We've talked about passwords and password vaults a number of times in the past including here, here and here.
If you haven't read part 1 of this discussion, it's here.
Hopefully you are now convinced that you should be using a password vault, also called a password manager. Now what...?
Products & Costs.
A few years ago there were just a few key players in this field, but the list of products has grown and there are a number of good choices. I'll briefly mention four of the best known and provide some links where you can get more info.
- LastPass - the basic product is free. It has most of the features you'd want, but the free version only supports use in a web browser. If you want a mobile app and to support password fills in mobile apps then you need to get LastPass Premium, $1/month or $12/year.
- DashLane - this is another very popular product. It's free to download and use on any device. However to have your passwords synced across devices, a very important feature, you need to use the Premium product which costs $40/year.
- KeePass - this is well known and solid product. It always has been free and is open source. It was designed to support an exportable vault. That means the primary way to use this tool is to keep it on a thumb drive and plug it in to the computer you use it on. That can be either handy or inconvenient depending upon how many computers you have and how you do your work. With KeePassX you can store the vault in free cloud storage like GoogleDrive, OneDrive, Dropbox, etc. and can connect with apps on mobile devices.
- 1Password - many people like this product and consider it easy to use. It's design is similar to KeePass in that it's basic use is on a single system and you can share your vault using free online cloud storage services. It's free to download and there is a one-time license fee. There is also mobile support and that requires a valid license.
How to get started.
As always, I don't endorse specific products. I use LastPass because it meets my needs, so I'll focus on that for the examples below. You should look at some of the review articles and pick the product that you think will work well for you.
Once you've chosen what vault you're going to use, the steps to get things going are, for the most part, the same. I'll use LastPass as an example, but you will find similar steps with any of the products.
Download and Create an Account.
The first part is pretty easy. All of these products have download links on just about all their web pages. The basic download is typically a browser plug-in. LastPass has plug-ins for all the major browsers.
When you fire up the plug-in, you'll be asked to login or create an account. What you are creating is the "master password". This is the password that will be used to access or make changes to your account and to access your vault. So this is an important password - it's the only password you can't use your vault for. Well, to be more accurate, you can store your vault password in your vault, but it won't help since you need to enter it to access your vault. Make it a long password! It's really the only password you'll need to remember.
You can also setup 2-factor authentication for your vault. There are a number of options to do this and I highly recommend it. I use Google Authenticator, but there are other choices available.
The next step is to import any stored passwords from your browser into your vault. Now, I've discussed in the past that you should not use the native capability in browsers to store passwords. Some do this better than others, but this function has been successfully attacked in the past.
The install process will ask if you want to import passwords from your browser. You'll likely want to do that. Once imported, LastPass will alert you to duplicate or weak passwords.
Logging in to a site at which you have an account.
This is as simple as finding the site in your sites list, right clicking and choosing Go To URL. LastPass will bring up that site. If you've specified the login page the you'll be automatically logged in. If not, you may need to click a login link on the site. Some sites like banks and other financial sites break up their login process among a few pages so you may autofill the userid on one page and autofill the password on another. In any case, you won't need to know the userid or the password because the vault has this for you!
Adding new sites.
Adding sites is also very easy. When you connect to and log in to a site, if LastPass doesn't already have this site in your vault it will prompt you to ask if you want LastPass to save the site. Typically you'll say yes. You can also manually add a site by clicking the LastPass browser bar icon, then choose: Sites > Add Site. Either way, you'll see a box that looks like this:
If you auto-added the site then simply correct or add information in the fields as needed. If manually adding a site, then type in the information. In the Notes area you can include extra information like associated email addresses, secret question info or other account numbers or info.
Changing a site password.
Once you are logged into a site, such as Amazon, Facebook or other, you should change from your old, memorized, short password to a nice long random one! That's the whole point of having the vault!
How you change the password will vary from site to site. Typically you go to the "my account" page. There should be a link to "change password". You'll typically need to enter the old password (autofill by clicking on the 3 dots). Then you enter your new password. Here's where the fun begins.
At the right side of the "new password" field you'll see the "generate new password" circular arrow icon. Click on that to generate a new password. You can choose the length and what characters (upper case, lower case, numbers, symbols) will be in the password. I typically choose a length of 32 or the max allowed for the site, whichever is shorter.
Once you save the changes, LastPass will automatically detect the change and ask you if you want to update the record in your vault. If you have multiple accounts for that site, it will ask you which of the accounts should also get this update. Very easy!
Customized Form fills. , cc, checking info, airline info, other loyalty membership info.
In addition to saving basic login info, you can save whatever other you want for each site including membership number, "secret questions" and answers or other info.
There are also customized info you can store to fill forms. Choose Form Fills > Add Form Fill Profile. You can give the new profile a name, like "form fill 1". Then add information like your name and address, credit card info, bank account info, or other custom fields
I find that a real value-add is using my vault on my phone. LastPass has a separate app (fee). I can then get to all my data while I'm on the move. I can also fill in information in other mobile apps. There's probably too much to explain about how this works, but here is the LastPass Android FAQ, and here is the iPhone FAQ. (if you're on Windows or Blackberry then get a real phone! :-))
Here's an article explaining why the author feels that DashLane is the best password manager for Android.
I think one of the most important features of using a vault is the ability to check for weak or duplicate passwords. LastPass typically alerts you to this on a site-by-site basis, but you can also run an overall assessment. To run the challenge, click the LastPass icon in the browser toolbar, then choose More Options > Security Challenge. Click on Show My Score.
OK, that's quite a bit to absorb! It's really not hard... just get in there and start.