Securely Synchronize Your Browser Passwords With LastPass

lastpass   Securely Synchronize Your Browser Passwords With LastPass It’s hard not to find a website these days that doesn’t require some type of registration or login. With every login of course, there is almost always a password. With the password comes with whatever requirements the website has to improve security.

So after you’ve registered at your bank, your three credit cards, your Facebook, your Digg and your blog, you’re so exhausted with usernames and passwords, you begin using your browser’s built-in “Remember This Password” feature. The problem with using this handy feature is that you’re never required to enter another password again. Remembering all those passwords can be quite hard, unless of course you have a method to create strong passwords that are easy to remember.

Now you go home for Christmas, hop on your parents computer to check your latest stock portfolio, and you spend the next hour trying to recall your password. This is where a program like LastPass saves the day.

LastPass is a Firefox or Internet Explorer browser add-on that stores all of your passwords locally and synchronizes all of them to any other browser (with the same add-on) using 256-bit AES encryption. The only two requirements is one strong password and one of the previously mentioned browsers.

lastpassdropdown   Securely Synchronize Your Browser Passwords With LastPass

After going through the incredibly easy flash-based installation tutorial, the application asks for a strong password as protection and then offers the option to import passwords from Firefox, IE, RoboForm, KeePass, Sxipper and a few others.

Once you have all of your passwords imported, they’ll fill all of your identifiable username and password boxes appropriately.

lastpassfilled   Securely Synchronize Your Browser Passwords With LastPass

If a site isn’t stored in the database, it will simply ask you to remember the password, as your current browsers already do.

lastpasssavesite   Securely Synchronize Your Browser Passwords With LastPass

Again, all of these passwords are stored locally. LastPass uses highly sophisticated code to allow this to happen, so nothing sits out in the cloud.

Once stored, the database is easily accessible to view form information if it needs to be modified in any way.

lastpasssites   Securely Synchronize Your Browser Passwords With LastPass

Along with its great password capabilities, LastPass also includes:

Form Filling

Whether it be for credit card payments or simple site registration, once the they have all the correct information, LastPass takes care of all of the typing.

lastpassform   Securely Synchronize Your Browser Passwords With LastPass

Password Generation

Generate incredibly strong passwords if you can’t come up with your own.

passgen   Securely Synchronize Your Browser Passwords With LastPass

Site Sharing

Share a site with another member of your family.

lastpasssitesharing   Securely Synchronize Your Browser Passwords With LastPass

Site Logging

Monitor what sites are being logged into, when and where.

lastpasslogging   Securely Synchronize Your Browser Passwords With LastPass

As you can see, LastPass has what many of the commercial form fillers, like RoboForm have, plus the added sync capability. The form filling also separates it from password managers, such as PassPack and Clipperz.

If you are already willing to locally store all of your passwords through your browser, you really can’t go wrong with LastPass. It does the exact same thing, in a much more secure fashion.

Again LastPass works in both Firefox and Internet Explorer, on Mac, Linux and Windows.

What are your thoughts? Do you have any better sync solutions? Concerns?

The comments were closed because the article is more than 180 days old.

If you have any questions related to what's mentioned in the article or need help with any computer issue, ask it on MakeUseOf Answers—We and our community will be more than happy to help.

33 Comments -

0 votes

Andrew Curfman

Being a Mac user, I started using 1Password awhile back and it’s been great. The obvious problem is that it only works on Macs and not Windows, but I solved that problem by syncing 1Password’s database with Drop Box. Once it’s on Drop Box, you can login to the web interface, go to the database file, open it, and lick the 1Password.html thing and have secure access to all your passwords in any browser. So that’s handy if I don’t have my iPod Touch with me or I’m not at one of my PCs. I think it’s the best method I’ve found for syncing passwords thus far.

0 votes

Kevin

I actually tried something similar on windows (Using open source keepass and syncplicity/dropbox/mesh, even tried syncing portable firefox) but I found it to cumbersome. For example, I am on a public computer right now and all I have to do is log in to lastpass.com and just click the website I want to log into and it automatically logs me in. :) If for some reason it doesn’t you can just click on ‘edit’ to view your username and password. Also, lastpass works on windows, mac, and linux. Ok, now I sound like a fanatic, I should stop now.

ps. I subscribed to these comments, thats only reason why I am posting again.

