LastPass is a free, secure, cloud-based password manager with a suite of features.
Why use a Password Manager
For a quick internet security 101: the easiest way to “hack” into a website is usually not finding that one tiny loophole in the code that exists for 3 minutes if the conditions are just right… No, it’s simply to guess or steal a valid user’s login information: via phishing, via keylogging malware on the computer you used to access the site, or by “listening” to traffic to a site served over plain HTTP (i.e. without TLS/SSL and a valid certificate from a trusted authority).
There are several ways to increase the likelihood that your secure information won’t be snatched by the bad guys:
- Don’t advertise where the login form is (e.g. hide your WordPress login URL). This only cuts down on automated guessing; anyone who finds the URL still gets to try, so it is no substitute for a strong password.
- Don’t log in over HTTP, only over HTTPS (hard to spot sometimes unless you’re web savvy: look for the padlock in the browser address bar, but also check that the login form itself is on an HTTPS page and that the browser shows no certificate warning)
- Don’t type or copy/paste passwords to log in: keylogging malware can record the URL you’re on and the keys you press, and anything on the clipboard can be read by other programs. A password manager that fills the form for you avoids both, but it does not save you from malware already running on the machine, so keep the computer patched and clean as well.
- Don’t store your passwords in an Excel spreadsheet, a text file, or any other unencrypted file on your computer. Spreadsheet “password protection” was not designed for this job (older Office formats in particular are trivially crackable, and the contents are in the clear once the file is open), and a text file offers nothing at all.
- Don’t carry your passwords around with you in written form in your wallet or purse, or unprotected on your mobile device
So what SHOULD you do? Get a cloud-based password manager, like LastPass.
Why use LastPass
LastPass gets its name from attempting to be the last password you’ll ever need to remember.
Here’s the basic workflow:
- Sign up for a LastPass account
- Install LastPass to your desktop/laptop
- Go through the auto-import process to copy all the passwords from your browsers into LastPass
- Delete passwords from your browsers and replace their password managers with the LastPass browser add-on/extension
- Sign into the LastPass toolbar in each browser
- Browse the web like you normally do
- When you visit a site that you’ve added login information for in your LastPass account (i.e. your LastPass Vault), it’ll prompt you to login, you click to login, and you’re logged in without copying, pasting, typing, or even needing to know the password you just used
Some of LastPass’ key features:
- You only need to remember one email address and one Master Password, ever.
- LastPass never receives your Master Password (your Vault is encrypted and decrypted on your own device), so it cannot reset or recover it for you; if you forget it, your Vault is gone. Never forget it, and have a contingency plan for the worst case scenario.
- Password generator, so every site gets a long random password (far harder to guess than anything you’d make up) that you never have to remember
- Automatic form filling, including credit card numbers, expiration dates, and CVV code
- Secure notes, for when the secure content isn’t just a website or a username / password combination (any content can be stored)
- Cloud-based so your LastPass Vault syncs to all your devices (sometimes there’s a delay when adding a new site in one browser and using the browser toolbar in another browser)
- Share logins with other LastPass users (email isn’t a secure way to send sensitive information, you never know who’s listening to your phone calls, pieces of paper get lost, and spreadsheets aren’t for passwords)
- Import and Export functionality
- Identify duplicate and/or weak passwords in your LastPass Vault so you can know to change them
- Free credit monitoring
In June 2013, a month before this post was written, the New York Times published an article about Dashlane 2.0. I link to it only to provide you with their list of alternatives to LastPass: Roboform, KeePass, 1Password, and Dashlane. When my mom (who I helped move from insecure spreadsheets to LastPass via CSV import) sent me that article, my first thought was that it was very one-sided (possibly a paid review for Dashlane), because it just so happened to come out at their 2.0 release and because LastPass outshines Dashlane in every way except aesthetics.
My main reason to recommend LastPass over Dashlane or the others is because it’s the one I’ve been using for years and have helped many others successfully transition to. I’ve never had a LastPass security scare, and Dashlane requires its Premium version ($19.99/year as of this writing) to enable syncing across all devices and for web access, which I believe are necessary in this day and age (and which are free with LastPass). If you start with LastPass, you can switch to Dashlane in the future if you choose to.
Here’s a LastPass introductory video to help put all these details together:
For more LastPass videos, visit their YouTube Channel.
LastPass knows that Choosing a Password Manager is an Important Decision, and I think they’ve got the right mix of features and security, and its free version is fully functional and doesn’t constantly nag you to go Premium.
All users can attach files to Secure Notes, but Premium users get 1 GB of attachment storage space, and free users get 50 MB (20x more space for Premium).
All users can share sites, but Premium users get a few more options when sharing with someone else:
As a Premium customer, I’ve found it beneficial to have the LastPass app on my phone so I don’t have to constantly login to the mobile site if I need to authorize Facebook, Dropbox, email, or another login. And sometimes it’s just more convenient to login to the LastPass app, search for the site, and click “Launch” instead of copying and pasting into Safari or another mobile browser.
Also, the extra sharing features are nice for my purposes, but most people probably don’t need them (hence, the Premium version).
LastPass Tips and Tricks
Primary tip: When signing up for LastPass, use your primary personal email address (e.g. Gmail). You can have personal, business, and other identities and/or groups within identities to keep all your logins organized (see the quick links below). A good rule of thumb is to use the same email address you have for Dropbox and other mission-critical services that cross over the separation of personal and professional. Whatever address you pick, it is the recovery channel for everything else, so protect that email account with its own strong, unique password and two-factor authentication.
Like any software, there’s a bit of a learning curve, especially with a new category of software. Don’t worry, you’ll get it in no time as you force yourself to use it consistently (because you know it’s the right thing for you to do and the consequences of taking the initially easier way out could be detrimental). After you get the hang of it, you’ll benefit from the extra security and appreciate the time savings!
Here’s the LastPass Getting Started Video to show you the ropes:
And here are some quick links for you to continually refer back to:
- Download LastPass (it will auto-detect your device and browser and suggest the correct download file)
- LastPass Screencasts, Video Library
- LastPass User Manual (Full User Manual as downloadable PDF)
- LastPass FAQs
- LastPass Sharing (Safari users first need to Generate Sharing Keys via LastPass.com before people can share sites with them)
- LastPass Multi-Factor Authentication
- LastPass Browser Extension Preferences
- LastPass Offline Access
- LastPass Groups, Identities, and Quick Access *** Valuable Feature ***
- LastPass Security Statement
- LastPass Uptime Status
- LastPass Changelog
- LastPass Blog
- Lifehacker news and tips for LastPass
With all those LastPass goodies listed above, you’re well on your way to getting LastPass to work for you in a short amount of time.
Let me also invite you to take the LastPass Security Challenge (after you’ve set up your account and imported all your passwords; LastPass thinks everyone should have at least 50 in their Vault).
It identifies passwords for sites known to have been compromised since you last changed them (and helps you change them), flags weak and reused passwords, and gives you a score telling you how “secure” the passwords in your Vault are. Warning: it’ll make you feel like your online security is woefully inadequate, and, statistically, it will be correct. Then you can thank me and LastPass for getting you to take your first steps toward improving your score!
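To make the duplicate/weak-password check and the password generator concrete, here is an added example (my own illustration, not LastPass code) that audits a CSV export the way the Security Challenge does and generates replacements. The sample export, the column layout (assumed to match a LastPass CSV export: url,username,password,extra,name,grouping,fav), the breached-password denylist, the strength thresholds and the scoring are all constructed for the example.

```python
"""Audit a LastPass-style CSV export for weak and reused passwords and
generate replacements.  Added example; not LastPass code."""
from __future__ import annotations

import csv
import io
import math
import secrets
import string
from collections import defaultdict

# Constructed sample export.  Column layout assumed to match a LastPass
# CSV export (url,username,password,extra,name,grouping,fav); the sites,
# users and passwords are made up.
SAMPLE_EXPORT = """\
url,username,password,extra,name,grouping,fav
https://bank.example.com,alice,correct horse battery staple,,Bank,Finance,0
https://mail.example.com,alice@example.com,Summer2013!,,Mail,Personal,0
https://shop.example.com,alice@example.com,Summer2013!,,Shop,Personal,0
https://forum.example.org,alice,password,,Forum,Personal,0
https://app.example.net,alice,x9#Lq2!vR7$mW4pZ,,App,Work,0
"""

# Tiny stand-in for a real breached-password list (hypothetical).
DENYLIST = {"password", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12   # assumed policy thresholds
MIN_BITS = 50.0


def parse_export(text: str) -> list[dict]:
    """Read the CSV text into one dict per Vault entry."""
    return list(csv.DictReader(io.StringIO(text)))


def charset_size(password: str) -> int:
    """Size of the smallest obvious alphabet containing every character."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # punctuation plus space
    return size


def entropy_bits(password: str) -> float:
    """Upper bound: length * log2(alphabet).  This overestimates human-chosen
    passwords like 'Summer2013!', so length and the denylist are checked too."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def is_weak(password: str) -> bool:
    return (len(password) < MIN_LENGTH
            or password.lower() in DENYLIST
            or entropy_bits(password) < MIN_BITS)


def find_duplicates(entries: list[dict]) -> dict[str, list[str]]:
    """Map each reused password to the names of the entries sharing it."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def audit(text: str) -> dict:
    """Return weak entries, reused passwords and a 0-100 score
    (15 points off per weak entry and per extra reuse of a password)."""
    entries = parse_export(text)
    weak = [e["name"] for e in entries if is_weak(e["password"])]
    dups = find_duplicates(entries)
    extra_reuse = sum(len(names) - 1 for names in dups.values())
    score = max(0, 100 - 15 * len(weak) - 15 * extra_reuse)
    return {"weak": weak, "duplicates": dups, "score": score}


def generate_password(length: int = 20) -> str:
    """Random password with at least one character from each class,
    drawn from the OS CSPRNG via the secrets module."""
    if length < 4:
        raise ValueError("length must be at least 4")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    full = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(full) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    print("score:", report["score"])
    print("weak:", report["weak"])
    for pw, names in report["duplicates"].items():
        print(f"one password reused across {names}")
    for name in report["weak"]:
        print(f"replacement for {name}: {generate_password()}")
```

Run it against the constructed sample and the Mail, Shop and Forum entries come out weak, the Mail/Shop pair is flagged as reused, and the score lands at 40. Note that the entropy estimate alone would call “Summer2013!” strong; that is exactly why length and a breached-password list are checked as well.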
Should You Select “Remember Password” or Not?
When logging in, there’s an option to “Remember Email” and “Remember Password” and everyone asks if they should check those boxes.
Short answer: Personally, I do.
Let me offer 3 reasons why I think it’s okay to do so:
- If your device (on which you’ve checked the “Remember Password” box) is stolen, e.g. a laptop, you’d most likely know it was stolen because you wouldn’t have it. In that case, log in to LastPass.com from any other computer and change your Master Password (i.e. the password you use to log in to LastPass); once the extension on the stolen device next contacts LastPass, the remembered password no longer matches. The caveat: the extension also keeps an encrypted copy of your Vault on the device for offline access, and a remembered password is what opens it, so until that sync happens the thief may have an offline window. The real protection for a remembered password is therefore the device itself: a strong OS login password, full-disk encryption, and a short auto-logoff timeout in the extension preferences.
- LastPass offers it as a convenience trade-off that is reasonable on a device you control and lock; it is not something to enable on a shared or public computer.
- It’s annoying to keep typing in that perfectly crafted, secure but memorable password, especially if you work in an environment that isn’t very mobile, where your device isn’t left lying around asking to be snatched. And if you are constantly in airport terminals or other bustling places with people looking over your shoulder, “Remember Password” means they’re not watching your fingers type in that ultra-sensitive password (the password to all your passwords), especially if you’re a 1-finger typer.
How I Use LastPass with Clients and Others
If you’ve read all the information above, hopefully you’re convinced that…
- You need a password manager
- You should choose LastPass as your password manager
Because I always keep security in mind with all of my technology services, I never want my actions to be the reason for a security breach (which could lead to lost records, lost business, embarrassing events, and worse). That’s why, when I create email accounts, website login accounts, SFTP logins, and more, I require my clients to receive their login details from me via LastPass.
When receiving login details from clients, friends, or family, ideally they would share them with me via LastPass, but often I find that those who don’t tend to have other weak security practices, like weak and reused passwords. So I take them via email, written on paper, or via carrier pigeon, but I return things better than how I received them. Often these accounts are deleted shortly after signing up with me (e.g. website or email hosting), so the exposure is short-lived.
Since most (if not all) logins I share back to clients are theirs to keep, I “give” (not just “share”) the logins with them. This allows them to see (not just use) the password. Therefore, they could choose to store the password elsewhere and totally abandon LastPass. However, I do my part to deliver the secure information securely.
I can’t think of a situation where, once we got LastPass setup, the person didn’t see the benefit of using it and sticking with it.
Bottom line is that LastPass allows me to work securely with clients, manage many clients’ secure login information in a very organized manner, and to help them be more secure in their personal lives after learning the ins and outs about LastPass.
LastPass FTW! (FTW = For The Win)
Feel free to leave comments below with any questions, suggestions, or success stories.