Review of LastPass

If you’re looking for password management, please read my review of LastPass, which I can recommend without restrictions.

I’d been using the same - albeit complex - password for nearly all the internet (and intranet) sites I use... with more and more news about cracked servers coming in on a daily basis, I finally decided to do something about the situation.

I researched several sites that reviewed password managers and finally ended up with LastPass, as it fulfills several requirements I have:

  • usability on Mac at least on par with Windows
  • usable on iOS
  • usable on Android
  • auto-fill capability
  • multi-level authentication for security

LastPass ended up covering all of these requirements with bravado. It will auto-fill most webpages you call up automatically; some, it struggles with (strangely enough: my m0n0wall firewall in my local LAN is a candidate), but this is rarely the case.

Also quite nice is the recent addition of autofill on mobile devices, which makes working with passwords a snap for most apps / websites.

When I first signed up (the service costs $12/year, apps are free for all platforms), the safest method for multi-level authentication was a grid (unique to each user) you printed out. To authenticate, LastPass would give you five letter/number combinations which - when followed up on the grid - would generate five alphanumeric characters as an authentication code.

Recently, they have moved to using
Google Authenticator, which reminds me of the RSA SecurID Token used to sign into VPNs. It works like a charm.

To further increase security, you can severely restrict the locale of the IP addresses that can be used to log in. I.e. if you know you’re never going to be in China, you can just close down all Chinese IP addresses as log-in sources. Sure, a Chinese hacker can VPN to an IP address based in Germany, for example, but the mechanism helps.
As the name implies, you do have to give your LastPass account one “last” password that you can easily remember but qualifies for a “safe” password. I.e.: don’t use your cat’s name here, because if someone figures it out, they have access to all of your passwords!

On first installation, LastPass offers to import all passwords from your browser(s). Since I used the browser auto-entry feature extensively, I let LastPass do this. After the fact, I’m not sure if this is a sensible step if you’re using the same password over and over, because you really don’t have much added value. On the other hand, you get a huge list of entries, some of which had up to 10 duplicates in my case, because browsers just don’t do the database thing very well.

LastPass will generate passwords for you; in fact, if you sign up to some service on the internet, LastPass consistently adds a small icon to the right of the fields where you are to enter and confirm the password to be used. I find this quite fascinating, since these fields have all sorts of different labels, etc., but perhaps there is a standard marking used in HTML to designate an entry field for the password.
In any case, if you click on this icon, LastPass will pop up a small window where you can not only generate a random password, but also change the parameters to be used, such as length, wether to make the password pronounceable or wether it can use special characters or not.
Especially the length and special characters settings can be quite important, as there are still services out there that restrict you to, say, 8 letters and/or numbers.

Once you have generated a password for the new service, LastPass offers to save the site (which is something you obviously want to do). You can name the site as you like and also select it as a favorite (which will make it come up at the top of the list in the LastPass panel), as well as assigning a category (such as “Online Shopping”). The categories can be typed in (for new ones) or selected from a dropdown list. They are optional, but very handy.

Perhaps odd at first is the fact that there is no LastPass App for Windows or Mac - you use it from a browser (all relevant browsers are supported). The mobile operating systems do have Apps to make the use simpler on these devices. On the mobile app, you can search for a site, for example (by any of its metadata) and chose “copy password do clipboard” if you need to manually paste it into a service. While you can search for sites in the browser-based “App”, to copy a password you have to open the entry, reveal the password and copy it to the clipboard manually - a bit cumbersome, but you get used to it.

The experience with Apple Safari on the Mac wasn’t so good, but because this is true not just for LastPass, I’ve switched to Firefox a couple of weeks ago. In Firefox, I sometimes have an issue where the Vault (as the database is called in LastPass) doesn’t come up when I click on the LastPass icon in the browser’s menu bar. Restarting Firefox fixes this; I’m not sure if it is a Firefox or a LastPass issue. As I don’t use Chrome much, I can’t say anything about stability, other than it works fine when I test it.

In order to get all your passwords to sync to all your devices (which is absolutely fabulous!), you will need a LastPass account. This also means that your passwords are synced to the LastPass server farm (albeit encrypted). Wether or not this is an issue for you is your decision; I think two concepts are relevant to make it:

1. Nothing on the internet is safe. If you want safe, go back to writing letters on paper and posting them. Oh, and hope no one opens the envelope that isn’t supposed to read the content...

2. I’m quite sure that is one of THE target sites for hackers. Imagine getting your hands on a couple of thousand user records... up to date and as far as I know, no breach has been reported...

You can use LastPass as a local-only installation - in which case your data never leaves your PC (or Mac). This version is also completely free-of-charge! So there is no reason not to test the software. If you only use a single PC or Mac, then this is all you need.

Check LastPass out here.