
Managing multiple strong passwords can be a pain. I'll discuss a couple of alternatives, including Roboform and Lastpass.

Password management is fundamentally a conflict between passwords that are easy to remember and passwords that are secure. The thing that we end up having to do is to consider using technology to help us remember what the passwords are.

In this video excerpt from an Ask Leo! webinar, I'll walk through using LastPass.


Transcript

As we've spoken about before, password management is fundamentally a conflict between passwords that are easy to remember and yet passwords that are secure, that are fundamentally secure. The thing that we end up having to do is to consider using technology to help us remember what the passwords are.

So the technology that most commonly gets used are a couple of tools called Roboform and Lastpass. They are roughly equivalent in terms of what they do, they are both very good technologies; there are actually several others but I only have experience with these two so those are what I'm going to limit my comments to. The idea is that they each create a database of your passwords on your machine that you can then use the tool to automatically enter and remember for you. The key is that the database is encrypted with a master password that, again, you will have to remember but it's just one master password then that you would have to remember. That then opens up the database to your access and allows you to either see the passwords for whatever sites you are doing or let the tool automatically log you in.

Rather than explain that in excruciating detail, what I want to do instead is to actually run through downloading, installing, and using LastPass. LastPass.com is the site; we are doing the Windows version; the recommended one is usually the right thing to do. LastPass, of course, requires administrative privileges to install (everything seems to): We are doing it in English; specify advanced [installation options]; I forget what they are, but I at least wanted to show you what they list so LastPass the program gets installed here. You have the choice of using LastPass for all users on your computer or only the user that's currently logged in. In the interest of security, if you use this computer for more than one person or rather, if more than one person uses this computer, and has a different login account, I'd recommend setting up LastPass for individual users. In my case, I am the only person that uses my computer so I just make it easy on myself to install it for all users.

There's a plug-in for Internet Explorer; you can replace Internet Explorer's own password manager. If I had been running Firefox, I believe that a Mozilla/Firefox item would show here as well. There's an icon to show 'Fire Up LastPass' and the 'Help Improve' thing is your standard - it will report errors back to LastPass; it may report some usage but it's all anonymous, and it's all not identifiable, traceable back to you and obviously, it's optional. It needs to close Internet Explorer so that it can install the add-on.

So we are going to create a new Last Pass account for this example. I found out in my dry run yesterday that this email account doesn't actually have to exist. I strongly suggest that it do because it will end up being how you login to LastPass web service and how you would be able to get your password back.

Now, this is important: the LastPass password obviously needs to be very strong. I'm going to choose a really poor one for my convenience here. If you forget this password and if the password reminder doesn't work for you (well, they won't even let me use a poor one). If you forget this password, and if the password reminder does not help you get it back, then your data is gone.

One of the key aspects of LastPass and one of the reasons that I personally find LastPass so very appealing is that they, even though they store encrypted data on their servers, they do not have access to its contents; they do not know your password, all of the encryption happens on your machine, in your browser. This data that's stored, the data that's transmitted, the data that is kept by LastPass is not recoverable. That is both a good thing, and in a way, it's a bad thing. If, for example, LastPass were able to give you a new password or were somehow able to recover your password for you that means that there's a way for them to decrypt your data. Because it is fundamentally secure to the point that they can't, the technology insists then that there is no way to get at the data without the correct password. So encrypted data, and you can see here that they actually show it light grey that no one at LastPass can read your confidential data since it's encrypted. It's one thing to say that, but as I'll point out in a few minutes, someone has actually done the research to verify that they do that and they do a very good job of it. And of course, there are license agreements that need to be agreed to. And they are going to test you right away, do you know your password? And I do! Let me choose which items I want to import into LastPass. That would actually take you to your browser and if you have your browser already remembering your passwords for you, you would have the opportunity here to automatically import those into LastPass. And in the particular case, I'm running a virtual machine; it's a relatively clean install of Windows; I don't have any saved passwords. Some choices just for how you want to use it - since I'm the only person who uses this computer, I keep myself logged in at all times.

And this, I kinda laughed the first time I saw it because so many programs want to set your browser's homepage for you. It's really annoying how many programs do that. So, of course, I immediately said do not set LastPass as my homepage. After using LastPass now for I'd say a good couple of months, I can now understand that this turns out to be possibly a valuable thing to do. But if you're first using LastPass, if you haven't done LastPass before, get used to it first, you can always set it as your homepage later. And you can watch the video on your own time, we don't need to do that now and LastPass is installed.

