One of the most common mistakes when creating a new account, be it for a hobby website, online banking, or web email, is creating a password that’s too weak or easily guessed. On the flip side, strong passwords have their benefits, but they tend to be easily forgotten in the flood of unique passwords we use (you do use a unique password for everything, right?).
The goal of a good, strong password is threefold: It should not be easily guessable (containing no personal information like birthdays, pet’s names, etc.), it should be random (a mix of UPPER, lower, numb3rs, and $ymbol$), and it should be unique (not shared across many sites or accounts).
What’s a person to do?
To simplify managing my passwords, I use a program called LastPass. LastPass is a free password management tool that uses a master password to remember the passwords for all of your websites. All you need to do is download the appropriate version of LastPass, install it, set up an account, and start using it!
One thing I do want to mention before I get started – LastPass did have a possible security concern in February 2011. While it looks like nothing was ever compromised, LastPass did the right thing by reacting very quickly and forcing users to reset their master passwords. To this date, it is unlikely that anyone ever actually compromised their security. Even if someone had, LastPass uses encryption and hashing to prevent your passwords from being revealed. To this day I trust LastPass wholeheartedly and recommend it to my clients.
Go to http://lastpass.com and click on the Download link at the top of the page. The website is smart enough to take you to the proper download for your operating system. Even if you are not using some of the web browsers that are supported you can download and install the application.
Save the file to a location where you can find it or just click on Run to open it automatically after downloading.
Once the installer starts you will be asked to select your language.
Click on the Next button until you get to the installation options screen. Here you will be prompted to install LastPass for the browsers you currently have installed. Click on the Next button again to install the plug-ins.
The next screen will ask you if you already have an account. Select the option to create a new account. Click Next.
On the account creation screen you will need to enter your email address and a LastPass Password. This LastPass Password is also known as your master password – it is the key that will unlock the vault that contains all of your other passwords, so it needs to be as secure as possible! One thing that may help you is to use spaces – instead of a password, use a passphrase. This makes a password more secure by an order of magnitude. A passphrase also has the added bonus of being easier to remember – a sentence is a lot easier to quote from memory than a mess of letters, numbers, and symbols. Another method of ensuring some security is to use number or symbol substitution – that is, use a number or a symbol in place of a letter. For example, the word ‘squirrel’ could be written as ‘$qu!rr3l’. It’s much more difficult to crack than a plaintext password and a little easier to remember, though not nearly as secure as a passphrase.
Then, use something that can help you remember what your password or passphrase is. In the screenshot below I used a common typing exercise for my passphrase and entered 4th grade as my reminder, since that is when I learned that phrase. If you forget your password or passphrase later on LastPass will use your email address and password reminder to help you remember it. If you still can’t remember it you’ll be sent some special instructions to reset it. The best thing to do though is to remember this password or passphrase! I promise; it’ll soon be the only one you’ll need to remember.
After you click Next you will be prompted to reenter your password or passphrase. Once done, click Next.
LastPass will then ask you if you want to import any insecure items on your computer. Assuming you think you have some, go ahead and choose Yes. If the computer is new or you haven’t used saved passwords in your browsers, click No. Note – this only checks for insecure passwords in your web browsers, not in any other locations.
Once you are finished, choose whether or not LastPass keeps you logged in or automatically logs you out. This option depends on how your computer is set up – if multiple people log in using the same Windows or OS X user account then you will want to be automatically logged out. If you have your own Windows account then you may choose to keep yourself logged in. Being automatically logged out is more secure but also a little less convenient.
Once you are done installing, Internet Explorer and Firefox may ask you if you want to install the LastPass add-on. Go ahead and allow this.
Once your browser is up and running you should see the LastPass icon. In Firefox it is usually found in the upper-right corner of the web browser. In Internet Explorer it is located in the upper-left of the browser. If you do not see it right away, make sure that the LastPass Toolbar has a check next to it (in Internet Explorer it is under the View menu; in Firefox it is located in the Firefox button, Options, LastPass Toolbar).
Click on the icon to see the LastPass menu:
The top option allows you to logoff.
The My LastPass Vault is the area where all of your passwords are stored.
Recently Used will bring up sites that you’ve used in the past few days.
Sites stores all of the site groups and sites filed under those groups.
Secure Notes allows you to jot down a note that is password protected (as long as you are logged out of LastPass).
Fill Forms will save you some time when you are presented with a form asking for your name, address, ZIP, phone, email, etc. Not only does it auto-fill these forms for you but it keeps all of that information secure.
Preferences allows you to change some options in LastPass, including automatically logging you out of LastPass after a certain amount of time, highlighting form field boxes, and showing you your vault after you log in. I usually uncheck the Show My LastPass Vault After Login option since it is distracting and somewhat insecure. There are many other options – feel free to explore them and tweak LastPass to your liking.
Help will be the first place to go if you still have questions after this tutorial.
Tools includes some advanced tools that are included with LastPass, including importing passwords from other password managers and checking for LastPass updates.
Generate Secure Password will allow you to have LastPass generate (and remember) a password for you. More on this in a second.
Go Premium allows you to add additional features, such as LastPass on your phone and better support.
To use LastPass, simply visit a site that you need a secure, random, and/or unique password for and get going! For this example I am using Pinterest.
At the password prompt I can right-click and choose LastPass. One of the options is to generate a secure password. When I do this I am presented with a box that allows me to create a secure, random, and unique password. In this example you can see that the password generated is very difficult to remember. This is not a problem however because LastPass is going to remember it for me!
If I click on the Show Advanced Options checkbox I can:
-Specify a password length,
-Choose which types of characters to use and whether or not I want the password to be pronounceable,
-Avoid Ambiguous (duplicate) Characters, and
-Require Every Character Type (A-Z, a-z, 0-9, and special/symbolic characters).
With a little tweaking I can get a password like this:
(One caveat – there is no universally-accepted method of password complexity. Some sites let you use spaces, some don’t. Some sites will say that you must use some special characters, some will not. Some even impose a character limit. Unfortunately it is up to you, the person signing up for the account, to make sure that the password meets the minimum password requirements, no matter just how arbitrary they may be. Luckily the advanced section below makes generating a password with these requirements much easier).
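To make the generator options above concrete, here is an added example (not LastPass's code and not part of the original tutorial) of a generator that honours a length, a choice of character types, an avoid-ambiguous switch, and a require-every-type switch, and that can be narrowed to fit a site's password rules. The symbol set, the list of ambiguous characters, and all function names are assumptions made for the illustration.

```python
import math
import secrets
import string

AMBIGUOUS = set("0O1lI")   # look-alike characters (this exact set is an assumption)
SYMBOLS = "!@#$%^&*"       # symbol set is an assumption; sites differ on what they accept

def build_classes(upper=True, lower=True, digits=True, symbols=True,
                  avoid_ambiguous=False):
    """Return the enabled character classes, one string per class."""
    classes = []
    if upper:
        classes.append(string.ascii_uppercase)
    if lower:
        classes.append(string.ascii_lowercase)
    if digits:
        classes.append(string.digits)
    if symbols:
        classes.append(SYMBOLS)
    if avoid_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    return classes

def generate_password(length=16, require_every_type=True, **options):
    """Generate a password from the OS CSPRNG honouring the chosen options."""
    classes = build_classes(**options)
    if not classes:
        raise ValueError("enable at least one character type")
    if require_every_type and length < len(classes):
        raise ValueError("length is too short to include every character type")
    alphabet = "".join(classes)
    while True:
        # secrets.choice uses the OS CSPRNG; the random module is predictable.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Redraw rather than forcing a class into a fixed position, so the
        # result is uniform over all passwords that satisfy the policy.
        if not require_every_type or all(
                any(ch in cls for ch in candidate) for cls in classes):
            return candidate

def entropy_bits(length, **options):
    """Upper bound on entropy in bits: length * log2(alphabet size)."""
    return length * math.log2(len("".join(build_classes(**options))))

if __name__ == "__main__":
    # A site that forbids symbols and caps passwords at 12 characters (constructed policy).
    print(generate_password(12, symbols=False), round(entropy_bits(12, symbols=False), 1))
    print(generate_password(20, avoid_ambiguous=True))
```

The entropy figure shows what a site restriction costs: dropping symbols or shortening the length lowers the bound, which a longer password can make up for where the site allows it.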
To accept your password, choose Copy. You will be prompted that your generated Password will be saved to your Vault. You can then right-click in the password field, choose Paste, and your password is now set!
Once you fill out the rest of the form and choose Submit you’ll see the LastPass message bar at the top of the screen. This bar will automatically pop up when a password is used and ask you if you want to save the site. This is the method that you will use to add your established sites to LastPass.
Clicking on the Save Site button brings up the Add LastPass Site box. You can change the name to anything you’d like. The Group is a box you can use to organize your sites. In this case I will leave the name as Pinterest and make a new Group of Hobby Sites:
I can also choose whether or not to have LastPass automatically log me in when I visit the site. Since Pinterest has a very low threshold of pain for me should it ever be compromised, I’ll choose to AutoLogin. Generally you want to avoid AutoLogin at sites like online banking, credit cards, etc. This will add a small layer of protection should someone get into your account and start clicking on your sites. They can still just as easily right-click in the login fields on those sites and log in with your saved passwords, though, so it is always a good idea to lock your computer or log out of LastPass when you leave your machine. (You can lock your computer very quickly by pressing the Windows key + L at the same time).
Here you can see LastPass automatically logging me in:
As you start visiting your regular sites LastPass will begin prompting you to save the site after you successfully log in. I suggest doing this at first and having LastPass remember your password for you. As you grow more comfortable with LastPass you should start to replace your site passwords with generated passwords.
On sites where your login is remembered, all you’ll need to do in the future is right-click on the username or password field (if LastPass hasn’t already filled them in), choose the LastPass menu item, and choose the option that corresponds to the site you are on.
You can also use LastPass to simplify the filling out of forms. After you fill out a form LastPass will ask you (via the message bar) if you want to save the entered information. You’ll need to create a profile and enter some personal information. I steer clear of sharing credit card information or my SSN – while I trust LastPass and the strength of my master password I do not trust myself to always remember to log out of LastPass or to leave my computer secured every moment of the day.
This is great and all, but what about the other computers you use? LastPass has you covered – it will remember all of those passwords for you! Simply install LastPass like we did above, but instead of creating a new account, log in to your existing one. For shared computers you can access your LastPass password vault by going to http://lastpass.com and logging in with your master password.
I hope that this tutorial will help you to begin using secure, random, and unique passwords to keep your personal information protected.