Wednesday, March 3, 2010

The Easy, Any-Browser, Any-OS Password Solution


Whenever we talk passwords, we always preach the same thing: Use strong, difficult-to-remember passwords, and different passwords for every site. Easy to say, extremely difficult to do through sheer willpower. I've tried many password-remembering systems, and this is what I've stuck with.

To paraphrase photographer Chase Jarvis, the best password manager is the one you have with you. Of all the password management utilities out there, I consider LastPass the most elegant compromise between convenience and security, and if you're not using it already, I recommend you start. It's mostly free, plugs into nearly any browser or smartphone, is KeePass compatible, and just works.

Why LastPass?

Why not just use KeePass for all my passwords and be done with it? It's secure, open-source, extensible, and geeks like Gina have sworn by it as a password solution. Oh, and many readers love it, too.

I like KeePass. KeePass is friendly and locks down pretty tight. But when it comes to filling in web passwords, I want the path of least resistance—and I want to convert my friends and family into more secure practices, too. LastPass offers a few advantages over KeePass:

  • Universal: KeePass has a nice collection of extensions and plug-ins, but they're all over the place when it comes to support, updating, and platforms. LastPass offers extensions for Firefox, Internet Explorer, Chrome, and Safari on Windows, Mac, and Linux. There are a few gaps (Opera, mainly), but they're covered in large part by free auto-filling bookmarklets (covered below) and desktop, USB, and mobile software, offered to LastPass' premium subscribers.
  • Simple: LastPass has a multitude of options, settings, tools, and other knobs to twiddle, just like KeePass. If all you want, though, is a better kind of universal password manager that remembers your log-ins, simply install the browser extension, log into LastPass, and let it do its thing. It automatically prompts you to save passwords and form data—though you can turn that off—and fills out username/password fields, with an easy switch to another login name.
  • Secure, yet dummy-proof: My one fear with systems like KeePass, where I'm keeping my own database and, potentially, safe-keeping my own encryption key file, is that I'll do something stupid and delete that file, or forget that ultra-secure master password. Sure, sure—you're a superhero of forethought and memory, and would never do such a thing. Me, I've had too many brushes with Dropbox sync screw-ups (my own fault for tinkering, usually) and memory gaps to leave it up to myself to serve as my own knight to protect the Holy Grail. LastPass uses a single master password to log into your account, sure, and if you lose that, you have to jump through quite a few hoops to get it back. But it is, technically, recoverable.

The short version of LastPass' safety and privacy setup, and its technology, is that the only thing stored on LastPass' servers is a heavily encrypted bundle of your passwords and the sites they belong to—a form of host-proof hosting. They don't have the encryption key to your passwords, you do, and the encryption and decryption all take place on your own computer, where a backup copy of LastPass' records is always kept. If LastPass became evil, or got hacked, the nefarious doers would have to buy one of Google's server farms to break into its users' passwords. The service also strongly encourages using strong, secure, randomized passwords with web sites, and it ends the use of insecure password storing by browsers.
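The host-proof arrangement described above, as an added sketch that is not LastPass' code: the client derives the key from the master password, encrypts the vault locally, and the server only ever holds an opaque blob. The key derivation (scrypt), the cipher (AES-256-GCM), the in-memory `serverStore` and the sample entry are assumptions chosen for illustration, since the page does not name the algorithms LastPass uses.

```javascript
const nodeCrypto = require('node:crypto');

// Client side: stretch the master password into a 256-bit key.
// scrypt and the random per-vault salt are assumptions of this sketch.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.scryptSync(masterPassword, salt, 32);
}

// Client side: encrypt the whole vault before anything leaves the machine.
function sealVault(masterPassword, entries) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: body.toString('base64'),
  };
}

// Client side: decrypt a downloaded blob. Throws on a wrong password or a tampered blob.
function openVault(masterPassword, blob) {
  const key = deriveKey(masterPassword, Buffer.from(blob.salt, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const plain = Buffer.concat([decipher.update(Buffer.from(blob.ciphertext, 'base64')), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Hypothetical stand-in for the service: it stores blobs and never sees a key.
const serverStore = new Map();
const upload = (account, blob) => serverStore.set(account, JSON.stringify(blob));
const download = (account) => JSON.parse(serverStore.get(account));

// Constructed sample data.
const SAMPLE = [{ site: 'mail.example', username: 'alice', password: 'constructed-Sample-pw-1' }];

function demo() {
  upload('alice', sealVault('correct horse battery staple', SAMPLE));
  const stored = serverStore.get('alice'); // everything a breach of the server would yield
  let wrongPasswordRejected = false;
  try { openVault('wrong guess', download('alice')); } catch (err) { wrongPasswordRejected = true; }
  return {
    serverSeesPlaintext: stored.includes('mail.example') || stored.includes('constructed-Sample-pw-1'),
    roundTrip: openVault('correct horse battery staple', download('alice')),
    wrongPasswordRejected,
  };
}
```

In this model the strength of the stored blob against offline guessing rests entirely on the master password and the cost of the key derivation step.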

Lastly, but just as important to many of our readers: yes, LastPass lets you import from KeePass, and many, many more password management apps and sites. Heck, if you only want to use LastPass for your web passwords and still keep your more intense security concerns in KeePass, go ahead. You can actually store non-web passwords and data in LastPass, but we'll get to that in a bit.

Intrigued? Even just a little interested? Here's how LastPass can make your web browsing, or maybe the browsing of a friend with really weak passwords, more convenient and secure. Go ahead and create an account if you'd like, but LastPass actually recommends creating that account from a browser extension or software download.

Browser Extensions

Browser extensions are the primary means of getting your usernames and passwords into your web sites. They're all slightly different, but work basically the same: you click an icon, log into LastPass with your One True Password—making sure not to set your extension to remember that password—and then just go about your browsing. When you hit sites that ask for a username and password that you already know, LastPass will drop down a tiny little toolbar and ask if you want to save them. If you need a new username and password, you can have LastPass generate a random, highly secure couple, save them, and never worry about remembering them again.

Here's LastPass' (somewhat clinical) explanation of how their extensions work, demonstrated on Firefox:

Bookmarklets

As we've previously shown, when you're on a system where you can't install your LastPass extension, or if you only like to occasionally fill in a form or login/password field, you can use LastPass bookmarklets to get at your stashed-away passwords. They work on nearly any browser with decent JavaScript capabilities on most any platform.

Secure Notes

Let's say you're looking for a universal password, PIN, and other security data database, like KeePass and its ilk. If you find LastPass convenient, you can store any data as a Secure Note, and it gets the same kind of password-protected, blindly encrypted treatment as your passwords. Helpful for those "virtual keyboard" passcodes that banks often use, telephone PIN numbers, and other non-simple security schemes.

Mobile Apps & Site

Small screens, tiny keys, and microscopic text fields are a reality of many smartphones. Even if your phone handles password input well, it's hard to find a password syncing solution that meshes well with every browser and system (Mac users have 1Password, but that's a very Mac-universe app). LastPass has dedicated apps, with free 14-day previews, for iPhone, Android, BlackBerry, Windows Mobile, Symbian, and Palm WebOS (phew). They generally offer both simple password retrieval databases and in-app browsers for jumping right into a site. If your phone isn't covered by an app, or you don't want to pay the $14/year for a premium subscription, you can hit the LastPass mobile site to get at your security goods.

One-Time Passwords

If you're in a foreign land or on a sketchy Wi-Fi connection, the last thing you want to do is pass your universal LastPass password over the insecure airwaves. Set up your account with some one-time passwords, then use them whenever you're somewhere not entirely locked down. As soon as you log in, that password becomes invalid, and, as mentioned before, your passwords don't fly over the open air in any case.


That's why I dig LastPass anyways, and it's why I'll be quietly trying to move the other computers in my house and family onto that system. If you have other reasons you dig LastPass, or another web or desktop-based management scheme, tell us all about it in the comments.

[link to original | source: Lifehacker: Top | published: 13 hours ago | shared via feedly]

