Wednesday, July 20, 2016

LastPass Password Manager

Most people I have met know that long, complex passwords are a good idea. But very few people know of a good way to keep track of all their passwords. I personally have well over 200 accounts that I need to track passwords for. Many people, myself included, get stuck in the habit of picking out a handful of passwords and using them for everything.

Over the years I have tried a few password managers, including KeePass and PassPack. They all had nice features, but they all ended up being such a pain that I was never able to use them to create truly random, unique passwords for every account I have. KeePass did not sync across computers, PassPack had a very limited free version, and the issues go on.

Then I discovered LastPass. It took me a month of usage to fully start trusting it, but slowly I have started using more and more of its features. The best part is the number of features they offer for free. And their first paid level (that many people will want) is only $12/yr at the moment. So the price for the features was exactly what I was looking for.

LastPass syncs across all my computers, or across all my phones, for free (the paid version can do both at the same time). It auto-fills my website passwords with a Chrome plugin. It has been gamified to show me my overall security score and compare it to the score of other users. It supports lots of dual-factor authentication options. It allows me to re-prompt for my password and apply other security enhancements on a per-password basis. It even has built-in form fills, both generic and tailored to sites that require more than just a username and password to log in. And critically, it allows me to back up all the data in my account.

Having an easy backup system is critical for me, because no matter how good software is, and how much they claim they are not going anywhere, anything can happen. Their website could crash, they could go out of business, my encrypted data could get corrupted, I could forget my master password, etc. So I use the backup feature frequently to export a plain-text copy of all my data, including passwords; I then encrypt the file and store it. So if anything ever happens, or better software comes along, I can easily recover using my backup file.

In addition to a good backup system, I also wanted to be sure they could not be hacked. Unfortunately, they have been hacked at least twice. However, the articles and responses to these hacks were so good that it made me feel even more secure using the software: no critical data was lost, users could easily remove the danger by changing the one piece of lost data, and that lost data was encrypted so heavily that it was unlikely anyone would figure it out anyway. I did use their advanced settings to increase my security above the default level, though.

A few things I did to make my account more secure:
- Made sure all my client browser plugins log me off after a reasonable period of inactivity
- Went into my vault's advanced settings and:
  - increased the client-side rounds to something greater than 50k. Because of LastPass's speed warnings, I did this in increments, testing the speed on both my phone and my computer. I also backed up my data first in case the re-encryption corrupted everything.
  - restricted logins to just my country
  - added dual-factor authentication
  - reduced my website logoff settings down to a day
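Why the client-side rounds setting comes with a speed warning, and why a backup before changing it is prudent, as an added illustration (this is not LastPass's code; the password, salt and round counts are constructed sample values, and a real manager uses its own per-user salt and its own default round count). Raising the PBKDF2 round count makes every unlock proportionally slower on your own devices, slows offline guessing against a stolen vault by the same factor, and changes the derived key, so the vault must be re-encrypted under the new key:

```python
import hashlib
import time

# Constructed sample values, not real credentials.
MASTER_PASSWORD = b"correct horse battery staple"
SALT = b"user@example.com"  # assumption: a per-user salt such as the account name


def derive_vault_key(password: bytes, salt: bytes, rounds: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation; `rounds` is the 'client-side rounds' knob."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen=32)


def time_derivation(rounds: int) -> float:
    """Seconds a single unlock costs at this round count on this machine."""
    start = time.perf_counter()
    derive_vault_key(MASTER_PASSWORD, SALT, rounds)
    return time.perf_counter() - start


def attacker_slowdown(old_rounds: int, new_rounds: int) -> float:
    """PBKDF2 cost is linear in rounds, so offline guessing against a stolen
    vault slows down by exactly this factor after raising the round count."""
    return new_rounds / old_rounds


def key_changes_with_rounds(old_rounds: int, new_rounds: int) -> bool:
    """True when changing rounds yields a different key, which forces the vault
    to be re-encrypted (the step worth backing up before)."""
    return derive_vault_key(MASTER_PASSWORD, SALT, old_rounds) != derive_vault_key(
        MASTER_PASSWORD, SALT, new_rounds
    )


if __name__ == "__main__":
    # Measure the per-unlock cost at a low, a moderate and a high round count.
    for rounds in (5_000, 50_000, 100_000):
        print(f"{rounds:>7} rounds: {time_derivation(rounds) * 1000:7.1f} ms per unlock")
    print("key changes when rounds change:", key_changes_with_rounds(5_000, 50_000))
    print("offline guessing slowdown, 5k -> 50k rounds:", attacker_slowdown(5_000, 50_000))
```

Run it on the slowest device you unlock the vault from; the millisecond figure it prints is the delay you will feel on every login at that round count.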