What is LastPass
LastPass is a web password manager that works on both desktops (Windows, OSX, Linux) and mobile devices (Symbian, Windows Phone, BlackBerry, iPhone, and Android). Additionally, LastPass covers the major web browsers (Internet Explorer, Firefox, Safari, Chrome). To put it simply, when you navigate to a site that prompts you to log on (Facebook, Twitter, Digg, GMail, Yahoo, Windows Live Mail, etc.) a password manager (LastPass) will automatically fill in the credentials for you. Many people allow the browser to save their passwords, but that is extremely insecure, as access to the clear text password in all browsers is a single click away. Additionally, the saved password is only stored on that computer in that browser. The promise of LastPass is a secure method to store your passwords so they are accessible whenever you have internet access, which is when you need them. Additionally, because your information is stored on the web, you can move from computer to computer or to a mobile device without the need to synchronize updated information.
Positives of Web Storage
LastPass stores your passwords in the cloud. I believe there are both positives and negatives to LastPass storing all your information “in the cloud”. The positive of this is that it allows for seamless credential management across OSes, browsers, and mobile devices. Another key advantage of web storage is that the user has little need to manage a backup process for their LastPass data. A computer crash or lack of access to your computer does not prevent you from accessing your saved passwords. This came in handy for me when my Mac’s touchpad was locked in a depressed state and I could not click on a window. I was able to jump on my Windows machine and quickly access the needed websites after retrieving my password from the LastPass web portal.
Negative of Web Storage
The negative of storing your information in the cloud is that you’re putting your passwords on a server outside of your control. I should warn that I am somewhat hypersensitive to security and privacy issues, so for many users this will be a non-issue. Initially, I was concerned, as I would be using one of my least secure passwords to protect access to all my other passwords. To clarify this, all 90 of my passwords in LastPass are 10 to 25 character passwords mixing letters, numbers, symbols and toggled case, but to access those passwords I needed to use something I could easily remember. When I say easy, I am talking about a 20+ character passphrase that is a mix of all the things mentioned earlier. That password is not exactly easy to hack, but it is not as random as the stored passwords. This is not a design flaw, but something to remember as you’re setting up. It is the same with most password managers, as they all use a “master password” to protect your information. The core difference is where your passwords are stored (locally on your computer vs. on LastPass’s servers on the internet). It may just be me, but I believe LastPass is a high value target for hackers. I should say many of my concerns around that were put to rest when I realized I could utilize my YubiKey. The YubiKey security only applies to access from a web browser, not the mobile app, but in that avenue your data is in theory more secure.
I have used a variety of password management solutions like Roboform and 1Password. The promise of LastPass is huge, as it addresses most of the limitations of existing password solutions. Some of the limitations revolve around multi-OS support and portability of passwords to other machines you cannot install software on. My goal in testing LastPass was to find a single solution to manage all my passwords. I already feel Roboform (Windows) and 1Password (Mac OS) are the best solutions for their respective platforms, but I wanted something that bridged the platforms. More importantly, I like the idea that I can get my password when sitting at a friend’s house on his computer.
How Passwords are Initially Stored
I believe all consumer focused password managers, like the ones mentioned above, are somewhat flawed in how they initially store your data. When you’re creating a new account online with Windows Live, Google, Yahoo or many other vendors, you often fill out a form with information like first name, last name, email address, birthday, requested username, password, and many other details. After clicking submit on the form is when you’re prompted to save your information for this site. By design these applications save all the information submitted on the form, but they also save the account creation URL. This is what I feel is somewhat flawed. Remember you only fill out the account creation form once. You actually want it to remember or store the URL for the log on page and not the account creation page.
This issue does not prevent usage of the saved username or password, but it does present a challenge when on a mobile device. It is important to understand how a desktop password manager differs from a mobile device password manager. On a desktop, the user often navigates to a URL and leverages the password manager to submit the needed information, for example username and password. On the desktop the application takes advantage of browser plug-ins or extensions, so the interaction between the password manager and browser is seamless. On a mobile device, due to restrictions placed on the browser by the vendors, these plug-ins or extensions are not possible. To provide the simplest experience, the solutions leverage the saved data for each site to help automate the log on in a browser window hosted by the password manager. The bad URL that was stored at the time you saved the credentials will now be used on the mobile device to launch the browser session to log you on. The result is you get sent to the account creation page for, say, Gmail instead of the log on page.
