Image: redorbit.com

Evernote, Adobe, even Apple … just a few of the companies who have found their user data compromised by hackers in recent times. The possibility of a hacker being able to access one of your web accounts is worrying enough – but if you use the same email address and password for almost all the websites you use, the risk becomes huge.

The first thing a hacker does when they get hold of a list of usernames and passwords is to use automated software to fire them at a whole bunch of popular websites. That means your online security is only as good as the most vulnerable of the websites you visit. Not good.

The answer, of course, is to use a unique – and strong – password for each website you access. But that creates its own hassles. Strong passwords aren’t easily memorised. Sure, we can ask our browsers to store logins for us, but when you might use several different computers, an iPhone and an iPad, you’d have to login once from each device as soon as you chose the password so it gets stored before you forget it. Not very convenient.

Which is where password managers come in. When you see the instructions, it’ll look like a long process, but it in fact takes only 10-20 mins if you have two or three devices … 

A password manager helps generate strong passwords, and remember them for you so you don’t have to. A single master login can allow you to access your logins from any browser on any device, so you only have to remember a single password. Your individual website passwords are only ever stored in a strongly encrypted form, so an attack on the password manager server would not pose a real-life threat.

There are a whole bunch of different password managers around. We reviewed one of the most popular of these – 1Password – last year. I’m using LastPass as the example here, as the free version can do everything you’re likely to need provided you use Safari on both Macs and iOS devices.

Start by downloading LastPass onto your Mac from here.

When you run the installer, Safari will display a warning that you should only install extensions from trusted sources. Grant permission, and … nothing much will seem to happen. But you will now find your browser toolbar has an extra icon in the form of an asterisk:

lastpass0

Click this, and you’ll be prompted to login to LastPass. Toward the bottom of the window, you’ll see a ‘Create account’ link. Click this.

lastpass1

You’ll then be asked to enter your email address and choose your master password. Bear in mind that anyone who guesses or cracks this password will have access to all your logins, so choose a strong one: a mix of upper- and lower-case letters, numbers and special symbols like &%(. At the same time, make sure it’s one you can remember as nobody – including LastPass – can either view or reset it!

lastpass2

As you type your chosen password, you’ll see a red bar turn orange, then amber, light green and finally dark green. When the bar is dark green, that indicates a sufficiently strong password.

You need to check the first two tickboxes, and normally you’ll want to check the third also, so LastPass can fill in forms for you with things like your name and address. This works in the same way as Safari’s built-in form-fill function, but can store a lot more information – including credit card details if desired. More on this in a moment.

Once you’ve done this, LastPass will issue the same warning I did about your master password, and make you re-enter it to be sure you’ve remembered it:

lastpass3

Next up, LastPass will ask whether you want to complete your form-filling profile now. Check Yes and hit the Continue button.

lastpass4

This is where you get to see how much more data LastPass can store than Safari. You’ll find seven tabs. I won’t go through each in detail, as they’re all pretty self-explanatory.

lastpass5

You’ll notice that there’s one tab where you can enter credit card details, and another for bank details. Given that we’re trying to make things safer, you may wonder whether storing financial info in an app available to your browser is a good idea.

This is probably a good point at which to talk about LastPass’s security credentials.

Image: redorbit.com

LastPass uses 256-bit AES encryption, the same standard used by major corporations and the U.S. Government. The encryption key is derived automatically from your email address and master password, so it isn’t known to anyone (including you). That encryption happens before your data is transmitted to the LastPass server.

When you use LastPass to log in to a website, or to fill in a form, it uses what’s known as a one-way hash, so LastPass can send it to the website without the company itself ever knowing what any of it is.

No security system is ever 100 percent safe. While 256-bit AES encryption has never been cracked, that’s not to say it couldn’t be in the future. But it’s as safe as your online banking system.

If you’re still nervous, you don’t need to allow card or bank form-fill if you don’t want to. Personally, I’m happy to do so, and as I sometimes make online purchases with other people around me, I actually consider it safer than getting out my debit card to enter the details manually.

You probably already have a lot of website logins stored in Safari, and you’ll be relieved to know that you can import these. LastPass will offer to save your login every time you log in to a website, whether manually or from Safari’s automatic login, or you can have everything available immediately by doing an import.

