Originally posted Jun 17, 2013. Updated Jun 29, 2015.
Security experts recommend long, random passwords — and a different one for each Web site — and don’t write them down anywhere.
But, there is a fairly easy way of doing exactly what they say.
As David Pogue once pointed out, the only realistic way of handling secure passwords is to use one of the password management programs available now. They are relatively easy to use and inexpensive if not free.
Pogue recommended a program called Dashlane, which admittedly has a number of nice features. And it’s free. But, if I’m going to be putting all my secure passwords into one basket as it were, I want to be very sure about the people who built the basket. I particularly want to know where those people live. But when I go to the Dashlane Web site, there is not even a hint about what country it is based in, let alone the mailing address.
Veteran computer expert Steve Gibson recommends another password manager called LastPass, which is from a company by the same name in Fairfax, VA. Gibson originally reviewed the software extensively on his Security Now podcast in 2010. In 2011, he reiterated his support for the program. One of Gibson’s favorite acronyms for computer security is TNO, for “trust no one.” But I trust Steve.
Like Dashlane and many other password managers, LastPass is free on Windows and Mac computers. Following the “freemium” business model, there is also a Premium version that costs all of $12 a year and provides the ability to run LastPass on your mobile devices.
LastPass works by encrypting your vault of passwords using a master password on your computer and then storing this encrypted vault on its server. LastPass does not know your master password and cannot recover your passwords if you forget it. When it is fully set up, all you need to do is click on a secure Web site from any of your browsers on any of your computers, and LastPass ushers you right in. The program will even create secure random passwords for you, as long and as difficult as you would like.
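How a vault of this kind can be built so the server never learns the master password, as an added example (not LastPass's own code or parameters; the iteration count, the HMAC-based stand-in cipher and the sample vault are constructed for illustration):

```python
import hashlib
import hmac
import json
import os

# Constructed parameter for this illustration; not LastPass's real setting.
PBKDF2_ITERATIONS = 100_000

def derive_keys(master_password: str, salt: bytes) -> tuple:
    # Runs on the client: the master password itself never leaves the device.
    raw = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    enc_key, mac_key = raw[:32], raw[32:]   # protect the vault locally
    # One extra round turns enc_key into a login verifier that cannot be reversed into enc_key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", enc_key, salt, 1)
    return enc_key, mac_key, auth_hash

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), used only because the
    # standard library has no AES; a real vault would use AES-GCM or similar.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((length + 31) // 32))[:length]

def encrypt_vault(enc_key: bytes, mac_key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC the vault; this opaque blob is what the server stores."""
    plaintext = json.dumps(vault).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, "sha256").digest()
    return nonce + body + tag

def decrypt_vault(enc_key: bytes, mac_key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, "sha256").digest()):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))
    return json.loads(plaintext)

def login_check(stored_auth_hash: bytes, presented_auth_hash: bytes) -> bool:
    # Server side: constant-time compare of verifiers; no password or vault key involved.
    return hmac.compare_digest(stored_auth_hash, presented_auth_hash)

def unlock(master_password: str, salt: bytes, blob: bytes):
    # Client side: re-derive the keys and open the vault; None if the password is wrong.
    enc_key, mac_key, _ = derive_keys(master_password, salt)
    try:
        return decrypt_vault(enc_key, mac_key, blob)
    except ValueError:
        return None
```

Note what the server ends up holding: the per-user salt, the authentication hash and the encrypted blob, none of which yields the vault without the master password. That is also why the 2015 notice quoted later in this post matters: with salts and authentication hashes exposed, a slow key derivation and a strong master password are what keep guessing against that hash expensive.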
In my tests, the program does have a few rough edges, especially regarding setup. I had to install it three times on my Windows PC to get it to work with my two favorite browsers. I had a similar experience on my Mac. On most Web sites, the program worked immediately, but a few required some extra care – such as a few minutes reading the user manual. On my iPhone and iPad, the program uses its own browser – apparently it cannot attach to the Safari Web browser.
These rough edges are mostly temporary. Once you get the program set up, you can breeze into even your most secure Web site. It is well worth the price – either price – and the time needed to set it up. With LastPass you get both security and convenience – a very rare combination. And in this insecure world, it is not only convenient but also essential.
On June 15, 2015, LastPass posted a notice on its website saying, “our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
The company said that certain LastPass users would be advised to change their master password. I did not receive such a suggestion, but I took the opportunity to change my password anyway.
The bottom line is: Is LastPass still dependable? Security expert Steve Gibson still thinks so. And so do I.
— Rich Malloy