The Easy, Any-Browser, Any-OS Password Solution

Whenever we talk passwords, we always preach the same thing: Use strong, difficult-to-remember passwords, and different passwords for every site. Easy to say, extremely difficult to do through sheer willpower. I've tried many password-remembering systems, and this is what I've stuck with.

To paraphrase photographer Chase Jarvis, the best password manager is the one you have with you. Of all the password management utilities out there, I consider LastPass the most elegant compromise between convenience and security, and if you're not using it already, I recommend you start. It's mostly free, plugs into nearly any browser or smartphone, is KeePass compatible, and just works.

Why LastPass?

Why not just use KeePass for all my passwords and be done with it? It's secure, open-source, extensible, and lots of people swear by it.

I like KeePass. KeePass is friendly and locks down pretty tight. But when it comes to filling in web passwords, I want the path of least resistance — and I want to convert my friends and family into more secure practices, too. LastPass offers a few advantages over KeePass:

  • Universal: KeePass has a nice collection of extensions and plug-ins, but they're all over the place when it comes to support, updating, and platforms. LastPass offers extensions for Firefox, Internet Explorer, Chrome and Safari on Windows, Mac and Linux. There are a few gaps (Opera, mainly), but they're covered in large part by free auto-filling bookmarklets (covered below) and desktop, USB and mobile software, offered to LastPass' premium subscribers.
  • Simple: LastPass has a multitude of options, settings, tools and other knobs to twiddle, just like KeePass. If all you want, though, is a better kind of universal password manager that remembers your log-ins, simply install the browser extension, log into LastPass, and let it do its thing. It automatically prompts you to save passwords and form data — though you can turn that off — and fills out username/password fields, with an easy switch to another login name.
  • Secure, yet dummy-proof: My one fear with systems like KeePass, where I'm keeping my own database and, potentially, safe-keeping my own encryption key file, is that I'll do something stupid and delete that file, or forget that ultra-secure master password. Sure, sure — you're a superhero of forethought and memory, and would never do such a thing. Me, I've had too many brushes with Dropbox sync screw-ups (my own fault for tinkering, usually) and memory gaps to leave it up to myself to serve as my own knight to protect the Holy Grail. LastPass uses a single master password to log into your account, sure, and if you lose that, you have to jump through quite a few hoops to get it back. But it is, technically, recoverable.

The short version of LastPass' safety, privacy and technology setup is that the only thing stored on LastPass' servers is a heavily encrypted bundle of your passwords and the sites they belong to — a form of host-proof hosting. They don't have the encryption key to your passwords, you do, and the encryption and decryption all take place on your own computer, where a backup copy of LastPass' records is always kept. If LastPass became evil, or got hacked, the nefarious doers would have to buy one of Google's server farms to break into its users' passwords. And the service strongly encourages using strong, secure, randomised passwords with websites, and it ends the use of insecure password storing by browsers.
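To make the host-proof idea concrete, here is an added sketch (not LastPass' code) of a client that encrypts its vault locally and a server that only ever holds the opaque result. The article does not name the algorithms, so PBKDF2-SHA256, AES-256-GCM, the iteration count and every function name below are assumptions chosen for illustration.

```javascript
// Added illustration of host-proof hosting; not LastPass' implementation.
const nodeCrypto = require('crypto');

const ITERATIONS = 200000; // assumed work factor for this demo

// Client: stretch the master password into a 256-bit vault key.
function deriveVaultKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, 32, 'sha256');
}

// Client: encrypt the whole vault (sites included) before anything is uploaded.
function sealVault(entries, masterPassword) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveVaultKey(masterPassword, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), body: b64(body) };
}

// Client: decrypt a downloaded blob; a wrong password fails the GCM tag check and throws.
function openVault(blob, masterPassword) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveVaultKey(masterPassword, raw(blob.salt));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(blob.iv));
  decipher.setAuthTag(raw(blob.tag));
  const plain = Buffer.concat([decipher.update(raw(blob.body)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Server stand-in: stores whatever the client sends and never sees a key.
const serverStore = new Map();
const upload = (user, blob) => serverStore.set(user, JSON.stringify(blob));
const download = (user) => JSON.parse(serverStore.get(user));

function demo() {
  const master = 'correct horse battery staple'; // constructed sample value
  const vault = [{ site: 'example.com', username: 'alice', password: 'constructed-Pw-7!' }];
  upload('alice', sealVault(vault, master));
  const stored = serverStore.get('alice'); // everything a breach of the server yields
  let wrongPasswordRejected = false;
  try { openVault(download('alice'), 'wrong guess'); } catch (err) { wrongPasswordRejected = true; }
  return {
    serverSeesPlaintext: stored.includes('constructed-Pw-7!') || stored.includes('example.com'),
    wrongPasswordRejected,
    roundTrip: openVault(download('alice'), master),
  };
}
```

What an attacker gets from the server is the salt, IV, tag and ciphertext, so the strength of the master password and the key-stretching cost are what stand between a stolen blob and its contents.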

Lastly, but just as important to many of our readers: yes, LastPass lets you import from KeePass, and many, many more password management apps and sites. Heck, if you only want to use LastPass for your web passwords and still keep your more intense security concerns in KeePass, go ahead. You can actually store non-web passwords and data in LastPass, but we'll get to that in a bit.

Intrigued? Even just a little interested? Here's how LastPass can make your web browsing, or maybe the browsing of a friend with really weak passwords, more convenient and secure. Go ahead and create an account if you'd like, but LastPass actually recommends creating that account from a browser extension or software download.

Browser Extensions

Browser extensions are the primary means of getting your usernames and passwords into your web sites. They're all slightly different, but work basically the same: you click an icon, log into LastPass with your One True Password — making sure not to set your extension to remember that password — and then just go about your browsing. When you hit sites that ask for a username and password that you already know, LastPass will drop down a tiny little toolbar and ask if you want to save them. If you need a new username and password, you can have LastPass generate a random, highly secure couple, save them, and never worry about remembering them again.

Here's LastPass' (somewhat clinical) explanation of how their extensions work, demonstrated on Firefox:

Bookmarklets

As we've previously shown, when you're on a system where you can't install your LastPass extension, or if you only like to occasionally fill in a form or login/password field, you can use LastPass bookmarklets to get at your stashed-away passwords. They work on nearly any browser with decent JavaScript capabilities on most any platform.

Secure Notes

Let's say you're looking for a universal password, PIN and other security data database, like KeePass and its ilk. If you find LastPass convenient, you can store any data as a Secure Note, and it gets the same kind of password-protected, blindly encrypted treatment as your passwords. Helpful for those "virtual keyboard" passcodes that banks often use, telephone PIN numbers, and other non-simple security schemes.

Mobile Apps & Site

Small screens, tiny keys and microscopic text fields are a reality of many smartphones. Even if your phone handles password input well, it's hard to find a password syncing solution that meshes well with every browser and system (Mac users have 1Password, but that's a very Mac-universe app). LastPass has dedicated apps, with free 14-day previews, for iPhone, Android, BlackBerry, Windows Mobile, Symbian and Palm WebOS (phew). They generally offer both simple password retrieval databases and in-app browsers for jumping right into a site. If your phone isn't covered by an app, or you don't want to pay the $US14/year for a premium subscription, you can hit the LastPass mobile site to get at your security goods.

One-Time Passwords

If you're in a foreign land or on a sketchy Wi-Fi connection, the last thing you want to do is pass your universal LastPass password over the insecure airwaves. Set up your account with some one-time passwords, then use them whenever you're somewhere not entirely locked down. As soon as you log in, that password becomes invalid, and, as mentioned before, your passwords don't fly over the open air in any case.

That's why I dig LastPass anyways, and it's why I'll be quietly trying to move the other computers in my house and family onto that system. If you have other reasons you dig LastPass, or another web or desktop-based management scheme, tell us all about it in the comments.


Comments

    Last Pass sucks!!! The idea is brilliant but I couldn't make it work and we tried for months.

    The 'ergonomics' were just not cool - cursor routes to unexpected places, too many clicks to select an alternate login and more.

    We went back to Roboform because although LastPass looked wonderful on paper, unfortunately it just didn't deliver!

    *sniff*

    Roboform has a special place in my heart. Anyone who's used the Roboform toolbar with Firefox or IE over the years knows how beautiful it is - sadly the company appear to have gone on extended holiday since about 2004.

    Roboform for Chrome is the worst piece of shtie I've ever seen: Click a toolbar button, enter a username and password, select the passcard, click Fill, enter another password - to have it not even work. I don't think so.

    Roboform for Firefox is fine. If you actually still use Firefox that is.

    Roboform for IE is fine. But I only use that on my Intranet for managing systems that bork with Chrome.

    Roboform for Mac. Umm... yeah, about that. How long has everyone been waiting now?

    Roboform Developers: Every password manager available has the ability to IMPORT Roboform passcards. Yet you ignore your competitors as if they don't exist. If the Import/Export options only work in one direction you can guess what's gonna happen to your market share.

    Whilst I am no fan of LastPass, I tend to agree with the article.

    I think it's lacking the je ne sais quoi of Roboform and its Form Filler is nowhere near as good... but the cloud-sync is great and it works on every platform.

    In this instance functionality outweighs form.

    I've pretty much adapted to LastPass for a long while now and so far so good.

    @Dannelle - You have no idea what you're talking about.
    Lastpass is brilliantly simple.

    Alternate LastPass profile logins are handled with a simple drop-down list at the main login box.

    Alternate logins to websites are as simple as clicking a button on the tiny little toolbar that opens whenever it sees a login/password prompt, and choosing alternate credentials from the list.

    The only time I find lastpass sometimes trips up is when you have multiple different logins in different sections of sites in the same domain. eg. one account to use the web app, and another account to use the forums. But this is all sorted once you've actually saved a user account for each section.

    The best LastPass feature for me is the ability to force logging off the service after 'x' minutes of inactivity.

    I installed the Last Pass extension in Firefox (Leopard) and disabled the Firefox password manager, but now Firefox keeps me logged into all the websites that require password even after I restart the browser and haven't logged in to Last Pass yet.

    This is frustrating since I like the Last Pass concept of having my passwords available everywhere, but the Firefox master password system worked better at keeping them safe in my own computer. No one could automatically log in using my passwords unless they knew my master password, but now is just a matter of launching the browser and voila, I am logged into the websites from the previous browsing session.

    Anyone with the same problem and a possible solution?

    I've been using Passpack (http://www.passpack.com/en/home/) for a while now and I'm really happy with it.

    I have a lot of social media accounts for the companies I work for and Passpack is an online service so that I can use it from any computer.

    It's free for up to 100 passwords.
