What is it?
LastPass is one of many password managers available: a cloud-based password manager with both free and paid tiers. Need more information? Read this article I wrote about password managers.
I take no responsibility for your use of a password manager. Ultimately, the only person who can evaluate the best way to protect their identity… is you. Use this guide at your own risk and if you subsequently lose all your passwords, even if you followed all the advice herein, that’s on you.
This article assumes that you are using Google Chrome (or the open-source version, Chromium). Alternatively, feel free to use Mozilla Firefox. However, I won’t be covering Internet Explorer in this article, because it doesn’t feature a plug-in architecture (or at least one I want to talk about), and requires you to install an actual piece of software instead.
Bottom line: Please use Chrome/Chromium, or Firefox. If you’re on Mac, same applies – please use Chrome/Chromium or Firefox. Some of this might work on Safari… but I’m afraid I don’t know.
Make sure that your phone has a password/pin/pattern/fingerprint! Of course, it’s not 2010 any more – everyone is already running a lock screen, right? Right??
Your phone can probably already access your email, so anyone who steals/finds your phone will be trivially capable of resetting your passwords on your favourite sites and stealing your online identity.
However, this article will require you to use Google Authenticator as the second factor for LastPass. That means your phone is now the keys to the kingdom twice over: anyone who picks it up unlocked can see that you have Google Authenticator on it, with a LastPass entry listed, and can also read the email account that your password reminder goes to. Your master password is then the only thing left standing between them and ALL YOUR PASSWORDS!
Your phone should be protected. I shouldn’t need to say this, but I’m saying it anyway. LOCK YOUR PHONE. Always.
I say this a lot, but I’ll say it again – you must use Two Factor Authentication with a password manager (any password manager). To do otherwise is to massively compound the problems you’re probably already having with online identities, problems that you probably assumed that a password manager would help you with. But that is only a correct assumption if you use Two Factor Authentication.
One last time: ensure that you put Two Factor Authentication on your Lastpass, or close this article and walk away.
At the time of writing (November 2016), LastPass’s “Premium” option costs $1/month (plus tax, so roughly $15/annum). The main reason to pay appears to be Family Sharing, so that you can put family details such as passports, billing details, or even bank accounts in one LastPass account and share it across two or more (up to five) separate logins.
Considering that $15/year is about (ahem) a tenner a year in sterling, it’s a piffling amount to pay for having your passwords accessible by your other half, or for better technical support. More details can be found here. That said, it looks like the free version will be a perfect fit for a LOT of potential customers. Your call, ultimately.
Install the Plug-In
Head to the LastPass website (https://lastpass.com) and click on “Get LastPass Free”. This will prompt you to install the LastPass plug-in. Don’t worry: we’ll be enabling Two Factor Authentication before we put any useful information in there.
Next, put your email into the login screen that appears straight afterwards – don’t forget to tick the Terms and Policy box, then click “Create Account”.
Now you get to choose your master password. This is, obviously, extremely important. Follow their advice – use a reasonably complex, but memorable password. Make sure it is UNIQUE – i.e. you haven’t used such a password, or a similar password, before. If you’re struggling for inspiration, you can’t do much better than security guru Bruce Schneier’s advice on complex but memorable passwords here. He suggests a memorable phrase, something family related perhaps, from which you take the first letters of each word to form your password.
However! A second factor is not a licence to choose a trivial, 8 character password (please don’t do that…). Two Factor Authentication only protects the login to LastPass’s servers; the vault itself is encrypted with a key derived from your master password, so anyone who gets hold of a copy of your vault can guess at that password offline, with no second factor involved. Treat 12 characters as a floor rather than a target, and lean towards a longer Schneier-style phrase that is reasonably complex but very memorable. Depending on your settings, you’ll be typing this a LOT, so make it something that you can mostly get right on the first try.
Finally, choose a reminder phrase that will remind you, vaguely, of what your password is. My test password for this walkthrough is related to the word “monkeys”, so that is what the reminder hints at.
Two things will happen next. First, you’ll get the short, five-slide tour of LastPass and then access to your Vault. Second, you’ll get an email confirming your sign-up. The email usually appears by the time you’ve skipped merrily through the baffling and not-very-helpful tour.
You haven’t done the Two Factor Authentication yet, so step away from your Vault for the time being. Seriously – nothing is going into that Vault until we’ve enabled Two Factor Authentication.
