Review: LastPass password manager
by Steve Ragan - Jul 27 2009, 20:00
The next in our series of password manager reviews is LastPass. Like RoboForm, LastPass is an add-on to your browser, and offers many of the same core features. However, there are some obvious differences. The Tech Herald tested LastPass 1.51.2 on Firefox and Internet Explorer 8, and we were pleased overall with the results, as you can read below.
LastPass is a relatively new addition to the world of password managers. However, it started with the aim to be the best online, and the first step to that was cross-platform usage. To this end, LastPass will work on Linux, OS X, and Windows. Firefox and Internet Explorer are supported, Safari support is on its way, and USB drives can be used for support without installing. Mobile support is available for $1 USD monthly, supporting Android, BlackBerry, and Windows Mobile. LastPass says iPhone support is coming, and YubiKey support is included in the monthly fee as well.
Many people compare LastPass to RoboForm. They are similar, but several differences keep them from being exact clones. Overall, you can safely say that LastPass is a free alternative to RoboForm, as the basic functionality is there. During this review, we will compare the two often, since this is what many people suggest as an alternative. The heavy comparison is the reason for the length of this review.
RoboForm has more options, but LastPass compensates for this by offering easier-to-access central control. The standout difference between the two is the installation process. RoboForm installs quickly, and the main setup step is to create a master password and watch the tutorials. LastPass will require that you create a master password as well, which is actually the same password needed for your LastPass account, but there’s much more to do before the service is ready to use.
Installing LastPass starts by selecting a language, followed by installing the components needed for Internet Explorer and Firefox. (Both were used during our test.) If you opted for the advanced install settings, the difference is that you have granular control over what browser is configured as well as desktop shortcuts for the Vault, and who the application is installed for, such as the currently logged in user, or everyone on the system.
Moving forward, you will need to create a master password as well as set up your LastPass account. The master password is used to access the account, offer layered security to various options, as well as unlock LastPass within the browser. The master password is also graded according to strength. If you need help, LastPass offers to generate one for you and allow you to pick from a list. However, while they offer this option, they would prefer you not use it, as it is best to pick a password on your own.
The account creation process is simple enough, but like other password managers, you are warned that this master password cannot be recovered. LastPass will send you an email with a pre-defined reminder, but that is it. If the reminder isn’t enough to jog your memory, then the account is a lost cause. LastPass also reminds you to make sure that the reminder isn’t something someone else can use to guess at your account password. If that happens, the security could be compromised, so the reminder and master password should be unique to you alone.
After this step, you will need to opt in to allow LastPass to keep a history of logins and form fills, as well as agree to the EULA and confirm you’ve read the privacy statement. The next step is where you confirm your master password, which seems out of place, but that’s an opinion and not a real negative on the testing.
LastPass will scan your system during installation and look at the stored passwords within the installed browsers. It will import them for you, and if there are any stored, it is wise to let this process happen. (You can say no and it will not import a single item.) After this import is complete, LastPass will ask to delete the imported passwords from the browser so they do not exist in more than one place. If you delete them from the browser after import, the only place they will exist is encrypted on your drive. It should be noted that this wasn’t done during the installation of RoboForm.
Now you move onto the form filling setup. You can skip this step, but considering that it is part of the overall offering, it would be smart to use it. Like RoboForm, LastPass will store plenty of information about you. Both will encrypt and secure this information, but you need to have a good deal of trust to use it.
Our suggestion is to stick with the basics, such as information needed to register for new accounts online and skip the other stuff. LastPass will allow you to auto fill all the normal personal information (Name, Address, Phone, City, State, Zip), as well as Social Security Numbers, Banking information (though not as detailed as RoboForm), as well as credit card information. You can also create profiles and store information on a number of users or levels of account information.
Since you are still in the setup at this point, we recommend that, in addition to using the auto fill functions for forms, you layer the security as well. You can check a box on the auto fill form that will require the master password be entered before any forms are filled out. This prevents information from being entered when you don’t want it to.
After all of these steps, the last installation requirements are to select if you want to remain logged into LastPass (recommended) or use an auto-logoff. You can go either way here, but we suggest auto-logoff on shared computers. You can also make the LastPass Vault your start page when the browser is launched. (This step was not used during testing, and for basic security isn’t recommended. If you need the Vault, call it on demand.)
Lastly, all you need to do is select finish, and watch a 72-second video. This video explains how to use LastPass, and there are several other tutorial videos on the LastPass site. Much like RoboForm, you should watch this video, as it covers exactly what you need to know.
Out of all the reviews so far, LastPass had the longest setup process. However, this is forgiven, as once everything is complete, LastPass is ready to go with very little management needed from the end user. You can adjust settings and use other features by accessing the Vault. However, the basic usage controls and the features that the majority of users are expecting will work instantly after the installation is complete.
Another note is that during installation, there was a clear explanation of what information was being asked for, as well as what options are available to the user. You’ll find it difficult to get lost during the installation, as LastPass works hard to make it as painless as possible.
