Use a password manager – free LastPass gets the tick

I gave up remembering passwords – I am using the free LastPass now and could not be happier.

I am gradually transferring all my passwords from scraps of paper or notes to LastPass. This is a big step for me – trusting software instead of memory or other not so secure methods.

GadgetGuy frequently gets press releases about how passwords are so insecure and that consumers reuse the same or a variant making it easy for cybercriminals to brute force crack them.

I am, sorry was, guilty of that despite proselytising never to use the same password twice. In fact, I used one for all non-critical online accounts – read those not able to access finances – like Myers, Coles, Woolworths, Airbnb, Opal and 18 more.

That was until late last year when the Starwood breach revealed my critical personal details – email and physical address, passport, date-of-birth, mobile number and more. By sheer good luck, little of the information was current – but there was enough that when added to my dark web profile (yes, we all have one) that relentless hack attacks on my online accounts began.

The attack involves a ‘bot’ trying to log in to target websites using the stolen details. It succeeded with an old webmail account, and all went downhill from there. People started getting emails from me (spoofed), unsuccessful bot attacks locked me out of Office 365 (three tries – you are out) and spam and spearfishing mail sky-rocketed. So, I spent most my waking minutes in January changing passwords.

It became clear that I needed more than a physical record of the accounts and passwords, so I did some research. There are many free and paid password protection products out there – Norton Vault, Kaspersky, Roboform, Keeper, 1Password, Dashlane and LastPass …

How password managers usually work

You set up a cloud account – many call it vault, where logins and passwords are stored. A single strong and complex password secures the vault – all you have to remember is one password!

When it detects a URL that requires a login, it checks the vault, and if it’s there, you are in. If not, you need to log in manually, and it will store it in the vault for next time.

The vault (be it on your device or in the cloud) is encrypted, and multi-factor-authentication (MFA) stops unauthorised use from other devices. It is safe!

What to look for in password managers (and how we selected one)

Works in whatever operating systems you use – at least Windows, Android and macOS and iOS – what about Linux and Chromebooks?
Works seamlessly across those via a cloud system – what about offline use?
Password generation, password strength assessment and detecting multiple uses of passwords
Works in your chosen browser – Safari, Chrome, Firefox (and Opera that is the basis of many third-party browsers)
Does not need to be part of a security software suite – what if you stop using that?
Optionally (and usually at extra cost) supports fingerprint or face recognition (iOS, Android or Windows Hello) and MFA.
Optionally has a wallet/notes to store loyalty cards, credit cards/CVV/expiry date and more secure information for e-commerce and form-filling

And the winner is?

All mainstream password managers are pretty good and perform the base level of services. We ruled out password managers that were part of a security suite (in case you change security suites), decided that off-line storage was nice but not critical (after all you need to be online to fill in logins/passwords) and a wallet/notes was a necessary option.

The choice came down to Dashlane and LastPass. Dashlane has a bulk password reset but that is not easy or foolproof, and its free version only stores 50 passwords.

We decided to give the free version of LastPass a test (website here). In fact, Tony Jarvis, Chief Technology Officer of Check Point recommended it as the one he uses.

LastPass is a freemium product. If you need more than basic services, you can pay for more.

LastPass free services

Works with almost any desktop browser or mobile operating system
AES 256-bit encryption
Automatic duplicate password detection
Both encrypted cloud and locally-stored master password and vault
Merging with browser-saved passwords
Autofill passwords
Edit passwords
Generate passwords
Password strength auditing
Restrict login to specified countries/regions
Secure notes/wallet
SMS account recovery
Autofill web forms (financial information, addresses, and other common web forms)
Two-step verification (2FA)

LastPass premium paid services

Passwords sharing (for family members or friends)
Emergency access nominee (in case you are incapacitated)
Multi-factor authentication such as YubiKey
Application passwords (not just browser forms)
1GB encrypted storage
LastPass Family and enterprise versions

LastPass setup

I am using the Firefox plugin, but it has support for Chrome, Safari, Opera and Edge in Windows and macOS.

After setting up an account (I had forgotten I had tried this years ago, so my email address revealed an account and my generic password worked!) you set a very strong password. I suggest a memorable phrase from a movie – ‘Here’sLookingYouKid’ or “YouCallThatAKnife” or “CanIPetYourPuppy” and add some symbols and numbers. Do not use phrases that you may have used even once in social media posts.

That is it. As you visit websites on a desktop or Android/iOS device, it adds them to your vault which is accessible across all devices as it is in the cloud. You can use your passwords or generate new ones – it will perform a security check for compromised passwords.

LastPass also syncs to your devices and downloads an encrypted vault you can access offline via the browser or app. For added security, you must have logged into the browser or app on that device when online before. Note most disk cleaners will remove the local cache – when you log in the LastPass it downloads again.

You can also use LastPass from a shared on internet café PC by logging into its website. It does not download the vault in that case.

Secure Notes

Most people use a sticky note or email contacts for storing information like birthdays etc. While Gmail and Outlook 365 are secure, you often share contacts with Facebook etc., and that other information could be compromised.

With Secure Notes, you can store all manner of things like serial numbers, invoices and purchase dates, membership numbers etc. It can store an unlimited number of notes (total 450,000 characters) and documents or images.

File types include: csv, doc, docx, odt, ppt, pptx, txt, xl, xlsx, pdf, png, gif, jpg, m4a, mpg, wav, av, rtf, html, htm, mov, tiff, tif, jpeg, wmv, tsv, zip, rar, log, and key.

Note macOS users need to install the LastPass Binary component to use this feature.

Each attachment can be up to 10 MB in size, and your total storage limits are dependent on your account type (i.e., Free users have up to 50 MB whereas Premium, Families, Teams, and Enterprise accounts have up to 1 GB).

GadgetGuy’s take – LastPass is worth many times its price!

It’s only after a breach that you realise how many passwords you have and how weak many are.

Having used the free LastPass free for a few months, I will never go back. I don’t need Premium (single user $4.20 per month) or Family (6 users @$5.52 per month), but you can review the features you want here and decide what suits you.

It offers so many more security features than a browser, and all your devices can access the cloud.

LastPass has had a few critical so-called ‘user reviews’, and most relate to customer support – or lack thereof. In part that is why I waited four months before writing the review – to see if there are any bugs. As a techie type, I have had no issues in Windows and Android – it has been excellent, and it is free, so that correlates with a lack of support.

LastPass meets or exceeds our review paradigms – it is a five-out-of-five. Now a plea to readers – start using a password manager!