Review: LastPass – The Last Password You’ll Have To Remember

Originally posted Oct 17, 2010 Ok, so last time I talked about security and how tough it is to pull off that level of safety. Well one tool that has done more than all the rest of them together for me is LastPass. I could write an entire book on LastPass but I’ll spare you all from that. 🙂

What Is It?

LastPass, oversimplified, is a multi-faceted program that lets you keep all of your passwords in an extremely safe manner. In the simplest terms it is a password vault type utility but it is much more than that! To use LastPass you install it (more later) and then any time you need a password you just log into LastPass with one password and it either provides the password to you or it securely inserts it into the website you are accessing.

###How to Get To It? There are many ways to get your passwords. LastPass has plugins for every major browser except Opera (due to how they do things). Firefox, Safari, Internet Explorer, and Google Chrome all have plugins to serve your passwords when needed.

In addition to that you can log in to the LastPass website to access your passwords and if you have a Premium account you can get to them via mobile apps for most devices. So, you can see you are never apart from your passwords as long as you have an Internet connection.

What Can I Store?

LastPass is mostly a password vault for websites. Everything from your bank to your Twitter account has a password and you don’t want someone getting any of them. LastPass stores information so that when you are ready to log in to, say, Twitter, it asks for the master password and then fills in the blank for you.

But wait, there’s more! LastPass also has what they call “Secure Notes”. These are places you can store just about anything textual you want to keep safe. Things like passport numbers, bank account numbers, credit card information, etc. In fact there is even a new feature which provides templates for the most common items that helps make sure you put in everything you’ll need. Have you ever written down your credit card number and forgotten the 3-digit number on the back? I have and it is annoying! LastPass Secure Note Templates have a place for that so you won’t forget next time!

How Safe Is It?

According to the user manual, and confirmed by various security people, the following are all things LastPass does to protect your data:

*        All sensitive data is encrypted on your computer, not at the LastPass server. The data can not be “sniffed” by a hacker reading packets and can not even be decrypted by LastPass themselves.

*        The encryption algorithm they use is acceptable for US Government top-secret data.

*        LastPass doesn’t even know your password. They store what is called a hash of the password which is compared when you log in, but can not be reversed to get the original.

  • There are many extra layers of protection you can add such as:

  • Multifactor Authentication – not only do you need the password, but also a physical component (paper grid or usb key) to open the vault.

  • Logoff when the browser is closed or after a set idle period. A compromise you determine between logging in for every password and having it available while you are working.

  • Require password reprompt – certain sites or notes can be set to ask for your password when accessed, even if you are already authenticated.

  • Clear clipboard after use.

  • Kill other sessions on login – Yet another safety check in case you have a minimized browser logged in or log in from multiple places.

  • Powerful features such as one-time passwords which gives you a list of passwords that will work one-time only so even if a computer has a keylogger and sees your LastPass password, that password will never work again. Very useful for logging in at a site you don’t have complete control over.

  • Virtual Keyboard – lets you click out the password with the mouse so a keylogger has nothing to log.

There are many more features but, in my opinion, the strongest I haven’t already listed are strong, unique passwords and not using the browser password manager. The password manager in your favorite browser is not too difficult to capture and move to another system where they can take advantage of your stored passwords. The other point is best illustrated by a story I remember.

It was about 1985 or so, my memory is inexact as far as dates, and there was a group of young people who ran the most popular Bulletin Board System (BBS) in the US. They had come to the realization that A. people give personal information such as name, address, phone, etc, to a BBS when they register and B. most people use the same password multiple places. The BBS was a front for their real purpose. They would get a user’s personal information, find out where they worked and then try the BBS password in the work computer. Brilliant in a dark sort of way.

The truth is that if you use the same password in more than one place then you are risking the same thing! Every password you use should be both unique and secure. Don’t use Spotty for your password! LastPass can generate a wide variety of passwords depending on your needs including uppercase letters, lowercase letters, numbers, special characters, and of any length you choose; I just generated one with 800 characters! Now that’s overkill, but for your bank account that allows 32 characters it’s nice to be able to take full advantage of that.

Here’s a little experiment in math. I know, math, yuck, but it’s easy, I promise.

If you have a password that is 1 character long and it can only be a lower case letter then you have 26 possible passwords. Add upper case and it becomes 52. Add digits and you have 62. So, this far we have 62 passwords we have to try to get your password at the worst case! If it is ‘a’ we’ll get it on one.

Now, let’s expand that to just two characters with the same rules: lower case only is 26 x 26 or 676 characters. Add upper case and it’s 2704 characters. Add digits and you have 3844 possible combinations!!!

You can see that by adding one extra character to your password you made it take a hacker 3,844 guesses to get your password instead of only a measly 26! This number grows in a similar manner as you add characters. If my college math and my calculator are both working properly that means that an 8-character password of upper, lower and digits will be 218,340,105,584,896 possibilities!

Imagine if you could use 12 digits! Even with modern computer speeds a password that long is not practical to try to hack unless it’s the nuclear launch codes or master password to the Federal Reserve computers. If you change that password once every 3 months then only astronomical blind-luck will get them in – they may as well just type random gibberish to try to get in.

So, why did I say all that? To say that LastPass will give me the ability to use the largest and most complicated password my bank can handle. If Twitter only has 8 character passwords then you can set that too. Letters and digits only, that’s fine, just uncheck the special character box. It will work with every site I have access to and that’s everything from banks to blogs.

What Else Does LastPass Do?

Another very powerful feature is the form-fill feature. If you choose to, LastPass will even fill in the blanks with your address, phone, or any other information you add to it when you get to a form requesting those things. You can even set up different profiles with your work address and your home address if you like.

The other thing that is a life-saver that I’ve not yet mentioned is that all of these passwords are synched across all different ways to get to LastPass. If you are at work and sign up for a new website LastPass will ask if you want to save that info. If you say yes and then go home or pull our your mobile device the password will be there for you! No more “I forgot my password” emails or emailing yourself passwords that could be intercepted.

There are lots more features but this is already almost 1500 words and I’m sure you are waiting for the end by now.

I’ll leave you with this. If you use passwords online and want a safe and convenient way to keep them then you have to check out LastPass!

Best wishes! Jim Sewell / @Deverill

Leave a Reply