I had seen this, it is Windows, something about the install hasn't communicated back to Windows to say I'm done and it worked. In this particular case, it did work.

So we fire up Internet Explorer, Internet Explorer needs you, this is Internet Explorer 9, Internet Explorer 9 needs you to enable the add-on that was just added so we do that, and what you'll see here is the LastPass menu. When you click on it, it asks you to login. This is the LastPass homepage. Now what's important to realize about this particular page is that it is not on the web. This page is actually a local page, a 'fake' page, if you will, that LastPass creates and displays for you. Now in the interest of some screen real estate, I'm actually going to make the LastPass toolbar go away and you can see why we can do that in a minute...(they're not going to let me). In Firefox, you can actually make the toolbar go away without disabling the add-on. The reason that you don't really need the toolbar is that there is a keystroke that brings you right here.

So, we have LastPass; it's installed; we're logged in; we have an empty what they call a vault - the place where you store usernames, web pages, login. So let's go somewhere and login. Let's go to Hotmail. Don't bother emailing me at that address; I never check it. So I've entered my username and password for Hotmail once. Now I sign in. LastPass comes up with this line that says, 'Should LastPass remember this password?' Yes, please, save this site. You can give it whatever name you like. In fact I'm going to change it to Hotmail. You can group things; you can make it a favorite, you can require that the master LastPass password needs to be entered in order for this to be used. In this particular case, I'm not going to do that. And Auto Login says literally when we go to this page automatically login. We'll see what that is in a moment. Save the site.

So, here I am in Hotmail, I've logged in, we're ready. Now that I'm in here, let's log out. And of course they're going to send me to MSN which is not where I want to go. Let's go back to Hotmail - well, look at that! It entered my username and my password for me and in fact, the red boxes and icons here are what tell me that it was LastPass that did this. 'Keep me signed in' was never clicked. There was nothing in Hotmail or Internet Explorer that caused me, that I instructed, I didn't do anything to instruct anything other than LastPass to remember anything. All of this was entirely because of LastPass. So all I need to do now is click 'Sign in'.

OK, that's kind of cool. We went to Hotmail.com and it remembered the login ID and password for us. It gets a little bit cooler. If I go back to the LastPass vault, you'll see now that there are two groups. There's the Recently Used group and you can control how long that is and then there's this group that has no label. Like I said, when we created this, you could add it to groups. So you can actually organize your logins here. In this case, since we only have the one, it's Hotmail and we've used it. You can edit it which will show you all of the details of that login: the URL that it needs to go to, the name you've given it, the username, the password (yes you can show the password if you want to; no, I'm not going to show you mine), and all of the other options that are included for this. OK, so that's how you can go in and change things if you want to or see what the password is.

But more interesting to me, anyway, is the fact that these over here are links. In a sense, they're bookmarks. And if you click on that bookmark, it automatically takes you to Hotmail, logs you in, for you. So remember, we were logged out, we were signed out. All I did was click on the link in LastPass and it automatically took me there and logged me in. Now, if you have multiple accounts on the same service like I actually have a few, more than one Hotmail account. It will give you the option of choosing which one you want to login with. So that's the only time that becomes a two-step process instead of a one-step process. Also, if I were now to go into Hotmail and change my password, LastPass is smart enough to know that the password I'm changing is for this Hotmail account and it will automatically update and re-encrypt its database.

OK, so, this is actually looking pretty cool so far, right? We've got a database here of passwords. As you can imagine, mine is very, very long. I have a lot of accounts. What that means now, is you can now create and use complex passwords and never, ever have to remember them yourself. By using a tool like LastPass or Roboform, or some of the others, you can have it do all of the remembering for you, which allows you, it frees you from having to have these rememberable passwords. I honestly can't tell you what my banking password is; I do not know; I login with LastPass. I can't tell you what my online brokerage password is. I do not know; I know it's secure. I know it's very secure as is my LastPass entry password (master password), but I can't tell you what the bank password is or what the brokerage password is; all I can do, all I need to remember is my LastPass master password.

