One Password Management Software To Rule Them All

Martin Brinkmann
Sep 29, 2008
Updated • Dec 9, 2012
Security

Choosing secure passwords is important to protect user accounts from unauthorized access. The problem for all users is that secure passwords are harder to remember. Writing them down is one solution. The other, more reasonable option is to use password management software.

Good password management software should ensure data security, provide password generation, and integrate into common web browsers to make life as comfortable as possible for the user.

The password management software LastPass does all of that and much more. It currently supports Microsoft Internet Explorer and Mozilla Firefox on Windows, Linux and Macintosh. It can import existing passwords from Internet Explorer, Firefox and several password management applications such as KeePass and RoboForm, and makes them available on its secure website and in the browser of choice.

The password manager automatically recognizes websites for which it has user data stored in its database and fills out the login forms automatically, so that it is only a matter of clicking on login to log in to the website.

Each password and the rest of the user data can be accessed on the LastPass website. Sites can be loaded from there and data changed. The online profile provides access to another interesting feature: it is possible to enter form data for login forms there so that it is filled in automatically as well when the user registers at a new service.

The password generator comes in handy when registering for a new service on the Internet. A hotkey or the notification at the top of the website can be used to open the password generator, which can be configured to suit the website's requirements.

LastPass will also recognize password changes and ask the user whether the new password should be stored in the database. The passwords can be easily backed up and restored to access them on multiple computers. Since all of them are stored in encrypted form on the LastPass website, it is only a matter of entering the login information and / or installing the plugin for the browser to access the passwords on other computers.

Windows users can also use a portable USB client that can connect to the password management service and pull the passwords from there after providing the correct login details.

One interesting feature is the function to share passwords. Have you ever sent someone passwords in plaintext before? That should be a thing of the past because passwords can now be shared securely using LastPass as well.

Lastly there is a feature to supply different login credentials if more than one account is stored in the password manager for a website.

The only problem encountered during tests occurred when trying to change passwords on websites. The generated password would fill out the Old Password field and the first of the New Password fields. A workaround was to copy the password from the password generator, let it paste the password, paste it manually into the second password field and enter the old password manually. Not a huge deal, but something that could probably be easily fixed in future builds.

LastPass is comfortable password management software that should appeal to many users.


Comments

  1. seenu said on March 11, 2011 at 5:00 pm

    The ads in the content are really distracting. Please show a much smaller number of content ads. It increases readability.

  2. David said on March 9, 2010 at 3:00 am

    g1lQzG061IUQ4EZ6FsIHl5uCCLk2L9ARJG7eXPsP1Nv1

    is a 256-bit password, as shown by the RoboForm password generator, because there are 44 characters, using upper & lower case and numeric characters, no special characters and the minimum number of numeric digits is 2. “Exclude similar characters” is unchecked, as is “Hexadecimal 0-9, A-F”.

    It would have been 128-bit, if there were 22 characters with only 1 numeric digit required, from the same sets of characters.

    At least, now you know that LastPass 256-bit encrypted data is protected by a weaker password than the encryption itself, unless the password is at least 44 characters, with no more than 2 numerals required, using A-Z, a-z and 0-9.

    However, it’s never a good idea to use exactly the minimum required. If a hacker knows exactly how many characters there are in a password, it becomes a much less difficult problem to decipher.

    So, why not 50 or 60? The fewer numeric digits required, the better. If LastPass doesn’t require any, then 50 characters = 297-bits and 60 = 357-bits, and the generated password may or may not include numerals.

    357-bits would provide 29,356,782,284,672,915,348,618,507,459,867e+96 possible combinations. More than the NSA is likely to decipher in your lifetime.

    So, get a Yubikey, if you want your data kept safe online, assuming you trust LastPass encryption more than “mark” does. I believe a Yubikey can handle a password that long, but I haven’t tried one yet.

    However, if you don’t trust proprietary code, which (by definition) provides security by obscurity, then you’re better off with PasswordSafe, which is Free and Open Source, so it has been scrutinized much more than RoboForm or LastPass for properly implemented algorithms.

  3. David said on March 9, 2010 at 2:30 am

    Why doesn’t the password generator show the bit-strength of the password generated, so the user can see the effects of various options being taken?

    The RoboForm password generator does this quite nicely.

  4. mark said on April 4, 2009 at 3:37 pm

    Joe (the LastPass guy) said:

    “Why wouldn’t you trust your encrypted data to be stored on a server?”

    Because there could be implementation bugs in your software, for one thing. It’s not impossible that you sometimes mistakenly send unencrypted passwords to your server under certain circumstances. It’s not impossible that the encryption is done, but not done in the best way, and has weaknesses that should not exist.

  5. Guy Soffer said on October 21, 2008 at 11:09 am

    Really an amazing product. I use it on a daily basis…

  6. Christopher Harley said on October 11, 2008 at 3:38 am

    Joe Siegrist-

    Thanks for the clarification. I’m now more inclined to take a look at your offering.

  7. Roman ShaRP said on October 5, 2008 at 10:20 pm

    Maybe I’ll check it later. Now I’m satisfied with Keepass, and I like that it’s OpenSource.

  8. Joe Siegrist said on September 30, 2008 at 4:23 pm

    Why wouldn’t you trust your encrypted data to be stored on a server?

    LastPass works by locally encrypting data with 256-bit AES, then storing that for you so you can use it elsewhere. It’s quite safe if you pick a good master password.

    If you trust NIST:

    Q: What is the chance that someone could use the “DES Cracker”-like hardware to crack an AES key?

    A: In the late 1990s, specialized “DES Cracker” machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.

    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.

    — NIST.gov AES Questions and Answers

    LastPass uses a 256-bit AES key, so it would take many times longer than this. The risk of compromise of your locally encrypted data is exceedingly low.

    Using LastPass is by far safer than what most people do, which is use a few passwords for every site. Many sites don’t hash passwords and simply store them in plain text, many sites don’t encrypt the channel for sending passwords. These are the practical attacks that hackers can use to compromise you.

    Joe Siegrist
    LastPass
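
The bit-strength figures discussed in the comments above (password length and character set versus AES key size, and the NIST brute-force estimate) can be reproduced with a short calculation. This is an added example, not code from the article, the commenters, LastPass or RoboForm; it assumes every character is drawn uniformly at random with no minimum-digit rule, and the look-alike set `0O1lI` is an assumption.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SIMILAR = set("0O1lI")  # assumed look-alike set; real generators may differ


def build_alphabet(upper=True, lower=True, digits=True, exclude_similar=False):
    """Assemble the character set a generator's checkboxes would select."""
    chars = ""
    if upper:
        chars += string.ascii_uppercase
    if lower:
        chars += string.ascii_lowercase
    if digits:
        chars += string.digits
    if exclude_similar:
        chars = "".join(c for c in chars if c not in SIMILAR)
    return chars


def entropy_bits(length, alphabet_size):
    """Bits of entropy when every character is drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def min_length(target_bits, alphabet_size):
    """Shortest length whose password space is at least 2**target_bits (exact)."""
    n = 1
    while alphabet_size ** n < 2 ** target_bits:
        n += 1
    return n


def generate(length, alphabet):
    """Draw a password from the OS CSPRNG, never from the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_crack_years(key_bits, guesses_per_second):
    """Average brute-force time: half the keyspace is searched before a hit."""
    return 2 ** (key_bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    alnum = build_alphabet()
    for n in (22, 44, 50, 60):
        print(n, "chars:", int(entropy_bits(n, len(alnum))), "bits")
    print("min length for 256 bits:", min_length(256, len(alnum)))
    print("sample:", generate(min_length(256, len(alnum)), alnum))
    print("AES-128 at 2^55 keys/s: %.1f trillion years" % (expected_crack_years(128, 2 ** 55) / 1e12))
```

The master password only matches the strength of the AES key when its length reaches `min_length` for the chosen character set; narrowing the set (for example by excluding look-alike characters) raises that length.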

  9. David Bradley said on September 30, 2008 at 1:11 pm

    Yes, point taken. It was the cloud security aspect I wouldn’t trust. Moreover, I’d be loath to have all my passwords in one box on my PC too in case it was stolen and cracked open.

  10. MK said on September 30, 2008 at 12:32 pm

    @David Bradley: There is no perfect answer to everything. What a password storage system does is simplify the management of your passwords (obviously). It can generate complex passwords, and store them so you don’t have to remember all those tiny caps/big caps/numbers in your head.

    Sure, it can eventually be cracked. But I prefer a password storage system to writing it on sticky notes, any day.

    I do agree on the compromise of online system. Though it sounds tempting (you can access your passwords everywhere, don’t even have to bring a pen drive), I would never trust my security on cloud computing.

  11. David Bradley said on September 30, 2008 at 10:08 am

    Theoretically, all password storage systems could be cracked, compromising all your sites. I’d worry about relying on an online system of any sort no matter how clever or otherwise it seems to be. There is no perfect answer; LastPass is just another compromise.

  12. MK said on September 30, 2008 at 6:31 am

    Just what I am looking for right now. I’ve been using PassPack for long, and it works great. However PassPack is too simple, thus lacks many features such as password generator, or the ability to choose where you can save the file.

    I’ve tried KeePass, nah too complex. Currently using PasswordSafe and it is pretty good.

    LastPass sounds promising, especially the integration with the web browser. I hope future builds will include Opera.

  13. pavid said on September 30, 2008 at 1:04 am

    I love LastPass. It’s so easy to use. Unfortunately, I have encountered a small problem in that I am unable to access my on-line e-mail using the new version of Rogers Yahoo. However, the classic version of Rogers Yahoo works just fine.
