How-To Geek

The How-To Geek Guide to Getting Started with LastPass

It’s all too easy to get sloppy with your password security as the number of accounts and accompanying passwords piles up. It’s time to start letting LastPass generate and manage your stable of secure passwords.

What Is LastPass and Why Do I Need It?

LastPass is a password management tool that takes all the effort out of managing your passwords—it’s so effortless, in fact, that it’s the most popular password management tool among How-To Geek readers. We all have reasons, most of them in common, for not using passwords as strong and varied as we should: it’s a pain to remember them, it doesn’t seem that important to vary passwords wildly, entering complex passwords for each web site we visit is a big hassle, etc. LastPass removes those barriers by making password generation, management, and deployment dead simple and seamless.

LastPass combines a local password manager with cloud-based storage. Your password database is stored in the cloud, encrypted with 256-bit AES, and is decrypted locally on your device. Your passwords are only accessible via local decryption or by logging into LastPass’s secure web site and using your master password to decrypt your password database over the SSL connection.
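The storage model described above, as an added example that is not LastPass's code or part of the original article: the database is encrypted on the device and only the resulting blob is uploaded. The article states only 256-bit AES and local decryption; PBKDF2-HMAC-SHA256, GCM mode, the iteration counts and every function and field name here are assumptions made for the illustration.

```javascript
// Added example: not LastPass's code. KDF, cipher mode and work factor are assumptions.
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const KDF_ITERATIONS = 600000; // assumed PBKDF2-HMAC-SHA256 work factor
const MIN_ITERATIONS = 100000; // refuse blobs that ask for a weaker derivation
const KEY_BYTES = 32;          // 256-bit AES key

// Stretch the master password into the AES key. Runs only on the device.
function deriveKey(masterPassword, salt, iterations) {
  return pbkdf2Sync(masterPassword.normalize('NFKC'), salt, iterations, KEY_BYTES, 'sha256');
}

// Encrypt the password database locally; the returned object is all that is uploaded.
function sealVault(masterPassword, entries) {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const key = deriveKey(masterPassword, salt, KDF_ITERATIONS);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(entries), 'utf8'),
    cipher.final(),
  ]);
  const tag = cipher.getAuthTag();
  key.fill(0); // best-effort wipe of the key material
  return {
    kdf: 'pbkdf2-sha256',
    iterations: KDF_ITERATIONS,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: tag.toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
}

// Decrypt a downloaded blob locally. Throws on a wrong master password or a modified blob.
function openVault(masterPassword, blob) {
  if (blob.kdf !== 'pbkdf2-sha256' || !Number.isInteger(blob.iterations) ||
      blob.iterations < MIN_ITERATIONS) {
    throw new Error('refusing blob with unexpected or weakened KDF parameters');
  }
  const key = deriveKey(masterPassword, Buffer.from(blob.salt, 'base64'), blob.iterations);
  try {
    const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
    decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
    const plain = Buffer.concat([
      decipher.update(Buffer.from(blob.ciphertext, 'base64')),
      decipher.final(), // throws if the authentication tag does not verify
    ]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    throw new Error('cannot decrypt vault: wrong master password or modified blob');
  } finally {
    key.fill(0);
  }
}

// Constructed sample data for a stand-alone run.
function demo() {
  const entries = [{ site: 'mail.example.com', username: 'alice', password: 'constructed-Sample-pw' }];
  const blob = sealVault('constructed demo passphrase 2011', entries);
  const leaks = JSON.stringify(blob).includes('constructed-Sample-pw');
  let wrongRejected = false;
  try { openVault('not the passphrase', blob); } catch (e) { wrongRejected = true; }
  return { leaks, wrongRejected, roundTrip: openVault('constructed demo passphrase 2011', blob) };
}

console.log(demo());
```

Because the key exists only where the master password is typed, a forgotten master password leaves nothing to recover from, and the strength of that password is what protects a copied blob.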

LastPass also includes password generation tools, automatic form filling, and automatic login/password completion. Once you’ve got LastPass up and running you’ll never have to worry about weak passwords again. LastPass is available for Windows, OS X, and Linux as well as iOS, Android, BlackBerry, Windows Mobile, Symbian, and webOS. LastPass also supplies add-ons for Internet Explorer, Firefox, Safari, Chrome, and Opera. You’ll be hard pressed to find yourself, on any platform or with any browser, separated from your passwords.

Signing Up For and Installing LastPass

[Screenshot: LastPass installer run wizard]

The first thing you need to do is get yourself a free LastPass account. Head over to LastPass.com and download the appropriate software for your machine. We’re going to download the package for Windows, but the steps for each OS are pretty much the same. Run the application; you should be greeted with a run wizard that looks like the screenshot above. Check the web browsers you want to install LastPass on. The advanced options give you more control over the specific aspects of those browser installs; skipping the advanced section is fine for most users.

Select that you do not have an account and wish to create one.

Type in your primary email address and select a strong password. You’ll only be using this password to access your web password vault and to log in once every browser session to the local database. Now is a great time to start using a passphrase instead of a simple password—e.g. HowToGeekR0cksMyB0xIn2011.

They can’t stress it enough and we can’t stress it enough on their behalf: if you lose your LastPass password you’re totally out of luck. Again, use a strong and memorable passphrase. If you have to, write it down and tape it to the bottom of your desk drawer or otherwise hide it away.

At this point you’ll be prompted to import all the passwords from your web browsers into LastPass. There’s really no good reason not to do this. Even if you’ve used “password” for all your passwords, it will at least build a list of sites you’ve been using insecure passwords on so that you can later go back and update them. In the next step it will list all your saved sites, their username/passwords, and a toggle for you to select and deselect them for import into LastPass.

We’re almost done! The last setup step is to specify whether or not LastPass should log you out when the browser closes and whether or not your LastPass Vault should be your homepage. We recommend setting it to log you out and not using your vault as your homepage. We doubly recommend both choices if you’re using LastPass on a portable computer or mobile device.

After you finish the LastPass installation, launch one of the web browsers you specified in the first step of the setup. In the toolbar of the browser will be a dark LastPass icon (which looks like an asterisk). Log in using your email and LastPass password. We let LastPass remember our login but leave the password blank. Once you log in, the LastPass logo should switch from dark gray to red and white.

Clicking on the logo yields a drop-down menu filled with LastPass goodies. The first thing we want to do is hit up the Preferences menu. Click on it now.

LastPass is notoriously chatty. We happen to like the notifications but many people aren’t so fond of them. We’d recommend leaving the default notifications in place as they serve as excellent reminders to use LastPass and to generate secure passwords. As you get more comfortable using LastPass and need fewer reminders, go ahead and return to this menu and toggle some of them off.

From this point forward LastPass will automatically detect when you’re visiting a website that you’ve already created a login for and will prompt you to generate a secure password for new web sites you’re joining. In the next section we’ll take a look at that process.

Using LastPass to Generate and Store Secure Passwords

[Screenshot: LastPass prompt during Yahoo! Mail signup]

When you create a new account for a web service, LastPass will prompt you to generate a secure password. In the screenshot above we started the signup process for a Yahoo! Mail account. When you click the generate button LastPass will open a new tab with the password generator.

There you can set your password length, accepted characters, and other parameters. You can accept the password or generate a new one with new variables until you’re satisfied. When you hit accept LastPass will automatically fill it in for the site (and remember it on your behalf).
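What a generator with those controls does underneath, as an added example that is not LastPass's generator or part of the original article: characters are drawn with the operating system's CSPRNG, one from each enabled class is guaranteed, and the result is shuffled. The option names, the symbol set and the look-alike list are assumptions.

```javascript
// Added example: not LastPass's generator. Option names and symbol set are assumptions.
const { randomInt } = require('node:crypto');

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!#$%&*+-=?@^_',
};
const AMBIGUOUS = new Set('Il1O0'); // look-alike characters, optionally excluded
const DEFAULTS = {
  length: 16, lower: true, upper: true, digits: true, symbols: true, avoidAmbiguous: false,
};

// Turn the selected options into one character pool per enabled class.
function resolve(options = {}) {
  const opts = { ...DEFAULTS, ...options };
  const pools = Object.keys(CLASSES)
    .filter((name) => opts[name])
    .map((name) => [...CLASSES[name]].filter((c) => !(opts.avoidAmbiguous && AMBIGUOUS.has(c))));
  if (pools.length === 0) throw new RangeError('enable at least one character class');
  if (!Number.isInteger(opts.length) || opts.length < pools.length) {
    throw new RangeError('length must be an integer >= number of enabled classes');
  }
  return { length: opts.length, pools, alphabet: pools.flat() };
}

function generatePassword(options) {
  const { length, pools, alphabet } = resolve(options);
  // One character from each enabled class, so site rules like "must contain a digit" are met.
  const chars = pools.map((pool) => pool[randomInt(pool.length)]);
  // randomInt is unbiased and CSPRNG-backed, unlike Math.random() with a modulo.
  while (chars.length < length) chars.push(alphabet[randomInt(alphabet.length)]);
  // Fisher-Yates shuffle so the guaranteed characters are not always at the front.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// Upper bound on entropy in bits: length * log2(alphabet size).
// The one-per-class guarantee removes a small number of candidates from that space.
function entropyBits(options) {
  const { length, alphabet } = resolve(options);
  return length * Math.log2(alphabet.length);
}

console.log(generatePassword({ length: 20 }), entropyBits({ length: 20 }).toFixed(1), 'bits');
```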

When you’re done filling in your new account information LastPass will again detect that there is activity with the new account. It will ask you to either confirm that you’ve changed the password or to save a new site as a new entry in your password database. Since we just created a new account, we’ll click Save New Site (if you’re changing the password on an existing site that is already in your LastPass database, you’d click Confirm instead).

Now, although LastPass is pretty awesome at detecting things, initial registrations usually have unique URLs and can often throw LastPass off. When you click Save New Site, make sure to check the URL and Name spots. The default for our Yahoo! Mail account looks like this:

[Screenshot: default Save New Site entry for the Yahoo! Mail account]

We took a moment to clean it up to reflect the URL we’ll be routinely using to log in to Yahoo! Mail:

[Screenshot: cleaned-up Save New Site entry]

This is also a great time to start using the Group function. You might, for example, group your financial, gaming, communication, and work web sites into separate groups. From this menu you can also toggle things like autofill/autologin and require master password entry before accessing that particular entry.

Now is a great time to start going through your existing logins to upgrade the passwords using LastPass.

Going Further with LastPass

If you never use LastPass for anything other than generating and storing secure passwords you’ll be miles ahead of 90%+ of average computer users. LastPass has a slew of additional features, however. Once you have LastPass installed on your primary browser here are some of the extra things you’ll want to check out:

The LastPass Security Challenge: This is a fun tool for your LastPass Vault that analyzes your logins/passwords and generates a score based on the uniqueness of your passwords and other factors. Increasing the strength and variety of your passwords will increase your score in this security game.

LastPass Screencasts: If you’re unclear on how the major components of your LastPass vault work, there’s likely a LastPass-created screencast to show you how to use them.

One Time Use Passwords: Your master password is important and needs to be protected. What about when you want to access your LastPass account away from home? Don’t risk your master password on a computer with unknown security. Generate a single-use password for your LastPass account. You can use that throwaway password once in the future and then it will never work again—extremely handy for logging in from an internet café or at a friend’s house.

LastPass Mobile: Although it requires upgrading to the $14 a year premium plan, LastPass has mobile browsers/password managers for every major mobile platform. Take your passwords with you wherever you go.

Import: Have a bunch of passwords already stored in another program like KeePass? No problem. Import them all using the LastPass Import function.

Multi-Factor Authentication: Although it may be overkill for some, you can easily turn on multi-factor authentication that links your LastPass account with a USB key, Yubikey, Fingerprint reader, or Smart Card reader.


Have a LastPass tip, trick, or add-on that has helped you stay on top of your passwords? Let’s hear about it in the comments.

Jason Fitzpatrick is a warranty-voiding DIYer and all around geek. When he's not documenting mods and hacks he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on if you'd like.

  • Published 10/18/11

Comments (37)

  1. jim

    a must have util by far.

  2. Tony Silva

    #1 web service.

  3. Irish_IT

    that still scares the bejesus outta me thinking that all my passwords could be out “In The Cloud” where anyone could have a fair crack at them with enough time to decrypt……….PASS!

  4. John

    Good article – Great to see LastPass promoted. In my opinion it’s the top password manager :)

  5. pthubbard

    @Irish_IT When someone with ‘enough time’ does unencrypt them, you’ll be long gone. Consider what you’re using for passwords NOW compared to what you could do with LastPass and possibly more conveniently.

  6. ...

    that still scares the bejesus outta me thinking that all my passwords could be duplicated or written on some paper pad that someone could grab and know all my passwords……….LASTPASS!

  7. Paul

    I’ve been using that for 2 years or so.

  8. nt0xik8ed

    i downloaded it a few months ago but never used it. this might get me to

  9. Samon53

    I’ve used Lastpass for about 3 years now and can’t recommend them highly enough. They’ve setup an excellent system that works cross platform with client-side encryption and multi-factor authentication. Simply put there is no better way to handle your passwords. The more people that try them the better as they massively increase your security.

    Note: If anyone has any worries about security then don’t worry their security is world class and as the encryption is client-side not even they can decrypt your data. They’ve even been recommended by Steve Gibson on his Security Now Podcast!

  10. dima

    i’ve been using KeePass, but I don’t like that it’s not integrated into my browser. Gonna give LastPass a try

  11. Mr. X

    LastPass is AWESOME….

  12. Trevor

    I have been a longtime user of 1Password. The mac version is great and incredibly simple to use. The windows version could use a bit of a face lift but it still gets the job done wonderfully. I am mostly curious if anybody has some reasons why I might want to consider switching to LastPass. Does it support User Accounts (I use 1Password to manage lots of server logins, databases, and FTP accounts)? Does it support storing my credit card info?

  13. Anon

    I was just thinking a few hours ago “I Love Lastpass” while signing into somewhere.

    I just scored 85.4% on the LastPass Security Challenge ranking 3034th overall. It securely analyzes the strength of your passwords, alerts you if you have any duplicate or weak passwords, and tells you how to make them more secure.

    Give it a try and see if you can beat my score!

    LOL^

    85.4% pretty good.

    Somehow they decrypted my vault and analyzed my passwords :O Lastpass has my passwords now. Makes me wonder.

  14. Roy

    It should be remembered that there was a possible break-in at LastPass, in May this year. They detected some unusual activity and as far as I can remember, there was a possibility that some data may have been taken.

    I don’t think this was ever proven, but what was proven, at least to me, was that the guys at LastPass acted in the best way possible. Their initial response was quick, and good. They didn’t try to hide the problem, they kept users updated on what was happening, and what they were doing about it. There were some problems with users being locked out of their vaults, but they learned from these problems and in my estimation the event did us all a favour in making the system stronger than ever. It appears that even if there was some data leakage then it was strongly encrypted and of little use to any attacker ….. as long as your master password was STRONG. So a lesson to users as well!

  15. hellerdude

    What I want to know is what do I do if I go to an internet café whilst on holiday and want to login to FB. How do I access my LastPass generated passwords from there as I would not be able to install the client?? …and my mobile does not have internet access at that location (that is why I am in the internet café first place)…

  16. David

    Love LastPass, I would recommend it to everyone.

    @hellerdude. You have a few options. Log into the website and use their web interface or get to your saved username and passwords, use the portable Lastpass on a USB stick, or use the app offline on your phone.

  17. Wayne

    @hellerdude, create some rememberable passwords for sites you may need to access without Lastpass. For instance my Facebook password would be something like ‘FBStringNumbers!’. I also have it setup to text me whenever I log in from an unknown device. On other sites, I use the same String and Number sequences. However I only do this on sites and services which allow remote authentication via text message or an authentication device. So for me that is limited to my bank, Google, Facebook, Battle.net, and PayPal

  18. Tony

    Hi, I was going to try this out but my question is, does LastPass auto log you into the sites you set up passwords for? Like, what I mean is, does it autofill your passwords for sites you have accounts for?

  19. chungle

    After battling with KeePassX, Gpassword Manager, Revelation, and Password Gorilla, I am absolutely blown away by this. I’ve known that my security habits were appalling, even at the base consumer level, but refused to maintain a list of separate, secure passwords for all of my online accounts. This almost holds your hand and walks you through the process of moving from vulnerable to locked down in seconds.

  20. John T. McF. Mood

    How about a utility that does NOT rely on the “Cloud”. I still don’t trust it, I am just waiting for some hacker to break in and have the keys to the castle…

    Is there a good one that you can use on a strictly local basis?

  21. Ralph

    I’ve been a LastPass user for about a year and love it. It’s installed on my laptop as well as home computer. There’s no way I can remember each of the 12 character random passwords for all my accounts, but I don’t have to. And that’s the point: they’re all different. Those that are worried about keeping passwords in “the cloud” needn’t as they’re encrypted. I’d rather LastPass keep my information encrypted than have everything written down. How safe is that paper? And where is it kept?

  22. Don't Tread On Me

    Being a former lifetime, fully registered user of AIRoboform, LastPass is a far superior replacement. My issue with AIRoboform is they came out with a Windows 7 version and tried to charge me for it.

    LastPass is a must have. Recovering from a disk failure this app literally saved my a$$.

    Used in conjunction with another app; Speed Dial; has made management of my system fun. Speed Dial allows you a graphical listing of your websites and clicking on the link with LastPass auto login option makes navigation a breeze.

  23. Richard

    @ DIMA

    If you use Firefox as your primary browser you can install a FF add-on which fully integrates KeePass into FF. The add-on is called KeyPass and it works great. I’ve been using it for around a year with no problems!

    Richard

  24. Malcolm Sutton

    If you have machines with different OS and you access the same sites from both machines then each site will need the same password from each machine. Can this be set up?

  25. phil

    @Mr. Mood

    Keepass is the best local option I know of. Encrypted local database of passwords with one master password to unlock it. There are a couple ways to integrate it with browsers (though I don’t think any are as integrated as lastpass), but I stick with the standard double click to copy the password (deleted from your clipboard after a set amount of time).

    a more low tech option is passwordcard.org. it basically gives you a printable card of random letters, numbers, and symbols. Only you know what password is where. Keep in your wallet – arguably one of the safest places you could keep your coded passwords.

    I used password card for a while, but while being the most secure for use on public/school computers (as a graduate student, this happens frequently enough to be a concern), it takes too long to use, so I recently switched to keepass. I don’t like the way lastpass exposes my database to whatever computer I use it with, so I use keepass portable with dropbox.

  26. Bob Yandy

    This Bob uses RoboForm, sorry.

  27. robert75203

    Very satisfied with Keepass 0.4.3 for Linux. Remarkable the variation in password strength allowed from one website to the next.

  28. Robert

    Been using Lastpass for 4-5 years and have enjoyed its simplicity and value. Have only had a couple of issues while updating to updated browsers but the response from Lastpass has always been prompt and useful. I would hate to try to get by without it.

  29. mikebravo

    What is the business model for LastPass? Can I reasonably expect they will be in business and logging me in 15 years from now?

  30. Coffeeman

    LastPass with Xmarks are great tools, but for my passwords I use random.org’s generator.:)

  31. OzDave

    Am a Geek-wannabe and using Roboform for a year or so. Can anybody tell me whether there is any reason, excluding cost, as to why LastPass may be better or is it purely a matter of personal preference?

  32. robert75203

    @mikebravo

    I was thinking the same thing. What if you have all of your passwords stored in the cloud and the website either becomes unavailable or decides to charge a fee for access?

  33. rashad

    Cannot praise Last Pass enough. Has to be in my top 5 utilities of all time. Especially considering that at last count it’s managing over 150 logins/passwords/forms for me. And like the best utilities should, it just works with minimal maintenance.
    Good to see it recommended – and that others share my view.
    Cheers

  34. Jimbo

    Like MikeBravo and Robert75203, my concern would be the potential longevity of LastPass as a company. Just cannot see myself committing all my passwords to a “Cloud company” offering this service for free…..

  35. Ralph

    I saved all my LastPass data to a CSV file (there’s an option to this effect) and encrypted it. If they pull the plug tomorrow, I still have my data and hopefully will be able to import it to another program.

  36. Dark Reality

    LastPass is awesome, but you guys really did it a disservice by posting the Chrome version. I don’t know what it is about Chrome, but it requires all extensions to work within web pages and makes everything look all ’90s. It’s really off-putting, but LastPass has done the best they could with it. It looks so much better in Firefox. This isn’t about which browser is better, it’s just a simple fact.

    What I love about LastPass is that it allows me to browse in two layers. Someone can jump on my Firefox and look something up, they can even log into whatever and check their mail or their Facebook or whatever, it doesn’t matter. Or if I’m playing Fallout on the Xbox, I can slide over, fire up the Fox, and hit up the wiki. Now if I want to get into my Facebook or email, I gotta log into LastPass, and when I close the browser, it’s locked down again.

    The other aspect, which this article sadly did not touch on at all, is the portability of LastPass, even without Premium. LastPass completely supports PortableApps.com’s Firefox and Chrome builds, and I have it on both. Chrome’s my backup browser, and since it’s not my primary and I don’t want it to be, I just use the portable one. (By default LastPass does not log out of Chrome on its own. I had to dig in and fix this.) But on top of all that, I can hop on YOUR Firefox or Chrome, log into LastPass (adding it if you don’t have it), and access all my stuff, and the vault acts as bookmarks. Then I just log out when I’m done, and if you don’t have a keylogger, you can’t log into my accounts. That actually makes it a little more versatile than PortableApps.com’s solutions.

    As for the person who doesn’t trust the cloud, PortableApps.com has a portable build of KeePass. They only carry 1.x though, because 2.x requires .NET and I don’t think they’ve been able to make it portable. If you have a flash drive (though I recommend portable hard drives, they’re faster) you can get version 4.1 of their menu (latest as of today) and Firefox and KeePass (or Chrome and KeePass if you prefer… they also have Opera) and whatever other apps you like. VLC is a great app to have on you at all times too.

  37. Stan Brown

    @John T. McF. Mood

    Yes, I strongly recommend KeePass. It’s free and open source. You don’t have to install it; you can run it as an executable. I keep a second copy on my USB stick along with my password file (which is encrypted, natch).

    I agree with those who would not trust their passwords to the cloud. Let’s assume LastPass is secure today. Every Web site is secure — until the day it gets hacked. And if the Defense Department isn’t immune, I can’t imagine any other Web site is.

    http://keepass.info/
