Lastpass for assholes. LastPass is a free browser-based password manager

The first and simplest option is the standard password manager of Chrome, Firefox, Opera or Vivaldi. Almost all modern browsers can save and automatically insert logins and passwords into the required fields. Yes, this option cannot be called very functional, since it lacks some additional features like a reliable combination generator and secure notes. But you can use it completely free, and there is synchronization between different devices, which works, of course, only if you use the same browser everywhere.

Simplicity, accessibility, free. Synchronization between different devices.
− Low functionality and security.

1Password

1Password has been around for over eight years, but has always been overshadowed by LastPass due to its relatively high cost. It can store passwords, bank card data, software licenses and other confidential information in a secure virtual storage. This storage can be located on a remote server or a local device. It is possible to synchronize via Wi-Fi, Apple iCloud or Dropbox. The developers paid special attention to security and encryption algorithms, thanks to which this service was not noticed in high-profile scandals.

Reliability, cross-platform, functionality, synchronization.
− High price.

KeepPass

If you are looking for a free solution and are not afraid of difficulties, then be sure to try KeePass. This is a completely open source project created by independent developers. It has a huge number of possibilities thanks to the presence of a whole arsenal of various add-ons, plugins and auxiliary utilities. However, in return, you will have to come to terms with the typical disadvantages of free software in the form of high complexity of development and instability of some elements.

The password database created in KeePass is stored in the form of a single file, which can be placed on your hard drive or in some cloud service. In the latter case, you can implement data synchronization between different devices. There are plugins for popular browsers that, with varying degrees of success, provide substitution of logins and passwords on the desired pages. In addition, KeePass is also available on mobile devices.

Free, functional, secure.
− A solution for geeks who can select and correctly configure all the necessary components.

Dashlane

This password storage service appeared relatively recently, but has already managed to prove itself on the positive side. Dashlane has a nice appearance, good functionality and ease of use. The password database is stored in the cloud in encrypted form, and there is synchronization between clients for different platforms (Mac, PC, iOS and Android). Among the additional features, it is necessary to highlight the function of automatically filling out forms, a password generator, the ability to change passwords in one click, and convenient tools for online shopping. But all this splendor may fade for you if you want to use data synchronization between different devices. To do this, you will have to buy an annual subscription costing $39.99, which, you see, is quite a lot.

Appearance, reliability, cross-platform, digital wallet.
− High cost, lack of local password storage.

Which password manager will you choose if LastPass does become paid?

Back in the summer of 2016, Google Project Zero specialist Tavis Ormandy sincerely said: “Do people really use this LastPass thing?” Then Ormandy discovered a vulnerability in the code of the LastPass add-on for Firefox 0-day, which made it possible to remotely compromise all user passwords.

Now, almost a year later, the expert once again decided to test LastPass's security, and, unfortunately, the application cannot be said to have passed the test. Ormandy writes that he discovered a problem in the official LastPass extension for the Chrome browser. According to the researcher, the extension's content_scrip contains a vulnerability that, if attacked, could lead to the compromise of all credentials stored in the application. Moreover, to carry out an attack, the attacker only needs to lure the user to a malicious site.

The researcher explains that the script is only used to access a specific domain on lastpass.com, and if you take a closer look at how it works, it looks like this:

Here, as Ormandy notes, lies the mistake. The script proxies unauthenticated window messages to the extension, which can be dangerous because anyone can do the following:

This will give the attacker full access and force LastPass to execute RPC commands, of which there can be hundreds, but the most dangerous, of course, is the ability to copy and fill passwords. In some cases, this can even lead to the execution of arbitrary code on the user's machine, through the exploitation of openattach. As an example, Ormandy demonstrates running a regular calculator (calc.exe).

LasPass developers, apparently, have already fixed the problem in the Chrome extension by disabling 1min-ui-prod.service.lastpass.com. However, some users note that the server is still running for them, and the vulnerability is still relevant. Users of LastPass for Chrome should probably disable the extension for now and wait for a full patch to be released, as version 4.1.42, dated March 14, 2017, was still vulnerable.

It is worth noting that last week Tavis Ormandy found another very similar bug in the LastPass add-on for Firefox. The vulnerability also allows you to extract all user passwords if he visits a malicious site.

This problem has not yet been fixed. The LastPass developers have already prepared a patch, but the corrected version 3.3.2 is still being reviewed by Mozilla specialists. The LastPass authors also emphasized that the 3.x branch is still considered obsolete, and users are recommended to switch to the more secure 4.x branch.

