Wednesday, October 19, 2016

Using a Password Manager

Using a password manager has been something I have toyed with for a number of years.  With more and more services being hacked and data being exposed, my normal approach of simply tiering passwords by application importance just wasn't cutting it anymore.

You only have to follow haveibeenpwned on Twitter to see how many data breaches have been loaded into the service run by computer security legend Troy Hunt.

So I decided to give it a go.

User Experience

Now my biggest concern about using a password manager was the user experience, especially when using it on a machine that I cannot load extensions on, e.g. my work XenApp server.

I had a quick look through the options and initially tried 1Password as it had a 6-month free trial.  I quickly dismissed this as an option for a couple of reasons.

1.  The login process on the webpage was a bit more complicated than it needed to be.  When going to the web interface, you had to enter "my" in the text box shown below and press continue.  Seems odd; I suspect it is because you could host the vault in your own location.

What?  Entering "my" and pressing enter gets you through.

2.  There isn't a full-featured Windows application or Chrome extension on Windows.  This made it pretty laborious to add new passwords or auto sign in to applications.

After this, I looked at LastPass.

I was immediately more impressed.  The 14 day trial was nice but only allowed access to use from one device, which was frustrating.  The pro service is only $12 a year though, so I stumped up the cash and really went to town.

Now...I would love to show you some screenshots and talk you through my setup, but I don't really fancy publicly showing which sites and services I use!

Below is a screenshot from the LastPass website which shows the interface listing the websites you have saved.  You can use this as a launchpad to open your web applications.

So far so good, but what about machines without the ability to install extensions?  Well, going to lastpass.com and logging in with your master password brings up the same interface.  You can't launch the applications natively, but you can copy the passwords to the clipboard and paste them in.

Some services will try to stop passwords from being pasted in, to try and make things more "secure".  This isn't a great idea, and if you want to read more on this, check out this blog post from none other than Troy Hunt.

Generating new passwords
After installing the extension in Chrome (or equivalent), when you try to sign up to a new service, you will see an icon which allows you to generate a new random password.

How easy is that!

Saving existing passwords
When logging in to an existing website, you will be presented with a banner asking to save this site.  If this is not appropriate, you can say never, which will stop it from popping up for that site.

Mobile
What about mobile?  Well, I was very impressed here.  The mobile app comes with a built-in browser which can be used to auto login to web applications.  But what about native apps, or if you just prefer using something like Chrome?

LastPass makes use of the accessibility options in Android.  This allows it to read the contents of the screen and paste your login credentials into the appropriate fields.

In practice, when logging into the MyFitnessPal app, you can open the LastPass helper and it will either auto fill the screen or let you copy/paste the password.

LastPass also allows you to use Google Authenticator as two-factor authentication when logging into your vault from a new device.  As you are putting a large emphasis on one master password, two-factor authentication is an absolute must!

Conclusion
The process of moving old accounts over to using new randomly generated passwords took a bit of time, but overall I am very pleased.  I think having a password manager has taken a lot of stress away from me when signing up for new services.

I don't have to try and categorise a website and choose an appropriate password.  I don't have to worry about websites' weird password policies and whether I have had to make odd variations to an existing password.

I just sign up, use a randomly generated password, save it, and forget about it.

Now, is LastPass the right platform?  It works well for my needs, but I am sure other managers would work perfectly well for other people.  Let me know if you use a password manager and how it works for you.
