How many of you practice what you preach? Run as a non-administrative user? Use separate, strong passwords for all your internet accounts? I’ve been guilty of doing neither – I blame Visual Studio for not being able to run as a limited account, but not using strong passwords and individual usernames has been down to laziness and a bad memory. lastpass.com to the rescue.
lastpass is a browser plugin and web site that replaces the “Remember username and password” functionality of Firefox and IE, on Windows, Mac and Linux (there’s even alpha support for IE 64-bit). This is nothing new, but the killer feature for me is synchronisation – your passwords are kept in an on-line vault which each browser, on each machine you use, can access.
“Hold on,” I hear you say, “how’s that secure?” Well, you can’t see the source, unfortunately, so we have to take their word for it, but your lastpass account is protected by a master password. You will be prompted for this when passwords are retrieved (you can configure a timeout period as well). According to their website the master password is used to encrypt your other passwords – this is pretty simple to do, it’s straightforward symmetric encryption. Worried about keyloggers, or about logging in with your master password on a public computer? Then generate a list of one-time passwords, carry it with you and use those.
When you create an account the software can import all those saved passwords you have in Firefox (I didn’t check IE – I don’t have any saved there) and optionally delete them afterwards. Paranoia said I shouldn’t let it, but after using the software for a while I felt confident enough to delete them from Firefox and let lastpass take over.
How does it take over? When you come to a website that has a saved password, up pops the lastpass prompt and you can choose to fill in the saved details. You can even choose the site from a drop-down list via the toolbar icon and have it load the site and log in for you. So far that’s only a little bit better than Firefox. So what else is better?
Well a few things.
- You can share passwords securely with other lastpass users. Want to register on a site on behalf of an organisation? Do it (with a strong password) and share it securely. No more emailing passwords around.
- Want to switch from Firefox to IE? Do it and use the same lastpass account and now your passwords are in both places. Woohoo!
- Don’t want to / can’t install the software in the office? Use the website and retrieve your usernames and passwords. All over HTTPS so that nasty network admin can’t see your passwords being transmitted.
- And the killer. Strong passwords …
When you register on a new site, or lastpass detects a password change dialog, it gives you the option to generate a new secure password. You can fiddle with the length and content of the password it generates, and of course, once you’ve changed the password on the site, it will then prompt you to save it into your password vault, and that will then be reflected on the other machines I’ve configured to use the software. I’ve spent a couple of hours going around the sites that I use and worry about, updating passwords to strong individual ones – and then promptly realising I needed to update Live Writer with the new password. And Outtwit. And everything else that talks to remote services – this took longer than regenerating the passwords themselves, but now I’m finally following my own advice.
Of course your lastpass account is only as safe as your master password – and it’s up to you to choose a strong one. I choose … errr, no, never mind; suffice it to say that when you register you will be advised on your master password choice. Make it strong and secure.
Now if only I could wean myself off administrative rights on my laptop …