This article was the subject of Fast Talking Podcast episode 163.
UPDATE April 2022: Since this article was published, LastPass has implemented changes and has new ownership. A few years ago, I switched to Bitwarden which offers essentially the same features while being, in my opinion, more trustworthy. If you’re still using LastPass, there’s no need to change — I continue to believe it’s still really good. But if you’re starting from scratch with a new password manager, I now strongly recommend Bitwarden.
Password management can be challenging. Proper password hygiene requires a different, secure password for each service. Let’s take a look at what these two requirements mean and why they’re important.
A secure password is one with enough entropy and length to resist brute force attacks. Entropy, in this context, is the amount of randomness in the password. A password that comprises words in the dictionary has a very low entropy, while a password made up of random characters has a high degree of entropy. A brute force attack uses a powerful computer to try every possible combination of characters until one works. Modern offline brute force attacks can attempt billions or trillions of combinations per second.
Entropy is important because modern password cracking processes are smarter than just starting with A and then trying AB and then ABC. They use patterns derived from the millions of leaked passwords to determine commonalities likely found in your password, and they try those first before moving on to more random combinations.
Length is important because it’s how we can easily make the brute forcing process take much longer. Each character in the alphabet can be upper and lower case, which means every letter we add forces an additional 52 possibilities. Adding numbers and special characters to the password “alphabet” can increase the character depth to 92. There’s the great Password Haystacks tool at GRC to analyze password strength and length and tell you how long a brute force attack would take on the password you give it. Don’t worry – nothing is sent through the internet…it’s all done with your browser, which is important for reasons we’ll examine later in this post.
We’ve all heard of the myriad password leaks from major internet businesses in the last few years. These leaks seem to be increasing – Yahoo is usually good for a new breach announcement every few months now. When passwords are leaked from one service, every user who used the same password on a different service is suddenly vulnerable. If every password you use is unique to each service, then a password breach only impacts your account at the service that was breached.
Why do some security experts recommend, or in some cases demand, that we change our passwords every so often? Because if our password is one that we’ve reused on multiple sites, then the longer we use it, the better the chances that it’ll have been involved in a breach of some service somewhere and our password will be floating around in one of the databases-for-sale available to the hacking community. A frequently refreshed password mitigates this danger. But, if we make sure that each website has a different and secure password, then there’s no need to ever change it.
Here’s a bad password.
Here’s a good password.
It’s unrealistic to think any of us can remember a good password for the hundreds of sites that we use on a regular basis. We must use a password management system.
LastPass is the right password manager
While there are many services that compete for each class of service these days, in my experience there are some absolutely right answers. CrashPlan, for example, is the right answer for file backup. TrueCrypt was the right answer for encryption when I wrote about it in 2008, now it’s TrueCrypt’s offspring VeraCrypt. Doggcatcher is the right answer for podcasts. For password management, the right answer is LastPass.
LastPass is the Cadillac of password management systems. There are several out there — 1Password, KeePass, Dashlane — but in my research and experience, none offers the combination of security, simplicity and enormous feature set found in LastPass.
You name it, and LastPass does it. Browser extensions and an excellent mobile app mean you only have to log in to LastPass and LastPass logs you in everywhere else, automatically filling in your username and password across the web and in your local apps and even Wi-Fi networks. Passwords are only the beginning, as you can store notes, SSNs, QR codes, images and credit card information completely securely. Shopping becomes much easier when LastPass populates credit card information and addresses into web forms.
It features two-factor authentication, so you can enter a one-time-use code in addition to your LastPass password for that important second layer of security. The first time you log in to a site, it pops-up an option to automatically store that credential so you never have to worry about it again. When you’re creating accounts, it generates extremely secure passwords so you don’t have the stress of having to come up with something yourself. It can also audit your security, letting you know which sites have weak passwords and offering you the ability to easily change them. For most sites, it can actually change your passwords for you to something much more secure.
You can also share passwords securely with other LastPass users, which lets us share the ability to login with employees without giving those employees the actual passwords. If an employee leaves, we simply turn off the sharing of the login with that user instead of having to actually change passwords to the different sites the employee was using.
The best part about LastPass is that all your content — passwords, SSNs, notes and even images — is encrypted on your computer before it’s transmitted to the LastPass servers. LastPass never has access to the master password since it, too, is encrypted before it leaves your computer. Even if the LastPass servers are compromised, all a hacker would have access to is the encrypted data which, assuming the master password has enough entropy and length, is useless to anyone other than you.
LastPass has a free tier, which lets you sync any of the same type of device. If you set up your account on a desktop, you can sync with any other computer for free. If you create your account on a phone, you can sync to other mobile devices for free. To sync your phone and computer, you need to upgrade to LastPass Premium, which, at $1 per month, would be a steal at 10 times the price.
If you don’t have a password system in place, get LastPass today. If you currently use one of the other password management systems, take a hard look at LastPass and see if it might make your life even easier. If you look at LastPass and think one of the other solutions works better, I’d love to know why and how — let me know in the comments.