Last week my manager asked around at work for input on LastPass, a password management service. There are other similar password tools, yet LastPass seems to come out on top among Lifehacker readers. Given that I don’t know anyone that actually uses a password manager, I figured I’d take it for a spin.
Caveat: Head on over to LastPass’ website for more technical information about how the passwords are stored, encrypted, etc. This post is a collection of my observations while getting familiar with the product/service.
The Basics
LastPass is meant to be run as a browser plugin, and they seem to have a version for whatever browser you prefer. The plugin monitors the page content and will auto-fill usernames and passwords based on what’s in your password vault.
Your vault is stored in the cloud and is synchronized to your browser and your mobile device (if you choose to install the app there). Essentially you can get access to what your usernames and passwords are from anywhere with Internet access. (There’s an off-line contingency plan as well, although I haven’t tested it.)
When you sign up for an account, you’ll be asked to pick a master password. Make sure this is something you can remember, but long/nasty enough to be difficult for others to guess.
What I Like
Completion of Web Passwords
This is where LastPass really shines. You visit a webpage that requires a login, and LastPass looks in your vault to see if there’s something to fill in for you. (It doesn’t actually log you in; there’s still a button/link click required.)
Multiple Logins for a Single Site
I have several Bitbucket accounts for work and for personal projects. When I visit the login page, I get an option to choose which account to use. (See the number next to the asterisks.)
Randomized Passwords
One of the goals for LastPass is to prevent password fatigue, that is having to memorize a different password for every site/app that requires one. Now that you don’t have to memorize those passwords, they can be as cryptic as possible. When changing your password, an icon appears giving you the option to generate one automatically.
Import of Existing Passwords
When I first installed the app, it showed me all of the wireless networks I’ve connected to. The passwords and access point configurations were seamlessly stored in the vault as secure notes. (These don’t get auto-filled, but you can look them up when needed by browsing your vault.)
LastPass also makes a list of sites you’ve been to and pre-populates your vault. If you used your browser to cache passwords, those are imported.
Although the intent is good, the UI/UX of getting the passwords into your vault and the categories into which they are placed could use some refinement.
Two-factor Authentication
Google probably has the simplest explanation of two-factor authentication. How it helps you with LastPass is that you need your master password and a numeric code to ultimately gain access. This security feature is helpful if your master password is compromised (and the perpetrator also didn’t steal your phone).
I’m already using two-factor authentication with Google, so this was a snap to get LastPass working with the Google Authenticator app on my Android phone.
Simple Mobile Integration
Disclaimer: I opted for the premium account ($12/year), so I’m not sure how “limited” the mobile app is with the free account.
The main feature is to provide access to your vault. Installing the app walked me through how I would need to configure some of the Android pieces to interface with LastPass. To test this, I signed out of the Trello app; the login page had an option to use the password from my vault — couldn’t be simpler.
Access to Your Vault
As mentioned before, the vault is online and synced on your devices. If you need to look up a password in plain-text, it’s only a few clicks/taps away. You can also make categories; for example, I have categories for work, personal, and shared (e.g., electric bill) accounts.
Password Sharing
My manager has used this successfully to share his business travel accounts with our administrative assistant. She has LastPass on her computer and can use shared credentials to log in as my manager. Once that access is no longer needed, sharing is simply disabled. Also, there’s an option to prevent the person you’re sharing with from seeing the actual plain-text password.
Shortcomings
Web-only
As mentioned previously, the system is plugin-based. Any password fields on other Windows applications (e.g., Skype, the window where you provide your wireless network password) don’t work any differently.
Another web-related scenario that doesn’t work is when you’re dealing with a site that has password protection with htaccess:
Workaround: Store the passwords as secure notes in your vault.
Confusion with the User Interface
The Lifehacker post mentioned in the introductory paragraph backs up this claim. There were multiple times in the Chrome plugin where I wanted to re-categorize an entry, and it simply wouldn’t do anything on the first few tries. Also, the categories/folders simply disappear when they become empty. When having LastPass generate passwords, some sites seemed to have problems committing those passwords, so I ended up with multiple entries in my vault for the same site.
Workaround: Use the web version of the vault instead of the plugin’s version. (I’m not sure if there’s a workaround for the “multiple entry” problem; it may be website-specific.)
No Google Account Integration for Mobile
I changed one of my Gmail passwords, and my phone dutifully told me that authentication (with the old password) failed. Resolving the issue involved me trying three times to type in my new super-cryptic password on my phone. Also, have fun if you have two-factor authentication from Google on that account because you’ll need to hop back and get a code to finish the login process.
Workaround: None that I can see; maybe this is because the authentication is closer to the metal than a third-party app.
Shared Computer Scenarios
Scenario 1:
We do some pair programming at work, which involves connecting to someone’s dev machine. When that person commits code to Bitbucket, a password is required. Because that password isn’t entered into a website, you have to manually type it. The other solution is to pull up your vault (remember the other dev is looking at the screen) and copy/paste the plain-text password.
Workaround: Choose a strong password that you can type from memory.
Scenario 2:
If I’m visiting my friend’s house and I want to pull up something on his computer from my Evernote account, I need to log in first. The preferred solution from LastPass it that my friend also have LastPass in his browser, and then I’d just sign in as myself. (Also, I’d need to remember to sign out before leaving.) Another proposed solution is to use “LastPass Portable”. This involves installing Google Chrome Portable on a flash drive, and then installing the LastPass plugin for that version of Chrome.
Workaround: Access your vault through lastpass.com while using the “private browsing” feature of your browser.
Scenario 3:
Let’s say you decide to sign in to your friend’s computer with LastPass and you step away for a bit. Now, the computer thinks you’re in front of it, giving the person at the keyboard access to your passwords.
Workaround: Temporarily set the security level to a higher setting in the preferences section of their website. For example, you can have it prompt you for the master password any time auto-fill is used.
Conclusion
So far I’ve been pleased with the experience. Granted, I’ve only played with the app/system for a few days, but it does basically what I need it to do.
The biggest pain I’m going through is one inherent to having a plethora of accounts: going through and changing the passwords to better ones. However, the peace of mind I get from knowing that I’m not reusing passwords and that they’re all basically random makes it worth the effort.
If you’ve had any experience with this or other password managers, I’d love to hear what you have to say; just leave a comment below!