tell it whether you want it to overwrite your current account on that website or if you want to create a new one.

A newer feature from LastPass is their “security challenge,” which tells you how secure your passwords are individually and as a group. Why as a group? Well, like I’ve said, a great password that you use on every website is no longer so great. The security challenge, in addition to rating each password’s strength, will group all websites that have the same password together so you can see where you are most vulnerable.

The security challenge is available on mobile now, too!

More than just passwords

The thing that led me to finding LastPass wasn’t actually password management, though I was certainly in need of it. I wanted to keep some notes that would be password protected. These notes would have information like credit card numbers, social security numbers, bank account info, and things like that.

However, I wanted these documents to be handy. You can password protect compressed files like .rar or .7z (though these are easily cracked), but I use that info often enough I don’t want to extract and re-zip this note every single time.

LastPass also supports secure notes, form fills, documents, wi-fi logins, and more, making even more of your info both safe and handy behind its walls. When you go to check out on an online store, you can have LastPass automatically fill out your information. If you want your home wi-fi password to be as secure as it should be, you can store it in LastPass for safekeeping.

You can have your form fills attached to credit cards or just addresses.

Premium features add big functionality at a low cost

For just $12/year, you can gain access to premium features, which we highly recommend. These are particularly useful if you want easy access to your LastPass info on your mobile devices. You can take everything for a test drive for 30 days before committing to the $1/month premium charge.

Here is a quick rundown of premium features:

Use of mobile apps on Android, iOS, Windows Phone, and Blackberry
More options for account security, including YubiKey and biometric authentication.
LastPass for applications – you can require a password to use certain applications on your computer.
Share selected accounts with other LastPass users, even if the other users are not premium users. This is great for shared Netflix accounts and the like. Control whether the other members can edit the info or just read it.

We think LastPass did a fine job of giving you a fully functional service for free while also making the very cheap jump to premium level worth every penny.

Wait a minute, how do I access my LastPass account? Does it save its own password?

LastPass gets its name from the idea that it is the last password you’ll ever have to remember. This password will have to be remembered by you and, obviously, it needs to be both very strong and very unique. You can consider making a physical note of it, but of course the consequences of that note falling into the wrong hands would be quite problematic. Be very careful, make a strong password, and don’t forget it! LastPass does not store your password, so if you lose it, you’ve lost access to your account.

You can use a few different methods for making passwords that are easy for you to remember, but are nearly impossible to guess. You can substitute letters and symbols for ideas, or even more simply, create a long password with a phrase you can remember plus numbers/symbols that have meaning only to you. This page on LastPass’s site generates a new list of random passwords every time it loads.

For those that wanted added security beyond the password, there are several methods for two-factor authentication and other enhanced security measures. For the uninitiated, two-factor authentication means there is some other means of verifying you are the person who is supposed to access the account beyond knowing the password. On LastPass, you have many options.

Before we get to two-factor authentication, there are some quick and easy options. First, you can tell LastPass how long your account should remain signed in between log-ins. You can require inputting your master passwords for each time you use it or after a pre-determined amount of time. You can also demand a re-prompt for password when you access certain passwords or information, such as each time you use the credit card. In the mobile apps, you can choose to use a pin number instead of your password.

You can use Google Authenticator, which you tie to a particular device that will generate a unique code every 30 seconds that proves that you are both in possession of your password AND your cell phone/tablet. There is also the simpler grid authentication, which involves you printing out/saving a randomly generated and unique grid of numbers and letters. When you sign in with your password, you will be asked to input the number or letter in specific locations on the grid.

Other options include programming any old USB thumb drive to have LastPass Sesame, which generates one-time passwords as a second line of defense. This means you would have to have the USB drive with you and a place to plug it in and use it every time you accessed your account. Even more advanced methods using the YubiKey, fingerprint scanners, or SmartCard readers can provide an extra layer of security. These are for people who are hiding very sensitive information or are otherwise willing to make a big sacrifice to time efficiency to protect their account.

You can use external devices as an extra layer of security for your LastPass vault.

Can LastPass be trusted with my information? Can hackers break in?

These are very important questions to consider. One of the reasons I suggest LastPass, even over the open-source KeePass, is its bullet-proof security. Not only does LastPass offer the aforementioned myriad ways to protect the user end of the account (your password and additional authentication methods), it is particularly immune to hacking.

LastPass uses AES-256 bit encryption, which is a fancy way of saying they use the same extremely secure type of protection for your data that the US government uses for high-level communication, like confidential documents. More importantly, the encryption happens on your computer. The reason this matters is that if your data had to go to LastPass’s servers to become encrypted, there are two issues: the first is that people snooping on your data connection would see your passwords if they managed to get to your data. The second is that this would give LastPass access to your data before it is encrypted.

While your data is ultimately stored on LastPass’s servers so that you can access your data across devices, the only data that is ever on the internet is fully encrypted. When you first put it on your computer, it is encrypted offline. Whenever you access it again from LastPass, you get the encrypted information from the internet and your password decodes the encryption offline (your device is still connected to the internet, it just isn’t using the internet for this specific task).

Encrypted data is absolutely useless without your username, password, and any other layers of security you may have added to your account. LastPass will never see your password and therefore can’t see your data, even if they wanted to. The AES-256 bit encryption has been around for over 10 years and professional cryptographers have only been able to narrow the speed with which it would take to crack AES-256 to 2.5 trillion years on a sufficiently powerful supercomputer; in other words, nobody is getting your info from LastPass without stealing your password. As I mentioned before, though, this means you’re the only person who can access your password. There are no resets with this stuff.

Privacy measures taken by LastPass include refusing to learn your master password even if you offer it, not taking any more personal info than is necessary for processing payment, and they allow you to opt-out of very basic data collection like your log-in history.

Do you use LastPass? Do you have any lingering questions or doubts about using a password manager? Let’s talk it out in the comments!

All images in this article come from LastPass.

COMMENTS

Note: Comments are provided by Disqus, which is not affiliated with Getting Things Tech.

Search

Support This Site

Bitcoin Donations:

18DP9TGdPN5usTKMRMfPk6Q2mSr4mAz8NJ

Litecoin Donations:

LPKQbDPykwjXr5NbXfVVQH9TqM5C497A16

How to secure your passwords with LastPass

COMMENTS

Search

Related Posts

Recent Posts

categories

Support This Site