May 24, 2013

How to Manage Hundreds of Passwords with LastPass

Our pick for this week's question for the LastPass team:

What's the best workflow for managing hundreds of passwords and accounts? - David P.

Once LastPass becomes the hub of access to your online life, the number of stored accounts and data in general will grow. Organization becomes essential, and there are a number of tricks that will help you more easily manage your data and get the most out of LastPass as your password manager.

Organize Sites into Logical Groups


As you add sites to your vault, logical "groupings" of your data will likely emerge.
To get started with grouping your sites:
  • Click the "Create Group" button on the left of your vault to add a new group
  • Drag-and-drop individual site entries from one group to another to re-organize them
  • Create group names that differentiate by category, such as "Shopping", "Financial", or "Social"
  • When saving new sites, click the "Group" field to choose an existing group or create a new one
  • Create "subgroups" within groups to further divide your sites

Create Identities for Different Environments

If you're using LastPass in different environments, such as a personal computer and a work computer, Identities will help you separate your data based on what you need access to in each environment. To get started with Identities:
  • Select "Add Identity" by going to the "Identities" tab in the vault
  • Create a name for your Identities to easily distinguish between "Home", "Work", etc.
  • Move all relevant data from your main vault to the new Identity
  • When you switch to a different Identity from the dropdown in the LastPass vault, only data available in that Identity will be filled as you browse, filtering out anything you don't want to see in your vault
  • Edit an Identity at any time by clicking the "edit" option in the Identities tab

Use the Right-Click Menu Options for Quick Changes


As you continue to add more data to your vault, you can keep up with your organizational system by dragging and dropping your sites between groups, or by using the right-click menu options to quickly move your data or make changes.

Right-click on a group name to re-name it, create a subgroup within that group, or delete the group to remove all sites stored in it.
Right-click on a site name to edit, delete, or move the site to a new group or subgroup.

These are just a few tips to better organize and manage your data in your vault. What tips would you share for managing hundreds of passwords with LastPass?

Have a question for the LastPass team? Let us know in the comments or send us a note at marketing[at]lastpass.com. If we choose your question, you'll get a T-shirt!

May 23, 2013

Twitter Releases Two Step Login Verification

Twitter has officially released multifactor (otherwise known as two step) authentication for logging in to user accounts. The company announced on Wednesday that it now supports SMS-based multifactor authentication to verify accounts. This method involves setting up a designated phone number with the Twitter account, so that each time the user wishes to login to the account they are sent a text message with the randomly-generated code that they must enter before gaining access to the account.

We strongly encourage anyone using Twitter to get started with their login verification today. To do so:
  1. Visit your Twitter account settings page.
  2. Select "require a verification code when I login".
  3. Click on the link to "add a phone" and follow all prompts.
  4. After you've enabled the login verification, you'll be asked to enter the six-digit code that Twitter sends to your phone via SMS each time you try to login.
They also created a great short video on getting started:



The only downside we currently see is that Twitter does not support "page admins" at this time. A company must have one Twitter login to manage a brand page, unlike Facebook and G+, which allow individuals to have their own logins with admin access to manage a brand page. This means that the company must enable the login verification set-up with one particular phone, and ensure that whoever needs access to the brand's Twitter account has access to that phone.

In general, though, we applaud Twitter for releasing two step authentication, and it seems to reflect a greater trend of services implementing improved security options for their users. And we agree with Twitter's previous statements that companies and individuals also have a responsibility to follow best security practices, which includes the use of a password manager and following through on enabling available security options. We hope to see brands and individuals taking advantage of the new offering.

Will you be enabling Twitter's two step authentication option? Share your thoughts in the comments below.

May 20, 2013

Network54 Hacked: What You Need to Know

Network54, a host of online communities and message boards, confirmed on May 17th that it was hacked via a SQL injection attack, affecting 2.4 million emails and passwords. LastPass has partnered with Network54 to encourage their user base to utilize a password manager moving forward to help mitigate any potential risks of future hacks.

Enter your email address in our tool here to see if your Network54 account was affected. Even if you don't recall signing up for an account, we strongly recommend checking.

The tool asks you to enter your email, then computes its SHA-1 hash, then sends the result to LastPass.com to search our list of the leaked email hashes. A hash is a mathematical function that is simple to perform in one direction but is difficult to reverse, meaning it would be difficult to re-construct the email address that you enter into the LastPass tool. The hash will not be stored or logged.
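The lookup flow described above, as an added example that is not LastPass's code: the address is hashed locally and only the digest is looked up. The `BreachIndex` class, the normalisation step and the prefix-based `check_range` variant (which goes beyond what the post describes) are assumptions, and the addresses are constructed.

```python
import hashlib

# Constructed sample data: addresses standing in for the leaked list.
LEAKED = ["alice@example.com", "bob@example.org", "carol@example.net"]


def email_digest(email: str) -> str:
    """Hex SHA-1 of the address, computed on the client before anything is sent.

    Trimming and lower-casing is an assumption; the post does not say how the
    tool normalises input, but both sides must agree or lookups silently miss.
    """
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest()


class BreachIndex:
    """Lookup service side: stores digests only, never the addresses."""

    def __init__(self, leaked_emails):
        self._digests = {email_digest(e) for e in leaked_emails}
        self.seen = []  # what the service observed, kept here only for the demo

    def contains(self, digest: str) -> bool:
        """Full-digest lookup, the flow the post describes."""
        self.seen.append(digest)
        return digest in self._digests

    def suffixes_for(self, prefix: str) -> set:
        """Range lookup: return the tails of every stored digest with this prefix."""
        self.seen.append(prefix)
        n = len(prefix)
        return {d[n:] for d in self._digests if d.startswith(prefix)}


def check_full(index: BreachIndex, email: str) -> bool:
    # The service receives the whole digest. SHA-1 is deterministic and
    # unsalted, so that value identifies the address to anyone who already
    # holds it, which is why the post's no-logging promise matters.
    return index.contains(email_digest(email))


def check_range(index: BreachIndex, email: str, prefix_len: int = 5) -> bool:
    # Variant not described in the post: send only a short prefix and do the
    # final comparison locally, so the service never sees the full digest.
    digest = email_digest(email)
    tails = index.suffixes_for(digest[:prefix_len])
    return digest[prefix_len:] in tails


if __name__ == "__main__":
    index = BreachIndex(LEAKED)
    for addr in ["  Alice@Example.com ", "dave@example.com"]:
        print(addr.strip(), check_full(index, addr), check_range(index, addr))
    print("service observed:", index.seen)
```
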

Unfortunately it appears the passwords were stored in the clear, so we strongly recommend that anyone affected update their account password immediately, and work to update any other weak or duplicate passwords for other accounts.

The LastPass Security Challenge will help you identify any weak or duplicate passwords stored in your LastPass account, so you can launch those accounts and go to your settings to update the stored password. Use LastPass to generate a long, unique password, and save your changes to the account itself and to your site entry in LastPass.

Want to learn more about increasing your security with LastPass? Check out these related blog posts:

Get Proactive With the LastPass Password Generator
Multifactor Authentication: What It Is and Why It Matters
How to Create a Secure Master Password

May 17, 2013

Make Password Management Easier on Android with These Tips

In the inaugural post for our series featuring questions asked by LastPass users, this week's question is:
"I would like a lot more detail on how to make the LastPass Android app work with apps that require logons and passwords. I love how LastPass works on my laptop and desktop machines; using it here has been second nature to me. But I find myself logging onto my phone's LastPass app and cutting and pasting. Surely there's a better way?" - Keith K.
A great question, since the mobile experience is inherently different than the desktop experience. Because the mobile platforms are more closed, we can't integrate into the mobile browsers and apps as easily. This means that LastPass can't "see" into those other browsers and apps in order to fill your data there, unless you're using Dolphin Browser or Firefox Mobile on Android, for which we do offer addons. The LastPass app does allow you to login, view your stored data, and tap an entry to launch it within the LastPass app, where LastPass can fill the data and you can login to your sites.

Copy-paste is one option for logging in on other apps or browsers. On Android, if you long-tap on a site entry in your LastPass app vault, you can choose the "copy username" or "copy password" options to then multitask back to another browser or app and paste there. There are, however, a few other alternatives on Android that may be more useful for your workflow.

LastPass Copy Notifications


There are two ways to activate the copy notifications:
  1. In the LastPass app, tap and hold on a site entry and select "copy notifications"
  2. The username and password fields will appear as notifications in your phone's notification bar
  3. Drag down the bar to tap the "copy username" notification
  4. Paste your username in the browser or app where you want to fill your data
  5. Repeat those copy-paste steps with the password
You can also set the "copy notifications" feature to be the default action for tapping your site entries in the LastPass app vault. In the vault, tap your device's "menu" button, select the "More" menu, then open the "Preferences", and set the "Default site action" to "Copy Notifications".

LastPass Input Method


The LastPass input method allows you to switch to a LastPass keyboard that has a special button for autofilling your passwords in other apps or browsers. To get started:
  1. Enable the LastPass Input method in your LastPass app Preferences menu
  2. Multitask to the app where you want to login
  3. Long-tap in the app field, and select "Input"
  4. Tap the LastPass option to switch your keyboard
  5. Tap the asterisk button in the keyboard to display any matching logins
  6. Select the entry you want to use, and submit the login for the app
You can then switch your keyboard back at any time by long-tapping in a field, selecting the Input option, and switching to the default or another keyboard.

We continue to look at ways to expand the feature set on mobile, and to expand integration with other browsers and keyboards (for example, we're waiting on Google to provide support for addons in Chrome mobile). Hopefully these tips will help improve your workflow on Android!

Have a question for the LastPass team? Let us know in the comments or send us a note at marketing[at]lastpass.com. If we choose your question, you'll get a T-shirt!

May 13, 2013

Make Online Shopping and Surfing Easier with These Form Fill Profile Tips

As we move more and more of our daily lives to the digital realm, online shopping and registration for services is now an everyday activity. While shopping and registering for services online is convenient, the repetitive typing of forms to complete checkout or sign-up processes is time-consuming and redundant.

LastPass form fill profiles help reduce these processes to just a few clicks. By creating and using form fill profiles, your personal information is accessible but secure.

Setting Up A Profile


Getting started with form fill profiles is easy, and you can create as many profiles as you wish for your personal information, business information, and different credit or debit cards.

Click your LastPass browser icon, and select the "Fill Forms" menu to then choose "Add Profile" or "Add Credit Card".
In the dialog box to create the form, you'll fill out all relevant details you may want filled for you, such as your name, address, and other contact information.
If you have several credit or debit cards, we recommend setting up one profile with your billing information, and separate credit card profiles for the credit card numbers themselves, so you can mix and match profiles as needed.

Using A Profile


Once you've created a profile, LastPass will show the fill form notification menu when it recognizes you are on a site with a form. You can also click in the first field of a form to trigger the fill form notification.
When the notification appears, you can click the "fill form" button, and select the profile you want to use on that page. It's that easy!

Getting the Most Out of Form Fill


Once you've set up a few form fill profiles, here are some additional tweaks to help you get the most out of the feature:
  • Mix and match profiles by selecting the "Choose profile and credit card" option in the notification menu.
    This makes it easy to have multiple billing, shipping, and credit card profiles that can be used simultaneously.
  • Select the "default form fill profile" option in the Preferences menu of the LastPass browser icon. You can then set the hotkey for the default profile in the Hotkeys tab (such as Ctrl + Alt + T). Next time you need to autofill your default form fill profile, you can simply use the hotkey.
  • Since LastPass makes it easy to fill out forms as needed, consider removing your stored credit card information from online accounts. If you frequent sites like Amazon, Barnes and Noble, and other retailers, you can login to remove your stored information and rely on LastPass to securely insert your data when you need it.
Happy Shopping!

May 10, 2013

What Do You Want to Know?


Hey LastPass-ers - we want to hear from you!

We're looking to build more of a conversational series of blog posts, especially for Fridays, where we post answers to your questions, spotlight helpful tips, conduct polls, and more.

So to kick off the series, what would you like to know more about from LastPass?

To prompt some potential topics:
  • What LastPass features would you like to know more about?
  • Which technical concepts would you appreciate more information on?
  • What's going on in the news or the tech community that you're curious about?
  • If you had the chance to chat with a LastPass team member, what would you ask them?
Post questions in the comments or send them our way via Facebook, Twitter, or Google+. For questions that we end up choosing, you have a chance to snag a LastPass T-shirt!

May 9, 2013

In the News: Use LastPass To Create Secure Passwords

LastPass had a shout-out on KTLA the other day, in which reporter Rich DeMuro highlights the risks of poor password practices and the need for a tool to help you generate secure passwords. While discussing the challenge of the current password system and the tendency to use the same password everywhere, DeMuro suggests turning on two-step (or multifactor) verification and using LastPass to streamline the password process.



We're especially impressed that multifactor authentication was top among their recommendations, in addition to highlighting the need for different passwords on all accounts.

And we're excited to see LastPass mentioned as the choice password manager!

May 6, 2013

Multifactor Authentication: What It Is and Why It Matters

There’s a lot of buzz right now around multifactor authentication, and the need for more services like Twitter to support it, so we figured our users could benefit from a clarification of what it is, how it works with LastPass, and why it matters.

What Is Multifactor Authentication?


Multifactor authentication simply refers to the requirement of a second piece of information before allowing access to an account. By adding another authentication step, you are requiring that the user enter two forms of data - typically the first being something the user knows, like a username and password, and the second being something the user has physical access to, like an app on a mobile phone that generates one-time codes or a device that plugs into the computer to scan a fingerprint. After enabling multifactor authentication, the user is required to enter both pieces of data (username/password + generated piece of data) each time they login to the account or service.

Why It Matters


Good security is about being proactive and mitigating risk. Multifactor authentication increases security by adding another barrier to entry, decreasing the likelihood that a “pretender” can break in. It makes it harder for someone who has stolen the password to gain entry to the account. Unfortunately, many websites don’t implement this second form of authentication, which is why implementing it with your LastPass account is critical - and arguably more effective.

If you enable multifactor authentication with LastPass, you have significantly increased the security of your LastPass account itself, which is the hub of your online life. If someone compromises your master password, they can't gain access to your account without the second form of authentication. Since LastPass gives you the tools to generate secure, non-guessable passwords for all your accounts, if you then launch all of your sites from LastPass, you are eliminating risks of phishing attacks and other threats because you are going directly to your sites and logging in with LastPass. By enabling a multifactor authentication device, you are in effect enabling it for each of the sites in your vault as well. For Enterprise, if your Identity Provider utilizes multifactor authentication, as LastPass does, you also get the full benefit of multifactor authentication without passwords at all sites that you've implemented it on.

How It Works With LastPass

Once you enable multifactor authentication with LastPass, you'll be required to first enter your email address and master password, then the multifactor authentication data. LastPass offers support for several multifactor authentication methods:
  • Google Authenticator (Free): Utilizes a Google app, available for Android, iOS, and BlackBerry, which will generate a code every 60 seconds that you will enter when prompted.
  • Grid (Free): A unique, generated spreadsheet of random values that resemble a Battleship grid, each section containing a different letter or number. Once enabled, you'll be prompted to find and enter four values from the spreadsheet.
  • Sesame (Premium): Generates unique One Time Passwords (OTPs) each time you login. The feature can be run from a USB thumb drive, and you have the choice to copy the OTP to the clipboard or launch the browser and pass the value automatically.
  • YubiKey (Premium): A key-sized device that you can plug into your computer's USB slot, and generates a unique, One Time Password each time it's pressed. YubiKeys are immune from replay-attacks, man-in-the-middle attacks, and a host of other threat vectors. The key can be purchased from Yubico and bundled at a discounted rate with LastPass Premium. No batteries, waterproof, and crush safe.
  • Fingerprint Reader (Premium): LastPass has support for a small selection of fingerprint readers, including Windows Biometric Framework, UPEK, and Validity.
  • SmartCard Reader (Premium): LastPass has experimental support for SmartCard readers. See our help article for more details and limitations.
With all multifactor security options, you have the ability to mark the computer as "trusted", leaving multifactor enabled but not requiring it on that particular "safe" location.

Get Proactive


Passwords are not going anywhere soon, and because sites have implemented different security standards and requirements, we strongly recommend enabling a form of multifactor authentication with LastPass. This will help you better protect and mitigate risks for your LastPass account, and your online life as a whole.

The LastPass Team

May 3, 2013

For the Love of Security: End-of-Week Link Round-Up

Tech news this week was dominated by the LivingSocial hack, which affected some 50 million customers. LivingSocial advised that all users reset their passwords, and as we mentioned earlier, you can use LastPass to login and generate a new password for you, and also update the passwords for any other accounts using the same or similar password. See Monday's blog post for more thoughts.

A few other articles that caught our eye:  

Why your password can't have symbols--or be longer than 16 characters << Ars Technica discusses the sheer variety of password practices across sites and services, some of which are counter-intuitive and maddening. There's no question of the need for a password manager to centrally store and "remember" your passwords for you, since it's near-impossible to cope with all the variations of password requirements.

Twitter Warns Journalists: We Believe These Attacks Will Continue << Twitter sent a memo to news organizations stating that, while Twitter continues to work to improve security for its users, the organizations are also responsible for implementing better security standards. Amongst their recommendations were the company-wide use of password managers, with a nod to LastPass as a solution. This is a message we hope continues to spread; as we said above, end-users need to be just as proactive now in protecting their online life.

Teenage Password Security: Risk of Identity Theft << While they're arguably the most tech-savvy generation, the current teenage population is opening itself up to significant risks of identity theft due to poor password strategies coupled with over-sharing online. We'll add that this demographic typically believes they "don't have data worth stealing", so it's clear more education is needed here to provide tools for better password hygiene while highlighting the true costs of identity theft.

And can you believe it?
The World Wide Web turns 20! In 1989, the World Wide Web was invented by British physicist Tim Berners-Lee. Check out CERN's article for some more fun facts. Not to be confused with the Internet - the Internet is the technical system that makes the World Wide Web possible. The Web can be thought of as an "application" that runs on the Internet that allows us to share information and interface with each other via the web pages that load in our web browsers, so we can share all those awesome cat memes.

Happy Birthday, World Wide Web!

Apr 29, 2013

LivingSocial Hacked: What You Need to Know

LivingSocial confirmed on Friday, April 26th that they experienced a cyber-attack on their computer systems that resulted in unauthorized access to some customer data on their servers, including names, email addresses, date of birth for some users, and encrypted passwords (hashed and salted). The daily deals site joins a growing list of services who have been hacked in the last year and a half, including Zappos, Evernote, LinkedIn, eHarmony, and Last.fm.

Update Your Password, Now


Although the passwords were hashed and salted, and there are no known dumps of the stolen data, it's plausible that a percentage of the password hashes are known or have been brute-forced to reveal the plain text passwords, given the increasing speed at which brute-forcing can be performed and the proliferation of weak and duplicate passwords.

Echoing LivingSocial's recommendations in their email to the 50 million affected customers, we strongly recommend that anyone with a LivingSocial account follow the steps to update their password immediately, and update the password on any other accounts that used the same or similar password. Launch LivingSocial, click the "Create New Password" button on the top right corner of the homepage, and update the password to a new, randomly generated one using the LastPass password generator, located in the Tools menu in the LastPass Icon. The LastPass Security Check, in the Tools menu in the LastPass addon, will also help you identify any weak or duplicate passwords.

Now Is the Time to Be Proactive


We're seeing a trend that highlights some critical truths about passwords:
  • Hacks of popular services are inevitable, and their frequency is increasing - password re-use and weak passwords make the situations that much more damaging
  • The end user must be as proactive as possible about protecting their data - this means using a password manager to create strong, unique passwords, and following best security practices - like avoiding open WiFi, running up-to-date antivirus, avoiding public computers, and backing up your data
  • Companies need to take responsibility in educating their employees and providing tools, like LastPass Enterprise, that help them better protect corporate data and enforce high security standards
Help us spread the word about secure password management to family, friends, and coworkers who would benefit from the ability to achieve higher security standards while making their online life easier. With generated passwords, hacks like these are less likely to pose a risk to their personal data, and recovering is a matter of a few clicks to generate a new password.