After last year’s Heartbleed virus scare, I started using a password manager application. With a growing list of clients who entrust me with access to their client-filled data systems on the web, it was simply getting too risky and too complicated to maintain secure passwords on my own. I could no longer be my own password manager.
After a great deal of googling, I decided to use LastPass. Most of my googling was weighing the pros and cons of using a single system to manage all of my other systems. The single point of potential failure left me very hesitant. But in the end, a good password manager with a strong, memorized master password is far less risky than how I was getting by. (It’s almost impossible to store unique, secure passwords in your head for 20 client sites.)
So I gave it all up to LastPass. The control freak in me screamed, “No!” Sometimes she still expresses anger over not knowing a single password for any website, but she’s learning to let go and let LastPass.
Here’s how I’m using it…
I signed up for a LastPass Premium account. The advantage of the premium account is that I can use the Android app on my phone, which quite recently started working really well with most of my other apps that require a sign-in (e.g., Amazon, my bank’s mobile app, etc.). I also installed the LastPass plugin on my Chrome and Firefox web browsers on my computer. Each morning I sign into LastPass inside my browser and it helps me log in to all of my secure client sites or other web-based platforms I need to work on for the day. I set my plugin to automatically log off of my account after 10 minutes of inactivity. If someone swipes my laptop, I’m betting it will take the rat more than 10 minutes to open it up and crack my desktop password in order to get to my browser to attempt to log in to any of my accounts. Since none of my login credentials are saved in Chrome or Firefox and since I use a unique and complex LastPass master password, they’re out of luck.
I pay only $12 a year for the service. Since it is on my phone and my computer, I was able to start using the LastPass vault to replace my Xmarks bookmark manager, which frankly hasn’t been synching very well over the past year anyhow. Since LastPass purchased Xmarks back in 2010, Xmarks has decreased in utility. I doubt this is accidental. It’s worth a side note to say that I’ve been waiting years for the two products to integrate better (or at all) and that’s simply not happening.
LastPass password manager keeps a “vault” full of my website credentials. The information kept in the vault for each site includes the URL, user name, password and settings for auto-log in.
For my secure client sites, who are mostly legal services organizations, I always check the box to Require Password Reprompt and I never check the AutoLogin box. By un-checking the AutoLogin box, there’s no visible hint on the log-in page that saved user credentials exist anywhere. By requiring the re-prompt, I have to enter my master password to get into the site every time.
I can share my sites with other people, such as my husband for household stuff and my sub-contractor. For every item in your vault you can see a share button. Click it and enter the email address of the person you want to share with (who must also have a LastPass account, but there’s a free one) and they will receive an email notification from LastPass. When they accept the share, you are notified. It’s particularly cool for sharing certain sites with my subcontractor because I can choose to hide the site password from them, which makes it easy to revoke their access at any time.
Pain Points
The switch to LastPass (or to any password manager) is laborious for people like me who live and work on the web. All sites have to be saved into LastPass. I also used LastPass to generate secure passwords for me on all client sites, my banking sites, and my shopping sites. Passwords like “YIa’j%%*(Morps”, for example. At that same time, I removed all auto-login data from my browsers, since those passwords were then out of date. The entire change took me a couple of weeks of intermittent work and approximately 4 hours.
If you forget your LastPass password, you’re up a creek. Don’t forget it.
There are still rare occasions when I am without my phone and my computer when I want to log in to one of my accounts. Making purchases from my Amazon account with my Grandmother, for example. It’s a hassle, but I’m not completely out of luck. I can log into my LastPass account and look at my vault to copy/paste the password as needed. The exception to this is with mobile devices. LastPass made the vault view inside their website dysfunctional on a mobile device. You can only get to your vault on a mobile device via the app. I assume they did this to prevent me from circumventing the $12 a year subscription plan, which has been highly effective.
I’ve heard good things about the password manager Encryptr, which claims to be a zero-knowledge solution that does all the same things as LastPass. I’d like to learn more about it and consider making a move to it. Zero-knowledge is a good thing.

