Last week (well, last post—I never got around to publishing for the last two weeks) I talked about why passwords are getting easier than ever to crack. If you haven’t read that article, you should read it now, because if you don’t, you’re going to give up before you get through this article.
Yes, I told you it wouldn’t be too easy. Well, it’s not exactly difficult, but it means an hour or three of work for you. But guess what: that’s a lot less trouble than you’d have to take if somebody got into one of your accounts and started screwing up your life. And given how easy it is now, it’s no longer a crazy, improbable possibility.
Besides keeping your passwords safer, LastPass can help you in other ways as well. It can fill out forms for you (of course, there are other tricks for doing this faster as well). It can keep track of what accounts you have on the Internet, which might seem unimportant but is really nice if you visit a site that you vaguely remember and can’t remember if you had an account already set up for. And guess what: you’ll never again sit at a username and password prompt and have no idea what to type in. It may be a small annoyance, but the more small annoyances you fix, the better your life will be.
Here’s how to get going and secure your life. I’m going to take you through some steps that may seem paranoid, but will greatly increase the likelihood that you remain secure not just now, but in the future. (For instance, a strong twelve-character password may be acceptable now, but in five years it may not be anymore. Therefore, I recommend a twenty-character password or better.)
If you can’t read any screenshot below clearly, you can click on it to display it full-size.
1: What Is LastPass?
LastPass is a browser extension that acts as a password manager. It adds a small LastPass button and right-click menu to your browser somewhere, as well as prompting you to autofill a password when you visit a page containing a login form:
LastPass can synchronize your data across multiple computers using the browser extension, so you can use LastPass at home, at work, and on your tablet or smartphone. You can also log onto the LastPass website if you need to access a password from a different computer (you can’t autofill, but you can copy and paste your password, which is good enough for occasional use).
However, you’re not giving your passwords up to LastPass for this convenience. All your data is encrypted on the client side, which means the browser on your local computer deals with everything. The folks at LastPass can never access your data, no matter if they’re curious, get hacked, or have a court order to retrieve your passwords. And the encryption would supposedly take trillions of years to crack with current computers—even if that’s a high estimate, nobody is getting to your passwords anytime soon. (LastPass has a nice page about their security, but I can’t seem to find it right now. If you’re still worried, try to find it, and if you do, post the URL in the comments for me.)
Unless you have an amazing memory or love sitting around memorizing strings of characters, you need a password manager to be fully secure in today’s world. If you don’t want to use LastPass for whatever reason, poke around the Internet and look for a different one (I don’t know of any other ones that can synchronize across the Internet, although you can still sync them using Dropbox or a similar service). Some popular ones include KeePass(X), RoboForm, and Password Safe. The rest of this article will focus on LastPass because I find it to be the easiest to use and most feature-rich.
2: What LastPass will not do
LastPass does not work miracles. It is a useful tool that helps you keep track of secure passwords, but simply getting a LastPass account will not magically increase your security. (This seems to be a fairly common misconception.) For it to work properly, you need to do a few other things:
- Use a strong master password (and, preferably, two-factor authentication). If your password is “password,” all the security measures in the world will be useless.
- Get all your passwords into LastPass’s database. If you don’t know where you have accounts on the Web, it’s going to be difficult to secure them.
- Once you have them gathered together, change all your passwords to something more secure, ideally randomly generated.
- Don’t do anything stupid. Don’t leave your LastPass account logged in on a public computer, write your master password on a sticky note on your monitor, or anything else. Common sense applies.
Ready to start? It’s probably best to wait until you have about forty-five minutes free to do the initial steps.
3: Choosing a Master Password
Before you create your account, you should choose a master password. If you’ve never made a strong password before, this is probably going to cause a few hangups for you. Your master password should be at least twenty characters long. Twenty-five or more is better.
There are a lot of different ways to get a good password. The one I typically use is to pick two or three phrases or words (randomly, using whatever inspiration you want) and string them together, often with some sort of numbers and/or punctuation in the middle. If you do this, it doesn’t matter if one part of the password is fairly guessable by itself—the strength is provided by the fact that two completely random things have been joined.
Here’s one of mine as an example (I don’t use it anymore, of course):
The second part of this password comes from the phrase “You can’t spell evil without vi.” If you don’t know anything about Unix/Linux, you probably don’t get it—which is all the better, because it demonstrates that most people probably wouldn’t even guess the original phrase, without my modification and the first part. The first part is a reference to the fact that gnus are related to *nix and can be remembered by thinking “the gnu is saying the following phrase.”
