Intermission: LastPass FAQ

5 minute read

It's been two weeks since my last post, when I suggested that you install LastPass and start collecting passwords from around the Internet into your account. If you did, good for you. Though I said I was going to go on in my next post, I'm actually going to take a short break to make sure that you have a chance to collect all your passwords.

If you haven't yet, go ahead and read How to Use Better Passwords Without Losing Your Mind. Using a password manager isn't necessarily fun, but it will save you an awful lot of grief in the long run.

What I am going to do this week is cover a few common questions and misconceptions I've heard.

What happens if I need a password and I'm not at my computer?
Although the convenient LastPass button is present only on computers you've installed it on, you can still browse to LastPass.com on any computer and log in with your username and password to copy passwords onto your clipboard if you need them.

Isn't that a pain?
Yeah, it is. That's why I don't use LastPass for my email, Facebook, or Amazon accounts, since I often need to access those on other computers. Instead I have separate strong passwords for them (created with the same process that I described for coming up with a master password last week). On the odd occasion that I need to access a strange account from a public computer, it's not such a big deal. You should probably do the same, once you've gotten all your passwords straightened out.

Can I use LastPass if I can't change a password?
But I can't / shouldn't put that password into LastPass, because someone else needs to use it / the site has specific password requirements.
You absolutely can, and you should. You should put all of your passwords into LastPass, regardless of the situation. Simply putting your password into LastPass does not change the password or do anything to change your login or the website. It's only when you later go through and change your passwords that, well, your passwords change. On the other hand, if you put the password into LastPass, you won't forget it, and you'll likely get it off an insecure medium like a sheet of paper. Besides, it just makes sense to keep all your passwords in one place.

There's an obvious corollary to this: Remember to change your passwords once you've gotten them all into LastPass. If you don't, you're not much more secure than you were before.

So I'm more secure now that I'm using LastPass?
No, you need to change your passwords first. Using LastPass (or any password manager) is a great first step and a crucial one in securing your logins, but just having a LastPass account and saving your passwords to it does nothing to make you more secure. Saving your passwords in LastPass is the equivalent of writing down your (insecure) passwords and putting the list into a safe: nobody else can see your passwords, but they couldn't anyway when they were in your head, and you haven't made the passwords any more secure against guessing or automated attacks.

Once you change your passwords, you are more secure, since you now have random passwords. You could theoretically have accomplished that without LastPass, but in practice you would be unable to remember those passwords without it.

But will I have to pay for LastPass?
Unless you want to use a mobile version or certain two-factor authentication devices, no. You can get the premium version if you want (it's only $12 a year), but most people don't need to, and you certainly don't have to pay just to try it out.

But I shouldn't put my financial information in here?!
Is this actually secure?
Can't someone read this?
Your credit card number is far more secure in LastPass than it is on your credit card. A pickpocket could easily steal your wallet while you're walking by, and a waiter or store clerk could easily memorize or write down your information for use in the normal course of their job. Or you could simply drop your credit card on the ground and someone could pick it up. Your credit card is really a horrible method for storing your financial information.

In contrast, your LastPass database is encrypted with some of the strongest available encryption techniques. Nobody at LastPass can read your database, since it's encrypted in the browser that you use to access it. Because of the encryption, even if someone succeeded in stealing the databases of every LastPass user from the server, they would be unable to read them. And it would take trillions of years for our present computers to break the encryption.

The only real hazard is someone sitting down at your computer and using it while you're logged in (which is not any easier than grabbing your credit card). If you're paranoid about this, you can check the "reprompt" box in a password's "edit" screen. This requires LastPass to reprompt for your password before filling it in or showing the password, ensuring that even if somebody uses your computer while you're logged in, they can't get the really important passwords.

Obviously, this applies equally to all forms of financial and sensitive information—even though it's being sent over the web (securely, via HTTPS and SSL, mind you), it's still more secure than it would be in basically any other system, and certainly any system that you would ever use for storing it.