Update: LastPass has been hacked!
We wrote this guide because LastPass is one of the most popular password managers and we wanted to create an easy-to-follow guide for our audience. Unfortunately, as of August, 2022, LastPass has been hacked. It’s unclear how much customer information was exposed – password vaults seem to be in the hands of the hackers! LastPass has not been upfront about the severity of the incident, which doesn’t inspire much confidence.
In general, we remain fans of password managers (for now) for the average consumer (check out more security tips here). There are Open Source alternatives to LastPass, such as BitWarden. As with all things cybersecurity, it pays to research the alternatives and stay vigilant.
We’re posting the guide here for posterity or in case parts of it remain useful. Be careful out there, privacy people!
This guide will teach you everything you need to know about LastPass.
Advanced security.
Cool features.
And three entirely different case studies.
Let’s get started.
Chapter 1: Password 101
Passwords are the most important part of any account security.
This section will teach you how to make strong password that is difficult to guess, but also easy to remember.
(finish writing chapter intro)
What’s Typically Told:
We’ve all been told to use a password that is
- Use at least 10 characters
- Use letters
- Use numbers
- Avoid using the same password for more than one account.
However, following these requirements can still produce a weak password.
For example, Password123! Meets all the above criteria.
But the above format is very predictable and easy to crack.
Sarah Pearman co-authored a study on passwords.
As Sarah puts it:
“If a password that you use is in the top 5,000, 50,000 or even 500,000 most commonly-used passwords, it’s very likely to be guessed, or cracked.”
Solution?
What You Should Actually Do:
Use a passphrase.
A passphrase is a simple method for producing master passwords that are memorable yet challenging to crack.
It contains at least 20 to 30 characters that only make sense to you.
Combined with LastPass’ AES 256-bit encryption, passphrases will take many lifetimes to crack.
Now let’s look at some examples of passphrases.
For this example, let’s say I’m interested in keto.
My passphrase will probably look something like this:
IstartedKetoJuly4,2022
whenIstartedKeto,IhadDiarheafor3striaghtDays!
whenIstartedKeto,IwasSickfor3striaghtDays!
Notice how these passphrases are random, unique, and easy to remember.
Just be sure to add a few symbols, numbers, and uppercase letters somewhere in the passphrase to increase its strength.
Update Your Master Password
Ready to update your master password?
All you need to do is go to Account Settings in the bottom left-hand corner.
Under Login Credentials, click Change Master Password.
Now enter your new master password using the tips from the previous section.
Chapter 2: Setting Everything Up
You already know that LastPass is a password manager.
But how does it work?
And how to set it up?
Well, LastPass has some pretty nifty features that make saving your username and passwords an absolute cinch.
And in this chapter, I’ll show you exactly how to set them up.
Step #1: Download BrowserExtension
This allows you to save passwords and automatically log into any site on the internet.
And it couldn’t be more easy to set up.
All you have to do is visit your browser’s plug-in store and download the LastPass browser extension.
Or you can visit this page to find and download the browser extension directly from LastPass:
Once you download the extension, the password generator icon should pop up in your login fields:
If there are any passwords stored in LastPass, you can click the icon and fill in your login credentials.
There’s one minor tweak to get the most security out of the browser extension.
But we’ll discuss that later in Chapter 4.
For now, let’s move on to the next step.
Step #2: Download Mobile App
The major downside to LastPass free account is that you can only have the mobile or the desktop version.
But you can’t have both.
They give you a chance to try both version out before you have to fully commit.
Naturally, I went with the desktop version.
But I found it super annoying to manually type in my login credential on my mobile device.
And if you’re like me, you probably log in to your online accounts from your phone as much as you do from your computer.
So, I finally cracked and bought the paid version.
But here’s the question:
Was the paid version worth it?
Two words:
Hell yeah.
Besides, it’s only $36 per year.
Step #3: Download Authenticator App
The LastPass Authenticator app is a multifactor authentication mobile app.
Once activated, the LastPass Authenticator app adds an additional layer of security to your standard username and password.
