In Part 1 of this three part series, we talked about using Cloud Services for backups. In Part 2, we’ll talk about how you can use the cloud to keep track of the myriad passwords you end up collecting and how you can start creating better passwords to protect you from attacks. All this without risking storing your passwords in the open on someone else’s server, and always giving you a secure way to download a local backup.
Most of us have accounts all over the Internet, and most of them use some kind of username and password to let us access our account. It may seem that the only way to keep track of them is to use the same password for most of the accounts. Maybe you use a different one for your bank and a few other places, but it just becomes impossible to remember a different password for each site. You could keep them all on Post-Its along your monitor, but hopefully you know that’s not a good idea. So using a tool of some sort is a great way to get around this. Several years ago I started using the password manager built into my browser to track passwords, and it was a great burden lifted. I still used the same username and password on many sites, simply because I was lazy and didn’t want to create a new one. But I used harder passwords more often and they were all remembered for me. About a year ago, I started using a free service call LastPass to keep track of my passwords, and it has changed the way I work with passwords forever.
As I said, I had been using the password manager built into my browser for a long time, and it had worked pretty well. But I found myself needing to share passwords between my home and work machines, and as a developer, I use lots of different browsers, and it became really annoying to not have my passwords in all of the browsers. It also made me really nervous not to have all the passwords backed up in the cloud. So I needed something else.
I found LastPass and it offered solutions to my problems. It was available in lots of browsers, and it stored all of the passwords online, so it could synch all my browsers and give me an off-site backup as well. I did a little looking into the security of their service of course. Giving all of your passwords to someone online seems a little risky, and isn’t something you’d do lightly. I found several good reviews from some respected places, and the LastPass site itself gave a good explanation of how their security worked. The deal was sealed for me a few months later when Steve Gibson gave an in-depth review on the TWIT podcast Security Now of the lengths LastPass had gone to to secure our information. Basically, your unencrypted passwords never leave your computer. All that LastPass stores is an encrypted blob of nonsense, and only you have the keys to unlock it. The only downside to this is that if you lose your LastPass master password, you’re out of luck. LastPass can’t help you out, because they don’t have any of your passwords unencrypted, so make sure you choose one you can remember.
So How Does it Work?
LastPass has created a solution that really works smoothly. It only drops in when you need it, and the rest of the time it stays out of your way. The key to all of this is the browser plugins. They exist for all major browsers, and some that aren’t so major. Once you install the correct plugin for your browser, You’ll be given the option to import any passwords you have stored in your browser already. It will also offer to lock down your browser security a little better once it’s imported the passwords. If you don’t save your passwords in your browser, or you have more that you don’t store, head to one of the sites that isn’t yet stored in LastPass. Enter your login information as you normally would. After you login, a small green bar will show at the top of your browser asking you if you want to save the site into LastPass. Click the Save Site button and you can enter a name and group for the new site. That’s it! The next time you come to this site, you’ll see another slim bar at the top of the browser asking you if you want to login. You click the AutoLogin button to have LastPass log you into the site automatically, or you can click the AutoFill button to fill in the login form for you and you can click the actual login button like you normally would. This even works if you have multiple accounts on a site. In those cases, clicking the AutoLogin or AutoFill buttons gives you a drop down of all the accounts you’ve saved on a site. I have found a few sites where LastPass doesn’t seem to realize that I’m logging into a site, but in those cases I’ve been able to enter the site manually on the LastPass website.
Creating some Randomness
Another factor of LastPass is it’s ability to automatically generate new passwords for you. Whenever you are filling out a registration form, LastPass offers to generate a password for you. And the passwords they generate are really good. I have mine set to generate a 12 character password that includes upper and lower case letters, numbers, and special characters. The result is pretty random and unguessable. And more importantly, the passwords they give me for each new site are totally unrelated. That means that I no longer have the same password for two sites (in truth, I’m still working my way through some of my old sites to change thier passwords, but all new passwords are random). Again, LastPass uses the slim bars at the top of the browser to offer to generate a password for you. The benefit of using different passwords on each site was driven home for when LifeHacker and then the Sony PlayStation Network were both hacked and their users passwords got out. In the case where you use the same password for all your sites, you’ve now lost your password to everything. Using the LastPass password generator, you no longer have to worry about that kind of crossover.
So the big concerns with a service like this, is what if they get hacked and what happens to your information if the company goes out of business. For the hacking question, LastPass’s policy of encrypting passwords before they leave your machine with a key that only you have should be enough, and it would be way too technical to go into it in more detail, but you can find out more about it on LastPass’s site, or by going to the LastPass episode of Security Now. So what about the possibility that they will go out of business? LastPass has covered that possibility as well. Whenever you want to, you can download an encrypted copy of all your passwords and open them in the standalone tool they provide for free called LastPass Pocket. It lets you view all your passwords after entering the master password. There is also a iPhone and Android app that let’s you view your passwords on your mobile device, although you have to pay a subscription fee to get access to those.
There are many other features of LastPass that I’m not going to go into here. It will securely store your Credit Card or other signup data to make filling out eCommerce forms easier, it can store secure notes to keep track of things you want to have access to everywhere, but don’t want floating around unsecured. They also recently stepped in and rescued the popular free X-Marks bookmark synching service by buying the company before it went out of business.
So, as we’ve seen you can use Cloud Services from LastPass to keep all your passwords backed up in the cloud in way that is secured and with tools that can improve how you create passwords and keep you from using the same one over and over. The ability to download your passwords in a portable tool at any time adds that extra security that keeps you protected even if LastPass were to disappear. In short, it’s the perfect password strategy in my opinion, and it puts my mind at ease over the hundreds of account passwords I’ve got to remember.
One final note, while I’m a big fan of LastPass, it is a commercial product and to get the features like mobile tools you have to pay for it. I want to make it clear that I’m in no way affiliated or compensated by LastPass.
In part 3, we’ll cover Evernote, a service that I’ve been using for a while to keep track of basically every meeting note, reminder, and random thought I’ve had. It could change your life!