Password protection starts with ensuring that you have passwords that are long, cryptic, and not tied to anything too personal that others could guess. If a website requires an 8-20 character password, aim for 20. If they allow special characters, use multiple. Avoid using any words in your password that could be found in a dictionary. Similarly, avoid using words from a dictionary even if you replace the “a” with an “@”, or an “i” with a “!”. These substitutions are common and well-known, and cracking tools undo them with a handful of rules or regular expressions.
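To show why the “@ for a” trick buys nothing, here is an added policy check (example code, not from the original post or from LastPass) that undoes the usual substitutions before looking for dictionary words; the dictionary and the substitution table are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed mini dictionary; a real check would load a full wordlist.
DICTIONARY = {"password", "dragon", "monkey", "welcome", "letmein"}

# Substitutions that cracking rule sets reverse routinely ("@" for "a", "!" for "i", ...).
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})


def normalize(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(LEET_MAP)


def contains_dictionary_word(password: str, min_len: int = 4) -> Optional[str]:
    """Return the first dictionary word hidden in the normalized password, or None."""
    norm = normalize(password)
    for word in sorted(DICTIONARY):
        if len(word) >= min_len and word in norm:
            return word
    return None


def check_policy(password: str, min_len: int = 20) -> List[str]:
    """List the ways a candidate password falls short of the advice above."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    word = contains_dictionary_word(password)
    if word:
        problems.append(f"contains dictionary word '{word}' after undoing substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ("Dr@g0n!2024", "P@$$w0rd", "x9#Qv!2mLp^R7sZ&kW4t"):
        print(candidate, "->", check_policy(candidate) or ["ok"])
```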
Why should you care?
Unfortunately, hackers are everywhere and it seems as if no website is safe from them. So what can you do to stay protected? Chances are, you know (or maybe are) that person who uses the same password for multiple websites; that was me, several years ago.
Last Friday, I got the itch to go back in time and play some classic Command and Conquer, so I launched my Origin.com application and attempted to log in. After several failed attempts, I was still unable to log in. As it turns out, my account was one of the ones leaked in a late-December hack. If the hackers had my e-mail address (username) and my password, they could start trying it on other websites. Fortunately, every one of my online accounts uses a unique password and I couldn’t tell you from memory what they are, even if I wanted to.
How to remember all of your passwords
LastPass has browser extensions for the 4 major browsers and can be used to automatically log you into all of your websites; but that’s just the tip of the iceberg. Once the browser extension is installed and you’ve logged into it, simply navigate to your different websites, and log in. The plugin will detect login forms, and will prompt you to save your credentials. Through the “advanced” options of a site, you can also add additional fields needed for login, such as group IDs, company codes, etc.
Ok – we’ve just replaced the built-in browser capabilities, now let’s get to the cool stuff.
When creating a new account or changing a password, LastPass will detect the password field(s) and will place a small icon in it. Clicking the icon will bring up a password generation tool – complete with character type and size limit options to fit any requirement (it also fills out both the password and confirmation fields for you). Of course when changing a password, LastPass will automatically offer to update the record with your newly generated password.
Multiple logins for the same website? No problem – the seamless integration allows you to select which account/password combination to use when signing in.
How to protect your database of passwords
They offer a ton of security options when configuring your LastPass account. Some of the highlight options are:
- using multi-factor authentication (Google Authenticator, YubiKey, random characters from a grid you’d store on your person, and others)
- requiring your “master” password to view/edit (and any custom combination in-between that you want)
- whitelisting specific mobile devices that are allowed to access your account
- limiting access from Tor networks
- sharing your website logins with other LastPass users without letting them see your password (but still allowing them to use it)
- and many more that may have to get their own blog post.
One security option worth noting, which was too big for a bullet point, is the “Identities” feature. You can create as many identities as you want and place your accounts/passwords/notes in those identities (they can belong to more than one). Let’s say you use LastPass on your work computer, but only use it for work-related stuff – no banking or other personal sites. You can assign your browser plugin to a “Work” identity and then only the approved sites can be used. The only way to change your identity back to “All” or something else is with your master password.
Beyond Basic Password Storage
Besides storing passwords, LastPass can also store profiles for various forms. These forms could have all of your billing information, and/or shipping information – allowing you to pre-fill websites with the click of a button. Need more? You can upload your own attachments and create your own “secure notes” to store in LastPass, and leverage their security and encryption. Like any good password manager, you can organize your accounts and notes into folders.
Probably one of the coolest features though, and certainly one of my favorites, is the “Security Challenge”. If you initiate it, LastPass can scan all of your stored websites and their passwords, and give you a detailed report of your overall security. This report includes all websites that are sharing the same password (grouped by password, which itself is omitted from the report), and the strength of each password used throughout your LastPass account. They will also compare all of the usernames that you use against known lists of exposed credentials to see if you are on any of those lists and alert you if you are.
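The same kind of audit, as an added example rather than LastPass’s own code: it groups vault entries by password while keeping the password out of the report, scores each password, and checks usernames against a breach list. The vault entries and the exposed-username list are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed vault entries: (site, username, password). Not real credentials.
VAULT: List[Tuple[str, str, str]] = [
    ("shop.example", "alice@example.com", "Tr0ub4dor&3"),
    ("forum.example", "alice@example.com", "Tr0ub4dor&3"),
    ("bank.example", "alice", "k8#Vq2!zLp9$wR4mNx7e"),
    ("mail.example", "alice@example.com", "Tr0ub4dor&3"),
]

# Constructed list of usernames seen in a credential leak (lower-cased).
EXPOSED_USERNAMES: Set[str] = {"alice@example.com", "bob@example.com"}


def reuse_report(vault) -> List[List[str]]:
    """Return groups of sites that share one password; the password itself never appears."""
    groups: Dict[str, List[str]] = {}
    order: List[str] = []
    for site, _user, password in vault:
        if password not in groups:
            groups[password] = []
            order.append(password)
        groups[password].append(site)
    # Only the site lists are emitted, one list per reused password.
    return [sorted(groups[pw]) for pw in order if len(groups[pw]) > 1]


def password_strength(password: str) -> int:
    """Crude score: length plus four points per character class present."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) + 4 * sum(classes)


def exposed_accounts(vault, exposed: Set[str]) -> List[Tuple[str, str]]:
    """Return (site, username) pairs whose username is on the exposed list."""
    return sorted({(site, user) for site, user, _pw in vault if user.lower() in exposed})


if __name__ == "__main__":
    print("reused:", reuse_report(VAULT))
    print("exposed:", exposed_accounts(VAULT, EXPOSED_USERNAMES))
    for site, _user, pw in VAULT:
        print(site, "strength", password_strength(pw))
```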
I am confident in knowing that if any one of the 200+ websites that I have stored in LastPass should get hacked, the damage will be limited to just that website, as no two passwords are the same and all passwords are randomly generated using the maximum complexity allowed by each website. Did I mention that all of this is completely free? The only thing you have to pay for (optionally) is the mobile application, which is a measly $1 per month (paid annually).
Are you already (or maybe were) a LastPass user and have something to add? Leave us a comment!
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.