The Desktop Install
Installing LastPass on the desktop/browser was simple. I had one of my less technical friends perform the install and I quickly got questioned as to which install he should use. I believe for most users reading this it will be a non-issue. Hopefully LastPass will put the effort forward to have a universal installer that asks the user questions during the install such as:
Enable LastPass for:
- Internet Explorer
- Firefox
- Safari
- Chrome
By default all installed browsers would be selected and the user could deselect any browsers they do not want. 32/64-bit issues should be detected and handled in the installer.
The Android Client
I was able to get the client in the Android Market and the install was like any other mobile app install. I put in my information and watched all my passwords flow down to the device. It took only seconds to realize the level of effort put into the mobile application was minimal. If you ignore all the aesthetics and graphical things that users like, the app is still subpar. There was little consideration around usability. Your credentials are presented as a simple list that is simple to navigate with a BlackBerry trackball or stylus. Finger touch takes a bit of effort but is possible. It is almost like it was designed by someone that ignored all the successful design principles of iPhone applications.
As you will see with the BlackBerry, iPhone and Windows Phone reviews, the app works, but I hope the company actually puts some effort into the development, as it is behind other mobile vendors for quality mobile app design and usability.
The Blackberry Client
Special thanks to Robb Dunewood of RIMarkable for this review.
LastPass for BlackBerry is a no frills, no thrills application. The development team created a functional application without busying themselves with aesthetics or design. LastPass for BlackBerry actually looks like a selection from your “Options” screen, as there are no graphics to speak of.
LastPass for BlackBerry does one thing extremely well. It synchronizes your LastPass Vault information with your BlackBerry, and, as a password keeper, LastPass fits the bill. LastPass also allows you to launch sites that require authentication directly from your BlackBerry Browser with your credentials already populated. I must say, however, that this feature is sketchy at best. Not because of any shortcoming of LastPass, but because the BlackBerry Browser is such a horrible mobile browser that it isn’t capable of accessing many sites that require a username and password. Some sites work. Many sites don’t work.
I could almost recommend LastPass for BlackBerry simply as a password vault which keeps your passwords and other sensitive data synchronized with the desktop client, but as a subscription service as compared to a one time fee, there is a lot of intended functionality lost because BlackBerry Browser currently has no legs.
I am on day 11 of my 14 day free trial of LastPass for BlackBerry, and, because I have so many passwords on so many websites, I may go ahead and pay the $12 annual fee. I will just say that if you decide to check out LastPass for BlackBerry, truly put the mobile client through the paces and make sure it offers enough functionality for you to pay the yearly fee.
iPhone Client
LastPass, as with many other vendors, has built a superior app on the iPhone while putting forward a subpar junior developer effort with the Android, BlackBerry, and Windows Phone clients. They did add the icons that you see in the web portal to the lists on the iPhone. Believe it or not, a list with icons looks 10x better than a list without. That is minimal effort for maximum return. They also provided a dedicated area to edit the saved password information; this is a better experience than on Android. I thought it was odd that the edit area is sorted alphabetically while the vault area is ordered by groups. It is this lack of consistency that drives the quality of the app down for me.
Windows Phone Client
Chris Ashley did such an extensive review of the Windows Phone client that we put it in a separate post. See LastPass from a Windows Phone Perspective.
Concerns with Online Storage
I wish there was a way to store my password data in an Amazon S3 account. It is nothing against the guys at LastPass; I guess I would just feel better if the information was stored with a larger vendor I have heard of and feel I have already established a trust relationship with. All the security features of LastPass do relieve much of my stress around storing my passwords with them, but I have decided to remove any passwords that had direct or indirect access to accounts with money in them. Again, I am hypersensitive about this security thing, and if there is a breach I don’t want to be concerned that someone could access my banking accounts.
Concerns with Pricing Model
LastPass costs $12 per year assuming you want access to the premium features. The premium features include the mobile application, no ads in the web portal, multi-factor security (YubiKey), and support. Initially, I hated the idea of never owning LastPass. My concern is what if they go out of business? My $12 per year does not allow me to keep using the service like a desktop app. When I compared it to what I already own, 1Password at a cost of $39.95 and Roboform at a cost of $29.95, it will take a couple of years for the cost of this to equal out. Plus I don’t have to pay for upgrades, which I recently did with 1Password at a cost of $19.95 when I upgraded from version 2 to 3 for Snow Leopard support.