I could make this password even more secure without too much loss in memorability by capitalizing a random letter or two: 1-stuffed-gnU:no-evIL-wo-vim, or, slightly less secure in terms of guessing but useful if I needed a bit more help to remember, 1-stuffed-gnu:no-eVIl-wo-VIm. I could also add another number somewhere: 1-stuffed-gnu25:no-evil-wo-vim. (The 25 translates to “nose” in my modified version of the Major System, so I could remember this as “stuffed gnu nose.”)
If you don’t like my technique, another good one is using the initials of a phrase. Don’t pick a common phrase or a phrase from well-known literature (if you pick a Bible verse, for example, it is quite easy for a dictionary cracker to try every single verse in the Bible in just a few minutes). You should combine this with something else if you want a 20-character length. Names and birth dates work well when used in combination with something else. (Using only a name with a number after it is a recipe for disaster: cracker programs are available that can hack all common name+number combinations in only a couple of minutes.) You can hunt around the Internet for other good techniques; just be sure to take the sources with a grain of salt (if somebody on Yahoo Answers tells you that a six-character password of your initials repeated twice is a good password, they’re wrong).
“But I won’t remember this password!”
You can really remember pretty much any password of reasonable length, no matter how insane it is. The only thing you have to do is use it. If you enter your password enough, you’re unlikely to forget it, and if you do it even more and you’re a touch-typist, it’s likely the password will even be engraved into your unconscious memory—you can type it without thinking about the words. When I create a new master password for any encryption or password software, I type it ten times right afterwards, ten times later that day, and ten times the next day. As long as I use it regularly after that, I’ve never had trouble remembering my password.
You also get a password hint to help you out; see two paragraphs down.
If you really feel you need to, write down your master password and put it in a safe place. (If you usually keep your wallet with you, it’s probably pretty good—if you lose it, you should notice and have a chance to change your password.) After a few days, once you’re sure you know your password, it’s best to destroy it or put it somewhere really inaccessible, like a safe deposit box.
That said, keep in mind that there is no way to recover your LastPass master password if you forget it (remember that LastPass can never see your data?). This is of course the sensible way to handle information this secure, but most of us are so used to clicking the “Forgot your password?” link that we take it for granted that we can recover passwords anytime we forget them. However, while you can’t reset your password if you forget it, you can provide a password hint that will be emailed to you if you click the “forgot password” link. Since nobody but you will ever see this unless your email account is hacked, you can safely describe the parts of the password (for my example+numbers password, I could say something like “speaker’s nose: evil vim”). Chances are very good that that will be plenty to jog your memory.
At the end I’ll also talk about backing up your password list, so that even if you do forget your master password you won’t be totally screwed.
4: Signing Up
Phew, we’re 1500 words into this article and we haven’t even created an account yet? Don’t panic; in my experience the master password is usually the biggest mental hurdle for new users to overcome.
You can sign up for a LastPass account in several ways, but if you use this referral link both you and I get a free month of LastPass Premium.
Scroll down to “create your account” and fill in your email address, your shiny new master password, and a password hint, as described in the previous section.
You can uncheck “Keep a history of my logins and form fills” and/or “Send anonymous error reporting data…” if you’re really paranoid, but otherwise they should be fine. You do have to check the first two boxes, though. If you picked a good master password, the bar will probably be full.
Click the Download LastPass button and proceed through setup. This step will be different for each operating system and browser, so I won’t walk you through it (it’s not difficult). At some point during the process, you will be prompted to import all “insecure” passwords that are currently stored in your browser’s memory. You should accept this offer and the one to have them deleted from the old storage, as they’ll be safely retained in your new LastPass Vault. You may be shocked to discover how easily LastPass can tell you exactly what all those passwords are—that’s why it’s not a very good idea to store your passwords there!
You may need to restart your browser(s) to install the LastPass extension(s). (If you have multiple browsers, the extension should have been installed in all of them.) After you see the LastPass button (an asterisk with a black background, or a red background if you’re logged in) in your browser, you can click it to log in. There are two screenshots way up at the top if you’re confused.
5: Getting Your Passwords Into LastPass
Adding a new password to LastPass is easy:
The only difficult or annoying part of this process is that you have to repeat it for all the accounts you have on the Internet. The easiest way is to take about a two-week-long break at this point. Every time you want to sign into a website, make sure you’re logged into LastPass (the icon will be red), then log in and make sure to click the “Save Site” button. For now, you’re done—go ahead and put continuing this on your calendar for a couple of weeks from now. Just don’t forget to keep adding those passwords (and don’t forget to come back or you won’t be any more secure than you were before).
