Edit: a ‘feature’ in WordPress publishes anything written from a draft (anything that takes more than one sitting to write, i.e.) as though it had been published on the date the draft was started. Thus, this was published earlier this week, but disappeared back through time into my archives as soon as I hit ‘publish’. Apologies to anyone who was bereft at the lack of blogging on my part.
A couple of months ago, I mentioned that I was looking into using a password manager instead of relying on my memory to store all 184 of my passwords (or thereabouts).
It was a good choice.
I ended up choosing LastPass for my trial. Web research and the experience of a work mate suggested it was easy to use and offered all the functionality I wanted.
What it does
LastPass (and similar products like 1Password) store your passwords in an encrypted vault and fill them into login forms when you ask. Practically, this means you need to remember just one password (the master password that unlocks LastPass) instead of scores of them. It also generates a new random password whenever I ask for one, and offers to autofill forms with details ranging from my address (which it has) to my credit card number (which it doesn’t).
The screenshot below shows how it looks when I log in to Facebook now. The asterisks at the end of the username and password fields show that I have saved information for those fields; the number shows how many different identities I have saved for that site (handy if you’re sharing an account).
I chose LastPass for my system because it works well on my phone, is web based so I can use it at work, and is well priced – $12 a year. You can get it for free if you only want to use it on computers, but I encourage users to pay even then. $12 is a tiny amount to pay for something like this.
What I have to do
Adding a site to LastPass is really easy – when you log in for the first time, it should already be running in the browser. It will ask if you want to save that password, and you can just answer ‘yes’. Total time: 3 seconds.
My process is a bit more complicated. I’m moving from one insecure generic password shared across all my second- and third-tier sites (i.e. the ones where a breach isn’t completely disastrous) to a unique, unmemorable password for each of them.
Each time I log in to a site for the first time since starting to use LastPass (or the second or third time if I’m busy), I’ll stop and change the password to a newly generated random set of characters. It takes about 30 seconds to change the password all up. That would be a burden if I tried to do them all at once, but doing it gradually has worked well and barely affected my timetable at all.
So far, I’ve literally had no trouble with LastPass. 90% of the time I’ll be logging in to sites from my home or work computers and the passwords will come up automatically.
The rest of the time, I’m either using my mobile, or someone else’s computer. If I’m using my mobile, I can use the LastPass browser to access the site that needs a password. The browser on my phone can’t have plug-ins, otherwise I expect I would be able to do it in there.
If I’m on someone else’s computer and can’t install programs, there’s still a fix – I can go to the LastPass website and log in to their web service, then copy and paste the relevant password without it ever showing on the screen. The caveat is that typing the master password into a machine you don’t control exposes it to whatever is running on that machine, so this is only sensible on computers you have reason to trust.
The obvious worry in doing something like this is that LastPass could a) be hacked or b) steal my passwords and use them to steal my stuff. There are a few reasons I’m not worried about that:
- My old system had a single password or similar passwords being used all over the place, so there was a single point of weakness either way. So far, there’s no loss.
- There’s also a gain in security: the single point of weakness in my system is now protected by a company that stakes its entire ability to exist on protecting my passwords. Their whole business relies on beating anyone who tries to crack their security. That means their system is going to be much safer than if I went around giving the same password to every site I want to use, from Facebook to http://www.cutekittenpix.com. If you’re interested in thinking more about this, Lifehacker have already applied their braincells to the same problem.
- At that point, the weakest link in the chain is the staff at LastPass – they could decide that the contents of my accounts are worth more than the $12 a year I give them to protect my information. But that’s going to be hard to pull off – aside from the fact that stealing my passwords would probably result in their staff being arrested for theft, the system is designed so that only I can see the plain-text versions of my passwords. The vault is encrypted on my own device with a key derived from my master password (salted and stretched so it can’t be guessed cheaply), and what sits at their end is only the encrypted result.
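To make the two points above concrete (what a password manager does, and why the provider only ever holds ciphertext), here is a small illustrative vault written for this post. It is not LastPass’s code, and it assumes the Python standard library only: the site password comes from a CSPRNG, the master password is salted and stretched with PBKDF2, and the vault is sealed with encrypt-then-MAC. The HMAC-in-counter-mode keystream is a stand-in for a proper AEAD such as AES-GCM (which a real product would use); the iteration count and the `lock_vault`/`unlock_vault` names are this example’s own choices.

```python
"""Illustrative client-side-encrypted vault (added example, not LastPass code).

Structure is the point: the provider stores salt, nonce, ciphertext and tag;
nothing in the stored blob is readable without the master password.
"""
import hashlib
import hmac
import json
import secrets
import string

KDF_ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor, not a LastPass setting
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random site password from the secrets module (a CSPRNG), never random.random()."""
    if length < 12:
        raise ValueError("refuse to generate short passwords")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key.

    The salt is random per vault, so two users with the same master password
    get different keys and an attacker cannot precompute a lookup table.
    """
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                              KDF_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream; stand-in for a real AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: the tag covers both nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(enc_key: bytes, mac_key: bytes, blob: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce = bytes.fromhex(blob["nonce"])
    ct = bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def lock_vault(master_password: str, entries: dict) -> str:
    """Serialise the vault as it would be uploaded: salt in the clear, everything else sealed."""
    salt = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    blob = seal(enc_key, mac_key, json.dumps(entries).encode("utf-8"))
    return json.dumps({"salt": salt.hex(), **blob})


def unlock_vault(master_password: str, stored: str) -> dict:
    """Re-derive the keys from the stored salt and open the vault; fails closed on a wrong password."""
    data = json.loads(stored)
    enc_key, mac_key = derive_keys(master_password, bytes.fromhex(data["salt"]))
    return json.loads(unseal(enc_key, mac_key, data).decode("utf-8"))


def server_can_read(stored: str, secret: str) -> bool:
    """What the provider's database sees: does the plain-text secret appear anywhere?"""
    return secret in stored


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    site_pw = generate_password()
    vault = lock_vault(master, {"cutekittenpix.com": {"user": "me", "password": site_pw}})
    print("provider sees plaintext:", server_can_read(vault, site_pw))
    print("unlocked user:", unlock_vault(master, vault)["cutekittenpix.com"]["user"])
    try:
        unlock_vault("wrong password", vault)
    except ValueError as err:
        print("rejected:", err)
```

The master password never leaves the device in this design: a rogue insider or a database breach yields only the stored JSON, and the only attack left is guessing the master password offline, which is exactly why it has to be both long and salted/stretched.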
And if all that fails, it’s still not a world-ending problem for me. I’ve kept the passwords for my key email account, my bank account and my work system completely separate from my LastPass use, so that my core services will be safe even if LastPass fails. Plus, those passwords are easier to remember now that I only have four to keep in mind.
Which is why I’m not too concerned about the biggest risk of all: forgetting the master password. Articles like Lifehacker’s Choose (and remember) great passwords have helped me craft a password for LastPass that I haven’t forgotten yet, despite not using it often.
How it’s changed things
Using LastPass has done one simple thing: it remembers my passwords so I don’t have to. While that’s pretty simple, it’s made a big difference for me. I can now:
- Log into sites automatically, or with a single click rather than having to go through a password reset on every third visit to Amazon.
- Stop stressing about which variation of my mnemonic I’d used.
- Remember my four key passwords more easily, since there’s no other passwords for them to get tangled up with.
- Save time logging in! Now that the system is up and running, I know I won’t have to stop and fuss with a password reset to use a site that’s outside my daily routine.
If you’re interested in taking a look for yourself, check out the LastPass website, take a look at one of its competitors like 1Password or KeePass, or see what other clever people have to say about getting a strong password system.