For the $12 per year, or put another way $1 per month, LastPass is overpriced for what you get for the cost. Remember you’re paying for the Premium features; everything else is free. The lack of effort or caring about building quality mobile apps really drives down the value of LastPass. I paid the $12 because I want to watch the progress, but I will continue to use 1Password (Mac) and Roboform (Windows) as my primary password solutions. LastPass will fill the gap on Android only. For me it is overpriced, as I am paying $12 for a mobile app. Remember the desktop app is FREE!
Overall Impressions
One feature I did not talk about that I will be using all the time, now that I have some friends on LastPass, is sharing passwords. I often need a friend to jump in and access something; now I can share the information via LastPass instead of sending the information in an email or SMS. I can say I deleted all the information initially stored in LastPass. I wanted to use my 1Password UI to clean everything up prior to uploading again. Using the LastPass web UI quickly annoyed me when trying to clean up a couple dozen credentials. One shocking thing is my other 2 applications have issues with the Southwest.com login and LastPass works flawlessly. I am not over my security concerns, but I have taken the proper measures to protect myself.
Shortly after posting, Joe Siegrist from LastPass contacted us to explain we had misunderstood the security. He better explained the technology used, Host Proof Hosting. I thank Joe for contacting us to ensure our information is accurate. I can say my concerns are gone, so here is what I am going to do: uninstall Roboform and 1Password for the next 90 days and blog about my experience. Hopefully, I will never have to reinstall.
Good review. I will have to take a look, especially since I loathe Roboform.
Why do you not like Roboform? To be honest it is one of my favs.
Glad to come across your review. As a Mac user I started off using Wallet and then moved to 1Password. 1Password is currently my favorite, but I took advantage of a Yubikey offer and bought two Yubikeys and a 1 year premium subscription to LastPass for only $40. Since my work machine is Windows, I like LastPass’ browser integration. My concern is a bit different from yours though…
I don’t worry about my info sitting on their server. I know enough about encryption to know that if I do my part in carefully choosing a password, that my data is worthless noise to any would-be hacker. But my concern is at the browser end. On the Mac side of my life, I will be using LastPass on Firefox. On the Windows side of my life: IE8.
It’s the browser integration that seems to be the weak link to me. Browsers have historically had so many vulnerabilities.
Anyway, I’m like you, I’m giving it a try. Thanks for your updates, I’ll be back to read them.
Jase.
This is a very intriguing review, and you are making a good case for this solution. However, call me paranoid, but are you not creating multiple single points of failure? Implementing a solution like this means that even though you use host proof hosting you still have to deal with problems like “The Chinese Google Hack” that we have been seeing and hearing about the last few weeks. That puppy is not going away any time soon; it’s not even clear how many companies have been impacted. Yesterday WIRED wrote an article around the IE (Internet Explorer) flaw and is hinting at a much more sinister predicament that companies are facing today called Advanced Persistent Threats (APT). This is a situation where hackers target specific companies and burrow themselves so deep into their infrastructure that they can observe, undetected, for years. If you want to read more, then take a look at the article by Kim Zetter at WIRED, called “Report Details Hacks Targeting Google, Others” posted yesterday. This brings me to the next point of failure, and that is the mobile devices themselves. When I opened my Outlook today, one of the first RSS feeds that I saw was one from your friends over at IntoMobile that reads “Beware the iPhone provisioning file hack!” and this one says: “The hack currently making its way around the web is a configuration file that claims to be “verified” as coming from “Apple Computer”, … Once a user is tricked into installing the file, they essentially hand over control of major iPhone features to the hacker. That allows a hacker to peek inside your data traffic to learn bank account numbers, passwords, and the like.” To finalize this response, I have to worry about the end point, the hosting platform, I have to worry about the integrity of the web servers of LastPass, and now the mobile platform could also be insecure.
I know by not using a solution like LastPass I limit myself to only a very few passwords that I could possibly remember, but for me right now there are just too many variables that I have no control over with all my sensitive password data that can open up my entire life.