0 votes

Deb

Hi! I have RoboForm running on my XP machine, but now I own a Macbook. Still trying to decide whether to use Safari (it’s upgraded!) or Firefox…I already use 1Password. Can you give detailed instructions of how to use lastpass with Safari and Firefox so I can continue to “sync” everything? I also have Syncplicity running on my PC.

Thanks a lot!
D.

0 votes

prowse

Ya, just drag and drop the Lastpass Fillin, Login, and/or Form Fill bookmarklets to the Safari Fave bar and your done. Many more browsers are supported now, the only ones not are Orca/Avant and SeaMonkey (the reason? Because you cannot access fine control of Referrers in those browsers; you can add a line to Seamonkey config file, but I dont know the correct code for it yet)

0 votes

prowse

Dropbox is fine, when you have Administrator access to the next computer, and have time and permission to install it on that other computer (*you need that in order to make changes to the files for syncing, for later home use again – sure you can access it and read it using the email invite, but you cannot change it, you can only download the copy in the cloud, change it, and upload a new version IN addition to the first one, then you have to some how merge them when you “get home”, that is IF you cannot install dropbox locally).

0 votes

Kevin

Wow i’m glad someone is finally posting about last pass! I started using their plugin when they started and it has improved dramatically over a short period of time. I tried all different fill form/password plugins and decided this one was the best. Also, i have no affiliation with last pass, i just love their software! (Especially when my hard drive crashed and viola! everything was restored :)

0 votes

Kevin

oops, I meant if I had the plugin installed on a home computer you can click it to be automatically logged in. Otherwise, on a public computer you just look it up after you log in and type it in.

0 votes

prowse

KEVIN and everyone else, a little known “Easter-Egg” is that you can – on a public computer – go to Lastpass.com. login, then go to your vault. Now just click on the username and you will be automatically taken to and logged on that site. Found this out by accident.

0 votes

Jonathan

I am felling a bit unsettled about all my passwords sitting on someone else’s server. Yes, they would be 256-bit AES encrypted, but there would still be vulnerability, if lastpass.com was cracked, right? A cracker with data could try a wide variety of password-guessing methods, and eventually get in, in theory.

I am probably being a bit paranoid. I would recommend, though, that if you want to try lastpass, that you read

https://lastpass.com/technology.php

and make sure you are comfortable with this. Then, make sure you use a really strong master password. Microsoft has a couple helpful pages for this:

http://www.microsoft.com/protect/yourself/password/create.mspx

http://www.microsoft.com/protect/yourself/password/checker.mspx

Hope this is helpful.

0 votes

Dan Orth

AES encryption is not a function that can be broken by someone who “cracked” the website. AES is a standard adopted by the US government, that to this point has not had a know weakness. One of the biggest risk any cipher has is the use of a weak passphrase. Lets do some quick math.

If we use a character set of upper/lower case letters, numbers, and space only that gives us 63 characters. Say if we have a simple 7 character password, that gives us 63^7 (3,938,980,639,167) possible password combinations. Just increasing your password by one character in this example raises the number of possible passwords to 248,155,780,267,521.

Also pointed out on the

All encryption is done client side, and not server side. Your secret key never leaves your local machine, and all encryption is done on your local machine as well.

0 votes

T.J. Mininday

I appreciate the response. You really have to put trust in the product you are using. If you aren’t comfortable with the security they are incorporating to protect your accounts, then I’d recommend against them. Just like if you don’t trust online banking, don’t use that either.

0 votes

prowse

Even online banking is still less secure than 256, online banking is still only at 128 (which will still take 2 Big Blues 3 months to crack, and that is after shutting down all their other important tasks)

0 votes

Haplo

Don’t forget the keyboard that can be used to type your password, hence avoiding keyloggers.

0 votes

Joe Siegrist

LastPass’ Screen Keyboard certainly helps, as does LastPass’ One Time Password System.

Joe (From LastPass)

0 votes

T.J. Mininday

Yeah, that’s a feature I completely missed, but have gotten a couple of comments on it. Thanks for the addition.

