Could LastPass Be the Last Word on Passwords?

Living in the age of cloud-based apps can seem like a double-edged sword sometimes. On one hand, new apps are rolling out nearly continuously that can help to make our workday and personal lives easier and more productive. On the flip side, we need to find a way to manage security on all these apps – and remembering all your online passwords across multiple apps is not always easy.

Enter tools like LastPass. They promise to manage all your passwords for online apps like Facebook, AirBnB, Pocket, as well as banking apps from Bank of America, CapitalOne and other applications you might be using for your business.

What is LastPass, how does it work, and is it safe to use?

What is LastPass?

LastPass is a password management service that stores encrypted passwords in the cloud. The idea behind it is that you have one (last) password that you sign in with. This is linked to strong passwords that you set for everything else. You then log in to LastPass, and it helps you log in to everything else.
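As an added illustration of the model just described (example code written for this article, not LastPass's own implementation), the Go program below shows how a single master password can be turned into two separate secrets: a key that encrypts the vault on the user's device, and a login hash that is all the service needs to keep. The iteration count, the use of the account email as the salt, AES-256-GCM for the vault, and the one-extra-round login hash are assumptions made for the example, and the sample vault contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative work factor for the key derivation (an assumption for this
// example, not the service's real setting).
const kdfIterations = 100000

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018, section 5.2)
// using only the standard library so the example needs no extra modules.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for blockIdx := uint32(1); len(out) < keyLen; blockIdx++ {
		// U1 = PRF(password, salt || INT(blockIdx))
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], blockIdx)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(password, U_{j-1}); T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys turns the master password into two independent secrets: the
// vault key never leaves the device, the login hash is what the service
// stores. Email-as-salt and the single extra round are example assumptions.
func deriveKeys(masterPassword, email string) (vaultKey, loginHash []byte) {
	vaultKey = pbkdf2SHA256([]byte(masterPassword), []byte(email), kdfIterations, 32)
	loginHash = pbkdf2SHA256(vaultKey, []byte(masterPassword), 1, 32)
	return vaultKey, loginHash
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealVault encrypts the serialised vault with AES-256-GCM, prepending the
// random nonce so openVault can find it.
func sealVault(vaultKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(vaultKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openVault reverses sealVault; a wrong key fails the GCM tag check and
// returns an error instead of garbage plaintext.
func openVault(vaultKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(vaultKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed vault too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// serverRecord is everything the service holds for one user: neither the
// master password nor the vault key is in it.
type serverRecord struct {
	LoginHash   []byte
	SealedVault []byte
}

// checkLogin compares login hashes in constant time.
func checkLogin(rec serverRecord, loginHash []byte) bool {
	return hmac.Equal(rec.LoginHash, loginHash)
}

func main() {
	master, email := "correct horse battery staple", "user@example.com" // constructed
	vaultKey, loginHash := deriveKeys(master, email)
	sealed, err := sealVault(vaultKey, []byte(`{"bank.example":"hunter2"}`)) // constructed
	if err != nil {
		panic(err)
	}
	rec := serverRecord{LoginHash: loginHash, SealedVault: sealed}

	vk, lh := deriveKeys(master, email) // correct master password
	plain, err := openVault(vk, rec.SealedVault)
	fmt.Println("login ok:", checkLogin(rec, lh), "vault:", string(plain), "err:", err)

	vk, lh = deriveKeys(master+"r", email) // wrong master password
	_, err = openVault(vk, rec.SealedVault)
	fmt.Println("login ok:", checkLogin(rec, lh), "decrypt err:", err)
}
```

Run it with `go run`. The point to take from it is what the server record does and does not contain: a breach of the login hash and sealed vault alone still forces an attacker to guess the master password through the full key derivation, and a wrong guess is rejected by the authentication tag rather than yielding plausible-looking data. The strength of the one master password is therefore what the whole scheme rests on.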

LastPass offers a free version, as well as paid premium and enterprise versions. The free version works on any device or browser; it can save and automatically fill in passwords and commonly used form fields (such as names and addresses). It also offers secure notes, a password generator and two-factor authentication, which lets you change passwords more securely by requiring you to confirm password changes or unusual logins with a code sent to you via text message or email.

The premium paid version includes the above functionality plus the ability to sync an unlimited number of devices. It works great for families, allowing you to save passwords and information in a shared family folder. You also get priority tech support and “premium” two-factor authentication.

With LastPass Enterprise you get a more centralized version of LastPass appropriate for managing passwords for large numbers of users and applications, with a central admin console and more robust sharing tools. Admins can set security policies for the entire enterprise and set up single sign-on for all enterprise tools. LastPass integrates with Active Directory to automate account provisioning, deprovisioning, and policy management and can be used on teams of all sizes.

Is it Safe?

Since LastPass stores such sensitive information, users could be vulnerable if any of this information is compromised. So is it safe to use LastPass or similar tools to make our online lives go more smoothly?

This is an important question: recently there have been some reports of phishing vulnerabilities affecting the LastPass software. A security researcher has released a tool that can steal the login details and two-factor authentication key for the popular LastPass password manager, leaving users potentially exposed. The tool looks nearly identical to the actual LastPass login screen, so it could fool some users. The researcher notified LastPass of the vulnerability in November 2015, indicating that the tool had not yet been used by hackers, but that such an attack was possible.

These phishing vulnerabilities are not bugs within LastPass itself, but rather highlight the need for users to be wary of hackers who may attempt to gain access to their login credentials. According to LastPass, the company’s email verification process significantly reduces vulnerability to phishing attacks: “The attacker would need to gain access to the user’s email account as well, which could also be mitigated by two-factor authentication for their email account. Should a user see a verification request that they did not initiate, they can safely ignore it.”

Based on this, the main vulnerability associated with using LastPass is the possibility that hackers might be able to gain access to the passwords stored within LastPass via phishing attacks. Users can protect themselves by being careful about responding to messages from LastPass which do not originate from their own actions on the system, and by using two-factor or two-step authentication.

In other words, if you did not initiate a password change, do not respond to messages regarding such changes, and make sure to use two-factor authentication so that a verification code is sent to either your cell phone or your email address.

Our Experience

Tolar Systems recommends LastPass. In our experience it is a great tool. It can significantly streamline user setup on multiple applications and makes sharing applications easier for teams. One of the best features is that you can link a personal LastPass account with your Enterprise account. This allows you to have true single sign-on (SSO) across all the accounts you use and ensures the data is being saved in the right places.

Are you considering using a tool like LastPass? What are your concerns? We’d love to hear from you, so send us a message.