Paired with a fingerprint scan, the LastPass Authenticator app is actually more secure than your master password.
Here’s how it works:
First, go to Account Setting, select Passwordless Option, and click Enable Passwordless.
From the popup menu, select Use LastPass Authenticator.
Enter your master password.
Now your device can use LastPass Authenticator to log in instead of your master password.
For example:
Your login should look something like this:
Helpful Tip: If you don’t receive the push notification in your authenticator app, click ‘Having trouble?’ and enter the one-time passcode instead:
Chapter 3: Password Vault
All of your passwords and other important data are stored by LastPass in what is called a “password vault”.
Imagine it as a physical safe for your digital valuables.
From the LastPass vault, you can:
- Launch websites
- Create strong passwords
- Log in to online accounts
Everything you’ve saved, such as passwords, notes, and credit card information, can be secured in your LastPass vault.
Once in the vault, your data is encrypted and kept secret (even from LastPass).
Let’s see how the password vault works.
Add Sites
Adding sites is pretty straight forward.
Import Passwords From Other Sources
You may have already stored your user names, passwords, and other data in another password manager.
Luckily, LastPass makes it super easy to import your stored data from other platforms (like password managers, web browsers, and CSV files).
Just head over to LastPass Support…
…and choose a step-by-step guide:
Bingo.
Run Password Security Scan
Once you’ve stored all your passwords in your LastPass vault, click the security dashboard to see your password security score.
This tool analyzes all your stored passwords and gives you a score for your overall password security:
The security score checks all passwords for length, uniqueness, and strength.
So you’ll know which passwords are putting you at risk and what steps you need to take to fix them.
Now it’s time to…
Make Every Password Unique
This is easy.
But it’s also the most time-consuming.
(Depending on how many passwords you have to update.)
That said:
Here’s how to secure weak passwords flagged by LastPass.
First, click View passwords in the Security score to see all passwords that need to be improved.
Next, click Change password to update weak or reused passwords.
For example, my Google password is weak.
To strengthen it, I’ll click Change password and follow these three steps:
Helpful tip: If the link to the website doesn’t work, just run a Google search for website domain + change password.
This will bring you to the direct page where you can change your password:
Next, I’ll use LastPass password generator to create a secure password:
As you can see above, you have options for how complex you want your password to be.
Follow these exact steps until you secure all your weak and reused passwords.
And after you’re done, it’s time to sync everything up.
Chapter 4: Cool LastPass Features
In this chapter, you’re going to learn about some of our favorite LastPass features.
You’ll see exactly how to use LastPass to check your email addresses for data breaches, create a secure username, save credentials with autofill, and monitor your credit report.
So without further ado, let’s dive right into Chapter 4.
Dark Web Monitoring
Here’s the truth:
Any information you store online could potentially be on the dark web.
So: what is the dark web exactly?
Daniel Moore and Thomas Rid of King’s College monitored 2,723 dark web sites…
…and found that 57% host illegal content.
Needless to say:
The dark web is a hub where you can buy credit card numbers, various drugs, guns, counterfeit money, and stolen account credentials.
The question is:
How do you know if your information is on the dark web?
Use LastPass’ dark web monitoring.
LastPass regularly monitors the dark web and will immediately alert you if your credentials have been compromised.
Under the Security Dashboard, click Start monitoring to help protect your credentials from cyber criminals.
Username Generator Tool
If you’re like most people, you probably use the same username across various websites…
…which makes it easy for people to find and track you online.
In fact, one study found real-life identities 42% of the time by simply cross-referencing usernames.
That said:
Here are some rules to follow to make sure your username is hard to guess:
- Don’t use your email.
- Don’t use popular usernames.
- Don’t use your real name or surname.
- Don’t use personnel identifiable information (like phone number, address, etc.).
If you’re having trouble coming up with a unique username for each account, try LastPass Username Generator Tool.
The Username Generator Tool instantly creates a secure, random username.
For example:
You can select which characters are used in your username and how long you want it to be:
Form Autofill
According to Freedom to Tinker, some ad networks use tracking scripts to steal email addresses from auto-fill features.