There is a clear and noticeable difference in usage between LastPass and RoboForm. For example, the toolbar is a single icon on the right side for LastPass when we tested it on Firefox. The icon will appear on the left side in Internet Explorer 8. You can move it if desired, as depending on the toolbar settings for IE it might take a whole row. Yet, RoboForm takes up a whole row with their toolbar regardless of browser. Locating options and other features was slightly easier within LastPass than it was with RoboForm. At the same time, when it comes to options and features, RoboForm will edge out anyone who wants to compete.
Since you watched the video after the installation, you already know how LastPass will work. The other tutorials, as well as the LastPass documentation (which uses examples and images), will cover the other features. Yet, this is another difference. At this stage, you know how to use and what to expect from LastPass. With RoboForm, there were several video tutorials to watch before you got over the learning curve. Both RoboForm and LastPass offer great documentation and support, so for basic usage, it will really come down to personal preference.
If you imported any saved passwords, then the first time you visit one of the imported sites, you will clearly see that LastPass is working.
Loading the test site, Google, LastPass used a browser notice to prompt us to allow the username and password imported during installation to be auto filled. There is also a clear visual of what fields LastPass has filled in. At this point it is worth mentioning that during usage for RoboForm, this visual cue is missing. RoboForm will use the toolbar to alert you to a stored password, but nothing like what you see in the image above.
Like we did with RoboForm, we created a new account profile online. In this test, we went to Yahoo and created an account, with the expectation to test LastPass’ password generation and form filling features. Once the account registration appeared for Yahoo, LastPass issued a browser alert and asked for permission to do two things. The first was auto fill the registration form with the information we entered during the form fill part of installation. The second was generating a password for the account.
Once the registration form on Yahoo was completed, LastPass offered to save the information. We skipped this, and denied the save. This is because of the account registration process used on RoboForm. With RoboForm you needed to complete the account registration, and then log in using your username, pasting the RoboForm generated password into the field, before RoboForm would create a PassCard for future use.
We had no idea if this test would work, as LastPass never mentioned that there were other options to save login data during the Yahoo registration. However, going on the assumption that both RoboForm and LastPass are similar in function and the generated password was reported as saved, we took a gamble. It paid off.
Entering the newly created Yahoo username into the proper field and right clicking on the password field and accessing the LastPass menu options, we were glad to see there was the option to copy the password for Yahoo. Once pasted into the password field, LastPass once again offered to store this data for future use the second we logged into Yahoo.
When it comes to forms and logins, both RoboForm and LastPass will allow automatic login to a managed site. However, while automatic login is instant, for both RoboForm and LastPass, the visual cue used by LastPass will remain. During testing the automatic login worked just as well as RoboForm’s did.
We were surprised that while RoboForm offers the ability to launch automatic login from desktop shortcuts, the only way to do this in LastPass is to use the toolbar, under Sites, or by using the links in the Vault.
Other notable usability comparisons include import and export options. With LastPass you can import from almost any password manager, including RoboForm, but with the export options, you can only export to a CSV, the format used by the current browser, or a LastPass encrypted file.
In contrast, RoboForm will back up data only to RoboForm formats for use with synchronization. This is a plus for RoboForm, because data backed up in plain CSV format is in clear text. The safest format for LastPass would be the encrypted LastPass setting, in our opinion. If you are going to remove LastPass, then exporting to the browser would be the best bet.
Another option, offered by RoboForm and LastPass, is an onscreen keyboard. You can use this to enter the master password if you want for another level of security. Both RoboForm and LastPass can store notes and other information securely, so if you want those options, you can have them. However, they are a bonus to the overall aim of the software, which is securely managing account passwords so you don’t have to.
Overall, there is a good deal to compare between RoboForm and LastPass. Both are great applications and performed well during our testing. We can easily recommend LastPass, and if pressed on the issue, would do so over RoboForm. (KeePass offers some of the same features as RoboForm and LastPass, but remember that it is mostly a desktop-based product and not really on the same level as these two.)
Why would we recommend LastPass over RoboForm? Despite the fear some have about storing information online in a central location such as LastPass does, it is an easier application to use. Both RoboForm and LastPass support the two most popular browsers, and they both offer the same basic features. While RoboForm will cost money if you want all the options, even RoboForm offers a free version, so cost isn’t an issue.
The bottom line in this comparison review was how easy it was to get things up and running. LastPass took a long time to install, as you perform all of the needed setup and configuration during this process, but after that, you can leave it alone for the most part.
RoboForm has a learning curve, and once you are past that, it’s simple enough to use for the basic operations. However, digging into the options and configurations to get things running to that point could be a huge hurdle for some.
The point of password management is to make it so the user can create and use strong passwords, and never need to remember them as the management software does all the work. However, if the process is difficult on the user, then the security offered by the management program fails and the application is useless.
LastPass was simply easier to use, and because of this, the majority of users who try it out will likely never use anything else for their password needs.
Download LastPass from https://lastpass.com and give it a spin. Long setup or not, it's worth the effort.