There are several password managers out there in the wild west of the web, but LastPass has become my favourite - and here is why.
What a password manager does…
As mentioned in Sheogorath's post about the password manager KeePass, different and complex passwords are essential for your security but really hard to remember. This is where KeePass and LastPass jump right in. LastPass aims to be a simple and pleasant way of organizing your accounts. At first glance there are already all the tools you expect a password manager to have. On closer inspection there are many more features waiting to be explored.
- Secure Noting
- Searching and Grouping
- Auto-filling pages and applications
The password generator creates complex and long passwords with a single click. Secure Notes can also be the place for your SSH and PGP private keys, and Identities help with organizing your metadata around the web.
These features are only the beginning of how LastPass impresses me.
Storing passwords in the cloud? Shame on you.
The password vault is technically a file on your drive which is encrypted with AES-256. The encryption key for your vault is derived from a single master password, salted and hashed with PBKDF2 (using SHA-256) to slow down brute-force attacks and defeat rainbow tables. All encryption and decryption is done on your client machine only. This is essential for keeping even LastPass itself out of your data: only you have access, but you still get the comfort of cloud storage, hosted by skilled and experienced security engineers.
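To make the derivation concrete, here is an added example (my own illustration, not LastPass's code; the iteration count, the e-mail-as-salt choice and the extra "auth hash" round are assumptions) showing why the salt defeats rainbow tables and why the iteration count makes every guess expensive:

```python
import hashlib
import time

# Illustrative parameters; these are assumptions, not LastPass's actual settings.
ITERATIONS = 100_000   # PBKDF2 work factor: higher means slower guessing for an attacker
KEY_LEN = 32           # 256 bits, the size of an AES-256 key


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    The per-user salt makes precomputed rainbow tables useless; the iteration
    count makes each individual guess cost real CPU time.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Illustrative login hash (assumed construction): one more PBKDF2 round over
    the vault key. The client sends this to the server instead of the key, so a
    server breach never yields the key that decrypts the vault."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def seconds_per_guess(salt: bytes, iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure what a single password guess costs on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    salt_alice = b"alice@example.com"   # constructed sample salts
    salt_bob = b"bob@example.com"
    # Same weak password, different salts: different keys, so a table built for
    # one user tells an attacker nothing about the other.
    k_alice = derive_vault_key("correct horse", salt_alice)
    k_bob = derive_vault_key("correct horse", salt_bob)
    print("keys differ:", k_alice != k_bob)
    print("auth hash != vault key:", derive_auth_hash(k_alice, "correct horse") != k_alice)
    per_guess = seconds_per_guess(salt_alice)
    print(f"{per_guess * 1000:.1f} ms per guess, "
          f"~{1e6 * per_guess / 3600:.1f} h for a million guesses")
```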
Your vault keeps all your accounts behind a simple and user-friendly interface. They are searchable and can be sorted into several folders or have notes attached to them.
"Only 19% of respondents say they don’t share passwords that would jeopardize their identity or financial information, leaving 81 percent of people who would share those passwords." — The LastPass Blog, 29.03.2016
Cloud storage and network access open up another great possibility. In today's world of social media, sharing your passwords in a secure way is a neat little feature LastPass puts right into your hands - by design.
Secure, still pleasant. Even on mobile.
LastPass integrates really nicely with your browsers and smartphones. Even a LastPass for desktop applications is available; more on this later. When visiting a web page, LastPass can auto-fill or suggest a login for this domain. If nothing is found, it offers to fill in an identity and generate a secure password for you.
On mobile devices there is a secure browser baked right in. When installing apps and signing in, they can also be auto-filled. Bringing the simplicity of a password manager to my mobile device, and never again saving a password directly on the device, was the killer feature that got me.
Your passwords to the challenge
To further improve and maintain your security level there is a Security Challenge for you. It scans your vault and warns you about weak or old passwords. On trusted services like Google and Facebook there is also the possibility to have LastPass auto-change your old passwords in a batch process.
There is also a notification if a website reports a security breach or hack. It then suggests updating your password and may give additional tips.
Life’s little pleasures
Some more advanced features that are often underestimated or not even needed include equivalent-domain definitions, domain and port rules and, of course, two-factor authentication.
When you have one account for several domains and services, you can define those domains as equivalent. When you have several accounts on one domain, but on different sub-domains or just different ports, you can set these specific domains to require an exact match of host and port.
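To show how these two rules interact, here is an added example (my own illustration, not LastPass's code or storage format; the vault entries, domain groups and the naive "last two labels" domain logic are constructed assumptions) that decides which logins a manager would offer for a given page URL:

```python
from urllib.parse import urlsplit

# Constructed sample configuration; the rule names follow the post, not a real format.
EQUIVALENT_DOMAINS = [
    {"example.com", "example.net", "example-sso.com"},  # one account on several domains
]
EXACT_MATCH_HOSTS = {"dev.example.org"}  # here host AND port must match exactly

VAULT = [  # constructed entries: (site URL, username)
    ("https://example.com/login", "alice"),
    ("https://dev.example.org:8443/", "alice-admin"),
    ("https://dev.example.org:9443/", "alice-ops"),
    ("https://mail.example.org/", "alice-mail"),
]
DEFAULT_PORTS = {"http": 80, "https": 443}


def registrable_domain(host: str) -> str:
    """Naive 'site' of a host: its last two labels. (Assumption: a real manager
    would use the public suffix list to handle cases like example.co.uk.)"""
    return ".".join(host.lower().split(".")[-2:])


def equivalent_group(host: str) -> set:
    """Domains treated as the same site as `host`: its own plus any declared equivalents."""
    dom = registrable_domain(host)
    for group in EQUIVALENT_DOMAINS:
        if dom in group:
            return group
    return {dom}


def host_and_port(url: str):
    parts = urlsplit(url)
    return parts.hostname.lower(), parts.port or DEFAULT_PORTS.get(parts.scheme)


def matches(entry_url: str, page_url: str) -> bool:
    e_host, e_port = host_and_port(entry_url)
    p_host, p_port = host_and_port(page_url)
    if e_host in EXACT_MATCH_HOSTS or p_host in EXACT_MATCH_HOSTS:
        return (e_host, e_port) == (p_host, p_port)      # exact host-and-port rule
    return registrable_domain(p_host) in equivalent_group(e_host)  # domain rule


def suggest_logins(page_url: str) -> list:
    """Usernames the manager would offer to auto-fill on `page_url`."""
    return [user for url, user in VAULT if matches(url, page_url)]


if __name__ == "__main__":
    for url in ("https://www.example.net/", "https://dev.example.org:8443/admin",
                "https://dev.example.org/", "https://evil-example.com/"):
        print(url, "->", suggest_logins(url))
```

Note that a look-alike domain such as evil-example.com gets no suggestion, which is exactly the behaviour that helps against the phishing trick discussed further down.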
Two-factor authentication is standard in most services, and so it is in LastPass. You get the ability to use a fingerprint reader, a YubiKey or several authenticator apps, for example from Google or LastPass itself.
When LastPass sucks…
Unfortunately, when using LastPass you trade all that comfort for some security weaknesses. Here are a few examples.
If the servers of LastPass get compromised, an attacker can steal the vaults, account information, password reminders and, in the worst case, the authentication hashes of the users. These hashes are strongly protected, but in this case you should still change your master password - just in case.
Another bad security flaw, although not really caused by a mistake of the developers, is a phishing attack called LostPass, which mimics the LastPass login form to capture your credentials.
Convinced? How to get started…
If you can live with the above and are convinced LastPass could help make your life easier and more secure, I'm going to tell you now what it takes after registration and setup. There are a few things I want you to know on the way to security.
- Make sure your master password is safe. You can use several methods to achieve this.
- Change your password frequently, especially after a security breach.
- Run the Security Challenge frequently to determine if your passwords are still safe.
- Follow the LastPass Blog for recent tips and security updates.
LastPass convinced me as the password manager of my choice because of several things.
- The simple and neat user interface strikes straight through my heart.
- All the features are available on all my devices, whether Android, Windows or Linux.
- The developers are experienced in their field and try really hard to catch up with modern threats.
If you have any questions about LastPass feel free to ask. What do you think?
- Secure Salted Password Hashing - How to do it Properly
- [RFC2898 The PBKDF2 definition](https://tools.ietf.org/html/rfc2898)