Generating, remembering and maintaining a unique password for every account is challenging, and at scale it becomes practically impossible. As the number of mandatory passwords and the required length and complexity grow, people fall back on risky alternatives such as writing passwords down or reusing one password across several applications.
A password manager largely removes this problem, and IT User Support strongly recommends using one, such as LastPass.
LastPass, like other password managers such as 1Password, keeps your passwords in an encrypted vault and makes it practical to protect your online identities with long, random, hard-to-crack passwords.
LastPass runs as a browser extension and stores, manages, and automatically supplies account name/password pairs to web applications. As you enter login credentials into a web application, LastPass offers to save them in your encrypted vault. When a site prompts for credentials, LastPass identifies the matching entry and autofills it, or completes the login as you direct. The only password you need to remember is your master password, which you enter once at the start of a browser session to unlock the vault.
In addition, LastPass provides many other useful features including:
- All your log in information is available on any device you use
- Integration with iPhone or Android phone browsers
- Ability to identify if you are using a weak or repeated password and easily fix this problem
- Ability to securely store other critical pieces of information such as notes
- Support for automatically resetting passwords with many applications
- Ability to link and unlink personal LastPass accounts
- Ability to generate very strong random passwords that are unlocked by your master password, so you can set an account's password to an autogenerated value that you never need to remember or type yourself. Because you never see or reuse the generated password, forgetting it or inadvertently disclosing it becomes far less likely.
Upon termination, LastPass accounts will be automatically disabled and held for 6 months after which user accounts will be deleted.
Follow these steps to get up and running quickly with LastPass:
- Go to the Software Download Page (https://software.lbl.gov) and request a software license; it is free
- Download and install the universal installer for your operating system from https://www.lastpass.com to make activation of your account seamless when receiving your LastPass invitation
- An email invitation from LastPass will be sent to your Berkeley Lab Identity account, accept the email invitation
- Change your Master Password to a passphrase you will remember. Warning: LastPass administrators cannot recover your account, so do not forget your master password
- Enter a Master Password Reminder
- Log out of your LastPass account and log back in using the browser add-on/extension rather than the LastPass.com website. Logging in through the extension stores a one-time password locally that can be used to recover your account if you forget your master password. Note: also log in from a second browser, so that you keep that option if you clear one browser's cache, which removes the locally stored one-time password and with it that browser's recovery option
- Set up an SMS Account Recovery Phone number
- Set up options for a Master Password re-prompt to protect your vault
- Set up a Security Email and test it
- Set up Multifactor Authentication with LastPass Authenticator
- Set up Trusted Devices, Note: these devices are only trusted for 30 day periods and must be reauthorized after 30 days
- Add Sites, Secure Notes, and any Fill Forms
- Run the Security Challenge to find weak, duplicate, or otherwise risky passwords
- Address any weaknesses in your password strategy
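To make the two vault-hygiene steps above concrete (generating strong random passwords, and finding weak or reused ones the way the Security Challenge does), here is an added, stand-alone example; it is not code from LastPass or from this page. It audits a constructed CSV in the shape of a LastPass export (the column layout `url,username,password,extra,name,grouping,fav` is an assumption; check your own export's header) and proposes CSPRNG-generated replacements for every flagged entry. The thresholds (12 characters, 60 bits, the short common-word list) are example policy values, not LastPass's.

```python
import csv
import io
import math
import secrets
import string
from collections import defaultdict

# Constructed sample in the shape of a LastPass CSV export (made-up entries).
# The column layout "url,username,password,extra,name,grouping,fav" is an
# assumption; check the header line of your own export and adjust if needed.
SAMPLE_EXPORT = """url,username,password,extra,name,grouping,fav
https://mail.example.com,alice,Summer2017!,,Mail,Work,0
https://wiki.example.com,alice,Summer2017!,,Wiki,Work,0
https://vpn.example.com,alice,password123,,VPN,Work,1
https://bank.example.net,alice.smith,q7$Vb!29kLm#Pz4w,,Bank,Personal,0
"""

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12          # example policy thresholds, chosen for this demo
MIN_ENTROPY_BITS = 60.0
COMMON_WORDS = ("password", "summer", "winter", "welcome", "letmein", "qwerty")


def estimate_entropy_bits(password):
    """Upper-bound entropy assuming each character was drawn uniformly from
    the union of character classes present. Real attackers use dictionaries,
    so this is only one of several checks, never the sole verdict."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def weakness_reasons(password):
    """Return the list of reasons a password fails the example policy
    (empty list means it passes)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("short")
    if any(word in password.lower() for word in COMMON_WORDS):
        reasons.append("common-word")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        reasons.append("low-entropy")
    return reasons


def generate_password(length=20):
    """Random password drawn from the OS CSPRNG via the secrets module,
    redrawn until it passes weakness_reasons(), so callers never get a
    password the audit itself would flag."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not weakness_reasons(candidate):
            return candidate


def audit_export(csv_text):
    """Flag reused and weak passwords in an export, in the spirit of the
    Security Challenge. Returns {entry name: [issues]} for flagged entries."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    entries_per_password = defaultdict(list)
    for row in rows:
        entries_per_password[row["password"]].append(row["name"])
    findings = {}
    for row in rows:
        issues = []
        if len(entries_per_password[row["password"]]) > 1:
            issues.append("reused")
        issues.extend(weakness_reasons(row["password"]))
        if issues:
            findings[row["name"]] = issues
    return findings


def propose_replacements(csv_text, length=20):
    """Map each flagged entry to a freshly generated strong password."""
    return {name: generate_password(length) for name in audit_export(csv_text)}


if __name__ == "__main__":
    for name, issues in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(issues)}")
    for name, new_pw in propose_replacements(SAMPLE_EXPORT).items():
        print(f"{name}: replace with {new_pw} "
              f"({estimate_entropy_bits(new_pw):.0f} bits)")
```

Run against the constructed export, the audit flags Mail and Wiki (same password reused, short, contains a dictionary word) and VPN (short, dictionary word, low entropy), and leaves the Bank entry alone. The entropy estimate is deliberately only an upper bound, which is why the length and dictionary checks sit beside it: "Summer2017!" scores above 60 bits on character-class arithmetic yet is a trivially guessable pattern.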
For further information, see Getting Started with LastPass.
The Laboratory currently supports 1Password as its password manager, but that support will be deprecated as of August 31, 2017, and LastPass will become the password manager of choice. LastPass encrypts vault data with AES-256. Encryption and decryption happen on your device: the contents of your vault are never readable by LastPass, and your master password and the keys derived from it are never sent to, or accessible by, LastPass servers. This design means a compromise of LastPass's servers does not by itself expose your passwords; the security of the vault therefore rests on the strength of your master password.
LastPass provides additional features that 1Password does not at this time. They are:
- Two-factor authentication to access password vault
- Push tokens
- Support for Linux
LastPass Best Practices
- Always log into LastPass via the browser plug-in/extension.
- Log into LastPass from at least two different browsers each day so that your encrypted vault is cached in each. If you clear one browser's cache you still have the copy in the other; this matters if you need to revert to an old master password to recover after losing the current one.
- As soon as your account is activated, add a mobile phone number to it and keep it up to date. If you lose your master password, the SMS recovery process lets you recover to a one-time password.
- How do I use LastPass from a mobile device?