I have been using a freeware product called “password safe”, and it was OK, but using it at work and at home meant I had to keep two databases up to date, which was a pain.

However, thanks to a tip from my friend Jeff, I just switched all my stuff (home and work) to LastPass (www.lastpass.com)

Why did I do that, and why would I tell the world where all my passwords are?  Well, it’s a really great system, and ULTRA secure.

In a nutshell, it stores your stuff in the cloud, but in encrypted form. Encryption happens on your computer, so they never have your unencrypted information, and have no way of getting it either! They also never store your personal information, or userid, or password in unencrypted form. So their system only contains encrypted blobs which are useless to anybody without the decryption key (your userID and password). So, they can cooperate fully with the FBI or foreign governments, and give them all the data they want. It’s still useless. There isn’t even any way of knowing who owns which blobs of encrypted data. How cool is that!  Well OK, so it’s probably only really cool to security geeks like me.

Anyway, you can store passwords & sites, and it will auto-fill for you when you go to log in with your browser (if you want – you can decide on a site by site basis). In addition, you can store personal info and credit card info on there and it can form-fill for you when you are at a checkout form on a website. You can also store notes of arbitrary text data, for any purpose you want. It generates passwords for you.

What! Put my credit card data out there? Are you nuts?  Well possibly, yes, but that’s another subject.  But yes, it’s secure enough to do that.  Once you "get” the security model, it’s clear that anything you store in this “vault” is accessible only by you, and so go ahead and use it for any bits of information, not just websites and passwords!

I mentioned that the system can generate passwords for you.  Here’s why that’s useful:  Most people tend to use 1 or 2 passwords for everything they do.  That means that if somebody learns, or guesses your password, they have access to a TON of stuff.  This is what we in the security business call “bad”.  If you use the system to generate a password for you when you sign up to access a website, it generates a nice secure password that is really hard to hack, and you would never remember it; but you don’t have to!  The password is stored with the site information, and when you go to that website, it automatically logs you in.  You never really even have to SEE that password.  You can view it if you want, but it’s not necessary. 

If you do this, not only are you creating logins for websites with a GOOD password (instead of the lame ones most of us use because they are easy to remember), but each site is different.  So in the unlikely event that somebody manages to get one of your passwords (no idea how that would be possible, but maybe a key logger on a public coffee-shop computer or something – work with me on this), then they only have access to one website because all the other websites you access have different passwords.

Another distinction is that since your information is stored “in the cloud”, you can access it from anywhere.  So, even if your computer dies in a fire, your important information is still out there.  If you use multiple computers, like I do, then this is really convenient because you don’t have to worry about keeping multiple databases of passwords up to date.  Any bit of information you store on one computer is available to you on any other computer.  Handy!

In addition to just storing stuff, you can share your passwords or notes selectively with other people. For instance, if I have a website with my personal login, and I want to give you access to it, I can either share the whole entry with you, allowing you to see the password, or I can share however much of it I want. This lets you use it by double-clicking (it then launches a browser, goes to that webpage, and logs in for you), but doesn’t let you see my password. Also, I can revoke the share any time I want.  This would be great for an employer to give an employee access to some business site (the company bank account, for instance), but without giving the employee the password.  They can do their job, but if they leave the company, there are no worries about having to run around and change the password – you simply revoke the share to that person!

They have a “premium” mode which is $12/yr which allows you to access all this from a mobile device too, and from a browser without installing their plugin, and also allows you to sync shares. So, if I’ve shared a login with you, and I change the password on my side, yours gets automatically updated.

If you want even MORE security, you can go for “two-factor authentication”. http://www.yubico.com/yubikey is inexpensive ($25 each, quantity 1), and works like an RSA token, but is actually a bit more secure because there is no LCD readout, and you never see the digits. If you buy a yubikey, they have a bundle where you can get a key and a year’s premium lastpass subscription for $30 (I wish I’d seen that before I sent my $12 in – LOL)

Anyhow, its very cool technology, and I have yet to read anything about this that’s negative.