Evernote, Adobe, even Apple … just a few of the companies who have found their user data compromised by hackers in recent times. The possibility of a hacker being able to access one of your web accounts is worrying enough – but if you use the same email address and password for almost all the websites you use, the risk becomes huge.
The first thing a hacker does when they get hold of a list of usernames and passwords is to use automated software to fire them at a whole bunch of popular websites. That means your online security is only as good as the most vulnerable of the websites you visit. Not good.
The answer, of course, is to use a unique – and strong – password for each website you access. But that creates its own hassles. Strong passwords aren’t easily memorised. Sure, we can ask our browsers to store logins for us, but when you might use several different computers, an iPhone and an iPad, you’d have to login once from each device as soon as you chose the password so it gets stored before you forget it. Not very convenient.
Which is where password managers come in. When you see the instructions, it’ll look like a long process, but it in fact takes only 10-20 mins if you have two or three devices …
A password manager helps generate strong passwords, and remember them for you so you don’t have to. A single master login can allow you to access your logins from any browser on any device, so you only have to remember a single password. Your individual website passwords are only ever stored in a strongly encrypted form, so an attack on the password manager server would not pose a real-life threat.
There are a whole bunch of different password managers around. We reviewed one of the most popular of these – 1Password – last year. I’m using LastPass as the example here, as the free version can do everything you’re likely to need provided you use Safari on both Macs and iOS devices.
Start by downloading LastPass onto your Mac from here.
When you run the installer, Safari will display a warning that you should only install extensions from trusted sources. Grant permission, and … nothing much will seem to happen. But you will now find your browser toolbar has an extra icon in the form of an asterisk:
Click this, and you’ll be prompted to login to LastPass. Toward the bottom of the window, you’ll see a ‘Create account’ link. Click this.
You’ll then be asked to enter your email address and choose your master password. Bear in mind that anyone who guesses or cracks this password will have access to all your logins, so choose a strong one: a mix of upper- and lower-case letters, numbers and special symbols like &%(. At the same time, make sure it’s one you can remember as nobody – including LastPass – can either view or reset it!
As you type your chosen password, you’ll see a red bar turn orange, then amber, light green and finally dark green. When the bar is dark green, that indicates a sufficiently strong password.
You need to check the first two tickboxes, and normally you’ll want to check the third also, so LastPass can fill in forms for you with things like your name and address. This works in the same way as Safari’s built-in form-fill function, but can store a lot more information – including credit card details if desired. More on this in a moment.
Once you’ve done this, LastPass will issue the same warning I did about your master password, and make you re-enter it to be sure you’ve remembered it:
Next up, LastPass will ask whether you want to complete your form-filling profile now. Check Yes and hit the Continue button.
This is where you get to see how much more data LastPass can store than Safari. You’ll find seven tabs. I won’t go through each in detail, as they’re all pretty self-explanatory.
You’ll notice that there’s one tab where you can enter credit card details, and another for bank details. Given that we’re trying to make things safer, you may wonder whether storing financial info in an app available to your browser is a good idea.
This is probably a good point at which to talk about LastPass’s security credentials.
LastPass uses 256AES encryption, the same standard used by major corporations and the U.S. Government. The encryption key is automatically generated from your email address and master password, so it’s not known to anyone (including you). That encryption happens before your data is transmitted to the LastPass server.
When you use LastPass to login to a website, or to fill in a form, it uses what’s known as a one-way hash, so LastPass can send it to the website without the company itself ever knowing what any of it is.
No security system is every 100 percent safe. While 256AES encryption has never been cracked, that’s not to say it couldn’t be in the future. But it’s as safe as your online banking system.
If you’re still nervous, you don’t need to allow card or bank form-fill if you don’t want to. Personally, I’m happy to do so, and as I sometimes make online purchases with other people around me, I actually consider it safer than getting out my debit card to enter the details manually.
You probably already have a lot of website logins stored in Safari, and you’ll be relieved to know that you can import these. LastPass will offer to do save your login every time you login to a website, whether manually or from Safari’s automatic login, or you can have everything available immediately by doing an import.
Click on the toolbar icon then Advanced (bottom-right). Hit the Import button:
You’ll be offered a long dropdown menu of all the data sources LastPass can read, including other password managers like 1Password and RoboForm. Select Safari, and all your saved logins will now be available in LastPass.
LastPass should then recognize all your websites and offer to log you in automatically. Any logins that you create later will also be recognised, and LastPass will offer to save them for you. Grant permission, and you’ll be presented with a window like this:
I’ve blanked the content, but details are automatically captured, so all you need to do at this stage is hit Save. There’s one option you may want to check or uncheck, and that’s Auto-login. With that unchecked, LastPass will enter your username and password for you but wait for you to hit the login button for the website. With Auto-login checked, you won’t even see the login page except momentarily: LastPass will simply log you in directly.
Of course, coming up with strong passwords is a bit of a chore, even if you no longer need to remember any of them, so you can let LastPass do that for you. It will usually offer this as an option in a bar at the top of your browser when you are registering with a website; if it doesn’t, you can hit the asterisk button in the toolbar and hit the Generate button. You’ll see a bunch of options you can choose:
I recommend checking all four boxes for everything from upper-case letters to special characters. LastPass defaults to 12 characters, as most websites allow that, but you can increase the length where a website supports it. (And no, I haven’t actually used that particular password for anything …)
One question I’ve been asked by friends is what happens if LastPass ever goes bust and the server isn’t available? You won’t know any of your passwords, so will be unable to login manually. The answer, of course, is that it’s no different from any other forgotten password: you just use the site’s password reset function. Granted it would be a pain to have to do this for each site, but nothing like the world of pain that could await you if a hacker gained access to every web account you have.
You’re now all set on your Mac. To access your LastPass logins and form data on iOS, you have two options. The first is to pay $1/month for the iOS app. The app allows you to search for the website you want to visit and can then open a browser and login for you.
If you opt for that, you can stop reading now. The free method is clunkier to set up, but actually easier to use in my view.
First, on your iOS device, go into Settings > iCloud and make sure that Safari is on:
Then, on your Mac, go into System Preferences > iCloud and make sure Safari is checked.
Your bookmarks will now sync between Mac and iOS device via iCloud.
Next, in Safari on your Mac, visit this page, login using your LastPass credentials and hit the dropdown from the asterisk, top-right:
In Safari, go to View > Show Bookmarks Bar and simply drag each of the three links to your Safari toolbar.
Thanks to iCloud sync, within a minute or so these will be available in your bookmarks in Safari on your iOS device.
When you want to login to a website, or fill in a form, simply visit the website and then go to your Safari bookmarks and select the bookmark labelled LastPass Login. This instruction will sound bizarre, but the LastPass links aren’t really bookmarks: they are bookmarklets, which are links that can interact with the site you’re already on.
If you use more than one Mac, you’ll need to install LastPass on each, but on iOS devices all you need to is make sure iCloud syncing is active for Safari.
Phew! As I mentioned, it sounds like a lot of work, but it doesn’t actually take that long.
Of course, you’ll also need to change your passwords at each of the websites where you’ve used the same login. While you’re at it, I recommend switching on 2-step authentication at every site that offers it. That might take your total time investment up to an hour or so, but when you think about the risks of a hacker potentially gaining access to every web account you have, and the amount of time it would take to sort out that mess, I’d say it’s worth it.