But LastPass's problems don't end there. Today, March 22, 2017, Tavis Ormandy warned that the LastPass add-on for Firefox contains another bug that allows you to steal other people's passwords for any domain. Moreover, this time the more modern and secure version 4.1.35 is vulnerable. The expert promises to publish the details in the near future.

I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud

For a long time I used the Roboform program to store my passwords for sites and fill out web forms for registration on various sites (I was happy with everything about it, except that it was paid).

But somehow I got tired of constantly, before reinstalling the operating system, first saving the folder of the specified program, which is responsible for storing information with logins and passwords for my sites.

Then, after reinstallation, look for a new version again and carry out manipulations with replacing files and folders. And then the unexpected happened: after the operating system failed, I lost access to all data.

I don’t consider myself a specialist in recovering information from a hard drive, so I didn’t restore anything, but set myself 2 tasks: 1 - find a free and reliable password manager; 2- have access to all your passwords and logins from any place where there is an Internet connection.

While searching for an alternative password manager, I found an add-on for browsers (Firefox, Google Chrome, Opera) called LastPass Password Manager with all the functions that I need (remembering logins and passwords, filling out web forms, a password generator) and I don’t have to pay for these functions.

Plus, the data is stored in encrypted form, to which only you have access. The addition has shown excellent performance for more than six months. Let's do the installation using the Firefox Internet browser as an example.

After installation, restart the browser by clicking the “Restart now” link.

The browser is restarted and a window appears with the beginning of the LastPass setup procedure, where the first thing we need is to select a language and click the “Create an account” button.

In the next window, enter your current email address, the most important master password (you must remember it or write it down somewhere if you are forgetful. We will need it to gain access to all our passwords and the manager’s control panel.

Create a password reminder (optional), and be sure to check the box “I have read and agree to the Terms of Use.” Next, check the box “I understand that my encrypted data will be sent to LastPass.” Select the remaining items as desired and click on “Create an account.”

We read the extremely important information, enter your main master password again and click “Create an account.”

We import or not (optional) our logins and passwords from other storages of confidential information on the computer and click on the “Continue” button.

You can immediately set up information for filling out web forms.

At the last step, we accept Congratulations on the successful installation and click on the “Continue” button.

PASSWORD MANAGER

We are automatically taken to the online storage of your account.

A branded manager button with the functions we need appears in the right corner of the browser.

To make using a password manager as convenient as possible, I would recommend going to settings and unchecking the “Use compact toolbar” checkbox.

We will have a convenient control panel on top of the entire line in the browser. Now, when you enter your username and password on any website, LastPass will prompt you to save the information.

Now you can access any website you need using the website name dropdown in the manager's top control panel.

A convenient feature is to import all logins and passwords from various popular managers.

Worth mentioning is the highly customizable password generator.

Now, after reinstalling the operating system, be it Windows or Linux, you just need to install the LastPass Password Manager add-on and all your confidential data is back with you.

In conclusion, I will say that in the Google Chrome browser, its version for some reason has fewer settings (in particular, I did not find how to disable the compact toolbar to display the manager in the entire browser line). I will also mention that this password manager has not been tested in Opere.

A separate menu section is responsible. However, it is not convenient for all users - without synchronization enabled, this data is saved locally, and if the hard drive becomes unusable, fatal problems will arise with the operating system; it is easy to lose the saved authorization data without the possibility of recovery. In addition, even with synchronization enabled, the user is tied to a specific browser. Third-party tools allow you to avoid all these inconveniences while keeping your personal data safe. This particularly applies to LastPass, an add-on with a proven track record and useful features.

The main purpose of this add-on is to store all the passwords that you enter when logging in to websites in the cloud. Thanks to this, it is not at all necessary to be tied to one browser - just install the extension on another device, log in under the same account and easily access any sites for which passwords have already been saved previously. Creating your LastPass account is very simple:

1. Install the extension from Firefox Browser Add-ons using the site search or the link below.
2. Confirm the installation with the appropriate button.



3. After that, you will need to register in it: click on the LastPass icon that will appear to the right of the address bar, and click on the button "Accept".



4. A new page will open in your web browser where you need to go through the registration process. To begin, please provide a valid email address. The email address must be a valid email address so that if you lose your LastPass password, you can recover it.



5. The service requires a complex password: from 12 characters, containing at least 1 lowercase and 1 capital letter, as well as at least 1 number. Be sure to include a hint that will help you recover the key if you forget it.