Now, this gets even more interesting, right now we are on one machine. If I had a second machine, and I wanted to use it for this, I would install LastPass on that machine. I'd log into the same LastPass account that I had just created and all of the passwords that are associated, all of the account information, all of the passwords, all of the other information that is associated with my LastPass account, become immediately available on that other machine without any other work. So, it's good at remembering things but it's also good at helping you access all of those other accounts from any number of machines that you might have access to. I have access to a bunch of machines. You can bet that I rely on LastPass getting me access to my accounts whether it be from the desktop machine that we're looking at, whether it be from my laptop in the other room, whether it be from my Ubuntu laptop in the basement, whether it be from my Mac in another room. And that's another aspect of it: LastPass is cross platform. If you have a Mac, if you have a PC, if you have a Linux box, you're taken care of. And did I mention that everything that I've talked about so far is totally free? The cost, so to speak, is this ad over here and it will change from time-to-time.

Now, you can use LastPass to save your passwords and login information. I also use it to save my credit card information. I actually have my credit card in LastPass - totally encrypted - totally secure. Why do I do that? Because so many websites when I want to go in and make an online purchase ask me for my credit card information. This way, a couple of clicks and you can see, LastPass automatically fills forms. It does a very good job of identifying where the credit card number's supposed to go, where the address is supposed to go where the little CVV is supposed to go. All of that can be filled in with one click.

Profiles, same thing: I have name, I have an address, I have a phone number; I have a couple of different addresses depending on whether we're talking about my business or my home. You can have, you can set up LastPass to save those kinds of things for you so that it can then enter them automatically with a couple of clicks.

Finally, in the free version, there's this concept of a secure note. And that is nothing more than a text box. Put whatever you want here. It gets saved, encrypted all behind your LastPass master password. And you can recall it whenever you want for whatever you want. You might describe your password creation rules here. You might have your Last Will and Testament here, I don't know. Anything that makes sense to put in something like this would make sense to put into a secure note like this. It's just a place where you can keep whatever you want in a completely secure and portable way.

So, so far we've only talked about the free version. There is an upgrade, the upgrade adds a couple of things. It's $12/yr; it's a buck a month. In my way of thinking, it's dirt cheap. As somebody else once put it, I'd pay them that much a year just to support the development of this thing. The upgrade gets you your mobile versions. I have LastPass on my Android phone. There's one for your iPhone; I have it on my Android tablet. So not only do you have all of your accounts and passwords in a secure place, but that secure place is any device that you choose to use it on.

And I tell you, it's very, very handy to have it in your pocket when you're out and about. I end up using it more often than I would have expected. There's also a couple of random tools; I think they also have a password generator that shows up here in the paid account that will actually generate passwords for you. Roboform has a password generator. Again, much like the GRC perfect password generator we've talked about before, it will actually at a click just generate a completely random password for you. And it's great now because when you're using a tool like LastPass or Roboform, you don't have to remember it anymore. So I'm concerned, I don't want this to sound like a sales job for LastPass. Obviously, I'm very supportive of LastPass and if I haven't done a recommendation of it on the site, I probably will. Much of what I've talked about applies equally well to Roboform; some of the details are a little different; both of the tools have some quirks at times. Sometimes logins for certain types of sites aren't quite as smooth as you might want them to be. But, in general, they do such a great job of making something that is so important: multiple passwords, complex passwords usable that I strongly endorse using a tool like this and you can't really go wrong by using either LastPass or Roboform.

So I think I want to take a quick look at the questions here. If you have any questions, please go ahead and start typing them in.

Cathy asks, 'My banking password is a three level one. Will LastPass deal with this?' If by three level one you mean you have to enter data into three separate pages, it does, but it's not necessarily as smooth as you might like it. My bank, for example, has a two level one. I enter my username on one page then possibly a security question on another page that's optional depending on if I'm on a new computer and then finally my password on the second page. What ends up happening is I have two entries in LastPass. I have a LastPass password for a LastPass entry that gets me to the username page which it automatically fills in and I click on login, that takes me to the password page which gets separately remembered and then it types in my password for me and I click login again. So it actually works fairly smoothly; it does work in those kinds of scenarios.

Mark indicates that the password generator also works in the free version. Mark, I couldn't find it. Normally it's off the More list but that's ok if it's here, that's fantastic. It's a useful tool and if it isn't there, there's certainly some alternatives and like I said, I'm all for giving these guys twelve bucks a year.

