Generate and Store Secure Passwords with LastPass

The 'Heartbleed' bug that has affected most of the internet's popular websites has exposed usernames and passwords along with other secure certificate data. Even after a site has fixed this bug, it's still essential for everyone to change their passwords because the data could have been intercepted before the site was patched. This is a great opportunity to create more secure passwords, and to start using a password vault like LastPass.

LastPass is a cross-platform, "trust no one" system, meaning not even employees of LastPass or the government can see any data stored in it. LastPass is free to use in a desktop web browser, with a premium version for use on mobile platforms for $12 a year. Here's how to install and get started with LastPass:

First install LastPass and create an account at This will install as an extension to your browser. It's important to create a strong password for LastPass because this will be the key to access all of your passwords. A good way to create a secure, yet memorable password is to use a mnemonic. For instance, use the first letter from each word in a phrase from a book or movie. Make some of the letters capital where it makes sense, and include punctuation. Then add "padding" to this by adding a zip code where you grew up, or a childhood phone number. In the "password hint" field, make sure it's vague enough that no one else will be able to figure out the password.

Once it's installed, click on the asterisk symbol next to the URL bar and log in. Now when you click on the asterisk, you'll see a list of menu items. The Vault is where all of your passwords will be stored. To add a site to your vault, go to the login page of the website you'd like to add. When you get to the username and password fields of that site, you should see the LastPass asterisk symbol appear on the right-hand side of each field. Every site is different, however, so it is possible that it won't appear this way. After you log into the site, you should notice a blue bar at the top that asks if you'd like to save that site. If this doesn't appear, you can click on the asterisk inside the password field of the site's login page and then choose "Save Site" from the dropdown menu.

Now that a site is saved, it will be added to the Vault. This is where you can see information about the entry and edit it. You can put it into a group to organize it, and make it a favorite so it shows up at the top. Once the entry is saved, when you visit that website, LastPass will fill in your username and password. It will also show you how many passwords are saved for that site in the login fields. If you have more than one account, you can select which account you want to log in with.

LastPass can generate very secure passwords as well. There's an option to do this from the dropdown menu accessible from the password field of a site, or from the main LastPass menu. You can choose how many characters long the password should be, whether or not it will contain special characters, how many digits will be included, and more. It also has an option to avoid ambiguous characters so that it'll be easier to read if you have to type a password by hand. Leo recommends making a 20 character password if the site allows it.
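The generator options described above (length, special characters, a minimum number of digits, avoiding ambiguous characters) can be sketched as follows. This is an added example, not LastPass code: the function names, the `SPECIALS` set and the `AMBIGUOUS` set are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed character sets; the page does not list the ones LastPass uses.
SPECIALS = "!#$%&*@^"
AMBIGUOUS = set("Il1O0o|`'\"")


def build_alphabet(use_specials=True, avoid_ambiguous=False):
    """Return the pool of characters the generator may draw from."""
    chars = string.ascii_letters + string.digits
    if use_specials:
        chars += SPECIALS
    if avoid_ambiguous:
        chars = "".join(c for c in chars if c not in AMBIGUOUS)
    return chars


def generate_password(length=20, min_digits=2, use_specials=True,
                      avoid_ambiguous=False):
    """Generate a password with at least min_digits digits, using the OS CSPRNG."""
    if min_digits > length:
        raise ValueError("min_digits cannot exceed length")
    alphabet = build_alphabet(use_specials, avoid_ambiguous)
    digits = [c for c in alphabet if c.isdigit()]
    # Satisfy the digit requirement first, then fill from the whole alphabet.
    picked = [secrets.choice(digits) for _ in range(min_digits)]
    picked += [secrets.choice(alphabet) for _ in range(length - min_digits)]
    # Shuffle so the required digits are not always at the front.
    secrets.SystemRandom().shuffle(picked)
    return "".join(picked)


def entropy_bits(length, alphabet_size):
    """Upper bound on entropy; ignores the small loss from the digit rule."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pool = build_alphabet(avoid_ambiguous=True)
    print(generate_password(20, min_digits=4, avoid_ambiguous=True))
    print(f"about {entropy_bits(20, len(pool)):.0f} bits from {len(pool)} symbols")
```

Avoiding ambiguous characters shrinks the pool slightly, which costs a few bits at 20 characters and is easily offset by the length.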

The passwords in your LastPass vault are synced to all of your computers and mobile devices. Passwords are stored with LastPass in an encrypted form that they cannot read. There are settings in LastPass to make it even more secure, though. Go to your LastPass Preferences, then select "Account Settings." Under General, make sure the "Password Iterations (PBKDF2)" is set to 5000, as recommended. This makes it harder to brute-force passwords. You can choose to only allow logins from select countries, disable logins from Tor, keep track of login and form fill history, kill other sessions on login, and more.
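Why the iteration count makes brute-forcing harder: every guess at the master password has to repeat the full PBKDF2 computation, so the cost per guess grows linearly with the setting. The following is an added example, not LastPass's implementation; the hash (SHA-256), the random salt, the key length and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time


def derive_key(master_password, salt, iterations):
    """Stretch a master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def verify(candidate, salt, iterations, stored_key):
    """Check a candidate password; every check pays the full derivation cost."""
    return hmac.compare_digest(derive_key(candidate, salt, iterations), stored_key)


def seconds_per_guess(iterations, samples=5):
    """Measure the average time one password guess costs on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def years_to_search(entropy_bits, secs_per_guess, guessers=1):
    """Expected years to find a password: half the search space on average."""
    expected_guesses = 2 ** entropy_bits / 2
    return expected_guesses * secs_per_guess / guessers / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for n in (1, 500, 5000):
        cost = seconds_per_guess(n)
        print(f"{n:>5} iterations: {cost * 1000:.3f} ms per guess, "
              f"{years_to_search(40, cost):.1f} years for a 40-bit password")
```

The stretching multiplies the attacker's cost by the iteration count but does not rescue a weak master password, so the setting complements a strong password rather than replacing it.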

You'll also find Multifactor Options in settings, and Leo recommends enabling it. This requires a second factor of authentication the first time you log into a site on a new device. There are several methods of second factor authentication you can choose from, including Google Authenticator. LastPass will provide a QR code that can be scanned using the Google Authenticator app. There's also an option that requires prior authentication before allowing a login to LastPass from a computer or mobile device.

LastPass has the ability to add other information securely. For instance, you could store your Google Authenticator QR code or even Social Security numbers in LastPass. Credit Card numbers can be added in the Form Fill section, so that LastPass can autofill that information when needed.

LastPass will audit all of your passwords and tell you how secure everything is. It checks to see if you are using a password more than once, what passwords may need to be strengthened, your overall ranking and more. It even has a Heartbleed check that will tell you if an affected site has fixed the problem, and whether or not you should change your password.

LastPass is a very secure vault. There are others including Roboform AI, 1Password, and the open source KeePass, but LastPass has been vetted by security expert Steve Gibson. Its "trust no one" encryption ensures that only you can see your information. Not only is LastPass secure, it also makes it very easy to sign up to new sites, log in to existing accounts, and pay for things with your credit card. This lets you be as secure as possible, all with a single password.

- Watch Leo's Introduction to LastPass
- Get LastPass (Free for desktop, $12/yr for mobile)