Two Factor Authentication
Let’s nail this absolutely essential step: enabling Two Factor Authentication. Don’t know what that is? Well, I linked to it above, sneakily, but I’ll do it again here more obviously: http://scaine.net/kb/the-internet/two-factor-authentication/
Go and have a read, then come back here. I mean it – come back here and finish the set up. If you go ahead and put your passwords in your Vault, then walk away thinking that you’ve done yourself a good service, then you’re an absolute fool. No two ways to say it. You’ve just put all your (golden) eggs in one basket, then left the basket lying in the street. Sure, the basket is locked and chained down, but there exist plenty of interested parties with crowbars. A password just isn’t enough of a lock, so you need something better: something that still holds when your password is guessed, phished or leaked. You need Two Factor Authentication.
Enable Two Factor Authentication
Click on your LastPass icon, at the top-right of Chrome, then choose “My Vault”. Now at the bottom left, you should see “Account Settings”, so click on that.
Now click on the second tab, called “Multifactor Options” and click on the pen icon next to “Google Authenticator”.
You’ll see the Google Authenticator set-up panel, with a barcode link, an “Enabled” switch and a few other options.
Panic not… this looks more complex than it actually is!
Start by installing the necessary 2FA app on your phone, if you haven’t already done so for other services. Google Authenticator is available for Android, iPhone/iPad and Blackberry devices.
Once that’s running, on your desktop, click on “View your Barcode”. Now start the Google Authenticator app on your phone, tap on the “Add” button (on Android, this is a big + sign at the bottom right), and choose “Scan a Barcode”. Hold your phone’s camera up to the barcode shown on your desktop’s screen. Your phone will vibrate and you’ll now have a new entry on your Google Authenticator app! We’re nearly done.
Now back to your web browser, the first option is “Enabled” – click on “No” and change it to “Yes”. You’ll be prompted for your LastPass master password. Do that, and a prompt will appear asking you to enter your Google Authenticator code. Get that from your phone, type it in, and you’re all done.
Whenever you log in to LastPass from now on, you’ll be prompted to get your phone out, unlock it, start Google Authenticator and type in that code. The code changes every 30 seconds, but don’t worry if it’s just changed, or even if it’s about to change: services that use these time-based codes normally accept the code from the neighbouring 30-second window as well, so a code that has only just rolled over still works.
You now have two options for getting passwords into the Vault.
First, you can (tediously) type in every password you know about, as a one-off exercise. Thereafter, LastPass will save and fill them for you and help you use, maintain and protect them.
Second, you can import all the passwords that Chrome already knows about. This is probably the better idea, but you’ll need to install LastPass’ binary component so that the plug-in can read Chrome’s own password store. To do this, follow these steps:
- Left-click on the LastPass icon, at the top-right of Chrome.
- Click on “More Options”, then “Advanced”
- Click on “Import”, then “Google Chrome Password Manager”. If you’re using Firefox, you’ll see a similarly named option.
- Click on the blue writing that says “Install the binary version of LastPass for Chrome to enable importing passwords from Google Chrome password manager“
- Click on “Allow” to enable the native messaging option.
- Restart Chrome.
Now, when you click on your “Import” tab (steps 1-3 above), you’ll see all the passwords that you have already tucked away in your Chrome Password Manager. You can also see those passwords by accessing your Google account here: https://passwords.google.com. Note that I’m not making that a link on purpose – you shouldn’t trust web pages to show links to that kind of information… ever!
LastPass is now an integral part of your online identity management. Well done! There are a number of ways you can be even more secure now, however. Here’s a few ideas.
- Take the LastPass Security challenge. Click on LastPass, go to “My Vault”, then on the left, choose “Security Challenge”. This will highlight sites that have weak passwords, or those instances where you’ve used the same password on two or more sites. Raising your score to above 80 is a must.
- Turn off Chrome’s password manager. Now that LastPass will save/enter every password you use, there’s no need to have Chrome’s password manager trying to pop up and get in the way. Go to Chrome’s password settings (paste this into your URL bar: chrome://settings/passwords), then turn off both “Offer to save passwords” and “Auto Sign-in”. Once you’ve confirmed the import worked, delete the passwords Chrome still holds there, so there isn’t a second, less protected copy of them lying around.
- Create entries for non-password stuff – passport details, driving licence, tax details, bank accounts, National Insurance numbers, PIN numbers, Emergency numbers (e.g. lost credit card numbers), the lot. You’ll be surprised at how useful it is to have that stuff anywhere, anytime. It’s particularly useful when you lose a credit card, for example. Or when you’re booking a flight and the check in pops up asking for your passport details. Or filling in a direct debit form. And so on.
How do I actually use it?
Very simply, whenever you visit a web page which requires login details, you’ll now see a little LastPass logo on the right-hand side of the entry fields. Here’s an example.
The tiny “1” on the logo means that I have one matching entry for the website (https://reddit.com in this case). When I click on the logo, I can see my matching entry:
I just click on “scaine” and it will automatically log me in with that username/password combination. Simple!
Any feedback? Stuck? Leave a comment.