How to protect your passwords with LastPass

If your heart sinks every time your favourite Web service has its passwords hacked, protect your growing list of log-ins with LastPass.

David Gilson
David Gilson has always revelled in tech and started writing about it in 2009. He covers the smartphone world and is rather partial to a spot of BASH scripting. David is a freelance writer and is not an employee of CNET.

Who can recall the countless website passwords we're asked to stuff into our overspilling brain boxes? And how do we make sure they don't fall into the hands of rogues? One answer is to turn to the password manager LastPass -- a service that keeps an encrypted vault of your passwords, unlocked with a single master password, and effortlessly logs you into your favourite sites.

Each Web account we hold stores data we've entered about ourselves and it all has to be protected. In this guide, we'll look at why you should be using a better password protection strategy, reasons to trust LastPass, how to install it and how to use it.

Password security should be on everyone's mind, whether you're nervous about the effects of Heartbleed, worried by reported hacking attacks, or simply applying common sense on the Internet.

It's no longer as simple as coming up with a clever password. These days it's best to take extra precautions.

How LastPass looks after your passwords


Like most Web sites, LastPass uses hashing algorithms to process your account details and authenticate you. However, hashing algorithms aren't completely bulletproof, especially when applied poorly -- an unsalted or fast hash of a weak password can be cracked quickly once a site's database leaks.

LastPass derives a key on your computer (not on its servers) by hashing your email address and master password together. That key is used to encrypt your log-in details for other sites with a 256-bit AES cipher before they are stored on LastPass' servers, so the servers only ever hold ciphertext.

The company doesn't want to know any of your details or your encryption key, so it creates a unique ID token for you by hashing your master password and that local encryption key together. Because hashing is one-way, the server cannot work backwards from the token to the key. When you create your account, that ID token is hashed once more with a random number (a salt), and it is this final, salted hash that the server stores and compares against when you log in.
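To make the two-stage scheme described above concrete, here is an added illustration in Python (not LastPass' own code, and not a statement of its exact parameters). It models the three values in play: a vault key derived on the client, a one-way login token derived from that key, and the salted hash of the token that the server stores. The round counts, the use of the email address as the key-derivation salt, and the single extra round for the login token are assumptions for the demonstration; the sample email and password are constructed.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for the demonstration; not LastPass' real settings.
CLIENT_ROUNDS = 100_000   # PBKDF2 rounds run on the client
SERVER_ROUNDS = 100_000   # PBKDF2 rounds run on the server
KEY_BYTES = 32            # 256-bit key, matching the AES-256 vault cipher


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side: stretch the master password, salted with the email
    address, into a 256-bit vault key. This key never leaves the client."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(),
        CLIENT_ROUNDS, dklen=KEY_BYTES,
    )


def derive_login_token(vault_key: bytes, master_password: str) -> bytes:
    """Client side: hash the vault key together with the password to produce
    the token sent to the server. One extra PBKDF2 round is an assumption;
    the point is that the step is one-way, so the token reveals no key."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1, dklen=KEY_BYTES,
    )


def server_register(login_token: bytes) -> dict:
    """Server side: store only a salted, stretched hash of the login token."""
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac(
        "sha256", login_token, salt, SERVER_ROUNDS, dklen=KEY_BYTES,
    )
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, login_token: bytes) -> bool:
    """Server side: recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", login_token, record["salt"], SERVER_ROUNDS, dklen=KEY_BYTES,
    )
    return hmac.compare_digest(candidate, record["hash"])


def client_login(email: str, master_password: str, record: dict) -> bool:
    """Full round trip: the client derives key and token, the server checks
    the token. The vault key itself is never transmitted."""
    key = derive_vault_key(email, master_password)
    token = derive_login_token(key, master_password)
    return server_verify(record, token)


if __name__ == "__main__":
    # Constructed sample account for the demonstration.
    email, password = "alice@example.com", "correct horse battery staple"
    key = derive_vault_key(email, password)
    record = server_register(derive_login_token(key, password))
    print("right password accepted:", client_login(email, password, record))
    print("wrong password accepted:", client_login(email, "wrong", record))
    print("server stores the vault key:", key in record.values())
```

The separation matters: a stolen server database yields only the salted hashes, and even a captured login token cannot be turned back into the vault key, so the encrypted blobs remain unreadable to anyone who does not know the master password.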

Assuming this has won your trust, let's get down to business.

Installing LastPass on your desktop and browsers

Whether you're a Linux, Windows, or OS X user, there's a desktop download available for you. Just download the installer for your operating system and follow the instructions.

The first option you'll be presented with is which browser plug-ins to install -- Chrome, Firefox, Internet Explorer, and Safari are all supported.

If your browser isn't listed, you can use LastPass' bookmarklets (see below). The following options ask whether you want to replace the password manager in each of the browsers you've opted to add a plug-in to.


The install interface is simple and clean.

Screenshot by Eric Franklin/CNET

Next, you'll be asked to create, or log in to, a LastPass account, after which you can import passwords from your desktop browsers. Once you've imported any saved passwords, it will even offer to cover your tracks by removing all those passwords from your various browsers' password caches.


So far, so good...

Screenshot by Eric Franklin/CNET

Bookmarklets for browsers that don't support plug-ins

If your browser doesn't support plug-ins, you can install bookmarklets that will retrieve your log-in details for you instead.

Sign in and click 'bookmarklets' in the left-hand column of your Vault page. This will launch a pop-up box with three links you can drag onto your bookmark bar.

Firstly, 'LastPass Login!' gives you a one-click log-in for most Web sites (being plain JavaScript, the bookmarklet won't work properly on some sites). Secondly, 'LastPass Fill!' fills in log-in forms without logging you in. And finally, 'LastPass Fill Forms!' fills in Web forms such as your contact and payment details with info you've stored in your account.


Plenty of clear useful instructions.

Screenshot by Eric Franklin/CNET

Mobile devices

Use of the mobile apps is one of the few LastPass features that requires a premium account -- which is actually quite cheap. Priced at just one US dollar per month, the cost should be trivial to most people. There is a mobile application for just about every mobile platform you can think of -- Android, iOS, Windows Phone 7, Symbian, BlackBerry, and even webOS.


LastPass for mobile requires a premium account.

The mobile apps not only provide access to all of your account data, but also feature a built-in browser that can automatically log you into your Web accounts. This keeps sensitive sites, such as your bank, out of your default browser's history.

If you're using a mobile device that doesn't have an app, there's also m.lastpass.com, where you can view your account data and install bookmarklets in your mobile browser.

Using LastPass on the desktop

After installing the plug-in on your desktop browser, you'll notice pop-up toolbars offering to remember or fill in your log-in details as you visit Web sites. Via this toolbar, you can set whether LastPass will fill in the username and password fields on a per-site basis. Clicking the options button in the LastPass toolbar allows you to set more preferences, such as auto-log-in, and adding the site to your favourites list.

The plug-in is smart enough to know when you're changing your password too. Clicking the 'Generate' button gives you a new random password, which LastPass will submit to the Web site in question for you and then store in your password database.


This is the real value in using LastPass. It makes changing your passwords easy and gives you the auto-log-in ability so you never need to remember your passwords again.

As you explore the LastPass settings, you'll find that you can even store various profiles for filling in forms that contain your contact and credit card details.

Making LastPass even more secure

If using a simple username and password isn't good enough for you, LastPass offers a range of methods to make authenticating yourself even more secure -- if you're a premium user. You can create a set of One Time Passwords (OTPs), a printed list of passwords where each one expires after a single use, so a password that is shoulder-surfed or keylogged on a shared computer is worthless afterwards. Taking OTPs a step further, you can combine them with multifactor authentication via your smartphone with Google Authenticator, via a YubiKey device, via Sesame running on any USB drive, or even via a printed grid of characters.
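The one-time password list described above is easy to get subtly wrong: the server must keep only hashes of the codes, and each code must be rejected the second time it is presented. The following added example (not LastPass' code) shows the minimal server-side logic in Python; the sheet size, code length and storage layout are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

OTP_BYTES = 6  # 12 hex characters per code; an assumed size for the demo


def generate_otp_sheet(count: int = 10) -> list:
    """Produce `count` random one-time passwords for the user to print.
    Each code carries 48 bits of entropy from the OS CSPRNG."""
    return [secrets.token_hex(OTP_BYTES) for _ in range(count)]


def otp_fingerprint(otp: str) -> str:
    """Hash a code so the server never stores it in the clear. The codes
    are high-entropy random values, so an unsalted SHA-256 is acceptable
    here, unlike for user-chosen passwords."""
    return hashlib.sha256(otp.encode()).hexdigest()


class OtpStore:
    """Server-side record of a printed OTP sheet: a fingerprint per code
    plus a 'used' flag that is set the first time the code is redeemed."""

    def __init__(self, sheet):
        self._entries = {otp_fingerprint(code): False for code in sheet}

    def remaining(self) -> int:
        return sum(1 for used in self._entries.values() if not used)

    def redeem(self, candidate: str) -> bool:
        """Accept a code exactly once. Unknown codes and replays both fail."""
        fp = otp_fingerprint(candidate)
        for stored_fp, used in self._entries.items():
            # Constant-time comparison so a partial match leaks no timing.
            if hmac.compare_digest(stored_fp, fp):
                if used:
                    return False          # replay of a spent code
                self._entries[stored_fp] = True
                return True
        return False                      # code not on this sheet


if __name__ == "__main__":
    sheet = generate_otp_sheet(5)         # constructed sample sheet
    store = OtpStore(sheet)
    print("first use:", store.redeem(sheet[0]))   # accepted
    print("second use:", store.redeem(sheet[0]))  # rejected as a replay
    print("codes left:", store.remaining())
```

In a real deployment the redeem step would need to be atomic against concurrent logins (a database row lock or compare-and-set), and the sheet would be bound to one account and one second factor policy; the example shows only the one-use invariant itself.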


If you're looking to get really hardcore about protecting your passwords.

Screenshot by Eric Franklin/CNET