How to protect your passwords with LastPass
If your heart sinks every time your favourite Web service has its passwords hacked, protect your growing list of log-ins with LastPass.
Who can recall the countless website passwords we're asked to stuff into our overspilling brain boxes? And how do we make sure they don't fall into the hands of rogues? One answer is to turn to password manager LastPass -- a service that creates a secure ID on your computer that will remember your passwords and effortlessly log you into your favourite sites.
Each Web account we hold stores data we've entered about ourselves and it all has to be protected. In this guide, we'll look at why you should be using a better password protection strategy, reasons to trust LastPass, how to install it and how to use it.
It's no longer as simple as coming up with a clever password. These days it's best to take extra precautions.
How LastPass looks after your passwords
Like most Web sites, LastPass uses hashing algorithms to process your account details and authenticate you. However, hashing algorithms aren't completely bulletproof, especially when applied poorly.
LastPass stores a hash of your email address and master password on your computer (not its servers), which it uses as an encryption key to encrypt your log-in details for other sites (with a 256-bit AES cypher), before storing them on its servers.
The company doesn't want to know any of your details or your encryption key, so it creates a unique ID token for you by hashing your password and local encryption key together. That ID token is then hashed with a random number when you create your account, which is -- finally -- how it authenticates your account.
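The scheme described above, sketched as an added example (not LastPass code): the use of plain SHA-256, the concatenation order and all class and function names are assumptions made for illustration. A production design would use a slow, iterated key-derivation function rather than a single hash.

```python
import hashlib
import hmac
import secrets


def derive_local_key(email: str, master_password: str) -> bytes:
    """Client side: 256-bit key from email + master password. Never sent to the server."""
    return hashlib.sha256((email + master_password).encode("utf-8")).digest()


def derive_id_token(master_password: str, local_key: bytes) -> bytes:
    """Client side: ID token = hash(local key + password). This is what log-in sends."""
    return hashlib.sha256(local_key + master_password.encode("utf-8")).digest()


class Server:
    """Hypothetical server: keeps only a random salt and hash(token + salt) per account."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, id_token: bytes) -> None:
        salt = secrets.token_bytes(16)  # the "random number" chosen at account creation
        self.accounts[email] = (salt, hashlib.sha256(id_token + salt).digest())

    def authenticate(self, email: str, id_token: bytes) -> bool:
        record = self.accounts.get(email)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.sha256(id_token + salt).digest()
        return hmac.compare_digest(candidate, stored)  # constant-time comparison


def demo():
    # Constructed sample credentials, for illustration only.
    email, password = "alice@example.com", "correct horse battery staple"
    key = derive_local_key(email, password)
    server = Server()
    server.register(email, derive_id_token(password, key))
    good = server.authenticate(email, derive_id_token(password, key))
    wrong_key = derive_local_key(email, "guess")
    bad = server.authenticate(email, derive_id_token("guess", wrong_key))
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The server record holds neither the master password nor the local key, so a leak of that record does not directly expose the key that encrypts the stored log-ins.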
Assuming this has won your trust, let's get down to business.
Installing LastPass on your desktop and browsers
Whether you're a Linux, Windows, or OS X user, there's a desktop download available for you. Just download the installer for your operating system and follow the instructions.
If your browser isn't listed, you can use LastPass' bookmarklets (see below). The following options ask whether you want to replace the password manager in each of the browsers you've opted to add a plug-in to.
Next, you'll be asked to create, or log in to, a LastPass account, after which you can import passwords from your desktop browsers. Once you've imported any saved passwords, it will even offer to cover your tracks by removing all those passwords from your various browser password caches.
Bookmarklets for browsers that don't support plug-ins
If your browser doesn't support plug-ins, you can install bookmarklets that will retrieve your log-in details for you instead.
Sign in and click 'bookmarklets' in the left-hand column of your Vault page. This will launch a pop-up box with three links you can drag onto your bookmark bar.
Use of mobile apps for LastPass is one of the few features that require a premium account -- which is actually quite cheap. Priced at just one US dollar per month, the cost should be trivial to most people. There is a mobile application for just about every mobile platform you can think of -- Android, iOS, Windows Phone 7, Symbian, BlackBerry, and even webOS.
The mobile apps not only provide access to all of your account data, but also feature a built-in browser that can automatically log you into your Web accounts. This avoids having your sensitive accounts, such as those with banks, saved in your default browser's history.
If you're using a mobile device that doesn't have an app, there's also m.lastpass.com, where you can view your account data and install bookmarklets in your mobile browser.
Using LastPass on the desktop
After installing the plug-in on your desktop browser, you'll notice pop-up toolbars offering to remember or fill in your log-in details as you visit Web sites. Via this toolbar, you can set whether LastPass will fill in the username and password fields on a per-site basis. Clicking the options button in the LastPass toolbar allows you to set more preferences, such as auto-log-in, and adding the site to your favourites list.
The plug-in is smart enough to know when you're changing your password too. By clicking the 'Generate' button, you'll be given a new random password, which LastPass will submit to the Web site in question for you, and update your password database.
This is the real value in using LastPass. It makes changing your passwords easy and gives you the auto-log-in ability so you never need to remember your passwords again.
As you explore the LastPass settings, you'll find that you can even store various profiles for filling in forms that contain your contact and credit card details.
Making LastPass even more secure
If using a simple username and password isn't good enough for you, LastPass offers a range of methods to make authenticating yourself even more secure -- if you're a premium user. You can create a set of One Time Passwords (OTPs), which is a list of passwords where each expires after being used once. Taking OTPs a step further, you can combine them with multifactor authentication via your smart phone with Google Authenticator, via a YubiKey device, running Sesame on any USB drive, or even a printed grid of characters.