Click on the toolbar icon then Advanced (bottom-right). Hit the Import button:

lastpass6

You’ll be offered a long dropdown menu of all the data sources LastPass can read, including other password managers like 1Password and RoboForm. Select Safari, and all your saved logins will now be available in LastPass.

lastpass7

LastPass should then recognise all your websites and offer to log you in automatically. Any logins that you create later will also be recognised, and LastPass will offer to save them for you. Grant permission, and you’ll be presented with a window like this:

lastpass8

I’ve blanked the content, but details are automatically captured, so all you need to do at this stage is hit Save. There’s one option you may want to check or uncheck, and that’s Auto-login. With that unchecked, LastPass will enter your username and password for you but wait for you to hit the login button for the website. With Auto-login checked, you won’t even see the login page except momentarily: LastPass will simply log you in directly.

Of course, coming up with strong passwords is a bit of a chore, even if you no longer need to remember any of them, so you can let LastPass do that for you. It will usually offer this as an option in a bar at the top of your browser when you are registering with a website; if it doesn’t, you can hit the asterisk button in the toolbar and hit the Generate button. You’ll see a bunch of options you can choose:

lastpass9

I recommend checking all four boxes for everything from upper-case letters to special characters. LastPass defaults to 12 characters, as most websites allow that, but you can increase the length where a website supports it. (And no, I haven’t actually used that particular password for anything …)

One question I’ve been asked by friends is what happens if LastPass ever goes bust and the server isn’t available? You won’t know any of your passwords, so will be unable to login manually. The answer, of course, is that it’s no different from any other forgotten password: you just use the site’s password reset function. Granted it would be a pain to have to do this for each site, but nothing like the world of pain that could await you if a hacker gained access to every web account you have.

overview-deployment

You’re now all set on your Mac. To access your LastPass logins and form data on iOS, you have two options. The first is to pay $1/month for the iOS app. The app allows you to search for the website you want to visit and can then open a browser and login for you.

iosapp

If you opt for that, you can stop reading now. The free method is clunkier to set up, but actually easier to use in my view.

First, on your iOS device, go into Settings > iCloud and make sure that Safari is on:

cloud-ios

Then, on your Mac, go into System Preferences > iCloud and make sure Safari is checked.

cloud-mac

Your bookmarks will now sync between Mac and iOS device via iCloud.

Next, in Safari on your Mac, visit this page, login using your LastPass credentials and hit the dropdown from the asterisk, top-right:

lastpass-book

Select Bookmarklets:

drag

In Safari, go to View > Show Bookmarks Bar and simply drag each of the three links to your Safari toolbar.

dragged

Thanks to iCloud sync, within a minute or so these will be available in your bookmarks in Safari on your iOS device.

When you want to log in to a website, or fill in a form, simply visit the website and then go to your Safari bookmarks and select the bookmark labelled LastPass Login. This instruction will sound bizarre, but the LastPass links aren’t really bookmarks: they are bookmarklets, which are links that can interact with the site you’re already on.

ios-bookmark

If you use more than one Mac, you’ll need to install LastPass on each, but on iOS devices all you need to do is make sure iCloud syncing is active for Safari.

Phew! As I mentioned, it sounds like a lot of work, but it doesn’t actually take that long.

Of course, you’ll also need to change your passwords at each of the websites where you’ve used the same login. While you’re at it, I recommend switching on 2-step authentication at every site that offers it. That might take your total time investment up to an hour or so, but when you think about the risks of a hacker potentially gaining access to every web account you have, and the amount of time it would take to sort out that mess, I’d say it’s worth it.

25 Responses to “How to: Use a password manager to have strong, unique passwords for each website”

  1. Paopao Wudi says:

    Where the master password is stored? local or server?
    if it is not stored in server, I should pass the log-in step with whatever password I input, is this correct?

    • Ben Lovejoy says:

      It is encrypted and then stored on the server

      • Paopao Wudi says:

        So I think the master password should be encrypted by the key of the master password itself and store this encrypted code on server.
        Now if LastPass’s server is compromised, the hackers will get those encrypted master passwords, and they have the rule to decode it. With AES256, it should be very hard to decode in theory, but you know people normally hate to choose a password which is very hard to remember. With a dict, it is still very possible and easy to hack 10 thousands of passwords in a million based users.

      • Ben Lovejoy says:

        The risk of AES256 being cracked is tiny compared to the risk of using the same login for multiple sites. It’s all about balance of risks.

