Jan 9, 2012

New Year's Resolutions with LastPass: #3 Replace Weak and Duplicate Passwords

With a newly reorganized vault and the results of the Security Check in hand, let's roll up our sleeves and go through the steps to update those weak and duplicate passwords.

We recommend starting with important passwords - online banking, email addresses, online shopping accounts with stored credit card information - that are critically weak (the bar is red in the results) or that share a password with other logins. Set a goal to work on a handful of accounts at a time, over several days or weeks if needed, until all passwords are at a 'strong' level. This is likely the hardest resolution on our list, but it is an important step toward increasing your online security with LastPass.

To start with the most critical areas, pay attention to the three Security Check results that show the number of duplicate passwords, the number of sites with duplicate passwords, and the number of weak passwords:

The Security Check's detailed results make it easy to identify these problems and correct them. The sites are ranked from weakest password to strongest, with the weakest showing a shorter red bar and the strongest showing a longer green bar.
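To make the three headline numbers and the weakest-to-strongest ranking concrete, here is an added example (not LastPass's own code) that runs the same kind of audit over a small constructed vault. It counts distinct passwords that are reused, the number of sites sharing one, and the number of weak passwords, and it produces the ordered to-do list the post recommends (weakest and reused entries first). The scoring is a plain character-pool entropy estimate, with one addition the comments below ask for: anything on a common-password blocklist scores 0 outright, so a word like "password" (which would otherwise score 47 here on length alone) cannot look moderately strong. The vault contents, blocklist, and the 50-point weak threshold are all assumptions for the example.

```python
import math
import string
from collections import defaultdict

# Constructed sample vault for the example (not real credentials): (site, username, password).
SAMPLE_VAULT = [
    ("bank.example.com", "alice", "Summer2011"),
    ("mail.example.com", "alice", "Summer2011"),        # reused from the bank entry
    ("shop.example.com", "alice", "password"),
    ("forum.example.net", "alice", "4v!Qz9#pLm2&rT7c"),
    ("news.example.org", "alice", "8271"),              # digits-only, too short
]

# Tiny constructed blocklist standing in for a real common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "1234"}

WEAK_THRESHOLD = 50   # assumed cut-off: scores below this count as "weak"
FULL_SCORE_BITS = 80  # assumed: 80 bits of estimated entropy maps to a score of 100


def strength_score(pw: str) -> int:
    """Return a 0-100 estimate based on character-pool size and length.

    Blocklisted words score 0 regardless of length, which is the fix for
    long-but-obvious passwords receiving a middling score.
    """
    if pw.lower() in COMMON_PASSWORDS:
        return 0
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    if pool == 0:
        return 0
    bits = len(pw) * math.log2(pool)
    return min(100, int(bits * 100 / FULL_SCORE_BITS))


def security_check(vault):
    """Compute the three Security Check numbers plus a weakest-first ranking and to-do list."""
    sites_by_password = defaultdict(list)
    for site, _user, pw in vault:
        sites_by_password[pw].append(site)
    dup_groups = {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}

    # Rank every site from weakest to strongest (ties broken by site name).
    ranked = sorted((strength_score(pw), site) for site, _user, pw in vault)
    score_of = dict((site, score) for score, site in ranked)
    reused_sites = {site for sites in dup_groups.values() for site in sites}

    # The order to work through: weak or reused entries, weakest first.
    action_list = [site for _score, site in ranked
                   if score_of[site] < WEAK_THRESHOLD or site in reused_sites]

    return {
        "duplicate_passwords": len(dup_groups),                       # distinct reused passwords
        "sites_with_duplicates": sum(len(s) for s in dup_groups.values()),
        "weak_passwords": sum(1 for score, _ in ranked if score < WEAK_THRESHOLD),
        "ranked": ranked,
        "action_list": action_list,
    }


if __name__ == "__main__":
    result = security_check(SAMPLE_VAULT)
    for key in ("duplicate_passwords", "sites_with_duplicates", "weak_passwords"):
        print(f"{key}: {result[key]}")
    for score, site in result["ranked"]:
        bar = "#" * (score // 10)        # shorter bar = weaker, as in the results view
        print(f"{score:3d} {bar:<10} {site}")
    print("work through first:", result["action_list"])
```

Note that the two bank/mail entries score 74 on their own, so a pure strength view would not flag them; they land on the to-do list only because the reuse check catches them, which is why the post asks you to look at both numbers.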

As we've shown before, updating a site's password requires logging into the site itself and then using LastPass during the site's own password-change process. Clicking "Visit Site" next to a weak password in the Security Check results takes us to the login page for that entry:

For example, if a Gmail login is very weak or is currently the same as another password, we'll click "Visit Site" and be directed to the Gmail login page, where LastPass will autofill the data:

We can then navigate to Gmail's "account settings" page, where we can access the page to change our Gmail password:

On the password change page, LastPass will present a notification bar, allowing you to first autofill the existing password and then generate a new one. Note that when you click the "Generate" button, you can check the "show advanced options" box to customize the length of your password and which kinds of characters (letters, digits, and symbols) are included in the generated password.

When the fields are complete, save the account changes. LastPass will present another notification bar, asking you to confirm the change to an existing account or to save a new site entry. When you click "Confirm", a dialog will appear allowing you to select the entry to which you want to apply the change.

You should then repeat this process for every site that has a weak or duplicate password, working your way through the Security Check results. Note that, after updating the username or password for a site stored with LastPass, you can open the "Edit" dialog and click "History" to see a record of the changes made to that entry:
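The generate-and-confirm steps above boil down to three checks worth doing in code: the new password honours the options you set (length and character classes), it is not a repeat of any other entry in your vault, and the old value is kept in the entry's history. The following added example (my own illustration, not LastPass's generator or vault format) shows all three with Python's `secrets` module. The option names, the `VaultEntry` shape, and the symbol set are assumptions; the digits-only, 4-character case is included because several commenters below describe sites that allow nothing else, and even there the generator should still pick the value uniformly at random rather than let a human choose it.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class GenerateOptions:
    """Assumed equivalents of the generator's 'advanced options' knobs."""
    length: int = 16
    use_lower: bool = True
    use_upper: bool = True
    use_digits: bool = True
    use_symbols: bool = True
    # Conservative symbol set; some sites reject quotes, backslashes, spaces.
    symbols: str = "!#$%&*+-=?@^_"


@dataclass
class VaultEntry:
    """Minimal stand-in for a stored login, with a change history list."""
    site: str
    username: str
    password: str
    history: list = field(default_factory=list)


def _classes(opts: GenerateOptions) -> list[str]:
    classes = []
    if opts.use_lower:
        classes.append(string.ascii_lowercase)
    if opts.use_upper:
        classes.append(string.ascii_uppercase)
    if opts.use_digits:
        classes.append(string.digits)
    if opts.use_symbols:
        classes.append(opts.symbols)
    if not classes:
        raise ValueError("at least one character class must be enabled")
    if opts.length < len(classes):
        raise ValueError("length too short to include every enabled class")
    return classes


def generate_password(opts: GenerateOptions) -> str:
    """Generate a password using the OS CSPRNG with at least one char from each enabled class."""
    classes = _classes(opts)
    chars = [secrets.choice(cls) for cls in classes]          # guarantee class coverage
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(opts.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                     # hide which positions were forced
    return "".join(chars)


def password_meets(pw: str, opts: GenerateOptions) -> bool:
    """True if pw has the requested length, uses only enabled characters, and covers every enabled class."""
    classes = _classes(opts)
    pool = set("".join(classes))
    return (len(pw) == opts.length
            and all(c in pool for c in pw)
            and all(any(c in cls for c in pw) for cls in classes))


def rotate_password(entry: VaultEntry, vault: list[VaultEntry], opts: GenerateOptions) -> str:
    """Replace entry.password with a fresh one that no other vault entry uses; keep the old value in history."""
    others = {e.password for e in vault if e is not entry}
    for _ in range(10):                                        # collisions are astronomically unlikely
        candidate = generate_password(opts)
        if candidate not in others:
            break
    else:
        raise RuntimeError("could not generate a password distinct from other entries")
    entry.history.append({
        "changed": datetime.now(timezone.utc).isoformat(),
        "old_password": entry.password,
    })
    entry.password = candidate
    return candidate


# Constructed sample vault for the example (not real credentials).
SAMPLE_VAULT = [
    VaultEntry("bank.example.com", "alice", "Summer2011"),
    VaultEntry("mail.example.com", "alice", "Summer2011"),   # duplicate of the bank entry
    VaultEntry("pin.example.org", "alice", "1234"),          # site that only accepts a 4-digit PIN
]

if __name__ == "__main__":
    rotate_password(SAMPLE_VAULT[1], SAMPLE_VAULT, GenerateOptions())
    rotate_password(SAMPLE_VAULT[2], SAMPLE_VAULT,
                    GenerateOptions(length=4, use_lower=False, use_upper=False, use_symbols=False))
    for e in SAMPLE_VAULT:
        print(e.site, e.password, "history:", [h["old_password"] for h in e.history])
```

After the two rotations the mail entry no longer shares a password with the bank entry, and each changed entry carries its previous value in `history`, which is what the vault's "History" view lets you check after a change.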

We hope this article provides a helpful push to replace duplicate passwords and update weak ones. You're well on your way to topping the Security Check!

Best,
The LastPass Team

14 comments:

  1. I've also added Google Authenticator to my LastPass account and my Gmail account. Highly recommended!
    http://support.google.com/a/bin/answer.py?hl=en&answer=1037451

  2. What do LastPass recommend for those sites that don't even allow strong passwords? For instance I have Freq. Flyer accounts that enforce low digit count all numeric passwords... how do we convince them to upgrade their own security?

    Replies
    1. It's a complicated issue that requires improvements from a number of places. We've certainly brainstormed on how we can be involved; for the time-being though users should create the best password they can given the site's limitations until there's more positive change.

  3. Yes, how do we get websites with a 4-digit user PIN to upgrade? It shows a weak password, but the website will not allow input of anything apart from a new 4-digit PIN code.

    Replies
    1. We'll certainly continue to find ways to be involved in improving the situation in the digital space, for now you'll have to work within the site's limitations.

      Amber

  4. Is there a trick to find out the maximum number of digits/words a website will allow in a password? Some say "choose a password between x and y length" but many don't make it clear. So you have to either keep trying a variety of increasing digits until you get the maximum length and/or risk that only a fraction of your digits/word will get recognised when you change your password, meaning you'll have to reset your password (a pain) because you don't know which length password the website actually accepted!

  5. @NSILMike - There isn't a good solution other than to make the best password you can, and perhaps change it periodically.

    We've periodically discussed this situation amongst our team and continue to search for ways we can make it easier for our users, as well as create positive pressure for online services to better their requirements of end users. Thanks for the feedback and suggestions!

    Amber

  6. Thanks for the post. I didn't know this tool (the security check) and it's made me realize I need to update a number of duplicates.

    On a related note, I actually have a password that is "password" (not for anything important, of course) and the check gives it a strength of 46%. Might wanna lower the score for relatively long but unbelievably obvious passwords!!

  7. As far as duplicates go, I use LastPass for both personal and company passwords. There are a lot of different sites at the company that all use my username and password. Could a domain default password be added to LastPass? Then if a URL matches a key, it still uses that key. Otherwise, recognizing just mycorp.com, it fills in my MyCorp credentials.

    Replies
    1. Unfortunately there's no way to set a single entry as a "default" when you have more than one matching login. If you want LastPass to use the same credentials across multiple work sites, adding them as equivalent domains in your LastPass Icon > My LastPass Vault > Account Settings link > Equivalent Domains tab may be the best option (for more information: http://helpdesk.lastpass.com/account-settings/equivalent-domains/). However, if you want to separate out work and personal accounts on the same site, you may want to consider Identities, which you can switch between depending on your current needs (or location). For more info: http://helpdesk.lastpass.com/password-manager-basics/identities/

  8. I wish the change password dialog would work for more sites. The one area that I find most difficult / frustrating about LastPass is when passwords need to be changed. As a matter of fact, I have never seen the change password detection notification for any sites. Does it only work for Google accounts?

    Replies
    1. Thanks for the feedback. It's supported on a range of sites, but we're still improving our accuracy. If you have a specific site or set of sites where you see errors with the update process, please submit a report to the team: https://lastpass.com/supportticket.php?lpnorefresh=1 or at support at lastpass dot com so we can investigate further and look at fixing.

    2. Well, I can't say that I've seen any errors per se, it's just that I've never seen the change password functionality noted in this article work for any of the sites I use. For example, I just changed passwords for Discovercard.com and Facebook.com after using LP to login. On neither site was I prompted by LP on the change password page, and I had to manually update the password for the site in the vault using the one LP generated for me.

    3. I do have to admit I just encountered my first "change password" process as noted above for linkedin.com.
