Secure computing using LastPass

Sometimes, a program or utility becomes such a part of the computing experience that we take it for granted. Such is the case with LastPass; it seems so “there” that I don’t even remember how long I’ve been using it. What I do remember is why I started using it. I had been using the portable version of KeePass, the Open Source password manager, and had built up a large database of passwords. One day, I forgot the USB thumb drive with KeePass on it and was absolutely lost. I decided right then that I needed a solution that was securely accessible from anywhere. That’s when I switched. I highly recommend that you either switch from what you are doing, or start using LastPass today.

Besides the convenience of having all of my site login information in one place, I like the way LastPass makes it easy for me to use secure passwords. Since all I have to remember is the master password to be able to log into LastPass, I don’t have to fudge around with mnemonic systems and such to make easy-to-remember complex passwords; I simply use the program’s built-in password generator to get strong, random password strings.

The trend these days is toward multi-factor authentication. Passwords are, of course, “something you know”; security dongles like SecurID, YubiKey and the like are “something you have.” That would constitute two-factor authentication. For the truly paranoid, LastPass gives you a second factor: the grid. You generate the grid from within your account settings and you print it out. When you log into LastPass, you are presented with a prompt that asks for four random characters from your grid.

Probably the most powerful security feature is the support for one-time passwords (OTP). From a secure PC, you simply log into your secure LastPass vault on the website, configure a few OTPs, print them out and store them in your wallet. Then, if you ever have to access your LastPass vault from a public kiosk or insecure public WiFi hotspot, you just use one of the OTPs. Even if a keylogger snags it, the password cannot ever be used again. Your vault remains secure.
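The single-use property described above, as an added example that is not part of the original post and is not LastPass's own code: a minimal server-side store (the class and method names are hypothetical) that keeps only digests of the issued one-time passwords and burns each one on first use, so a code captured by a keylogger fails on replay.

```python
import hashlib
import hmac
import secrets


class OneTimePasswordStore:
    """Hypothetical store: each issued code verifies at most once."""

    def __init__(self):
        # Only SHA-256 digests are kept, never the plaintext codes.
        # A fast hash is acceptable here because the codes are 128-bit
        # random values, not human-chosen passwords.
        self._unused = set()

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, count: int = 5) -> list:
        """Generate codes for the user to print; retain only digests."""
        codes = [secrets.token_hex(16) for _ in range(count)]
        self._unused.update(self._digest(c) for c in codes)
        return codes

    def redeem(self, candidate: str) -> bool:
        """Return True the first time a valid code is presented, then burn it."""
        wanted = self._digest(candidate)
        match = None
        for stored in self._unused:
            # Constant-time comparison of each stored digest.
            if hmac.compare_digest(stored, wanted):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)  # the code can never be accepted again
        return True

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    store = OneTimePasswordStore()
    printed = store.issue(3)          # constructed sample codes
    print("first use :", store.redeem(printed[0]))
    print("replay    :", store.redeem(printed[0]))
    print("codes left:", store.remaining())
```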

Even if you’re already using some other password manager program, you can easily switch. I mentioned KeePass; I had also been using Firefox’s Password Manager. Instantly, LastPass knew about everything that Firefox knew, which was extremely cool for me. You can also import from 1Password; from Clipperz; from something called Darn! Passwords!; from eWallet; from FireForm; from HP Password Safe; from KeePass; from MSI PasswordKeeper; from MyPasswordSafe; from Passpack; from Password Agent; Password Corral; Password Dragon; Password Keeper; Password Safe; Passwords Max; from PINs Password Manager; from RoboForm; from SplashID; from Sticky Password; from Sxipper, I guess; from TurboPasswords; and from a Generic CSV File. That covers just about everything out there.

I should mention what Steve Gibson, who does the Security Now! podcast with Leo Laporte each week, has to say about it. In Episode 256, “LastPass Security,” Steve delivers his “long-awaited, in-depth review and evaluation of LastPass.” Steve explains the nature of the need for high-security passwords, the problem that need creates, and the way the design of LastPass completely and in every way securely answers that need.

About the Author

Ken Harthun

Ken is our resident security expert with years of experience in the field. He can also carry a tune as an accomplished musician. Ken has written for many publications and presently is a contributor to IT Knowledge Exchange.

One Comment

  1. Just a heads up for Last Pass. I’ve been using it for several years and it is SO easy and secure. This program offers a lot of customization. Just one word of caution. NEVER use the “remember master password” (shouldn’t even be an option). If you are certain you have a very secure network (is there really such a thing?) and never take your laptop with you anywhere, it might be ok. And when you do sign in and your vault is available, use the “hide/show password” for each account very quickly and sparingly.
    Unless there is a major break in security for Last Pass, I will continue to use it and continue feeling secure that my passwords are protected.