Evernote ambassador Jamie Rubin posted in early May about a new password-storage program that he was trying out: My Latest Automation: Password Management Plus Improved Security
I’ve been using Access Manager Pro for the last few years. It has worked very well, and there is even a portable version so you can export or copy it to a USB. It has a few drawbacks, however, which had caused me to be on the lookout for an alternative:
- While it worked fine on my Windows Vista machine, it sometimes froze on Windows 7. In fact, it would freeze when I opened up a password record in order to edit it or tried to create a new one. As long as I was just viewing my passwords (and copying them to the clipboard), it worked fine. But…
- There is no iOS app, so I had been re-using easily remembered passwords for sites that I often visit from my phone or iPad, thus compromising my security – not a desirable way to go.
- On the plus side, because it works from a USB (the computer it’s running on needs to have the Microsoft .NET Framework version 2.0, 3.0 or 3.5), it isn’t browser dependent, and can be used to store and access program or file passwords.
- Another plus – it’s free (tho I coughed up the $24.95 for the Pro version).
So, after reading Rubin’s positive review, I decided to give LastPass a whirl. I’ve been playing around with it most of the weekend, and here are my thoughts so far.
- Despite the slogan, it won’t be “the last password you’ll have to remember”, because it won’t store passwords for things like your encrypted Excel files or other programs on your computer. For this reason, I won’t be ditching my Access Manager immediately.
- I watched some video reviews of LastPass by Steve Gibson which explained how LastPass works before I decided to install the free version. Tho that sounds boring (and not something I usually do, to be honest), it was worth it because I learned a few useful tips and understood better the kinds of things I could do with LastPass and why it was secure.
- After downloading and installing and choosing my LastPass login password, the first thing that happened was LastPass imported all the passwords that were stored in my Firefox browser.
- I read about how to use it from iPhone and/or iPad, and discovered you have to pay for that. It’s only $12/year (you read that right, a YEAR), but still I wanted to play around with it first, so I followed the User Manual’s suggestion to run LastPass from a portable version of Firefox (my browser of choice).
- After installing Portable Apps on a thumb drive, and then installing the Firefox Portable, I added the LastPass extension for Firefox and started playing with it.
- I then ran the LastPass Security Challenge: it ran through all my logins and passwords (imported from my Firefox settings) and gave me a piss-poor evaluation of 40%. This was based on
- Number of sites scanned (64, and those were just the ones in my Firefox settings; there’s a ton more in Access Manager, so lots more fun to look forward to)
- Average password strength
- Average password length
- Number of duplicate passwords (I’m too embarrassed to reveal this exact number)
- Number of sites having duplicate passwords
- Number of weak passwords (basically any password with a strength of less than 50%)
- Number of blank passwords, and
- Multifactor authentication score (0!) Whaat???
This is followed by a list of all my passwords with their login, site name and a security score (password strength in %), starting with the weakest ones. I then went thru this list, clicking on the link to visit the site, logging in (LastPass helpfully asks if you want it to auto fill-in your login and password and/or auto-login as well, or not), then changing my password for one generated by LastPass.
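The Security Challenge metrics listed above are straightforward to reproduce against your own exported vault, which is useful if you want to audit a password store that has no such feature (the old Access Manager records, for instance). The script below is an added example written for this post, not LastPass code and not the challenge's actual scoring formula: the vault entries are constructed sample data, the `mfa_enabled` field and the `COMMON_WORDS` list are assumptions, the strength estimate is a rough entropy calculation with a penalty for dictionary words, and the overall score is a simple average of four sub-scores chosen here for illustration.

```python
"""Vault hygiene audit modelled on the metrics the Security Challenge reports.

Added example for this post; not LastPass code. Sample data is constructed.
"""
import math
import string
from collections import Counter
from dataclasses import dataclass


@dataclass
class Entry:
    site: str
    login: str
    password: str
    mfa_enabled: bool = False  # assumed field; the post only shows that an MFA score is reported


# Constructed sample vault (not real credentials).
VAULT = [
    Entry("bank.example", "jane", "Tq8vL2mZx9RkP4wN", mfa_enabled=True),
    Entry("shop.example", "jane", "summer2011"),
    Entry("forum.example", "jane_r", "summer2011"),
    Entry("mail.example", "jane", "summer2011"),
    Entry("blog.example", "admin", ""),
    Entry("news.example", "jane", "Password1"),
]

WEAK_THRESHOLD = 50  # percent; the post says anything under 50% counts as weak
COMMON_WORDS = {"password", "summer", "winter", "welcome", "letmein", "qwerty"}  # assumed tiny wordlist


def strength_percent(pw: str) -> int:
    """Rough strength: guessing-space bits from alphabet size and length, with
    80 bits scaled to 100%. A password whose letters spell a common word is
    halved, since it is far easier to guess than its raw length suggests."""
    if not pw:
        return 0
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    if any(not (c.isalnum() or c in string.punctuation) for c in pw):
        alphabet += 32  # spaces/unicode: assumed extra class so log2 never sees 0
    bits = len(pw) * math.log2(alphabet)
    letters = "".join(c for c in pw if c.isalpha()).lower()
    if letters in COMMON_WORDS:
        bits /= 2
    return min(100, round(bits / 80 * 100))


def security_challenge(vault: list[Entry]) -> dict:
    """Return the same headline numbers the post lists, plus a constructed overall score."""
    scores = [strength_percent(e.password) for e in vault]
    uses = Counter(e.password for e in vault if e.password)
    reused = {pw for pw, n in uses.items() if n > 1}
    n = len(vault)
    report = {
        "sites_scanned": n,
        "avg_strength": round(sum(scores) / n, 1),
        "avg_length": round(sum(len(e.password) for e in vault) / n, 1),
        "duplicate_passwords": len(reused),
        "sites_with_duplicates": sum(1 for e in vault if e.password in reused),
        "weak_passwords": sum(1 for e, s in zip(vault, scores) if e.password and s < WEAK_THRESHOLD),
        "blank_passwords": sum(1 for e in vault if not e.password),
        "mfa_score": round(100 * sum(e.mfa_enabled for e in vault) / n, 1),
    }
    # Constructed composite: the real challenge's weighting is not given in the post.
    unique_pct = 100 * (n - report["sites_with_duplicates"]) / n
    strong_pct = 100 * (n - report["weak_passwords"] - report["blank_passwords"]) / n
    report["overall"] = round((report["avg_strength"] + unique_pct + strong_pct + report["mfa_score"]) / 4, 1)
    return report


def worklist(vault: list[Entry]) -> list[Entry]:
    """Entries weakest first, the order in which the post says the challenge presents them."""
    return sorted(vault, key=lambda e: strength_percent(e.password))


if __name__ == "__main__":
    for key, value in security_challenge(VAULT).items():
        print(f"{key:>22}: {value}")
    print("fix first:", [(e.site, strength_percent(e.password)) for e in worklist(VAULT)])
```

Run it as-is to see the report for the sample vault; to audit your own export, replace `VAULT` with entries read from the CSV your password manager produces. The dictionary-word penalty is what keeps "summer2011" in the weak bucket even though ten lowercase letters and digits would otherwise score above 50%.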
You can set the level of strength of the passwords LastPass generates. E.g., you can set it to generate passwords that are random selections of letters (including capitals) and figures only, or including other characters, like commas, question marks, and other hieroglyphics. I opted to go with Steve Gibson’s recommendation (sorry, can’t find the link to the exact video but it’s on YouTube) of the random letters and digits option. Gibson explains this by saying that
- the strength provided is quite sufficient for most purposes and
- the odd characters are not accepted in passwords by some sites (a fact I can attest to).
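Gibson's two points can be put in numbers. The generator below is an added example for this post (not LastPass's generator): it draws from the operating system's secure random source, reports the guessing-space entropy of each character-set option, and works out how many extra letters-and-digits characters it takes to match a password that also uses symbols. The `ALPHABETS` names, the `site_accepts` policy function and the 80-bit target are assumptions made for the example.

```python
"""Random password generation with and without punctuation, and the entropy cost of leaving it out.

Added example for this post; not LastPass code.
"""
import math
import secrets
import string

# Assumed option names, modelled on the "letters and digits" vs "other characters" choice in the post.
ALPHABETS = {
    "letters_digits": string.ascii_letters + string.digits,                        # 62 symbols
    "letters_digits_symbols": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def generate(length: int = 16, charset: str = "letters_digits") -> str:
    """Uniformly random password from the chosen alphabet, using the CSPRNG (secrets), never random.random."""
    pool = ALPHABETS[charset]
    return "".join(secrets.choice(pool) for _ in range(length))


def entropy_bits(length: int, charset: str) -> float:
    """Guessing-space entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(len(ALPHABETS[charset]))


def length_for_bits(target_bits: float, charset: str) -> int:
    """Smallest length whose entropy reaches target_bits with this alphabet."""
    return math.ceil(target_bits / math.log2(len(ALPHABETS[charset])))


def site_accepts(pw: str, allowed: str = string.ascii_letters + string.digits) -> bool:
    """Constructed stand-in for a site whose form rejects punctuation, the snag the post mentions."""
    return all(c in allowed for c in pw)


if __name__ == "__main__":
    for name in ALPHABETS:
        print(f"{name:>24}: 16 chars = {entropy_bits(16, name):.1f} bits, e.g. {generate(16, name)}")
    symbols_bits = entropy_bits(16, "letters_digits_symbols")
    print("letters+digits length matching 16 chars with symbols:",
          length_for_bits(symbols_bits, "letters_digits"))
    print("letters+digits length for an 80-bit target:", length_for_bits(80, "letters_digits"))
    print("picky site accepts letters+digits password:", site_accepts(generate(16, "letters_digits")))
```

Sixteen random letters and digits give about 95 bits of guessing space; adding punctuation to the same sixteen characters gives about 105 bits, and two more letters-and-digits characters make up the difference. That is the whole trade-off: a slightly longer password costs nothing on a site that accepts it, whereas punctuation gets a password rejected on sites that do not.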
Hiccups and snags
- For most sites, LastPass recognizes that there is a login and/or password field on the page and offers a prompt (at the top of the browser), asking you if you want it to fill in this info using what it has on file for this site. There are some sites it doesn’t recognize, however; but assuming you have a record of the required info somewhere (mine was usually in my Access Manager), this is not a problem.
- In the same way, when you go to your account or settings for that site to change your password, LastPass usually recognizes that there are login/password fields on the page and asks you if you want it to
- fill in the existing (old) password and
- create a random, new, password.
If you click yes it creates one and if you accept its suggestion, it will copy it into the (usually) two “new password” fields. In a couple of cases, tho, it took its time to do this, and being impatient, I started typing in my own new password, which fouled things up for a while: I typed in my own password, hit “save”, logged out and then tried to login again. LastPass filled in the password field, but the site wouldn’t accept it.
In Firefox, LastPass opens a page or tab in the browser called your LastPass Vault, which lists all your passwords, sites, logins etc. Of course the passwords are just dots, but you can click and view the password. After I’d figured this out (which of course was right away, ahem), I was able to see exactly what LastPass had saved as the password for a particular site, and so fix the problem.
- Also, there were a few sites where LastPass didn’t respond. It didn’t seem to recognize this was an opportunity for it to strut its stuff. In these few cases, I clicked on the LastPass icon in my browser’s menu bar and selected “Generate Secure Password”, then copied its suggestion and pasted it into the password field. LastPass saves this in your Vault and lists it as “Generated password for (name of the site)”. Sometimes, if I logged out of the site, then tried to login again, LastPass would use the old password, which of course wouldn’t work. Then I would go to my LastPass Vault, choose “generated password” for that site, click “view” so the dots magically change into letters and figures, copy that sucker then paste it into the password field. Logging out and logging in again would usually teach LastPass the new password, but sometimes I had to copy and paste it manually in the Vault, then delete the “generated password for…”
- I lost a couple of passwords before I figured all this out, and had to hit the old “lost password?” button and get a new password or a reset option emailed to me.
- I have several WordPress blogs which I host on a single domain, but LastPass doesn’t recognize these subtle differences. This is all simply explained in the User Manual which I of course consulted right away. Anyway, what you do is, you fill in the login and password fields manually, then click “save site” when LastPass asks you. You can then choose a suitable name if you want, or it will save the info as “(domain name)2” or “(domain name)3”, etc. You can also edit the name in the Vault later.
I spent the best part of a day changing my weak passwords to strong ones, replacing my duplicate passwords with unique ones and tidying up my Vault (renaming sites for quick recognition and sorting them into groups).
I can now sleep peacefully, secure in the knowledge that my passwords are much more secure, and that I have no duplicates (except for one website where I couldn’t see how to change my password).
That only leaves the coupla hundred other passwords still left on my Access Manager to go through.
And, until I spring for the Premium version of LastPass, I can’t access my Vault from my iPhone or iPad, and that’s really where LastPass will show its true value. Otherwise it’s just an online version of Access Manager, but one that can only help with website logins.
(Disclaimer: I’m not a LastPass affiliate, or connected with LastPass or Steve Gibson in any way).