Feb 8, 2012

Resolutions with LastPass: #10 Strengthen Your Master Password

For the last installment in our resolutions series, we wanted to touch upon an important aspect of using LastPass: the strength of your master password. At LastPass, we've always touted we're "the last password you'll ever need". With only one strong password to remember and a host of customizable security options, you can let LastPass take care of the rest. So it goes without saying, then, that your LastPass master password should be strong and unique while still memorable.

Test the strength of your master password today by running the Security Check, located in your LastPass Icon menu under "Tools". Once it completes, scroll down to the "How strong is your LastPass master password?" section.

The strength meter uses an algorithm that counts the unique characters in your password and the number of different character types it draws on (letters, numbers and symbols, with uppercase and lowercase counted separately). Your master password remains secure because the check runs entirely locally, so the password never leaves your computer.

Less than satisfied with your score? Consider updating your master password. One of our recommendations for creating a strong, unique master password is to break down a memorable phrase into letters, numbers, and symbols.

For example, let's take: "I got 99 problems but a password ain't one". Thinking of memorable characters to assign to the phrase, we could end up with: "Ig96pZb@pwA1". And voila - a 12-character random password that you'll remember because you can say it to yourself as you type out the character that's associated with each part of the phrase.
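The two paragraphs above describe what a local strength meter measures (unique characters and character types) and give a phrase-derived password. The following script is an added example, written for this post and not LastPass's own meter or code, that implements such a check and scores both the phrase and the derived password from the example. The character-class pool sizes and the rating thresholds are assumptions chosen for the illustration; the brute-force bit estimate is an upper bound, since real attacks try dictionary words and common patterns before exhaustive search.

```python
import math
import string

# Pool size per character class (an assumption for this example, not LastPass's
# published algorithm): 26 lower, 26 upper, 10 digits, and string.punctuation
# (32 characters) plus the space character counted as "symbol".
CLASS_POOL = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation) + 1,
}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def brute_force_bits(password):
    """Bits of work an attacker faces if every character were drawn uniformly
    from the union of the classes present. This is an upper bound: it ignores
    that dictionary words and keyboard patterns are tried long before that."""
    pool = sum(CLASS_POOL[c] for c in character_classes(password))
    if pool == 0:  # empty password
        return 0.0
    return len(password) * math.log2(pool)


def rate(bits):
    """Map the bit estimate to a label (thresholds are illustrative)."""
    if bits < 40:
        return "weak"
    if bits < 60:
        return "fair"
    if bits < 80:
        return "good"
    return "strong"


def score(password):
    """Local strength check: the password never leaves this process."""
    bits = brute_force_bits(password)
    return {
        "length": len(password),
        "unique": len(set(password)),
        "classes": len(character_classes(password)),
        "bits": round(bits, 1),
        "rating": rate(bits),
    }


if __name__ == "__main__":
    # Both inputs come from the post's own example.
    for candidate in ("I got 99 problems but a password ain't one", "Ig96pZb@pwA1"):
        print(repr(candidate), score(candidate))
```

Run as-is, the phrase scores far higher than the 12-character derivation purely because of its length, which is exactly the point of the caveat in `brute_force_bits`: a meter that only counts characters and classes cannot tell a famous lyric from a random string, so treat its output as a floor for what to fix, not a guarantee of strength.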

If you want to update your master password, you can do so by going to "My LastPass Vault", launching the "Account Settings" link, and entering a new master password in the field. Practice logging in a few times with the new master password to ensure you'll start committing it to memory!

Best,
The LastPass Team

Have a LastPass tip of your own? Or a feature or question you'd like us to cover? We'd love to hear your thoughts at press@lastpass.com.

13 comments:

  1. All very nice on a PC with a physical keyboard. But have you ever tried typing “Ig96pZb@pwA1” on an iPhone or Android touch screen keyboard — most of which have only three rows and no dedicated keys for dot comma and whatever else?

    1. A trick I used was to structure my password so that numerals and special characters are all in a continuous string, as are the alphabetics. That way it's easy on your Android/iPhone. You key (for example) the alphabetic string, then switch to the numeric/punctuation keyboard for the next string. I agree that going back and forth (or having to hold the key to get the numeral) is impossible.

      I can't think of any security improvement to interspersing them.

      In principle, you only have to do this for your master password, since Lastpass will fill in all the rest...

    2. Thanks for the feedback, Martin. It's not optimal, although we do provide the PIN-code reprompt option so you only need to type the master password once during a session and then enter the 4-digit PIN when relaunching the app.

      Janet has some interesting suggestions as well. We'll continue to look at improvements.

      Amber

  2. @Martin:

    Fat fingers? Boo hoo, you have to type in a complicated password if you want security. Lastpass *exists* to defeat the limits of your keyboard and your brain. Check the little box to save your password and bear the burden of typing it in once.

  3. I heard about the idea of using the mnemonic of an easily-remembered phrase ages ago, and have used it ever since without problem. But one thing occurred to me in the early days: don't let your lips move as you say the phrase to yourself if you're with company while entering it - and if (like me) you use a song title for your phrase, try not to go round with that particular song on your brain for the rest of the day - somebody might put 2 and 2 together! :-)

  4. This comment has been removed by the author.

  5. Come on LastPass, start promoting easy-to-remember and easy-to-type passwords.
    http://preshing.com/20110811/xkcd-password-generator

  6. Would any hacker actually try a password like "I got 99 problems but a password ain't one"? Because I find a phrase like that would be quite good as a password in itself. It makes them extremely long quickly and it's freaking easy to remember. Add punctuation and numbers and you'll have something quite strong.

  7. Personally,

    (1) for websites that I won't have to authenticate to manually, I let LASTPASS give me a random string that's as long as the site allows.

    (2) for websites that I will have to type or tap in, I use four random words with special characters as separators. And, I log in once from a real keyboard and let LASTPASS capture it.

    (3) for bank accounts and other sites related to finances, I do the old-fashioned random sentence like "wrong#sign#bridge#fall#down#nooo#partial#credit". With a LASTPASS safe note with a reminder: "What did Doctor Zia say about a sign error? With #'s".

    I don't trust anyone with my money. :-) Even myself.

    Hope this helps?
    fjohn
    http://www.reinkefaceslife.com/

    1. Yes, but there is a subset of (2) which is the lastpass master password itself. The trick is to make it strong, memorable, and easy to type in on a small virtual keyboard. So my trick there is to put the #'s and symbols all together rather than interspersed through the alphabetics. As best I can tell it's just as strong, but much easier to enter on my Android.

      And contra @Martin above, you really should not click the little box that tells it to remember your LastPass password! Then you are entrusting your (very strong) LastPass password to whatever security you have against someone who finds your lost phone (or steals it). That's like what: nothing? a 4-digit PIN? a swipe gesture?

      And I agree with you on (3). For important stuff that I need to be able to get to no matter what - like my bank site - I make it strong but memorable. That way if something happens and I don't have LastPass available I can still get in to it if I have to.

      And then Lastpass provides me convenience, and also a secure way to store them where the person to whom I've given POA (and who has the password from me) can find them and take care of my affairs after my stroke/debilitating accident/dementia/whatever. Obviously, the person who is your POA is chosen very carefully, since they by legal definition can do anything with your affairs. So that is a person you trust completely.
