Quick start to LastPass

Discussion in 'privacy technology' started by Mr.X, Nov 24, 2016.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Being short on time I want someone to help me set up LastPass Chrome extension quickly. No time for reading manuals. :D
    Could someone help me out on this?

    Thanks in advance.
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Not sure if this will hit the mark?

    Decide whether to trust the computer and store master-password or not (on startup).

    Go into preferences option from the toolbar icon, and set whether or not you want things like auto-fill and the highlighting of input boxes. This also gives you the keyboard shortcuts which you may want to get familiar with.

    As you generate passwords, you may want to set default patterns/lengths, though some sites will always throw a spanner in the works!

    Add different categories to the stored passwords as you go, and you can also assign them to shared folders as you go.

    The Account settings in the Vault page will give you access to things like setting up Two factor authentication to suit - you are going to use this, yes?!
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Thanks @deBoetie

    Let me put things in context so you can understand my current scenario.
    1. I have plenty of forums/websites logins with passwords, I want to change those with 50+ characters long pass.
    2. They are saved in Chrome's system.

    Questions:
    1. Do I have to login into every site and set the new password first?
    2. Do I have to clear delete my current passwords in Chrome? I guess so.
    3. Which one first 1 or 2?
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Question:
    Even if I use a strong password (50+ charac.) different per site, does this guarantee its security after a site has been compromised?
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    No. It depends how that site stores the passwords.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Thanks. Then using a password manager along with very strong password is just to protect my credentials on my end only, right? What other real benefit using LastPass?

    I remember the recent Yahoo case. Isn't this an example of a high tech website, with allegedly super security, yet it was breached recently and users' passwords were stolen?
     
    Last edited: Nov 24, 2016
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    From what I've seen from a quick search, it's possible to export Chrome's passwords in a CSV format. Likewise, LastPass is able to import from CSV; I can't recall the formats required.

    Alternatively, you could log in to each site using Chrome, then generate a new password in LastPass and store the site in the Vault, using copy and paste to transfer. Have autofill off. Obviously test as you go.

    Once happy, turn off Google's password system in settings. Clearly, once you're satisfied, you would be safer deleting them in Chrome as they are a target. Then LastPass can take over, including with autofill if that's what you want to do.

    I suspect 50+ characters is overkill for normal websites, that's at-rest encryption length for things like FDE. In any case, grotty websites will often face you with absurd restrictions on password length and character sets. But I'd personally settle for say 16-20 arbitrary characters, this "ought" to be long enough for login type applications with lock-out. Incidentally, I also populate any memorable recovery fields with random garbage, if you have a password manager and trust your own procedures, they are actually a big liability.

    The valuable features of LastPass are that it will manage long strong individual passwords for each site with autofill (restricting the problem even if the site in question is storing the password in clear rather than hashing it properly). It also supports password histories and notes. Your vault is available on any machine anywhere once you've logged in. It supports two-factor, which in my opinion is essential in the circumstances. It is even (gasp) usable by non-IT personnel.

    Personally, I find LastPass valuable, although I do not use it for all sites, and do use TFA. However, I would much prefer the day when each site supports TFA, but the progress on this is glacially and disgracefully slow, and many sites are disingenuously pushing smartphone & biometric as the second factor, both of which are fine for the supplier but bad for us as users. I'd much prefer U2F, but not many sites have supported that.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, if that site doesn't encrypt/hash your password properly, a strong password won't protect you. However, if they're doing it properly but you're using a weak password it might still be prone to, e.g., a dictionary attack.
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Fine. Client and server side must be both strong. Makes sense to me.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    @deBoetie

    For me, great walk-through! :thumb:

    Thanks a lot!

    I can infer from your comments (all of you guys), most important is the master pass. I want to make a very strong one but impossible to remember in my own memory. So I wonder if LastPass supports a key file.
     
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I have used LastPass in the past but was wondering what happens if you use LastPass and your computer becomes unusable? Are you still able to log into your sites?
     
  12. guest

    guest Guest

    At the login-dialog from the extension you can enable "Remember Password", but I think it's not a good idea if other people have access to the PC.
    ---
    You can restrict logins to your vault (login allowed only for specific countries), or you can choose to disallow TOR-connections.
    There are some more options to tweak in Advanced Settings @ "My LastPass Vault"
     
  13. guest

    guest Guest

    As long as you know your email+password for LastPass, you can login to your LastPassVault from other PC's.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    @mood
    Thanks for your input.
     
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "As long as you know your email+password for LastPass, you can login to your LastPassVault from other PC's."'t remember it using the cloud to store that info. Thought it was stored locally on the machine it was installed on only.
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    How do you use LastPass with an email notifier?
    Do you recommend one?
    Or how to get email notifications from email providers in combination with LastPass?
     
    Last edited: Nov 25, 2016
  17. guest

    guest Guest

    You'll get email notifications if important changes were made. Changing the Master Password, etc.
    And if someone wants to connect to the vault from an "unknown" device/location, you'll get this:
    This is enabled by default, and can be disabled. I would leave it enabled.
    ---
    If you're using 2FA, it's possible to allow the access to your vault while you are "offline":
    But this may be less secure.

    One Time Passwords - OTP:
    You can use them to login to your vault if you login from an "untrusted" PC, Internetcafe, etc.
    But first you have to generate them.
    Sidenote: After changing the master password, all generated OTP's are not valid anymore. New OTP's must be generated.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    @mood
    Thanks again. But I was talking about email notifications of my email service providers. I use to set up x-notifier to notify me when a new message arrives.

    Note: I'm not using 2FA now or in the next future...
     
  19. guest

    guest Guest

    :oops:
    Ok. Now I know what kind of email notifications you mean :)
     
  20. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    My personal preference is to have a limited set of long strong passwords - one of which is for the LastPass master password and similar. I generate this using physical dice and Diceware. Since there are a limited number of passwords to remember, I have not, in practice, found it at all difficult to remember them (you can usually cook up some absurd memorable story with the words). I also take comfort from the truly random and physically generated, away from any technology.

    Other people have shorter strong character-passwords, remembering via tricks like constructing a story from the characters in turn. My worry with the reverse is that they are not truly random, and hacking tools might get to know them (people tend to think in the same way for these things). For example tbontb is probably fairly common (to be or not to be), so could be recognised from common hashes for instance if salts aren't properly used.

    Some people who use password managers (including LastPass), do not store the complete site password in the manager's store, and do not use autofill with cr. So they decorate what's in the store with some short pin or other variant (entered from the keyboard manually), so that even if the master password is compromised, the actual site passwords are not fully owned.

    I would strongly encourage you to reconsider not using 2FA. Yubikeys are not expensive these days, they're very easy to use, and also secure my Windows login, for example; and having a second factor greatly reduces your risk of having the master password compromised or stolen by KSL. I wouldn't use any password manager without 2FA myself.
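
The point made in this thread about site-side storage (a site that does not hash properly, and common passwords such as tbontb being "recognised from common hashes" when salts aren't used) can be seen in a short added example, which is not part of any post above. The account names, passwords and the PBKDF2 round count are constructed assumptions; PBKDF2 stands in for whatever scheme a given site uses.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumed work factor, chosen for illustration only


def unsalted_record(password: str) -> str:
    """Weak storage: a bare fast hash, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None):
    """Stronger storage: per-user random salt plus a slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)


def shared_digests(records: dict) -> dict:
    """Group users whose stored value is identical, as a leaked table would show."""
    groups = {}
    for user, value in records.items():
        groups.setdefault(value, []).append(user)
    return {v: users for v, users in groups.items() if len(users) > 1}


# Constructed sample accounts: two users picked the same guessable password.
ACCOUNTS = {"alice": "tbontb", "bob": "tbontb", "carol": "kV9#tq2LmZ7!xR4pWd"}


def audit():
    weak = {u: unsalted_record(p) for u, p in ACCOUNTS.items()}
    strong = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    strong_digests = {u: rec[1] for u, rec in strong.items()}
    return shared_digests(weak), shared_digests(strong_digests), strong


if __name__ == "__main__":
    weak_groups, strong_groups, _ = audit()
    print("users sharing an unsalted digest:", list(weak_groups.values()))
    print("users sharing a salted digest:  ", list(strong_groups.values()))
```

With unsalted hashes the two identical passwords collapse to one stored value, so a single precomputed entry exposes both accounts; with per-user salts every record is distinct and each guess has to be recomputed per user at the cost of the full round count.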
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    @deBoetie
    Thanks again for your great input. I'll reconsider it.
     
  22. guest

    guest Guest

    Just use Google Authenticator, it works with LastPass.
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Thanks for your suggestion.
     
  24. guest

    guest Guest

    An alternative solution is the software WinAuth which is supporting Google Authenticator.
    This software can be used as a "fallback" if you lose access to your Smartphone and can't generate Authenticator Codes.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Thank you. :thumb:
     