These scripts run in the background to create fake login and password boxes you can’t see.
From that point, it’ll attempt to automatically fill in the fake boxes with your login credentials.
You can try it for yourself by visiting this demonstration page by Steven Englehardt.
Fill in the fake email and password and hit summit:
You’ll be asked to save your email and password in your browser’s password manager — save it.
The invisible script will run in the background and capture your email and passwords:
Fortunately, LastPass did not have any problems with this demonstration page.
That’s because you need to interact with the icon to generate your login credentials.
But any password manager tool that auto-fills your credentials without intervention is vulnerable (including LastPass).
So to be on the safe side, right-click the LastPass extension icon and select Options.
Under the General tab uncheck any boxes with the word ‘automatically’.
Credit Monitoring
LastPass provides credit monitoring alerts for all paid plans for users in the United States.
This service provides email alerts if their credit report suddenly changes.
These alerts allow users to proactively monitor their credit report and provides an early warning for signs of identity theft.
To enable credit monitoring, go to Advanced Options and fill out your credit monitoring profile.
Chapter 5: Case Studies
In this chapter, you’ll see three LastPass case studies.
Specifically, you’ll learn how “normal” people used LastPass to manage login credentials, improve enterprise security, and more.
Although this chapter is more business centered, individuals can also benefit due to remote working.
That said, let’s take a look at case study #1.
Case Study #1: How SMA Technologies used single sign-on to secure global offices
SMA Technologies uses LastPass to support their team across global offices and easily access their application from any device.
Their company is predominantly cloud-based and relies on password sharing to access shared accounts.
In this case, they needed a solution that would provide a secure method for sharing login credentials.
SMA Technologies went straight to LastPass to reduce the number of passwords and logins needed to access their accounts.
They looked at features like SSO (single sign-on).
With single sign-on, they only need to provide credentials once to gain access to many of their work applications.
Then they relied on LastPass password management to secure all applications excluded from single sign-on.
They also utilized encrypted folders to share login credentials.
According to Tye Summerville, the IT Manager at SMA Technologies, they’ve been able to minimize where end users have to log in each day while ensuring high security standards.
And Tye attributes this to LastPass single sign-on and the password management tool.
Case Study #2: How Redbility used password generator to manage expanding clientele
Redbility is an award-winning digital strategy company founded by Mario Sánchez García and relies heavily on LastPass.
Every day Mario and his team use LastPass to manage log in credentials for high-profile clients like Nestle and Heineken.
According to Mairo:
“There are two services that are core to our business: Google Apps and LastPass. Today, the security of our projects depends on LastPass – it’s an essential tool.”
This is largely because they use LastPass to organize passwords by project and restrict access only to employees working on specific projects.
They also used the password generator to replace all of their easy-to-guess passwords with randomized ones.
Mario is now confident that his team has put in place the safeguards to keep their clients’ information secure and private.
Case Study #3: How November Five used multifactor authentication to improve cyber security
November Five notice the need for more strict security practices.
SpecificallySpecfically, they wanted to enforce password policies, monitor usage, and share encrypted accounts.
So they teamed up with LastPass to integrate more than 60 tools and systems.
Now it just takes a few seconds to add a secure password and access accounts.
And the security scan makes it easy to for administrators to regularly check on password practices.
The company also used multi-factor authentication to provide an extra layer of protection.
Nick Verbanendert, the Co-founder of November Five, says:
“LastPass gives us the peace of mind that a large part of our security strategy is taken care of.”
With the rise of data branches and ransomware attacks, Nick points out “it’s reassuring to have a system that protects us from those threats.”
Conclusion
There are a few options for password managers and one of the most popular is LastPass.
Every password manager has its pros and cons.
With LastPass, you get ease-of-use and wide adoption, but you sacrifice cost (the best LastPass features are not free).
Or, if you want to research alternatives to LastPass, check these out:
- KeePass
- Open Source
- Good for power users
- Free
- Bitwarden
- Open Source
- More modern interface (similar to LastPass)
- Free
- 1password
- Paid app
- More features