Here at ProfHacker, we recommend a lot of web applications: WordPress, Prezi, Diigo, Reframe It, SideWiki, Dropbox, Evernote, and Mendeley are only a few we’ve covered. Experimenting with so many web services, however, means that we accumulate usernames and passwords for all the services we try—not to mention all the usernames and passwords most folks collect for email, online banking, campus CMSes, &c. What’s more, secure passwords are difficult to remember; they include a mixture of letters, numbers, and different cases, and they shouldn’t include real words or meaningful sequences of numbers (things bad folks could easily deduce). How then can we keep so many usernames and passwords straight while staying as secure as possible on the web?
One temptation is to simply use the same username and password for everything. This practice is dangerous, however, for the same reason it’s convenient. If someone finds out that one username/password combination, then they’ll have access to all of your accounts. Another option is to keep hundreds of sticky notes on your monitor and/or desk. The less said about this option the better. A better solution is the password manager, which Amy wrote about this past January. A password manager is a program that stores your usernames and passwords, allowing you to access them using one master password. Popular password managers include 1Password for OS X and KeePass for Windows. These programs detect when you’re visiting a website for which they have a saved password, and then allow you to paste the correct username and password into that site using only your master password. Using such a program, you can create unique, secure passwords for every account you own, while only memorizing one secure key.
Ever since this glowing review in Lifehacker, I’ve been using Lastpass to manage my passwords. Lifehacker’s review goes into great detail about how to use the service, so I won’t belabor that here. Lastpass also provides a series of screencasts that walk users through all the service’s features. Here is their basic introduction:
Instead of detailing how Lastpass works, then, I’ll briefly explain why I prefer Lastpass over other password management solutions.
I like many of Lastpass’ features. I like its secure password generator. I like the way it detects and fills in forms based on the profiles I’ve created. I like the way it can automatically log me in to my most frequented sites. Lastpass is most compelling to me, however, because it’s universal. This is also Lifehacker’s first reason for using the service, and it’s a good one. Lastpass isn’t a program that you install to a particular computer. It’s a web service that you access through browser extensions. Lastpass offers extensions for all the major browsers—Firefox, Safari, Chrome, even Internet Explorer—so users can access their passwords, generate secure new passwords, fill forms, &c. from whatever computer they happen to be using (even if those computers run different operating systems) and whatever browser they happen to be running on that computer.
For example: I just got a new computer from my school. Two of the first things I did were install Chrome, my current favorite browser, and then install the Lastpass Chrome extension. Once it installed, I clicked its icon, signed into Lastpass using my master password, and my login information was immediately available for all of my saved sites. Lastpass can even help on computers that I don’t own. I can access my password vault through Lastpass’ website (though users should be careful about doing this on public computers in labs, libraries, and so forth). Once a password is saved or changed in Lastpass on one of my computers, that information is available from all of my computers, and I save time looking it up.
If you haven’t explored a password manager yet, I encourage you to do so. They make it much easier to secure your online life, and then to manage that security. For professors and teachers interested in using and experimenting with technology, that flexible security is invaluable. The basic version of Lastpass is free, but you can pay $1/month for the service’s premium features, which include mobile clients for all the major smartphones, an ad-free interface, and a few other perks.
A caveat: a password manager is only secure if you regularly change its master password—preferably every few weeks. Otherwise using the password manager becomes nearly as risky as using the same username/password combination for every site—if someone finds your master password then he or she will have access to all of your other sites’ information. Changing and remembering one master password is still more convenient for me than remembering 20 username/password combinations, and so I update my LastPass key frequently. If you take anything away from this article, though, let it be this: we could all stand to beef up our online security.
[Creative Commons licensed photo by Flickr user darwinbell.]



13 Responses to Managing Your Passwords (and Making Them More Secure) with Lastpass
cardinalham - August 3, 2010 at 3:32 pm
If this is a web service, does that mean that I would be storing all my account names and passwords remotely, on someone else’s server? It seems to me that demands a certain amount of trust that the LastPass server is secure. Also, what if LastPass goes under in two years’ time taking my passwords with it?
george_h_williams - August 3, 2010 at 4:15 pm
@cardinalham: Good questions. According to the information on their web site, what LastPass stores on their servers is a strongly encrypted file with all of your information in it, and you’re the only one with the key to decrypt that file. Additionally, your encrypted information is saved on the computers you use, so if LastPass suddenly disappears, you (presumably) still have that data and the means to decrypt it.
rolandleblanc - August 3, 2010 at 4:28 pm
^ what he said. If you want to find out if it’s trustworthy, just do some searches. There are news articles on tons of different websites stating how reliable and secure LastPass is. As George said, your master password is never sent to LastPass so they never know what it is. Just the encrypted data is transferred and stored on their server.
peril - August 3, 2010 at 6:32 pm
LastPass has gained some attention lately, but its remote nature strikes me as a bad idea. I’m not one to be overly paranoid, but the topic of the day is security- and what’s more secure than your password list? (rhetorical… I hope :P) I’ve come to use 1Password (Mac, Win, Mobile) and it’s been great. It features the autofill tools for nearly all major browsers (enter your master pw and it loads the user/pw of the site). It also features sections of the app designed to store sensitive information such as serial keys, notes or files that should be kept secure, as well as account information for logging into other computers / servers. I’ve always been down on password managers (as an IT guy, we like to call them ‘single points of failure’) but with a secure master key 1Password’s database is nearly unhackable (I’ve tried… and not to brag, but I know my way around a security protocol or two), it’s amazingly functional, and best of all (hey, I’m a mac user) 1Password is really a pretty app on all its platforms. It also creates bookmarks (securely within itself) for all your sites, so instead of going to “Gmail.com” you can go to “Gmail and auto-fill” and 1P will load the site and enter your information (provided you correctly enter the 1P master password). Finally, if you like, 1P supports another Prof Hacker fav: Dropbox.com for syncing to your portable devices, backing up, whatever you like (but it’s totally optional). Ok so that all sounds like a bit of a sales pitch, but 1P has really won me over and I was a massive skeptic. ;)
ryancordell - August 3, 2010 at 10:42 pm
I had some of the same reservations, peril. I guess convenience trumped all for me (for good or bad). I tried 1P a few iterations ago and just couldn’t make it work the way I wanted it to. Of course, that was pre-Dropbox syncing, so…
infogoon - August 4, 2010 at 10:23 am
“What’s more, secure passwords are difficult to remember; they include a mixture of letters, numbers, and different cases, and they shouldn’t include real words or meaningful sequences of numbers (things bad folks could easily deduce).” This isn’t really true any more. Most information security people will tell you that you’re far better off with a passphrase than you are with a password. For example, which of these is more secure?
“The ZIP code for Beverly Hills is 90210.”
“Gh;osah;au7f8412”
Both of them have upper and lower case characters, numbers, and punctuation – the password complexity is equal. But the first is longer, meaning that a brute-force guessing attack will take much longer to succeed. And it’s also a heck of a lot easier to remember. We used to say not to use real words in passwords, back when a password could only be eight characters long, in order to encourage maximum entropy. Now that technology can handle longer credentials, those old guidelines are not as applicable any more.
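Infogoon’s comparison can be put in numbers. The Python below is an added example, not code from the original post or from any of the tools discussed here; the 100,000-word dictionary size and the 10^10 guesses-per-second rate are assumptions. The word-level estimate is the caveat a defender would add: it only applies to a phrase actually built from dictionary words, and it treats those words as independent, which a grammatical sentence is not, so it is an optimistic bound rather than a true entropy.

```python
import math
import re

# Constructed inputs: the two credentials infogoon compares in the comment above.
PASSPHRASE = "The ZIP code for Beverly Hills is 90210."
PASSWORD = "Gh;osah;au7f8412"

# Once a guesser sees one member of a class it must try the whole class.
# 26 + 26 + 10 + 33 = the 95 printable ASCII characters (space counts as a symbol).
CLASSES = [(26, "[a-z]"), (26, "[A-Z]"), (10, "[0-9]"), (33, r"[^A-Za-z0-9]")]


def charset_size(secret: str) -> int:
    """Alphabet size a character-level brute force has to cover."""
    return sum(size for size, pattern in CLASSES if re.search(pattern, secret))


def char_bits(secret: str) -> float:
    """log2 of the character-level search space, charset ** length."""
    return len(secret) * math.log2(charset_size(secret))


def word_bits(secret: str, dictionary_size: int = 100_000) -> float:
    """log2 of the search space if the guesser works token by token instead:
    each word drawn from an assumed dictionary_size-entry wordlist, each run of
    digits from 10 ** len(run). Only meaningful for phrases made of real words,
    and it treats tokens as independent, so for a sentence it is an upper bound."""
    tokens = re.findall(r"[A-Za-z]+|[0-9]+", secret)
    return sum(
        len(tok) * math.log2(10) if tok.isdigit() else math.log2(dictionary_size)
        for tok in tokens
    )


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time for an assumed offline guess rate to cover the whole space."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for secret in (PASSPHRASE, PASSWORD):
        print(f"{secret!r}: charset={charset_size(secret)} len={len(secret)} "
              f"char-level={char_bits(secret):.0f} bits, "
              f"word-level={word_bits(secret):.0f} bits, "
              f"years to exhaust char-level space={years_to_exhaust(char_bits(secret)):.2e}")
```

Even the word-level bound for the phrase (about 133 bits under the assumed dictionary) exceeds the character-level space of the 16-character password (about 105 bits), which is the point the comment makes; a phrase lifted from a famous TV title or a quotation list would fare far worse than either figure.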
ryancordell - August 4, 2010 at 2:58 pm
Thanks, infogoon. I’ll look into that. I like the idea of a passphrase.
ryancordell - August 4, 2010 at 2:59 pm
It would still be difficult to remember different passphrases for 50 different websites–or difficult to keep them straight. Better (for me at least) 1 passphrase in a password manager.
christian_d - August 4, 2010 at 3:00 pm
I can’t praise LastPass enough. After using LastPass for a few weeks, I junked RoboForm Pro and all other password and secure note managers. Quite simply, it blows the competition out of the water with a killer combination of usability and convenience, without sacrificing security. Now, whenever and wherever I log in, I have all my passwords at my fingertips–with or without a network connection. It just works. We rely on a steadily increasing number of web-based services, and we each use them on multiple computers (home, work, laptop, smartphone) and locations (i.e. your office, a professor’s office). LastPass handles this smoothly, without requiring additional synchronization or encryption tools, and it does so across a wide array of platforms (Windows, Mac, Linux, smartphones) and browsers (Chrome, Firefox, IE, Safari, and a few others). It doesn’t make sense to worry about LastPass security, and then talk about syncing encrypted password files with DropBox or Goodsync or whatever tool you use. Either way, a bundle of your encrypted passwords has been copied to the Internet. For those who fret excessively about security, Passpack is a competing service that offers similar features and higher security–and notably less usability and convenience.
daveblue - August 5, 2010 at 1:16 pm
Are there circumstances where 1Password and LastPass don’t work – say in an upgrade of the OS? I’ve been burned with software that suddenly crashes the system after an upgrade or simply fails to work at all, requiring time-wasting calls to “support.”
tee_bee - August 6, 2010 at 9:06 pm
I just downloaded and installed LastPass and have found it incredibly valuable. I plan to spend a weekday getting all my financial sites (bank, TIAA-CREF, credit cards, mortgage) into shape so that I can store passwords on this site. I do worry about the security aspects, but I suspect that LastPass is still more secure than my google docs spreadsheet that I used before. And since passwords change, this spreadsheet is grossly out of date anyway. As far as daveblue’s question goes: my sense is that if the software goes bang or missing as the result of an OS upgrade, one would reinstall the LastPass client/plugins and get all that goodness back into the browsers (it worked seamlessly with Chrome, Firefox, and Chrome, BTW). Last feature I really like about this is that it reveals what passwords and usernames are stored in the database, so at least I can write those down and stick them somewhere “secure.” Too many times we end up with odd usernames because it won’t take smith, johnsmith, johnqsmith, or easy variants, so we end up with usernames like johnsmith60609 or something. At least this is a way to help keep track of things like that. The minor security risks posed are far outweighed by the convenience and increase, frankly, in security provided by this tool. That’s my risk perception. YMMV.
txlogic - August 9, 2010 at 3:21 pm
Excellent recommendation, but why on earth do you think that “a password manager is only secure if you regularly change its master password”? A password manager is secure as long as you have a strong master password that no one else knows or can come to know (short of beating it out of you). So long as you take commonsensical steps to prevent anyone else from coming to know it, there is absolutely no need ever to change it; strong passwords don’t magically become less secure over time. Indeed, a policy of changing passwords regularly is just the sort of thing that *leads* people to insecure password practices like choosing weak passwords that are easy to remember and/or writing their new passwords down. Bottom line: Choose a very strong password, memorize it, keep it to yourself, don’t write it down, and keep your virus definitions up to date if you’re a Windows user. Change your password only if you have reason to think it might have been compromised, e.g., if you had to use it on a public machine.
steven_senlamy - August 19, 2010 at 2:33 pm
Lastpass is a great app! Also Sticky Password which I use. I use it because of the support of applications like Skype, ICQ etc.