Edit (March 3, 2021): I no longer recommend LastPass after their announcement on February 16, 2021.
My current recommendation for most users is Bitwarden.
My videos about that decision are on my YouTube channel in Spanish and English.

LastPass

My students and colleagues have often asked me what that red icon at the top of my browser is, so I’ll write a quick post here to point you to it and offer some tips about password security.

  • Do not use bad passwords, really. You may think nobody will guess ‘monkey’, but they will. But Ken, I love using ‘monkey’ as my password to everything….
  • Do not use the same password on more than one site. Why? If one site’s password file is compromised (as happened at Twitter, LinkedIn and others), somebody can grab your password, or brute-force guess it, and log in as you on that site. If the password (and login) is the same elsewhere, they gain access to every other site under your identity. But Ken, I will never be able to remember all those passwords….
  • Make sure your passwords are random strings of letters, numbers and special characters, and while you are at it, make them at least 12 characters long. But Ken, I will never be able to remember all those crazy random passwords….
  • Go get LastPass, get it now. Use it in your desktop/laptop browser, on your tablet and on your smartphone. There is support for pretty much any environment and any browser. Then you will only need to remember one (very good, please) password, which will store all of your other passwords for you. LastPass will even generate a random password each time you need a new one.
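The three rules above are easy to check mechanically. The script below is an added example, not code from this post or from LastPass: it flags a password that breaks any of the rules (a small constructed list of commonly guessed passwords stands in for a real breached-password corpus), generates a random password of the kind a manager produces using the operating system’s CSPRNG, shows the entropy gap between ‘monkey’ and 12 random characters, and reports which sites in a constructed sample vault share a password, which is exactly the exposure the second rule is about.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Constructed stand-in for a list of commonly guessed passwords (a real check
# would use a breached-password corpus); the post's own 'monkey' is in it.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "monkey", "letmein", "abc123"}

LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LETTERS + DIGITS + SPECIALS   # 87 symbols
MIN_LENGTH = 12                          # the post's minimum length


def check_password(pw: str) -> List[str]:
    """Return the rules from the post that pw violates; an empty list means it passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly guessed password")
    if len(pw) < MIN_LENGTH:
        problems.append(f"is shorter than {MIN_LENGTH} characters")
    if not any(c in LETTERS for c in pw):
        problems.append("has no letters")
    if not any(c in DIGITS for c in pw):
        problems.append("has no numbers")
    if not any(c in SPECIALS for c in pw):
        problems.append("has no special characters")
    return problems


def generate_password(length: int = 16) -> str:
    """Draw a uniformly random password from ALPHABET with the OS CSPRNG (secrets),
    rejecting draws that miss a character class so the result always passes
    check_password. Rejection sampling keeps accepted passwords uniformly distributed."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every password used on more than one site to the sorted list of those sites,
    i.e. the accounts an attacker reaches from a single site's breach."""
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault: three sites, one password reused on two of them.
    sample_vault = {"mail.example": "monkey", "bank.example": "Zq7!rX2#pL9v", "shop.example": "monkey"}
    for site, pw in sample_vault.items():
        print(f"{site}: {pw!r} -> {check_password(pw) or ['ok']}")
    print("reused:", find_reused_passwords(sample_vault))
    print(f"'monkey' entropy: {entropy_bits(6, 26):.1f} bits; "
          f"12 random chars: {entropy_bits(12, len(ALPHABET)):.1f} bits")
    print("generated:", generate_password())
```

Run it as-is to see the sample vault graded; pass your own site-to-password mapping to find_reused_passwords to see how far one breach would reach.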

This is the best thing since sliced bread. Oh wait a minute, I no longer eat bread but that is a story for another day.

There was an episode of Security Now covering LastPass that goes into detail about why this is good security. You can listen to the podcast and/or read through the transcript of the episode (#256).

Edit (July 8, 7pm) to add links to Security Now podcast on LastPass.

6 thoughts on “Personal Password Security with LastPass”

  1. I started using it a few months ago, but got into the problem that outside of work I mostly access the internet via devices (tablet, phone, xbox, etc…). What do you do in those cases?

    1. Thanks for the reply Ramiro!

      I install it on those devices pretty much. There are cases that I cannot but 99% of my internet life is on a device that has LastPass support. This means actually paying LastPass for a great product which I have no problem justifying for what it does ($12 per year).

      1. Have you considered SAML in those situations?

        I stopped using LastPass a few years ago when their entire database was compromised. In the interim, I’ve been using KeePassX both personally and professionally, but recently joined OneLogin, a leading SAML auth provider.

        When SAML is supported — and it is with a growing number of services — there is no password, only a token linked to OneLogin and optionally protected by a One-Time Password device.

        I hate to sound advertisy, I just randomly stumbled on your blog post browsing LinkedIn today and I wouldn’t have joined OneLogin if it wasn’t a pretty neat app that addresses a problem I’ve often encountered in Operations.

        I just got an iPad mini and have been enjoying our app there.

  2. My only concern is that you’re storing all your passwords with them, so if their password file is compromised then you’re done.

    1. Thanks for the reply Jafet. The passwords are not stored on their server but all encryption is done client-side. So even if your data is leaked from their site or a government agency asks for the data they do not have the keys to decrypt it; only you do.

      Now that I’ve dug it up, I am putting some links to a podcast (and transcript) about LastPass in an edit to the original post.
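The client-side model Ken describes in that reply, as an added illustration that is neither LastPass’s code nor its actual key-derivation scheme: the client derives an encryption key from the master password (PBKDF2 salted with the username, an assumed construction), derives the login hash from that key with one further one-way step, and uploads only the login hash plus the encrypted vault. A toy HMAC-counter stream with an authentication tag stands in for a real authenticated cipher; it exists only to keep the example dependency-free. The iteration count, names and sample vault are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Iteration count is an assumption for illustration; real managers use far higher counts.
ITERATIONS = 100_000


def derive_keys(master_password: str, username: str) -> Tuple[bytes, bytes]:
    """Derive (enc_key, auth_hash) on the client from the master password.
    enc_key encrypts the vault and never leaves the device; auth_hash is the only
    value sent to the server, and it is one extra one-way step away from enc_key."""
    enc_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), ITERATIONS)
    auth_hash = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1)
    return enc_key, auth_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy keystream standing in for a real cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag. Illustrative only."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(enc_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong key fails here without exposing plaintext."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(enc_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def can_open(enc_key: bytes, blob: bytes) -> bool:
    try:
        decrypt_vault(enc_key, blob)
        return True
    except ValueError:
        return False


# The server holds, per user, only the auth hash and the opaque encrypted vault.
ServerStore = Dict[str, Dict[str, bytes]]


def server_register(store: ServerStore, username: str, auth_hash: bytes, vault_blob: bytes) -> None:
    store[username] = {"auth_hash": auth_hash, "vault": vault_blob}


def server_login(store: ServerStore, username: str, auth_hash: bytes) -> bool:
    record = store.get(username)
    return record is not None and hmac.compare_digest(record["auth_hash"], auth_hash)


def demo() -> bool:
    """Register, log back in from a second device, then show that the server record
    alone (or a wrong master password) opens nothing."""
    store: ServerStore = {}
    vault = b"bank.example: Zq7!rX2#pL9v\n"  # constructed sample vault contents
    enc_key, auth_hash = derive_keys("long random master phrase", "ken@example.com")
    server_register(store, "ken@example.com", auth_hash, encrypt_vault(enc_key, vault))

    # A second device re-derives the same keys from the same master password.
    k2, a2 = derive_keys("long random master phrase", "ken@example.com")
    recovered = (server_login(store, "ken@example.com", a2)
                 and decrypt_vault(k2, store["ken@example.com"]["vault"]) == vault)

    # Whoever holds only the leaked record, or guesses wrong, gets neither login nor plaintext.
    leaked = store["ken@example.com"]
    wrong_key, wrong_auth = derive_keys("guessed master", "ken@example.com")
    locked_out = (not server_login(store, "ken@example.com", wrong_auth)
                  and not can_open(wrong_key, leaked["vault"])
                  and not can_open(leaked["auth_hash"], leaked["vault"]))
    return recovered and locked_out
```

The point the demo makes is the one in the reply: everything the server stores is derived from the master password by one-way functions, so a copy of the server’s data gives an attacker only an offline guessing problem against the master password, which is why that one password has to be very good.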
