I used to use Sxipper because Firefox built-in password manager lacks of features. However Sxipper development has stopped and it doesn’t support Firefox 4 which forces me to look for another password manager. Choosing the best password manager can be tough as there are many available to download. Other than managing or keeping your password, it must be also programmed with the logic of keeping my passwords safe. Surely a password manager allows you to set different complex password on every account but I personally think that the chances of user’s computer being hacked is much higher compared to online servers such as Hotmail/Gmail.
I did a search on the keyword “password” in Firefox Add-ons site and the first one listed there is LastPass with the most weekly downloads. LastPass is undoubtedly one of the most popular password manager today. I have tested LastPass for more than a month and would like to share with you my review on the pros and cons of LastPass.
As a general security rule, you should NEVER use the same password for all of your accounts. If one of the account is hacked, then you lose all of them. The best is to use a different strong, non-dictionary based password for every account. The problem is its impossible to remember all of them. This is when Password Managers comes to play by saving them in an encrypted list so you can refer or access them. All you need to do now is just memorize one master password to view the list of passwords.
1. You can access your passwords anywhere on any computer from your online LastPass Vault. Some people are afraid to use LastPass because they are uncomfortable with the idea of saving their whole password lists in LastPass servers. LastPass strives very very hard to explain to users again and again that they only keep encrypted data on their servers. Your passwords are encrypted on your computer first before it is sent to LastPass servers. Neither hackers who managed to hack in LastPass servers nor LastPass employees are able to view your passwords directly as they are not in “clear text”. Only through dictionary brute force cracking may decrypt the “weak” master password. If a master password can be cracked using a dictionary brute force, then the user is to be blamed for setting a weak master password.
2. Autologin without manually typing username and password. I have personally tested the auto login feature against Keyloggers and Keyloggers wasn’t able to capture anything. Safe and convenient on local computer.
3. Bookmarklets. This feature is found in the LastPass Vault where you can use it to auto login to a site without installing LastPass software/plugin. Very useful when you’re on public computers that doesn’t allow installation of third party software or plugins.
4. One Time Passwords (OTP). You can generate a list of passwords that can be used only one time. Very useful when you need to login to LastPass from an untrusted public computer. A keylogger that managed to capture the one time password is useless since it cannot be used the second time.
5. Multifactor Authentication. Relying only on a single master password alone is very risky because if it is stolen, then the hacker is able to login to your LastPass Vault. Multifactor authentication requires the user to present both username/password and information from another physical item such as the Grid (printable card), Sesame (USB flash drive), YubiKey, Fingerprint and SmartCard authentication.
If a hacker managed to steal your master password, they still won’t be able to login to your LastPass Vault since the physical item is with you. Do note that only the “Grid” is free while the rest of the multifactor authentication requires a premium subscription.
6. Mobile Support. This feature is only available with Premium service for $1/month. Ads are also removed on premium accounts.
LastPass Usage Tips:
As good as LastPass is, it doesn’t mean that using LastPass alone will ultimately keep all your passwords safe. There are some important tips and steps which you should take note of when using LastPass.
1. After creating an account in LastPass, immediately change the password for the email account that you’ve used to register with LastPass using the LastPass Secure Password Generator. Press Alt+G to bring up the password generator and click the Accept button where LastPass will automatically insert the newly generated password into the browser.
Reason: Email account used to sign up with LastPass has already been compromised. The hacker could go to Account Recovery page to change your LastPass master password and gain access to your LastPass Vault. The hacker could also reset your YubiKeys if they have access to the email address. Better to be safe than sorry…
2. You should use multifactor authentication such as the grid, USB, fingerprint, card reader, or YubiKeys.
Reason: LastPass lacks of Screen Keyboard which forces you to type the master password from your keyboard and that information can be captured by keylogger. Currently you can only find the on-screen keyboard on the online LastPass Vault login page.
There is no screen keyboard when creating a LastPass account and changing your Master password in LastPass Vault. Offline mode login also doesn’t have on-screen keyboard since the Screen Keyboard needs to be loaded from LastPass website. If the hacker managed to steal your master password, your list of passwords are still safe because the second authentication is not present.
3. Always use OTP on public computers.
Reason: You don’t have to reveal your master password.
4. Always use the bookmarklets on public computers instead of installing the LastPass addon.
Reason: Although the local cache stored by LastPass in C:\Users\UserName\AppData\LocalLow\LastPass with filenames ending with .sotp .lps .slps .sxml .cac extensions and lp.suid & sites.dat are encrypted, I still feel that it is unnecessary since the bookmarklets works flawlessly.
5. Set a strong, non-dictionary based password for your Master Password. Make sure you memorize it.
Reason: With a master password that is not in the dictionary list, you’re safe from dictionary attack. Brute forcing would probably hundreds of years…
I personally felt that the Master Password should be kept safe at all times even with the availability of the multifactor authentication. I’ve reported this to LastPass and they agreed with me that they should have an on-screen keyboard at all places and it is currently on their TODO list. Until LastPass implements screen keyboard at all places, I would recommend you to use KeyScrambler Professional or Premium which encrypts your master password as you type on your keyboard.
I am sure many of you heard about LastPass being hacked early this month but if you have set a strong, non-dictionary based password or pass phrase, this shouldn’t impact you. In fact after this incident, LastPass has taken a few actions to make their cloud services even more secure.