Password management has long been one of the most crucial and most complicated tricks to safely and securely pull off. The browser add-on LastPass simplifies it all in a cross-platform tool that's a must-use — as long as you don't mind that it's all in the cloud.
Passwords have gotten so complicated that even people with ferociously sharp memories can struggle to recall the eccentric combinations of letters, numbers and symbols. There are passwords for personal email, work email, bank accounts, Twitter and Facebook, and woe to anybody who uses the same one for those two malware magnets. On top of that, it's recommended that you regularly change your passwords so they don't get compromised. Passwords are a pain, but LastPass slices through the Gordian knot of password management with a deft and effective cross-platform browser add-on.
Installing LastPass is straightforward, except that you can choose between the universal installer or browser-specific add-ons. The easiest option is the universal installer, which will work with Internet Explorer, Firefox and Chrome on Windows. Mac users will have to download individual add-ons for each browser.
After creating a LastPass account and master password, which is used to access your password list, LastPass will ask to suck up all your passwords into its cloud-based, AES-256-encrypted servers. This key aspect of LastPass, the cloud-based storage, is then followed by an option to remove all your locally stored passwords. This prevents them from being compromised after you've begun using LastPass, although it also means that you will be tied to LastPass from that point. You can always export your passwords later, although after using the add-on for more than a year we've had no problems.
After installing, restart your browser and you'll see a grey or red box icon on your browser's toolbar. Red indicates you're logged in, while grey indicates you're not. Once logged in, you can visit LastPass' spreadsheet layout of your passwords with one click. This is called your "password vault", and while it's navigable, it could use some tweaking, too.
You can organise your passwords into folders and groups, you're told up front how long ago the password was last used and there are quick links to Edit, Share and Delete the password. A search field at the top will automatically search through URL and username. You cannot search by password.
A list of global actions such as settings, import and export, history and manually adding sites lives on the left of the password list. To the right is a short list of options to be used when you select a password, currently limited to share, delete and change group. At the top of the interface are tabbed options for managing your form-fill profiles, identities, shares and applications.
Much of the add-on's heavy lifting happens in editing windows that open on top of your vault, but are not separate browser windows. This includes individual password editing and configuring and changing LastPass' settings. The separate window is understandable for security purposes, but it detracts from the overall experience as an overlay.
Features and support
LastPass offers a shocking number of features. The free version will be more than enough for most users, while upgrading to the premium version will get you LastPass for mobile devices and browsers, remove ads from your vault, provide priority email and phone support and give you multifactor authentication. This heightened level of security requires you to use a YubiKey or USB key in conjunction with your LastPass master password to gain access to your vault.
Basic and premium users alike will get LastPass' deep array of password-management tools. It will auto-detect username and password form fields. If it has the credentials for the page you're visiting, it will ask you to fill in the info. You can also set LastPass to automatically fill in credentials or even automatically log in. When you visit a site that you're creating new credentials for, it will ask if you'd like it to create a password for you. Via the vault, you can change the default level of security for generated passwords. It will also detect when you've changed the password for a site that's already saved and ask you if you'd like to change the saved version.
From within the Settings option in the vault, you can change your master password, configure the vault auto-log-off time, change the default security level to one of three presets or customise a fourth, and manage equivalent domains and URL rules for sites with more than one log-in.
While LastPass can be used solely from its website and provides a virtual keyboard so you don't have to worry about a keylogger swiping your master password, some key features come only with the add-on. One of these is the on-the-fly creation of a one-time password, and there are others. The add-on menu shows you a list of recently used passwords and allows you to copy credentials to your clipboard without revealing them first, fill forms, manage secure notes, customise hot keys and change the LastPass icons.
It doesn't skimp on password tweaks, and that's a good thing.
Measuring add-on performance is notoriously difficult, although Internet Explorer 9 Beta did note that LastPass only slowed down the browser's boot time by 0.16 seconds. The default threshold for warning the user about add-on performance impact in IE9 Beta is 0.2 seconds or slower. Google Chrome dev 9.0.587.0 put LastPass' memory usage at 14MB of RAM, high for an add-on. Browsing with the add-on versus without it revealed no noticeable slow-downs on a daily use computer.
Password security and management have long been a deficient part of any browsing experience and LastPass solves that problem while also making your passwords accessible anywhere. Cross-platform, cross-browser and secure with a hefty range of options, this is the gold standard for password management.