If you want to speed the process up, there are a couple tricks. Obviously, if you currently have a pad of paper or a Word document containing a long list of passwords (shame on you), that’s a pretty good place to start. Another trick is to search your email for terms like “account” or “password reset” to remind yourself of what websites you have accounts with (since most websites send service messages to your email, as long as you archive your email this should work fairly well). It’ll probably be months before you have every website in your database, but as soon as you have a fair number of the ones you use frequently, you can proceed on to the next step.
6: Changing Your Passwords
Did you take a good break to find some of your accounts? Good. If you haven’t done it yet, it wouldn’t hurt to try some of the tricks in the paragraph immediately above, like searching through your email or password files. (If you haven’t added one to your database yet, just go to it and log in.)
Although you now have a nice, neat, comprehensive list of all (most of) your accounts and passwords, you’re not any more secure than you were when you started, even though you have a nice fancy password manager. In order to increase your security, you need to change the passwords.
Changing a password can be a bit of a challenge at times; it’s not always the most accessible option. (On one memorable occasion, I had to resort to an eHow article to figure out how to change my Comcast email password.) Fortunately, LastPass has a handy feature to help you out: the security check. The security check runs through your passwords and gives you a report of which passwords are duplicates and which have low strength. To use it, simply open your vault (LastPass button → LastPass Vault) and click the “security check” link on the left-hand side, then click the huge “Start the Challenge” button.
You’ll get a big score (90.1% in my case), a rank, and a short list of the criteria that it used to determine your score. That’s good for seeing how generally secure you are, but the real meat is underneath, where there’s an exhaustive listing of all your LastPass accounts, their strength, which have duplicate passwords, and (if you enable it) the exact plaintext password of each. Here’s a small snippet of mine (usernames blurred for security):
When you see that you have a poor rating on a site, you should click the “visit site” link, log in, and find the “change password” option. I’ll change my Amazon password because it’s currently a duplicate (though a strong password).
After reaching the password change page, click “fill current” to enter your current password. Then click “Generate” to bring up the “Generate Secure Password” dialog box. A random password is about as secure as you can get: there’s no way to guess it aside from brute force. You probably can’t remember it, but that’s what your password manager is for—you only need to remember that one master password.
However, LastPass’s default settings really don’t produce a secure password. Here are my standard settings:
Here are good standard options. Your password length should be 20 or 25 (or more, if you want)—as there’s very rarely any need to type it, there’s little advantage in making it shorter. “Avoid Ambiguous Characters” is useful if you expect you’ll need to type it or copy it—it excludes characters like l, 1, I, and i, so that you won’t make errors because you couldn’t read the password.
Sometimes, though, you’ll encounter a website that imposes silly restrictions, like “the password must be exactly 7, 12, or 62 characters in length” or “the password must consist of exactly two numbers, two special characters, one composed of only straight lines and the other only curves, and thirteen consonants, alternately lowercase and capitalized.” (Okay, they’re not usually quite so bad, but sometimes they feel like it. Once I was trying to change my Yahoo password and was informed that my password could not contain any part of my first name. All well and good, but many moons ago I’d entered my first name as “S,” so my new password was not permitted to contain the letter s.) In this case, simply come back to this dialog box and fiddle with the options until they produce a password that meets the guidelines.
Once you’re done, click “generate” (the password doesn’t update to match your settings until you do), then “accept.” LastPass will fill in your new password. Click the accept or continue button on the website.
This final step is extremely important. After clicking accept, you will receive a notification bar that says “LastPass detected a password change….” Click “Confirm.” If you don’t, LastPass will continue attempting to log in with the old password and you’ll be unable to access the site. (The generated password is always saved as “generated password for x.com” until or unless you click save, so you’ll never completely lose your password and be locked out due to this. Keep that in mind in case it happens to you.)
If you follow these instructions, your passwords should be secure for the most part. It’s a lot of work, but the next time one of your passwords is compromised, you’ll be pretty happy. (I haven’t had a website lose my password information yet, but I have accidentally pasted my password into a live chatroom, twice. It’s a pain when you only use a couple of passwords and have to change them all in an afternoon.)
Next week I’ll talk about increasing the security on your LastPass account itself, as well as some more things you can do with LastPass (filling forms and storing software license keys). Additionally, I’ll discuss how to back up the contents of your LastPass account.
After the LastPass stuff is done, I’ll continue with security and talk about what you should do if one of your accounts is hacked. I’ll also deal with how you can protect yourself from other attack vectors that may allow people to bypass your passwords entirely.
Comments, questions, and problems are welcome.