I recently accepted the position of Secretary in the Twin Cities chapter of the International Information Systems Security Certification Consortium (ISC)2-TC, and in order to send me the passwords for certain online chapter assets, it was requested that I sign up for the password management product, LastPass. I have written previously about LastPass, KeePass, and RoboForm as recently as June 16. These are great tools that, so far, I have experimented with but not used. Now I am registered with LastPass, and the experience has been interesting.
For example, every time I log in anywhere, LastPass flashes a message in my browser asking if it should remember this password. If I say “yes,” in it goes, and the next time I log into that resource, my user and password information are filled in for me automatically. Got to say it is convenient. Other useful features include saving form fill information, which Google has been doing for me already, storing secure notes, such as SSN and driver's license numbers, generating a random password using your own parameters as to length and complexity, updating and sharing passwords (how I got hooked into this), and setting up multi-factor authentication. Since I use Google Authenticator, I set this up too. Not as simple as I would have liked, but eventually I got it registered.
So I am still thinking it would be more secure to use the system I have been using to create Long, Complex, Unique and Memorable passwords. The only place these passwords reside is in my own memory, and if the bad guys get in there, well I may just have bigger problems. My main objection has been that in the event someone got a hold of my laptop, then with my master password they can get into everything else. Now, with two-factor authentication set up through Authenticator, this is not as serious a problem. They would have to have my laptop and my phone – not impossible, but this does make it more difficult.
The one word of warning: LastPass seems to be presenting me with the opportunity to remember my Master Password when I log in. Under NO CIRCUMSTANCES should you have your computer or browser remember passwords for you, especially with a password manager program like LastPass. Then the thief doesn’t even need your master password, since your computer is going to supply it for them at startup.
All in all, LastPass appears to have merit, and if you are using it, I would recommend continuing to do so, and if you are considering it, well – get going already! You can download LastPass from their website.