How I finally started using a Password Manager and learned to love Security

Victoria Guido
6 min read · Jun 24, 2019
Image by Uwe Baumann from Pixabay

I have heard for years that using a password manager was kind of a big deal.

I never seemed to have the time to set one up, I worried it would be annoying to use across devices, and I felt overwhelmed by the amount of choices of vendors.

But this year, I finally got over myself and did it.

Here’s my experience of selecting the password manager, setting it up, and other interesting tidbits I found in the process. Hopefully this post helps you brave the level of effort and commit to a password manager too!

I ended up selecting LastPass to set up across my Android Phone, PC, and MacBook Air.

The Search

First step was to search for reviews on password managers. It can be hard to tell which websites to trust for reviews, since so many get paid to advertise, but here are the reviews I liked.

  • Wired.com — The 4 Best Password Managers were two paid options (1Password, Dashlane) and two free options (LastPass, KeePassXC)
  • WaPo — Also recommended 1Password, Dashlane, and LastPass
  • Consumer Reports — Seems like the top 4 are 1Password, Dashlane, LastPass, and KeePassXC.

Highly recommend reading through all three of those articles; they do a great job introducing how to use password managers and the pros and cons of each.

The Selection

I was about to sign my life away with 1Password, but I decided to do another round of research on the security of password managers before pulling the trigger. I found another excellent Washington Post article, which happened to mention midway that a critical security vulnerability in password managers on Windows machines was left unpatched and de-prioritized by 1Password.

I built my own PC a few years ago, and I am just always going to have to interact with Windows machines.

The two companies WaPo called out for immediately updating the bug were LastPass and Roboform. Quickly reviewing the two companies’ security pages, I really liked LastPass’s transparency about their process; the bug bounty program especially looked interesting. Roboform had a white paper you could sign up to download, and had a couple of items, but just not as much content relating to their security practices as LastPass had. Plus I like the name better. LastPass is chosen.

LastPass

Here I want to share the process of signing up, and what I considered as I was going through.

On the home page you can see pricing options. I saw the Family option for $4 a month and got a little excited about the opportunity to have everyone be more secure — especially my parents. But I’m going to hold off on paying until I see how easy it is to install and set up.

I’m the family IT support. So if I say we should secure our online accounts, you bet I’m going to be the one setting up Grandma & Grandpa’s account on his home computer and phone. And explaining how to use it.

Ok so moving forward…

Starting with the free version.

Terms and Agreements

I’m the kind of nerd who actually reads the agreements, and even sends in questions to companies about it. Here’s what I found and the questions I had:

  • Privacy Policy — LastPass is owned by LogMeIn Inc, which also makes GoToMeeting. You can go down a bit of a rabbit hole going through all the documentation for LogMeIn Inc, but I decided to limit myself a little bit just to LastPass.
  • “We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data to help us support the Services.” — What do you do with the data? How is it stored, and how frequently are they collecting this data?
  • Third Party Data: “We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide products and services that may be of interest to you.” — Which third parties do you share information with? What is the approval policy for acquiring new parties?
  • “LogMeIn may access (which may include, with your consent, limited viewing or listening) and use the data we collect as necessary (a) to provide and maintain the Services; (b) to address and respond to service, security, and customer support issues; (c) to detect, prevent, or otherwise address fraud, security, unlawful, or technical issues; (d) as required by law; (e) to fulfill our contracts; (f) to improve and enhance the Services; (g) to provide analysis or valuable information back to our Customers and users.”
  • “We may utilize precise Geolocation data but only if you specifically opt-in” — Gonna double check that one to see if I’m really not automatically opted in.

Overall, the terms were readable and seemed pretty standard. They also provide opportunities to give feedback twice. I may have some prior tech prejudice creeping in from experience in large corporations and GoToMeeting, but at this point it’s just time to get on the bus and go. I briefly looked at LogMeIn, a similar product owned by the same parent company, and there were several paragraphs written in all caps about indemnity, and I’m still not entirely sure I know what that means.

Set Up

I picked a long, memorable phrase and a good reminder and hit “sign me up it’s free”. I also made sure two-factor authentication was enabled.

I downloaded the browser extension, and it asked me what sites I use.

  1. Added Google. This was fairly painless.
  2. Tried to add Facebook. It didn’t really work.

I’m the kind of person that occasionally looks up and checks what URL they’re at. Oh, does that now say I’m on an insecure site? Well, no thank you, you can’t have my personal information. Since LastPass is a Chrome extension, the form to add a password for a site looks a bit odd to me. It looks like it’s storing my passwords in an encrypted folder on my local drive. I am also tired at this point and decided to take a break and come back to it the next day.

Taking a fresh look, I can see three ways to use LastPass:

  • As you browse and go to different sites, when you log in, LastPass pops up and asks to add it to the tool.
  • You can hit +add site, but then you have to remember your login credentials for the site, which you might not, and then you have to go and reset your password.
  • You can have LastPass generate a complex password for you and copy and paste that into the site.

The third bullet is particularly useful when you’ve logged into a site with a password you’ve used for multiple sites: LastPass pops up and says, hey, why don’t we create a new password for this site.

The only issue is that if I go to a new site, Chrome also wants to store the password. Should I be storing it in Chrome, in LastPass, or both? This becomes important for mobile setup.

I have a Pixel 2, and a bunch of apps that I only use on my phone. When I go to LastPass and settings, for auto-fill I have the option of using LastPass for autofill, or Chrome. I’m a little worried that I’ve been heavily using Chrome to log into sites, and some might not work. However, I decided to just do it and see what happens. So far so good; everything works just the same.

In Conclusion

I do see the benefits of using a password manager for managing complex passwords across multiple devices. If I need to get a new device (or need to re-wipe my macOS again) it would be very nice to have. Particularly for my financial sites, where I’m not able to log in with my Google account and tend to reset my password every time I need to log into the site.

I feel that as I’m using it, I might run into issues. I certainly haven’t added ALL the sites I go to yet, and it’s going to take some time. If I find any hiccups I’ll be sure to share them here.