      • Compu-Go says:

        All encryption is done on the device (PC, mobile); only encrypted data is sent to or received from LP’s servers. The encryption goes beyond just AES256: it’s also salted, the level of which can be decided in the options (too high a salt will reduce decryption speed or even cripple it on mobile devices), and you can have several options of 2 factor authentication (I use Google’s).
        Even in the unlikely event of a hacker obtaining the password data that’s stored on LastPass’s servers, they will not be able to do anything if your master password is good enough, even with all the world’s computing power working 24/7.

  2. Erik Hanson says:

    Great concept – until your management password is swiped.

  3. Out of curiosity, such an app is probably very convenient, but it scares me to know that nobody knows what it does internally… Maybe it’ll send unencrypted passwords to “somewhere”?

    So – besides making attacks on websites using your password more difficult (because of stronger password) – why would such apps be more secure ?

    • Ben Lovejoy says:

      LastPass doesn’t have your unencrypted password so can’t send it anywhere. The risk of using replicated logins for websites is far greater than the minuscule risk of AES256 being cracked.

  4. Sean Aske says:

    I just started using 1Password and I would like to use the strong password generator but my concern is how do I access my websites if I am using a computer different than my own? Seems like that I can only access sites while using my own devices. Is there a different way to do this?

    • I used 1Password for a couple of years and loved it; it would use Dropbox to sync passwords from my Mac to all my iOS devices. However, when they released version 4, instead of just adding new features they actually took away the Dropbox sync feature for everyone that purchased the previous version in order to make them upgrade to version 4, making my $60 investment worthless.

      For this reason I switched to LastPass. It is a lot more convenient and a lot cheaper.
      First, with 1Password you have to purchase a copy for your Mac, your iOS device and any PCs you have in order to have them available.

      Second is the issue you just mentioned, with 1Password you can only access it from your installed devices, with LastPass you can go to the LastPass website, login and click on the site from your list and it will log you in.

      Third is the second setup option mentioned in this article using the Bookmarklets: on my iOS devices, while I’m on a website using Safari I can select the LastPass bookmarks, select a login and it fills in the forms. This is much better than having to switch to the 1Password app and use their crappy browser. If you have an Android device it’s even easier because anywhere you want to use LastPass you click the icon on the keyboard to switch the keyboard type and there is a LastPass keyboard for you to select your login or form fills. I wish they could do this for iOS, then you could use LastPass in iOS for applications as well as Safari. If you’re not sure what I’m talking about for the keyboard, compare it to when you’re texting and want to switch to the Emoticon Icons, just like that.

      1Password has a much nicer application, but with the flexibility of using it on all my devices and computers by installing just a browser plugin, and the price, I don’t miss 1Password at all.

  5. tallestskil says:

    Mavericks does all this for free.

  6. Great post! I understand that the server LastPass uses is secure, but what if the connection you’re on is not? As an illustration, I take my MacBook practically everywhere, such as Starbucks and on my college campus. Given this, can LastPass be compromised if I access it via the public Wi-Fi networks at these places?

    For instance, if I want to just access LastPass to get the password for, say, Spotify, and the Wi-Fi is intercepted, the “attacker” will have access to all the passwords such as my bank and email…

    Great option, but is LastPass practical? For some ideally yes, but for others…

    • Ben Lovejoy says:

      All data sent to LastPass is encrypted before it leaves your PC, so no man-in-the-middle attacker would have access to that. But any standard login done on a public hotspot is potentially vulnerable to a MITM attack. So LastPass is the safer approach.

  7. This couldn’t have come at a better time; I’ve been using Lastpass for several years, yet I knew that I wasn’t using it to its fullest potential, even though I paid for the yearly subscription. I use Chrome, mostly, but I substituted it for Safari (which I will eventually import my Lastpass settings to). Thanks much for writing this; now I know how to use Lastpass much better than I had.

  8. I made the switch to RoboForm last year after LastPass had their servers compromised a second time and couldn’t be happier. Unlike “PastPass” RoboForm actually offers live phone support (located in the U.S.A. no less), and has never experienced a security breach. I feel much safer using RoboForm and find it much more user friendly.

    • Ben Lovejoy says:

      Ironically, the LastPass issue (which didn’t put at risk anyone with a strong master password) probably makes it the most secure service out there now, thanks to the additional safeguards introduced.

  9. Thanks for the great tip on using Bookmarklets on iOS. I was using the LP app on iOS and copying/pasting from there to Safari app, which was a real pain. This makes it so much easier.