0 votes

prowse

Other than this: “Again, all of these passwords are stored locally. LastPass uses highly sophisticated code to allow this to happen, so nothing sits out in the cloud.” this is a great article. Actually, Lastpass does NOT store your login creds LOCALLY, it only encrypts/decrypts using your machine – it HAS to store them (encrypted) “in the cloud”, otherwise you would not be able to access them from their website using another machine!

0 votes

prowse

To be clear, I said ALMOST the opposite. Actually, it does both – stores on 2 servers AND locally IF the plugin is installed by you on the local computer, and then only when using your Lastpass account login. If you are using someone else’s computer temporarily and they DO have Lastpass plugin installed in their browser(s), then only while you are logged in is their a local copy downloaded – nd then only temporarily, the encrypted data is trashed when you logout of the foreign computer.

0 votes

Rebecca

I’ve been using LastPass for awhile now, and I never thought I’d like it as much as I do. It’s very good at picking up when you’re starting a new account somewhere and asking if you want to store it. It still gets confused with certain flashy websites (where the login field is hidden or slides out or whatnot) or when you need to login to two different parts of the same domain with two different accounts, but overall it’s really awesome and easy to use. It’s kind of scary looking at the list of just HOW MANY passwords it has stored for me now. Luckily, I don’t have to remember any of them anymore. ;P

0 votes

John B

I’ve been using LastPass for several months now and absolutely love it. I used KeePass before that, and Roboform before that. I think LastPass combines the best of both, because I get the form filler function of Roboform, plus the no-cost aspect of KeePass. And the fact that it works on Linux is another bonus. They’re constantly improving, too.
(I have no connection to LastPass, either. I just really like it.

0 votes

John B

I’ve been using LastPass for several months now and really like it a lot. I used KeePass previously, and Roboform before that. I think LastPass combines the best of both- like KeePass, it’s free, but it also has a form-filler. And the fact that it runs on Linux is a huge plus.

0 votes

Ellen

I also have been using LastPass for several months and have found it to be the best out of the online password managers. I use it as a bookmark manager for all my password protected sites by putting sites into groups (headings).

Thanks for putting together such a detailed post.

0 votes

T.J. Mininday

Thanks for the kind words Ellen. I can’t help but spread the word about such an amazing free product.

0 votes

Omarra Byrd

I actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboForm’s capabilities for use that aren’t even touched on in the User’s Manual for RoboForm. You can get that Report here:

theroboformreport.com

There is also a FREE version of RoboForm that you can download on this web page, just to test the RoboForm software out for yourself! I highly recommend it!

0 votes

John S

Completely agree – lastpass is excellent, and I can say from personal experience that Joe goes the extra mile to listen to his customers and be helpful (thanks Joe :-).

0 votes

x

Yeah, they say that encryption occurs on the client, and only when that’s done are the files uploaded.

But what if they have bugs in their software that sometimes causes plaintext data to be uploaded by mistake?

It’s difficult to implement encryption into a product with no security leaks. How do you know they don’t have implementation bugs?

I’m not going to go on an open source tirade, but seriously, you have no idea what’s leaving your computer. Even if you use a packet sniffer, can you tell if it’s strongly encrypted, and doesn’t include anything it shouldn’t?

No, you can’t.

I, for one, am simply not comfortable using LastPass.

0 votes

prowse

“But what if they have bugs in their software that sometimes causes plaintext data to be uploaded by mistake?” Because the software on their servers immediately rejects any string NOT long enough, nor any string without proper headers, and asks you to “Try Again”.

“It’s difficult to implement encryption into a product with no security leaks. How do you know they don’t have implementation bugs?” It’s not difficult when you know what you are doing; their day jobs are as programmers, so they have practice. You would know everything of implementation – it is OPEN SOURCE.

“I’m not going to go on an open source tirade, but seriously, you have no idea what’s leaving your computer. Even if you use a packet sniffer, can you tell if it’s strongly encrypted, and doesn’t include anything it shouldn’t?” You are on an Open Source tirade. ESPECIALLY if you use a packet sniffer you know EXACTLY what is leaving your computer. As it is OPEN SOURCE, you compare what is going out to what was just encrypted – if there is any difference, then you would have your proof of a compromise, if there are no differences in the outputs compared, then you have proof that there is NO compromise.

“No, you can’t.” Yes, you can.

“I, for one, am simply not comfortable using LastPass.” For many, I think you prove you know very little of programming. You obviously don’t work for the competition.

