Friday, September 3, 2010

Escaping Password Hell with "LastPass"

There are two or three people out there that recognize the importance of using robust passwords for important on-line resources like banks and PayPal and eBay and such (as well as using different passwords for each site). Most everyone else uses their dog's or first born child's name for every single thing they have to log into on the net... Because it's really hard to remember passwords that are robust, such as E5A@/6Z(aKj&^]RO+V. So in the end most people don't even try.

Admittedly, I was somewhat lax about robust passwords too, until recently - I had one password that I used for casual sites, and a much longer one that involved a combination of numbers and characters for my financial sites. But still, I used that one password at a lot of different places.

Via episode #256 of the Security Now podcast, I've become aware of the free LastPass product, and am now using it for all of my password needs. Here, I'll try to summarize what it does and hopefully how easy it is to use, in the hopes that you'll take the time to start using it too.

Firstly - before we continue - here's what LastPass supports: Windows, Mac OS X, Linux, Firefox, Safari, Chrome, and even Internet Explorer 8^) . So most people will be able to use this cool utility.

OK - onwards... The thing I like most about LastPass (which I'll call "LP" from here on out) is that all of my passwords are stored in encrypted form "in the cloud". This lets me access them from any browser that I have the LP plugin installed on, so I can be anywhere in the world. Since the encryption is done "locally" - i.e. on my computer rather than by the LP site, they are extremely well protected. Not even the LP people have any way of getting my passwords unless I tell them my Master Password. When I need to use a password, LP goes up to my cloud-stored Password Vault, grabs the encrypted password, sucks it down the Internet Pipes, decrypts it, and fills in the password field on a web page.

But - there is a caveat: you will need to have one robust Master Password - it's the "key to the kingdom" of all of the rest of your passwords. It really needs to be "strong" and you really really need to be able to remember it. And - your dog's name or mother's maiden name ain't gonna cut it. (A place to start is - combine the home phone number that you had when you were a kid with the names of your three best friends in high school - e.g. 3042732273JamesFredHomer is a pretty good password.)

Once LP is installed (it automatically installed into both Firefox and IE for me) you can get started. I was able to import all of my passwords from the previous password vault utility that I used (Roboform ToGo), which was nice (it can also import from IE's and Firefox's password caches, as well as a bunch of other password products). Once that was done, I could go to my Password Vault in my browser:

From there I can combine my passwords into Groups (e.g. "Shopping", "Travel", etc.), edit them, delete them, and even Share them (securely) with another LP user. Also, just by clicking on a site name, it will bring that site up and fill in your credentials. For new sites, LP will offer to remember the username and password for each one.

But what I did right after installation is use LastPass's built-in password generator to create new passwords for all of the financial sites that I use. Since different sites have different requirements for passwords - and on the flip side, limitations to what characters/numbers/etc. they can understand - the LastPass generator can be easily configured:

Every time "Generate" is pressed, it will generate a fresh password based on what you have setup for length and contents... The green bar gives you an idea of how secure each new password is.

LP can guide you through the process of replacing your old, crummy, too-short passwords that you've used for the last ten years with much more secure ones that it generates. And the beauty is that you don't have to remember any of them - when you next visit any of the sites that are stored in LP, it will automatically fill in the username and password fields (and it can even press the "login" button for you if you want).

One other significant feature is that LP can fill out most web pages that want your name, phone number, credit card, credit card expiration date, credit card CVV number, ship-to address, bill-to address, etc. You can enter that stuff into LP once; from that point on it will fill in all of those fields for you. And, like the contents of the Password Vault, all of that information is encrypted and safe.

So I mentioned at the outset that LP is free, and everything that I've described (and quite a bit more that I won't go into, lest this become even more of a novel-length post) is free. There are, however, some additional features that are only in the Premium version. One of them is the ability to download and install the LP applet for the iPhone/iPad/iPod Touch, BlackBerry, Android, and Windows Mobile devices so that you can always keep your entire Vault with you. Several other Premium features are there too, as described here. Now comes the bad news - it's gonna cost you... drum roll please... a buck a month. Howsa! I'm trying to think of something else that costs a buck a month... Nope, can't.

But if you don't need any of the Premium stuff, all you have to lose by trying LastPass is the time it takes to install it and learn it, and I encourage you to give it a shot.

Finally: a friend of ours was recently "hacked" on-line and was conned out of a few hundred dollars. She was pretty freaked out about it... I asked her what kind of password she was using. You guessed it, the names of her dogs. I told her about LastPass and was going to help her get it installed and running, but she was able to get it going on her own without any assistance (other than my suggesting ways to create an easy-to-remember Master Password). So I think that's a good testimonial that it's pretty straightforward to use.