You’ve heard the saying, “If it ain’t broke, don’t fix it.” Certainly if your password manager is doing everything it should, you don’t necessarily need it to change.
But sooner or later the interface starts to look dated, and the competition comes up with new features.
Accordingly, the free LastPass 4.0 has a bold new online interface, and its new features include a Sharing Center to manage shared passwords and Emergency Access to hand down your passwords to your heirs.
These new features put the free LastPass ahead of even many of its for-pay competitors.
You can use many commercial password managers for free if you accept substantial limitations.
Some, like RoboForm Everywhere 7, limit you to 10-15 passwords before you must pay. Others, like Dashlane 3, are free as long as you stick to one device, no syncing. With such stringent restrictions, these aren’t really free products.
When initially released, the free edition of LastPass only let you sync across devices of the same type. You could use it with multiple desktops (Windows, Mac, or Linux), multiple smartphones (Android, iOS, Windows Phone, or BlackBerry), or multiple tablets (Android, iOS, or Windows).
That limitation has been lifted. You can now sync passwords across all your devices, just as you can with LastPass Premium.
Getting Started With LastPass
Setting up a LastPass account is simple.
Start by downloading and installing the free app. You’ll be prompted to either sign in to an existing account or sign up for a new one.
As always, you should create a strong password, something that you can remember but that nobody else would guess.
You can add a password hint, but that may not be the best idea.
In June of 2015, hackers apparently stole some data from the LastPass servers.
Thankfully, LastPass’s impressive security measures meant that no actual passwords, master or otherwise, were exposed. Just to be super-safe, the company notified all users to change their master passwords.
The one thing that hackers might have obtained? Password hints.
If you must use a master password hint, make it something cryptic, something only you will understand.
And enable multifactor authentication, as explained below.
Note that nobody at LastPass has access to your data, not without that master password.
In the past, if you forgot your master password and the hint didn’t jog your memory, you had no recourse but to start over. Now when you install LastPass on a new device, you get the option to have it save a one-time password for account recovery.
The recovery process requires access to your email account and to the device, so this isn’t too much of a security risk.
Even so, I’d be inclined to stick with the master password.
During installation, LastPass offers to slurp up passwords stored insecurely in your browsers.
It also deletes the passwords from unsafe storage and turns off the browser’s password capture.
In addition, you can import data from several dozen competing password managers.
Once the LastPass extension is installed in your browsers, you know the drill. Log in to your secure sites as always, and let LastPass save your credentials. You can assign a friendly name for the site at capture time, and add it to a new or existing folder. LastPass itself suggests folders for well-known sites.
Sometimes you’ll run across a website that uses a weird login page, something that LastPass doesn’t capture automatically. Like RoboForm and Sticky Password Premium, LastPass can handle these. Just enter your credentials and then, before logging in, select Save All Entered Data from the browser toolbar menu.
Clicking the LastPass toolbar button in your browser brings up a menu that includes a list of all your saved sites.
Each folder becomes a submenu, and you can have nested folders.
The menu of saved logins is a common feature, but LastPass and Sticky Password are among the few that allow nesting.
When you sign up for a new account or change your password for an existing account, LastPass offers to generate a secure password.
By default, the password generator creates 12-character passwords using at least one digit and a mix of capital and small letters. You can crank up the length and include punctuation to get even stronger passwords. On the flip side, if you need to remember the password and can accept a security hit, the Make Pronounceable option gives you passwords like ogypropoitio or morefesticku.
When you do sign up for a new account, LastPass captures your credentials, and it offers to update its saved password when you make a change.
This works whether or not you accept the aid of the password generator.
I wish this component had gotten just a little enhancement in the move to version 4.0.
True Key by Intel Security defaults to generating 16-character passwords using all possible character types. Most users won’t bother to change the defaults, so they’ll get less-secure passwords from LastPass.
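To put numbers on that comparison, here is an added example (not LastPass or True Key code) that counts exactly how many passwords each default can produce and converts the count to bits of entropy. It assumes "a mix of capital and small letters" means at least one of each, and that "all possible character types" means at least one lowercase letter, uppercase letter, digit, and ASCII punctuation character; the policy names and functions are hypothetical.

```python
import math
import secrets
import string
from itertools import combinations

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,   # 32 ASCII punctuation characters
}

# Assumed readings of the two defaults described in the review.
LASTPASS_DEFAULT = {"length": 12, "allowed": ("lower", "upper", "digit"),
                    "required": ("lower", "upper", "digit")}
TRUE_KEY_DEFAULT = {"length": 16, "allowed": ("lower", "upper", "digit", "punct"),
                    "required": ("lower", "upper", "digit", "punct")}


def count_passwords(length, allowed, required):
    """Exact number of strings the policy can produce (inclusion-exclusion
    over the required classes that a candidate might be missing)."""
    total = sum(len(CLASSES[c]) for c in allowed)
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = total - sum(len(CLASSES[c]) for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def entropy_bits(length, allowed, required):
    """Bits of entropy when every valid password is equally likely."""
    return math.log2(count_passwords(length, allowed, required))


def generate(length, allowed, required):
    """Rejection sampling with a CSPRNG keeps the output uniform over the
    valid set, which is what entropy_bits() assumes."""
    alphabet = "".join(CLASSES[c] for c in allowed)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in required):
            return candidate


if __name__ == "__main__":
    for name, policy in (("12-char default", LASTPASS_DEFAULT),
                         ("16-char all types", TRUE_KEY_DEFAULT)):
        print(f"{name}: {generate(**policy)}  ~{entropy_bits(**policy):.1f} bits")
```

Under these assumptions the two defaults come out at roughly 71 and 105 bits, a gap of about 33 bits.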
With the move to version 4.0, the online LastPass Vault got a significant makeover. From the vault, you can view, edit, and organize all of your saved logins. You now have the option to see them displayed in a grid of tiles, much the way Dashlane 3 does. LastPass’s tiles are rather large; the new ability to collapse the left-hand menu makes more room for them.
A new multi-purpose Add button lets you add a new folder, secure note, or site, or share an existing item with other users (more about sharing later).
In addition, you can now select multiple items at once and perform bulk actions like moving them all to a folder, sharing them, or deleting them.
The concept of setting up a way for your heirs to inherit your passwords originated with the Digital Legacy feature in PasswordBox. PasswordBox has since been subsumed into True Key, but the concept lives on.
For example, Dashlane lets you set up any number of emergency contacts to receive all or some of your passwords. With the free LogMeOnce Password Management Suite Premium, you can define one heir for your entire collection and five for individual logons.
Emergency Access in LastPass works almost exactly the same as the similar feature in Dashlane. You enter your recipient’s email address and define a waiting period. Recipients must install LastPass, if they haven’t already, and accept your connection request. Now if something happens to you, the recipient simply requests access to your account.
Dashlane does let you pass along just a subset of your saved credentials—for example, you might define a co-worker as recipient of your work-specific passwords.
That’s not an option in LastPass.
Here’s where the waiting period comes in.
Suppose your supposedly trusted recipient decides to jump the gun and get your passwords before you’ve kicked the bucket.
The initial request for access triggers an email to you, and you can deny the access request at any time during the waiting period.
In a real emergency, your recipient automatically gets access after that time elapses.
Clicking Emergency Access lets you view two pages, People I Trust (your password heirs) and People Who Trust Me (those who’ve made you their emergency access contact). On the People I Trust page you can delete anyone from the list, or change the waiting period. On the People Who Trust Me page, you can bow out of the emergency access role.
We normally recommend against sharing your passwords promiscuously, but there are situations that merit sharing. You and your spouse may share a bank account, for example.
If you must share, you should do it safely.
Sharing passwords with other users is a fairly common feature among password managers, though it’s found more in commercial products than free ones. 1U Password Manager limits sharing to its mobile app.
Enpass Password Manager 5 sends the credentials as an encrypted data block. Users of the free LogMeOnce can share just five passwords.
That makes LastPass the most flexible free password manager as far as sharing goes. Just point to an item in the vault to reveal the new hover-style choices, click the sharing icon, and enter the recipient’s email address. Recipients who already use LastPass will see a notification that a new share has arrived; others will get an email message explaining how to create an account and accept the share.
The recipient can use the shared item to log in; you choose whether or not to make the password visible.
The new Sharing Center within the online vault lets you easily manage your shared items.
As with emergency access, you can relinquish access to credentials that others have shared with you, or cut off others with whom you’ve shared passwords.
There’s also a tab for managing shared folders. However, if you try to make use of it you’ll quickly learn that folder sharing is a Premium-only feature.
Filling Web Forms
When you’ve got a product that can automatically fill in login credentials, it’s just a short step to making it fill personal data into Web forms. However, not many free password managers include this feature. LastPass and LogMeOnce are among the few, along with Symantec Norton Identity Safe.
You can define any number of full identity profiles in LastPass, each of them including a variety of personal and contact information along with one credit card and one bank account.
Those with a certain level of Web-design expertise can define custom fields, meaning that when LastPass encounters a field with a specific internal name, it will fill that field with the selected data.
RoboForm lets you create multiple instances of any form-fill field, and Dashlane stores the various components of personal data (phone numbers, emails, and so on) separately. LastPass’s one gesture to the need for multiple fields is the ability to create profiles containing nothing but a credit card. When you go to fill a Web form, you can choose to use a personal data profile or to choose personal data and credit card separately.
In the vault, LastPass represents each profile by analyzing the associated credit card number.
It correctly distinguished the MasterCard, VISA, and American Express numbers I tried.
Dashlane takes this concept a step beyond.
It lets you identify each card with a color and bank logo, and displays replicas of the cards for selection when you’re filling a form.
To fill a form using LastPass, you need to find the little icon it adds to one of the fields.
Click that icon, select a profile, and boom! Form filled.
In testing, it proved more accurate than most.
It doesn’t matter how complex your master password is if a thief gets ahold of it.
From anywhere in the world, the thief can log in as you. LastPass does require email verification the first time you log in from a new device, which might help.
But you can seriously enhance your security by taking advantage of the available multifactor authentication options.
To set up multifactor authentication, you open LastPass’s Account Settings dialog, which looks much the same as it did in version 3.0.
In the free edition, LastPass supports Google Authenticator as well as such work-alikes as Duo Mobile and Twilio Authy. Linking your account is just a matter of snapping a QR code using your mobile device.
Thereafter, each time you log in you’ll need a one-time code generated by the app as well as your master password.
The free edition also supports authentication via the Toopher and Transakt apps.
These work more simply than Google Authenticator.
Instead of copying a one-time code, you simply accept or reject the connection attempt using your smartphone.
Those without a smartphone can print a wallet-sized authentication grid.
To authenticate, LastPass asks you to enter characters found at specific coordinates on the grid.
Two-factor authentication can get tedious after a while, so LastPass lets you define specific devices as trusted. When you log in from a trusted device, all you need is the master password.
In a similar vein, if you enable mobile device restriction, no login from a mobile device will be accepted if it’s not one of your own mobile devices.
Getting all of your passwords safely stored with LastPass is a good first step, but it’s not enough. Now you need to go through those passwords and fix the weak ones, and the ones you’ve recycled for use on multiple websites.
That’s where the Security Challenge comes in.
Click the security challenge icon, re-enter your master password, and get ready to see how good (or bad) your passwords are.
Do note that to get the full advantage of the security challenge, including automated password changing, you must launch it from Chrome.
As part of the analysis, LastPass sifts out the email addresses found among your passwords and offers to check them against known compromised sites. Naturally, if you find out that one of these addresses is associated with a breach, you should change all associated passwords immediately.
At the top of the resulting report you get an overall percentage score, your standing within the LastPass community, and a score for your master password.
The overall score is mostly based on whether your passwords are strong and unique, but it includes other factors as well.
For example, you lose 10 percentage points if you haven’t enabled multifactor authentication.
If you like, you can follow LastPass’s prompts to fix four types of problems: compromised passwords, weak passwords, reused passwords, and old passwords. Note that “old” here is measured from the first time LastPass encountered the password.
You can also scroll down for a full list of all your passwords, along with a password strength rating for each, the time it was last changed, and a button to let you update the password.
For some common sites, LastPass displays an Auto-Change button; click it to have LastPass automatically update the password.
At present LastPass can auto-change about 80 sites, while Dashlane’s similar feature supports over 500. You can also check off multiple items and update them all at once.
If the site isn’t among those LastPass can handle, a Launch Site button lets you go make the change manually.
Still a Winner
Automated password updates slipstreamed into LastPass 3.0, but Emergency Access is new in version 4.0.
The updated user interface for the online vault is a welcome change, as is the handy Sharing Center.
And the breadth of features in this free password manager is amazing.
The fact that the free edition no longer limits you to syncing across devices of the same type is icing on the cake.
LastPass 4.0 remains an Editors’ Choice for free password manager.
It shares that honor with LogMeOnce Password Management Suite Premium, which also packs an impressive feature set into a free product.