I read the articles by Dale Hrabak and Jonathan Bernstein on LastPass and 1Password, respectively, on pages 10-18 of the November – December 2012 issue of the Washington Apple Pi Journal. This article relates my experience implementing LastPass. If you are seriously thinking about giving LastPass a try, I recommend reading Dale’s overview article first. My article is about the nuts and bolts of this app.
I had heard a number of positive comments about 1Password. I suspect it’s a bit more Mac-friendly. But, I missed out on the half-price deal Diana King alerted us to in February. So, I re-read Dale’s article and downloaded LastPass to give it a go. It has turned out to be a very time-consuming task. Nevertheless, my early experience has been positive.
For starters, the LastPass folks recommend that Mac users first download the Firefox version (www.lastpass.com) and use it to create entries in your LastPass vault. The transition to Safari can come later.
After you have installed the LastPass plug-in into Firefox, the first thing to do is to construct a really secure, easily remembered Master Password. It will be your access to your vault. No one knows this but you, and LastPass Help says they cannot retrieve it for you. Next, as LastPass recommends, I began visiting my sites and using my current list of userid/password combinations to gain access. Then, I proceeded to find the page at each site where I could change my password. In the usual fashion, most such pages will ask for your old password, then give you two dialog boxes to (1) enter a new password, and (2) confirm it. LastPass will detect that step and show you a scarlet banner under the toolbar. It will ask if you’d like LastPass to generate a new, secure password for you. Click on Generate and LastPass will show 12 random letters and numbers. I used this preferentially because some of my sites accept only these characters. In Dale’s article he shows a screen shot of the advanced options for special characters, etc.
If you click Generate, then Accept, LastPass will put the 12 character password it generated into both dialog boxes. Then, you can click Save (or whatever the site page displays as your next step) to save the new password at the site. LastPass will detect this action and ask you to confirm your action. Then, it will display a dialog box (See Figure 1).
Figure 1: LastPass dialog box displaying data for my MacMall site
In this box I have saved my login to MacMall. I have edited the Name dialog box to show MacMall and assigned it to a group named Computer. After doing this first site, I recommend you stop and construct a list of appropriate group names so you can place sites as you go (See Figure 2). Use the Create Group button on the Actions menu to add groups. At present my Bank group is empty for the same reason Dale discussed. Until I’m confident in this system, I won’t automate login to sensitive sites. Two items to note: First, LastPass rates the security of my passwords at just 38 percent. When I first started, I was batting only 17 percent.
Figure 2: LastPass vault showing the groups chosen to organize my sites. Click on image for larger view.
The biggest reason is that I have been using the same password for multiple sites. This is poor practice and needs to be corrected. Second, one of my groups is named Secure Notes. I think this works in a similar fashion to Secure Notes under Keychain. I have found this feature more important as I put more info into my machine. Example: while adding the site of the local natural gas company, things went haywire. All of a sudden I needed our account number at the gas company to communicate with a rep on the phone. Copies of paper bills are long gone. What to do? Eventually, I found it and succeeded in adding the gas company site to my vault. Now, I have that information in Secure Notes.
As long as your site requires only (1) a UserID and (2) a password, this process of adding sites goes fairly smoothly. Now, suppose you have a site that requires both of the above plus a PIN, or has security questions and answers required for login. Time for an alternate tactic. After you login to LastPass with your e-mail address and Master Password, a small box in the upper right-hand corner of the screen will turn into a red box with a white asterisk in the middle. This is your access to an important drop down menu (See Figure 3).
Figure 3: Main menu for the LastPass app
For these more-than-ID-and-password sites mentioned above, go again to the site’s Change Password dialog box as before. Follow through with all the PINs, security questions, etc. Let LastPass generate a secure password if you choose. Then, before you submit all this to your site, click on the dropdown menu next to the white asterisk (Figure 3). Scroll down to Save All Entered Data and click. After that, you can click to send data to the site’s host, confirm the entries with LastPass, and see what happens. The LastPass video tutorial that describes this process can be found at: https://www.youtube.com/watch?feature=player_embedded&v=LmYQM0bhNg4
This procedure does work but may take redoing to get LastPass to play nicely with the requirements of each of these more-than-ID-and-password sites.
On the menu in Figure 3, scroll down to Tools>Print>Sites. This gives you a very tight little table in small font that I could not edit with any app on my Mac. This table is an alphabetized list of site names, group assignment, URL, Username and PW. Actually, keeping around a plaintext list like this could sabotage a lot of your work, so it is probably best shredded once you’re confident of the contents of your vault. For me it helped to find errors. Example: our AT&T wireless phone website has insisted on using a cell phone number as a UserID. This, too, is poor practice. Now, AT&T lets you define an “AT&T Access ID,” which is preferably an e-mail address instead. In the printed table I discovered this error and went back to fix it.
I have now more than 50 sites in my LastPass vault. My security rating is less than 40%.
My first step will be to raise the rating. I feel that many sites, like MacMall, don’t really need a secure password; I keep no credit card information there. Nonetheless, each site needs a unique password so that the compromise of one password doesn’t inadvertently compromise many more sites. It seems easier to just let LP generate passwords for me.
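Two of the points above, generating a 12-character letters-and-numbers password for sites that reject special characters, and a vault “security rating” that drops when one password is reused across sites, can be made concrete with a small script. The following is an added example, not LastPass code and not from the original article; the vault entries are constructed, the scoring rule (one point per site whose password is unique, at least 12 characters and mixes letters with digits) is a simplified assumption and not LastPass’s own formula, and the function names are my own.

```python
import math
import secrets
import string
from collections import Counter

# "Letters and numbers" is the restricted set the article describes; the
# wider set adds the punctuation that some sites reject.
ALNUM = string.ascii_letters + string.digits
ALNUM_SYMBOLS = ALNUM + string.punctuation


def generate_password(length=12, alphabet=ALNUM):
    """Generate a password from the CSPRNG in `secrets` (never `random`).

    Rejection sampling guarantees at least one letter and one digit while
    keeping the result uniform over the accepted strings.
    """
    if length < 2:
        raise ValueError("length must be at least 2")
    if not (any(c.isalpha() for c in alphabet) and any(c.isdigit() for c in alphabet)):
        raise ValueError("alphabet must contain both letters and digits")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw):
            return pw


def entropy_bits(length, alphabet=ALNUM):
    """Upper bound on entropy of a uniformly random string: length * log2(|alphabet|).

    12 alphanumerics give about 71.5 bits; adding punctuation raises it to
    about 78.7 bits. The letter+digit constraint above costs a fraction of a bit.
    """
    return length * math.log2(len(alphabet))


def audit_vault(entries):
    """Return (findings per site, percentage score) for a list of (site, password).

    Simplified scoring (an assumption, not LastPass's algorithm): a site earns
    a point only if its password is unique in the vault, at least 12
    characters, and mixes letters with digits.
    """
    counts = Counter(pw for _, pw in entries)
    findings = {}
    points = 0
    for site, pw in entries:
        reasons = []
        if counts[pw] > 1:
            reasons.append("reused on %d sites" % counts[pw])
        if len(pw) < 12:
            reasons.append("shorter than 12 characters")
        if pw.isalpha() or pw.isdigit():
            reasons.append("single character class")
        findings[site] = reasons
        if not reasons:
            points += 1
    score = round(100 * points / len(entries)) if entries else 0
    return findings, score


def rotate_weak(entries, length=12, alphabet=ALNUM):
    """Replace every flagged password with a freshly generated one."""
    findings, _ = audit_vault(entries)
    return [
        (site, pw if not findings[site] else generate_password(length, alphabet))
        for site, pw in entries
    ]


# Constructed sample vault: one reused password, one short one, one good one.
SAMPLE_VAULT = [
    ("macmall.example", "summer2012"),
    ("gas.example", "summer2012"),
    ("wireless.example", "summer2012"),
    ("bank.example", "Q7t2mP9vLx4K"),
    ("forum.example", "password"),
]


if __name__ == "__main__":
    findings, score = audit_vault(SAMPLE_VAULT)
    for site, reasons in findings.items():
        print("%-18s %s" % (site, "; ".join(reasons) or "ok"))
    print("score before rotation: %d%%" % score)
    rotated = rotate_weak(SAMPLE_VAULT)
    print("score after rotation:  %d%%" % audit_vault(rotated)[1])
    print("entropy of 12 alphanumerics: %.1f bits" % entropy_bits(12))
```

The audit shows why the article's rating stayed low despite individually decent passwords: one password shared by three sites drags all three down, and the fix is rotation to unique generated values rather than inventing new memorable ones.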
In Figure 2 you’ll notice several tabs across the top. I have been using only Vault to this point. I am intrigued to try Share next. Why? My activity of recent days has virtually destroyed my wife’s access to our shared sites. The Share option appears to give me a secure way to send some of the contents of my vault to her vault, albeit only one site at a time. I want first to know more about the security of this transfer.
LastPass has a 100+ page on-line User’s Manual, provides access to YouTube videos (see URL above), and staffs a Help desk. For the couple of times I e-mailed the Help desk, the response was prompt and helpful. That’s the plus. Both the manual and the videos need work. The several times I went to the on-line manual for some explanation, it included too few steps in the process. I experienced a similar reaction to the one or two videos I watched – too terse and poorly produced. Looking back, I feel I had to figure this all out for myself.
I think this is a workable solution to the problem of password management. It shouldn’t take long to find out; in the coming weeks, I’m obliged to use it exclusively to access my newly protected sites.
Bob Whitesel has been a member of Washington Apple Pi since 1996. He welcomes questions and comments on this article. LastPass is a free download from www.lastpass.com