Once your account is created, you will need to make your first save. It works like this: Open the site whose account password you want to save in LastPass. Go through the standard authorization procedure. The extension will ask for permission to save the password, confirm this with the button "Add".



As an experiment, log out of your account on this site, and you will see that even if you do not remember the password in Mozilla Firefox itself, the login information will be substituted. If you have several accounts from one site, click on the button in the login or password input field and select the desired option. Different authorization data from accounts will become available only after you log in to them one by one.



Local encryption

The peculiarity of this extension is that all encryption that occurs in LastPass is carried out locally using a unique key, which is why passwords, even in encrypted form, are not transferred to the company’s server. In this case, AES-256 and PBKDF2 SHA-256 technologies are used. Thanks to this, the user does not have to worry about entering confidential information into the add-on’s memory: unauthorized persons will not be able to recognize it. Additionally, each important action requires you to re-enter your password - this helps protect personal data from other users who are at the computer in your absence.

Personal Vault

Each registered user is given a profile in which he can manage various functions. To do this, click on the extension button and go to "Open my Vault".



The most important thing is that here you can view all the passwords you have ever saved in LastPass, sorting them and distributing them into folders.



For each password, if you click on the wrench button in the tile with it, you can configure several additional options: view login, password, add a note, folder, the need to enter a master password before substituting the password in the authorization form, enable automatic login to the site with these data, disabling autofill (this particular login and password will not be automatically entered into the appropriate fields on the login page for your personal account on this site). It is even possible to add a password to your favorites and send it to a person you trust by mail.



Despite the name, in addition to the passwords themselves, this extension allows you to store some other data. Namely: notes, addresses/phone numbers, payment cards, bank accounts. This way, you can quickly access any of this sensitive information using your computer, mobile device, or Apple Watch where the LastPass app is available. The same goes for them: notes, credit card numbers, etc. can be easily viewed, sorted, distributed. All this is also easy to edit and delete when some information turns out to be changed or outdated.



Here it is also proposed to take advantage of secondary features, which we will not dwell on, but will partially consider further (since they are part of the extension menu), and make some basic account settings. Unfortunately, there is no Russian interface language here.

View recently used login passwords

This item and others are called up through the menu, which can be opened by clicking on the extension icon, as we said above. Therefore, we will not dwell on this in the future, but simply indicate the names of the points. Now we will talk about "Recently Used".



A list of the latest logins and passwords that were used to log into the sites will appear here. This, by the way, is a convenient thing not only for the account owner himself, but also for privacy purposes. Data from here cannot be erased, unlike browser history, so if someone was at your computer and entered sites without your knowledge by looking in "Recently Used" you will definitely know about this, even if your web browser browsing history has been cleared.



By clicking on any item, you can either go to the site itself, edit authorization data, or completely remove the login/password combination from LastPass.



Viewing personal information

Previously, we clarified that in addition to passwords, notes, card numbers and other data are entered into the extension. Via point "All Items" you can not only quickly view them, but also add a new item. This is convenient because there is no need to go to your personal account. In the future, all this information can be used to quickly register on websites, pay for some purchases, and invoices without having to manually enter payment information.



Adding personal information

This very personal data can be easily entered into the extension by going through the menu to the section "Add item". Here you can choose from several thematic templates, where you enter the necessary information. Some of them are not applicable to our country, but in general the fields are relevant to fill out, and thus you can enter information about health insurance, driver's license, passport, etc. All this is subsequently available for viewing through your personal account.



Generating a complex password

The extension invites users to create complex passwords that cannot be cracked by attackers. Going to "Generate Secure Password", you are asked to set the length of the future key, indicate its type (easy to pronounce, easy to read, with uppercase, lowercase letters, numbers and symbols). If you don’t like the result, change its parameters or simply generate it again.



Additional account options

Besides all these features, there are also a few technical and non-essential features that some may find useful. In the menu section "Account Options" you will find the following additional options:






To summarize, it should be said that LastPass is a fairly functional extension that has no analogues in its benefits for all those who actively work with websites on the Internet. LastPass is not very suitable for beginners who do not want to understand its functions and are not going to pay for the provision of advanced features. After registration, you receive 30 days of premium use as a gift, after which you will have to purchase the PRO version according to the prices of the service (look at the list of options that open when you purchase Premium - you probably simply do not need them). However, LastPass is also successfully used for general password storage: using it, you can easily use different browsers and on different devices, automatically receiving and managing authorization data wherever this add-on is installed.