Password Security and LastPass

Remembering usernames and passwords for all the online services we use can be an extremely tedious business. What most people do (myself included) is keep about three passwords: a strong one, an OK but not really safe one, and the “123456” one. We assign the strong one to the most important sites, such as email, Facebook and online banking, and spread the other two across sites, forums and services we use less often. Well, to start with, this is completely wrong. If someone learns our main password, they have access to the most important part of our online life, and a password shared across several sites is only as safe as the weakest of them.

With that in mind, most of us create several variants of our strong password using a simple rule that is easy to remember. So far so good. With several passwords for our most important services, plus two more for the less important ones, we can sleep soundly at night (at least until someone who has seen two of our passwords works out the rule).

What happens, though, when we decide to change passwords? The usual advice is that the average user should change passwords every six to twelve months. Not only is it hard to recreate all these passwords, but most of the time it is impossible to remember every site, forum and service we have signed up for and now need to update. This leaves accounts with a password two or three versions old, and on our next login we have to guess whether we already changed it to the newest one or not, and so on.

One solution would be to write down all our credentials per website and update them whenever we change passwords. That sounds like a good solution, but to me keeping our passwords unencrypted in one place is exactly the same as having one password, especially if that file lives on an online host such as your personal web server or a web storage service. If someone gains access there, they have everything.

Given that absolute security is an ideal we will never see in practice, I would like to bring password management systems to the table: systems like RoboForm, 1Password, AnyPassword, Sticky Password, Password Agent and so on. I intentionally left LastPass off that list, because it is the one I want to talk about.

To begin with, a short description of LastPass for those of you who have no idea about password management systems. LastPass is a hosted password manager: it keeps all your passwords in the cloud, and you need only a master password and its browser plug-in to access all your accounts.

The first objection anyone will raise is about handing all their passwords to a cloud service. LastPass does not store your passwords in readable form, and it does not store your master password either. The vault is encrypted in the browser plug-in, on your own machine, with a key derived from your master password; only the encrypted vault is sent to and stored on the server, which never sees the key. The flip side is that the whole scheme is only as strong as the master password the key is derived from, so it has to be a genuinely strong one.

Moreover, someone might ask what the difference is between having one master password and keeping your passwords in a file: if someone obtains either, they have full access to everything. Well, this is where the good stuff starts! LastPass supports two-factor authentication. What does that mean? To access your account you need your master password and also a token. After you enable two-factor authentication you have several options for the token (such as a USB device), but I personally prefer the Grid. The Grid is like a crossword puzzle: after you log in with your master password, the system asks you for some randomly chosen letters from the Grid before the login completes. Two-factor authentication raises the bar considerably, because a stolen master password alone is no longer enough to get in. Note that the second factor gates the login to the LastPass servers; it does not change how hard the encrypted vault itself is to crack if a copy of it is ever obtained by other means.

In addition, if for any reason you do not want to type your master password, you can use the One Time Password feature of LastPass. You can create as many one-time passwords as you like and carry them with you on a USB stick or similar. So if you are at an internet cafe or on any other untrusted computer, you can use a one-time password plus Grid authentication to access your LastPass account. That is about as far as you can raise your security level on a machine you do not control: anything you type there might be logged, but a one-time password is worthless once it has been used, and whatever you look at during that session is still visible to that machine.

Finally, LastPass does what you would expect from any password management system: it generates strong passwords, logs you in automatically where you want it to, and keeps secure notes, and all of this is available from a nice browser extension (Safari, Firefox, Chrome, IE) on any platform you use.

Those are the key security features of LastPass and the reasons it is a great tool for us to use. If you believe LastPass meets your personal security standards, give it a try.