Product Review: LastPass

LastPass keeps your passwords secure and organized.

I've been looking for a solid password management application to simplify access to all the Web sites I visit. While Web browsers have their own built-in password managers, I don't think it's a good idea to rely on them.

First, the passwords browsers keep are often stored in plain text, which obviously isn't secure. Second, the passwords are only available from the computer or device used to store the information. Visiting a Web site from any other device forces me to log in and remember the credentials to access the information. Given the number of login IDs and passwords we need to juggle these days for our personal and work lives, it's nearly impossible to remember them all.

To get around that, I created a text file with all of my passwords and stored it on a thumb drive, which made the password and login information available almost everywhere. This was great -- until I used a mobile device with no USB port. Then, later on, I lost the USB-based storage drive. Because it wasn't encrypted, the data could be used by anyone who found the USB device.

So I tried a USB key with built-in encryption, which got the job done for any computer I was on because it was portable and easy to use. I handled my password list this way for a while and was pretty satisfied until I found myself in a business center with the USB ports appropriately locked down.

I never really thought about how much work it is to maintain passwords and keep track of them. This led me to search for reliable services that are portable and multidevice friendly while keeping my life's credentials safe.

Figure 1. The entry screen for setting up a profile functions as a generic form.

Oh, the Apps I Found
There are several applications available for keeping track of credentials. I tried apps such as Siber Systems RoboForm and the open source KeePass to see if they would meet my needs, but the portability of the apps relied on a USB port.

The credential storage provided by these apps was pretty decent and worked well on a computer, but as my digital life also includes a smartphone and tablets, the USB-only option wasn't enough. The search continued until I found LastPass from LastPass Corp. Almost immediately I realized it was the perfect solution.

Getting Started
To get started with LastPass, you sign up for an account. General use of the service is free when accessed within a Web browser. Once you register and get signed in, the application will suggest a client-side component for your computer. There's an ActiveX version for Internet Explorer as well as a standalone installer for Mozilla Firefox, Google Chrome and other browsers. The setup process is straightforward and takes just a few clicks, especially if you're already signed up: Simply sign in during installation and the installer does the rest.

During installation, LastPass will check your computer for credentials cached by your existing browser (those you might have saved before checking out LastPass). It will prompt you to import these items into the service, saving you from having to re-enter them. The cool part, in addition to the fact that there's less re-keying, is once the items are imported into the system, the original insecure copies on your system are removed. This ensures that all of your items stored in a browser in clear text get cleaned up. For this to snag passwords across browsers, you'll need to load the plug-ins or extensions for all of these applications.

On the last page of the installer, you can have LastPass take you right to an area called "your vault," which is where all of your passwords get stored.

The LastPass Vault
The vault displays items you mark as favorites at the top of the list, above the general alphabetical list, which is nice because the sites you use the most will be readily available. There's also search functionality included within the LastPass vault. Simply start typing the URL and matches are brought to the front.

The Internet can be the go-to place for most things -- including banking, bills, shopping and other activities -- as long as you don't mind registering with sellers and completing forms to purchase items. With LastPass, you can store profiles for completing forms.

Creating a profile is easy; from within the vault simply select the Form Fill Profiles tab and then click Add Profile on the left-side navigation menu. Figure 1 shows the entry screen for creating a profile.

You can name profiles for specific types of information or Web sites and create as many profiles as you need. When entering information in a profile, you can fill in options for all of your information including name, address, phone, e-mail, Social Security number, credit-card data, bank account information and other defined fields.

As with any information stored online, you should only store what you're comfortable keeping on the Internet. However, LastPass claims that none of its employees can access any of your information. Your password to access the system is secured and recovery questions are completed at sign up.

Once you have a profile configured you can use it for online shopping, banking and even simple things such as registration forms. If you keep a separate e-mail address for registration at Web sites (a spare Hotmail account, for example) this can work well in conjunction with that.

Using a plug-in within a browser allows you to select the toolbar button and choose items such as Fill Forms. Then you can choose the profile to use for the form page you're on. Once you select it, the form is populated with that profile's information.

One Use Only
Have you ever been on a computer in a business center or in a public place and needed to access your passwords and data to get work done, but you weren't sure if the system was secure? You can create One-Time Passwords for LastPass and print the list to take with you when you know you'll need to use systems that aren't trusted. Once you log in with a password from your One-Time Password list, that password expires and can't be used again.
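To make the single-use property concrete, here is an added sketch (not LastPass code, and not a description of how LastPass implements the feature) of a printed code list where the service keeps only salted hashes and refuses a code the second time it is presented. The function names, the alphabet and the record layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: no look-alike characters (0/o, 1/l/i), since the list is printed.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _digest(salt: bytes, code: str) -> bytes:
    # Codes are long random strings, so a salted SHA-256 is enough here;
    # a human-chosen password would need a slow KDF instead.
    return hashlib.sha256(salt + code.encode()).digest()


def generate_otp_list(count: int = 10, length: int = 16):
    """Return (codes_to_print, server_records); the server never keeps the codes."""
    codes, records = [], []
    for _ in range(count):
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "digest": _digest(salt, code), "used": False})
        codes.append(code)
    return codes, records


def redeem(records, candidate: str) -> bool:
    """Accept a code exactly once: True on first use, False on reuse or no match."""
    candidate = candidate.strip().lower()
    matched = None
    for rec in records:
        # Compare against every record in constant time per comparison.
        if hmac.compare_digest(rec["digest"], _digest(rec["salt"], candidate)):
            matched = rec
    if matched is None or matched["used"]:
        return False
    matched["used"] = True  # expire the code so a captured copy is useless
    return True


if __name__ == "__main__":
    codes, records = generate_otp_list(count=3)
    print("first use :", redeem(records, codes[0]))   # accepted
    print("replay    :", redeem(records, codes[0]))   # rejected: already used
    print("wrong code:", redeem(records, "guess"))    # rejected: not on the list
```

A code typed on an untrusted machine and captured there fails on replay, which is what makes the printed list safer than typing the master password.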

Sometimes coming up with a secure password -- even if only to store it in a manager like LastPass -- can be a challenge, but luckily LastPass can generate (and store) a secure password for you.

Two-Factor Authentication
LastPass also supports two-factor authentication, which allows you to use an additional item to authenticate yourself and then log into other sites. I contacted Yubico -- the makers of the YubiKey, which works with LastPass -- to get a key to test. At first I wasn't sure about using additional steps to log in because it seemed like extra work, but the biometrics on the USB key took care of that. Here's how it works: You insert the YubiKey device and let it load the drivers on your computer, then visit your LastPass vault. From your vault, select settings from the left-hand navigation menu. Then select the YubiKeys tab and enable the devices. You then click in a key field on the screen and touch the area on the YubiKey with the green light. This will pass a secure key to LastPass to identify the device.

In addition to YubiKeys, LastPass also supports Google Authentication using an image on a smartphone -- but that didn't seem as secure or easy to me.

Generally LastPass is free. However, there's a subscription service for using the advanced features, which include mobile device apps, YubiKey support, Internet Explorer Anywhere, Sesame Support and access to beta releases.

Installation: 20%
Features: 20%
Ease of Use: 20%
Administration: 20%
Documentation: 20%
Overall Rating:

Key: 1: Virtually inoperable or nonexistent  5: Average, performs adequately   10: Exceptional

The cost for a premium account is reasonable considering all the additional devices with which you can use the service (pretty much any mobile smartphone or tablet). It's $12 per year (just a buck a month!). Given the number of mobile devices it supports natively, that seems reasonable. Using it with the added two-factor authentication of a YubiKey makes me trust the service even more. I recommend starting off with a free account to get familiar with it; if you're a heavy mobile user, you can try the 14-day free trial for the premium service to see if it makes sense.


Pricing: Premium edition $12 per year; free version available with limited support
LastPass Corp. | 703-542-1885 |

About the Author

Derek Schauland has worked in technology for 15 years in everything from a help desk role to Windows systems administration. He has also worked as a freelance writer for the past 10 years. He can be reached at [email protected].