0 votes

Sri

I use lastpass and love it. But I am still unclear about one aspect of the product, the security it is not explained clearly for a non technical user like me.

The following is from Lastpass website..

All sensitive data is encrypted locally
All encryption/decryption occurs on your computer, not on our servers. This means that your sensitive data does not travel over the Internet and it never touches our servers, only the encrypted data does.”

I can still go to lastpass website from a public computer and enter my login/password and see all my sites in there. All this takes is someone to know the username and password and you are toast.

I am not complaining, I know my risks here. I am looking for more info how this encryption is done locally helps me. There is not much info about this on the website.

0 votes

prowse

To your last point first, there is no way that you will find out HOW the encryption works, unless you learn how to code in the application that made the opensource product in the firstplace.
.
.
“…All this takes is someone to know the username and password and you are toast. …” You mean, of course, to say “Know the username and password OF THE LASTPASS ACCOUNT.” Well, duh, but that’s why you create a whacky gmail name that no one would think of using, and use lastpass’ own password generator to make a difficult to guess password. But, seriously, there is a comment above to a link that shows how to create a secure PASSPHRASE, that no one else but you would be likely to guess. Regarding use of EMAIL for a Login, that is not as secure as a separate USERNAME, impo, but perhaps Lastpass will make that change – it is on their published wish list.

0 votes

Grolo

I only trust open source password managers.
Lastpass could have a master password.

0 votes

prowse

Lastpass IS open source. A master password? To what, your local computer? That is what they would need; access to your local computer, physical access. The ONLY iffy thing that could gum up the works, is if the ONETIME password you make is cracked. The onetime IS stored on their servers for one time use. There is NO “Master” password.

0 votes

prowse

And, everyone, pls remember, the onetime password is just exaclt that ONE TIME. So, if you login , that is THE ONE TIME. You won’t be able to reset or change any config, because Lastpass asks you for your password AGAIN, but the one time isnt for the session, it is for the ONE TIME. I was curious, tested it, and yes, it is indeed ONE TIME. (I had to say it, because contrary to their website and to popular belief, the onetime password does NOT work through the whole session; the onetime password is so that you can reset or change your account password – that is really all it is good for)

0 votes

tosim

Will LastPass work with Opera10? And yes, I know Opera has a built-in password manager.

0 votes

Ski22

@Prowse. You comments show that you do not fully understand how encryption works and the pitfalls and challenges of implementation. Many people brought up excellent points. Now I’m not saying Lastpass is not safe. But the points people brought up are very valid concerns. I will go though several of them.

1. Just because the the creators of Lastpass are professional programers, does not mean they will not make implementation mistakes. Implementation is the hardest part of encryption. There are so many attack avenues to be concerned about. And it’s impossible to be 100% sure everything is implemented correctly now and in the future. That is why you see Microsoft, Apple, many other big companies continuously come out with security patches to their software. Because it was not implemented correctly. Fixing security flaws and implementations will be never ending.

2. Someone had the concern of a master password backdoor. This is very valid. I’m not saying Lastpass has one. But it is very possible. When you program an encryption, you have have it encrypt to both the user’s password, and a master password. The personnel at Lastpass does not need physical access to you computer to unlock your database. A copy of your encrypted password database resides on the Lastpass servers. They have access to everyone password databases on their server, and *if* they programmed a master backdoor password backdoor, then they can decrypt anyone’s password database right from *their* server.

3. Someone brought up the point where what if there is flaw in a Lastpass software release, and it starts sending data in plain text. Your response was that it was impossiable because it would not be the right length and have the right headers. And it would be rejected. That is wrong on 2 accounts. First, what if the block of data was the correct lenghth and did have the right headers, but the data inside the block was plain test. Unlikely, but very possible if Lastpass accidently implements a new release with this type of bug. Second, even if it did have the wrong record length or wrong header, your local Lastpass still attmepted to send the block of plain text passwords through the internet. Sure the Lastpass server rejected the block, but that was *after* it went through many internet servers in plain text on it’s way to the Lastpass server.

4. Lastpass is NOT open source. They use *some* open source encryption routines, but the Lastpass program itself is not open source. That is the concern. There is no peer review of what really is in their software and if they have any implementation flaws or password backdoors.