Securely Synchronize Your Browser Passwords With LastPass
It’s hard to find a website these days that doesn’t require some type of registration or login. With every login, of course, there is almost always a password, and with the password come whatever requirements the website imposes to improve security.
So after you’ve registered at your bank, your three credit cards, your Facebook, your Digg and your blog, you’re so exhausted with usernames and passwords, you begin using your browser’s built-in “Remember This Password” feature. The problem with using this handy feature is that you’re never required to enter another password again. Remembering all those passwords can be quite hard, unless of course you have a method to create strong passwords that are easy to remember.
Now you go home for Christmas, hop on your parents’ computer to check your latest stock portfolio, and you spend the next hour trying to recall your password. This is where a program like LastPass saves the day.
LastPass is a Firefox or Internet Explorer browser add-on that stores all of your passwords locally and synchronizes all of them to any other browser (with the same add-on) using 256-bit AES encryption. The only two requirements are one strong password and one of the previously mentioned browsers.

After going through the incredibly easy Flash-based installation tutorial, the application asks for a strong password as protection and then offers the option to import passwords from Firefox, IE, RoboForm, KeePass, Sxipper and a few others.
Once you have all of your passwords imported, LastPass will fill in all of the username and password boxes it can identify.

If a site isn’t stored in the database, it will simply ask whether you want it to remember the password, as your current browsers already do.

Again, all of these passwords are stored locally. LastPass uses highly sophisticated code to allow this to happen, so nothing sits out in the cloud.
Once stored, the database is easily accessible to view form information if it needs to be modified in any way.

Along with its great password capabilities, LastPass also includes:
Form Filling
Whether it be for credit card payments or simple site registration, once they have all the correct information, LastPass takes care of all of the typing.

Password Generation
Generate incredibly strong passwords if you can’t come up with your own.

Site Sharing
Share a site with another member of your family.

Site Logging
Monitor what sites are being logged into, when and where.

As you can see, LastPass has what many of the commercial form fillers, like RoboForm, have, plus the added sync capability. The form filling also separates it from password managers such as PassPack and Clipperz.
If you are already willing to locally store all of your passwords through your browser, you really can’t go wrong with LastPass. It does the exact same thing, in a much more secure fashion.
Again, LastPass works in both Firefox and Internet Explorer, on Mac, Linux and Windows.
What are your thoughts? Do you have any better sync solutions? Concerns?




Being a Mac user, I started using 1Password awhile back and it’s been great. The obvious problem is that it only works on Macs and not Windows, but I solved that problem by syncing 1Password’s database with Drop Box. Once it’s on Drop Box, you can log in to the web interface, go to the database file, open it, and click the 1Password.html thing and have secure access to all your passwords in any browser. So that’s handy if I don’t have my iPod Touch with me or I’m not at one of my PCs. I think it’s the best method I’ve found for syncing passwords thus far.
I actually tried something similar on Windows (using open source KeePass and syncplicity/dropbox/mesh, even tried syncing portable Firefox) but I found it too cumbersome. For example, I am on a public computer right now and all I have to do is log in to lastpass.com and just click the website I want to log into and it automatically logs me in.
If for some reason it doesn’t you can just click on ‘edit’ to view your username and password. Also, lastpass works on windows, mac, and linux. Ok, now I sound like a fanatic, I should stop now.
PS. I subscribed to these comments, that’s the only reason why I am posting again.
Hi! I have RoboForm running on my XP machine, but now I own a Macbook. Still trying to decide whether to use Safari (it’s upgraded!) or Firefox…I already use 1Password. Can you give detailed instructions of how to use lastpass with Safari and Firefox so I can continue to “sync” everything? I also have Syncplicity running on my PC.
Thanks a lot!
D.
Wow, I’m glad someone is finally posting about last pass! I started using their plugin when they started and it has improved dramatically over a short period of time. I tried all different fill form/password plugins and decided this one was the best. Also, I have no affiliation with last pass, I just love their software! (Especially when my hard drive crashed and voilà! everything was restored.)
oops, I meant if I had the plugin installed on a home computer you can click it to be automatically logged in. Otherwise, on a public computer you just look it up after you log in and type it in.
I am feeling a bit unsettled about all my passwords sitting on someone else’s server. Yes, they would be 256-bit AES encrypted, but there would still be vulnerability, if lastpass.com was cracked, right? A cracker with data could try a wide variety of password-guessing methods, and eventually get in, in theory.
I am probably being a bit paranoid. I would recommend, though, that if you want to try lastpass, that you read
https://lastpass.com/technology.php
and make sure you are comfortable with this. Then, make sure you use a really strong master password. Microsoft has a couple helpful pages for this:
http://www.microsoft.com/protect/yourself/password/create.mspx
http://www.microsoft.com/protect/yourself/password/checker.mspx
Hope this is helpful.
I appreciate the response. You really have to put trust in the product you are using. If you aren’t comfortable with the security they are incorporating to protect your accounts, then I’d recommend against them. Just like if you don’t trust online banking, don’t use that either.
AES encryption is not a function that can be broken by someone who “cracked” the website. AES is a standard adopted by the US government, that to this point has not had a known weakness. One of the biggest risks any cipher has is the use of a weak passphrase. Let’s do some quick math.
If we use a character set of upper/lower case letters, numbers, and space only that gives us 63 characters. Say if we have a simple 7 character password, that gives us 63^7 (3,938,980,639,167) possible password combinations. Just increasing your password by one character in this example raises the number of possible passwords to 248,155,780,267,521.
Also pointed out on the
All encryption is done client side, and not server side. Your secret key never leaves your local machine, and all encryption is done on your local machine as well.
Don’t forget the keyboard that can be used to type your password, hence avoiding keyloggers.
LastPass’ Screen Keyboard certainly helps, as does LastPass’ One Time Password System.
Joe (From LastPass)
Yeah, that’s a feature I completely missed, but have gotten a couple of comments on it. Thanks for the addition.
I’ve been using LastPass for awhile now, and I never thought I’d like it as much as I do. It’s very good at picking up when you’re starting a new account somewhere and asking if you want to store it. It still gets confused with certain flashy websites (where the login field is hidden or slides out or whatnot) or when you need to login to two different parts of the same domain with two different accounts, but overall it’s really awesome and easy to use. It’s kind of scary looking at the list of just HOW MANY passwords it has stored for me now. Luckily, I don’t have to remember any of them anymore. ;P
I’ve been using LastPass for several months now and absolutely love it. I used KeePass before that, and Roboform before that. I think LastPass combines the best of both, because I get the form filler function of Roboform, plus the no-cost aspect of KeePass. And the fact that it works on Linux is another bonus. They’re constantly improving, too.
(I have no connection to LastPass, either. I just really like it.)
I’ve been using LastPass for several months now and really like it a lot. I used KeePass previously, and Roboform before that. I think LastPass combines the best of both- like KeePass, it’s free, but it also has a form-filler. And the fact that it runs on Linux is a huge plus.
I also have been using LastPass for several months and have found it to be the best out of the online password managers. I use it as a bookmark manager for all my password protected sites by putting sites into groups (headings).
Thanks for putting together such a detailed post.
Thanks for the kind words Ellen. I can’t help but spread the word about such an amazing free product.
I actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboForm’s capabilities for use that aren’t even touched on in the User’s Manual for RoboForm. You can get that Report here:
http://www.theroboformreport.com
There is also a FREE version of RoboForm that you can download on this web page, just to test the RoboForm software out for yourself! I highly recommend it!
Completely agree - lastpass is excellent, and I can say from personal experience that Joe goes the extra mile to listen to his customers and be helpful (thanks Joe :-).
Yeah, they say that encryption occurs on the client, and only when that’s done are the files uploaded.
But what if they have bugs in their software that sometimes causes plaintext data to be uploaded by mistake?
It’s difficult to implement encryption into a product with no security leaks. How do you know they don’t have implementation bugs?
I’m not going to go on an open source tirade, but seriously, you have no idea what’s leaving your computer. Even if you use a packet sniffer, can you tell if it’s strongly encrypted, and doesn’t include anything it shouldn’t?
No, you can’t.
I, for one, am simply not comfortable using LastPass.
I use lastpass and love it. But I am still unclear about one aspect of the product, the security; it is not explained clearly for a non-technical user like me.
The following is from the LastPass website:
“All sensitive data is encrypted locally
All encryption/decryption occurs on your computer, not on our servers. This means that your sensitive data does not travel over the Internet and it never touches our servers, only the encrypted data does.”
I can still go to lastpass website from a public computer and enter my login/password and see all my sites in there. All this takes is someone to know the username and password and you are toast.
I am not complaining, I know my risks here. I am looking for more info how this encryption is done locally helps me. There is not much info about this on the website.
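
Added example (not from the original post, its commenters, or LastPass): a Node.js sketch of the client-side encryption model discussed in the comments above, where the key is derived from the master password on the local machine and only ciphertext plus a login hash would be uploaded. The iteration count, the e-mail address used as salt, the choice of AES-256-GCM, and every function and field name are assumptions for illustration; keyspace() reproduces the 63-character arithmetic from the earlier comment.

```javascript
const crypto = require('node:crypto');

const ITERATIONS = 100000; // assumed work factor, not a LastPass parameter

// Derive the 256-bit vault key on the client; it is never sent anywhere.
function deriveKey(email, masterPassword) {
  return crypto.pbkdf2Sync(masterPassword, email, ITERATIONS, 32, 'sha256');
}

// Separate value used only for logging in, so the server never sees the key.
function loginHash(key, masterPassword) {
  return crypto.pbkdf2Sync(key, masterPassword, 1, 32, 'sha256').toString('hex');
}

// Encrypt the vault locally; only the returned record would be uploaded.
function sealVault(email, masterPassword, vault) {
  const key = deriveKey(email, masterPassword);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const data = Buffer.concat([cipher.update(JSON.stringify(vault), 'utf8'), cipher.final()]);
  return { email, loginHash: loginHash(key, masterPassword), iv: iv.toString('hex'),
           tag: cipher.getAuthTag().toString('hex'), data: data.toString('hex') };
}

// Decrypt on any client that knows the master password; null otherwise.
function openVault(record, masterPassword) {
  const key = deriveKey(record.email, masterPassword);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(record.tag, 'hex'));
  try {
    const plain = Buffer.concat([decipher.update(Buffer.from(record.data, 'hex')), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // wrong master password or tampered ciphertext
  }
}

// Number of candidate passwords; each offline guess costs ITERATIONS hashes.
function keyspace(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// Constructed sample data.
const record = sealVault('user@example.com', 'correct horse battery staple',
  [{ site: 'bank.example', user: 'alice', password: 'S3cret!' }]);
console.log(JSON.stringify(record).includes('S3cret!')); // false
console.log(openVault(record, 'correct horse battery staple'));
console.log(openVault(record, 'wrong guess')); // null
console.log(keyspace(63, 7).toString(), keyspace(63, 8).toString());
```

The stored record contains nothing that decrypts without the master password, so what protects it after a server compromise is the strength of that password, which is also why a public-computer login with a known username and password still exposes everything.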