LastPass – a review

lastpass music security websites

For many years I was accumulating username / password combinations for a ridiculous amount of websites. Often I would use the same basic password, or a semi-strong password on these sites. I was building a user account security debt.

Then I read about LastPass and knew my problems had been solved. LastPass is a website that allows you to store securely a series of username / password combinations for the websites that you are a member of. So what? Well it has this neat browser plug-in that will manage the generation of strong passwords, creating a unique for each site and will make the whole website logon process seamless. The beauty of it is I don’t even know what these secure passwords are, LastPass takes care of it all for me.


So how does it work?

You create an account with LastPass and establish a really strong password. As the marketing blurb says, “The Last Password You’ll Have to Remember!”. Now you can just use the website to store username / passwords if you want – simply go to https://lastpass.com and use the web interface. This would be a small step in the right direction, but if you install the browser plugin (available for IE, Firefox, Chrome, Safari, Opera and a host more) then when we visit a website and login, LastPass will prompt you to save the credentials for that site if this is the first time you’ve logged in.

Saving those credentials means next time you visit the site LastPass can either auto-login for you, or just auto-fill the username / password fields (you decide). At this point if you haven’t changed any of your passwords, you’re just simplifying your life by not having to remember passwords.

If you really want to be secure, let LastPass generate a strong password for you. When you’re logged into a website elect to change the password for your account. The browser plugin is smart enough to detect most ‘change password’ forms and prompts you to generate a new password. You can specify the options and re-generate the password if you need to:

image

If you accept the password then LastPass fills out the form for you automagically and saves it away in it’s store. Next time you logon to this website LastPass pulls out your stronger password and uses it. I encourage you to go and do this on every website you are a member of if you’ve just started using LastPass and had fallen into the bad habit of the same password all over the place.

Even if you’re ‘same password’ was strong, what if some imbecile web developer had stored your password in clear text and the database was compromised somehow? By using LastPass to generate a different password for each website you become a member of you’re reducing the damage that can be done if one account is compromised as those credentials will not work elsewhere.

So LastPass also generates passwords when you register for websites as you’d guess, which saves you having to think of a new one each time. Really handy stuff, and you never have to waste brain space on remembering the new password.


But how secure is it?

Well you’re just using one password to log in to a store full of ALL your user credentials. You obviously want to make that one password very strong. LastPass claims that the store is encrypted / decrypted locally, that the even LastPass does not know your password. I have managed to use LastPass offline so this appears to be true – you can unlock it while offline.

If you frequently use PCs that may not be secure (e.g. internet cafes, you’re parent’s spyware infested Windows XP machine, other public kiosks) then you can generate ‘one time use’ passwords in advance. You generate these and store them somewhere safe (like print them out and put them in your wallet). If you find yourself using a suspicious machine but really need to get something out of LastPass then log in with one of these ‘one time use’ passwords which only work… one time. Alternatively there is also a mechanism to log on with an on screen keyboard in an attempt to avoid any keyloggers that may be running on the machine.


How much would you expect to pay for all this?

Amazingly this is all free. There is a Premium option that allows some additional features, mainly oriented towards smartphone users but even this is just $1 per month.

My only criticism of this is that it’s probably a bit too tricky for the person with poor PC skills to use – the ones who probably need the most protection. It works seamless most of the time, but sometimes you find yourself with duplicate passwords after registering for a site, or the updated password hasn’t over-written the original entry just created a new profile for that website. These little things are easy to resolve for an advanced user, but would trip up and frustrate the casual user with poor computer skills.



Conclusion

This is a winner just for the fact that it makes life easier. The added security is the the super-delicious icing on the cake. If you care about keeping your information safe then do check this out, I recommend it.