Judy points out a very practical point that I've actually written about before, it's very important that someone else knows your password, your master password is what I'm sure she's referring to in the event of your death. Yeah, I've written about that before and in fact, I've found tools like LastPass and Roboform to be incredibly valuable for making that scenario significantly easier. I do have a trusted individual; a couple of trusted individuals who have a password to an encrypted file that has some other information, but ultimately, they have my LastPass master password. By giving them that password, if they need it, they then have access to every account and the current password for every account that I happen to be using LastPass for. It's actually a nice way to bundle up a tremendous amount of security information in a secure way.

Now, Robert points out that he has his master passwords in a safe deposit box that only one person has access to if he can't or is deceased - yes, absolutely. And I do have to point out that it's for more than just death. Any kind of, if you get lost, you get sick, any kind of scenario, that prevents you from accessing your computer. If you go on vacation and you're in some remote place and you get stuck there; there's any number of different ways that this information can become incredibly valuable. In my case, I have a different password that I've sealed in an envelope and given to somebody that they are instructed to open that gives them information about OK, you go here; there's an encrypted file there, you decrypt with this password and that then gives you more information to go on.

So, with that, I encourage you all to investigate it to look into solutions like this if you haven't already; it looks like several of you have and we'll move on to our next segment.

Article C4893 - August 3, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


11 Comments
Bucky
August 5, 2011 12:31 PM

I use Keepass, it has worked well for me.

Gil
August 9, 2011 9:00 AM

I've been using LastPass for about six months and I have no negatives to speak of it. I think the webinar did an excellent job in explaining what LastPass is, but also the functionality of it. Good job!

Snert
August 9, 2011 2:00 PM

I'm just a plain vanilla computer user; a semi-geek.
I don't think I need LastPass or RoboForm. I futz around in my social networks and play a very few on-line games. I don't store debit/credit card info, banking account #s or anything like that on this machine. I don't need to, so I refuse to.
I don't see a need to use LastPass or RoboForm.
But, Mr. Leo, if I ever need something like this, I will take your recommendations to heart.

JJF
August 9, 2011 8:02 PM

Wow Leo! What a wonderful timesaver! Many thanks for the great advice.

Lyn
August 9, 2011 8:23 PM

The problem I have with remembering all those passwords is when I am travelling or on holidays and want to use a 'public' computer to check my Facebook, webmail etc. I do not have a notebook, laptop, iPhone.
How would that work? Can LastPass be kept on a USB stick?

It is possible to download a portable version of Firefox or Google Chrome and then install the LastPass plugin for that portable browser. (I still don't recommend public computers for logging in to anything important, since you have no idea if that computer has malicious keylogging software or hardware).
Leo
10-Aug-2011

Mark J
August 9, 2011 8:59 PM

@Lyn
It is possible to download a portable version of Firefox or Google Chrome

http://portableapps.com/apps/internet/firefox_portable

and then install the LastPass plugin for that portable browser.

Carlos R Coquet
August 11, 2011 8:17 AM

It is important to note that, when using anything stored on someone else's server, you are essentially placing a great deal of faith on that someone else. In this particular case, if the publisher should go out of business or their Web site be down, you will be dead in the water, something that would not happen if you use a product that stores that password database in your own computer. For portability, you would have the program and the database in a flash drive.
Each alternative has its advantages and disadvantages. (Most Windows programs have to be installed on the machine you are using but that is not a requirement. It depends on how the developer writes the program.)

Ken in San Jose
August 13, 2011 11:08 PM

Leo,
I found a free password program "PasswordSafe" from http://pwsafe.org/. It works great and is simple.

Billy Bob
August 21, 2011 2:24 PM

Everybody knows that "joshua" is the most secure password ever. How could you forget to mention that, Leo? Sheesh!

vincent
August 26, 2011 11:31 AM

I'm using roboform right now (the paid version) and would like to switch to Lastpass (mainly because I have to buy a new version of the roboform plugin for virtually every new version of firefox that comes out...).
I suppose there's no (easy) way to export my roboform data into lastpass?

Not that I'm aware of, and I'm making this same transition myself. Roboform doesn't have a convenient export format. I ran both for a while, and I now have Roboform Everywhere's webpage as one of my favorites for logging into via lastpass.
Leo
26-Aug-2011

dan
August 28, 2011 1:28 PM

Lastpass supports import of Roboform, no stress :)

When I tried I could not find them. If it's been added I'd love to know where it is. Perhaps you could point to the instructions?
Leo
30-Aug-2011
