Do you use the same password for more than one site? Most websites? Is your password less than 16 characters? Do you constantly reset passwords because you don't remember them? If you had a "Yes" anywhere in there you're doing it wrong.
The biggest problem most people have with passwords is how darn hard it is to remember a random 16-digit string of characters for each of the hundreds of sites you check every year.
LastPass is security software that manages all of my passwords. I have been using it since they started in 2008. It creates passwords for me, keeps track of them and fills them in for me. Best of all, it doesn't know or store my passwords.
"But wait . . . " I can hear you saying, "Doesn't that mean if someone has my LastPass password they own me?". Not unless you do two things you shouldn't: Set a crappy password for your email or fail to use the multi-factor authentication option. But we'll get back to those. Let's talk about why LastPass is awesome.
LastPass learns your passwords automatically
Once you add the LastPass extension to your browser it will offer to save any passwords you enter. It works exceptionally well on pretty much every site I've tried. In fact, when you first load it, it's going to search your machine for insecure passwords. Once it finds them it will offer to save them and clear them from your machine. Accept this offer.
LastPass fills in your passwords for you
LastPass will enter your user id and password for you. You can also choose to auto-login and you will just skip past the login page. This works pretty much everywhere I've tried. The few times you have trouble you can right-click and use the LastPass menu to copy and paste your username and password for the site. It can paste nearly everywhere, even in places where you usually can't paste.
It works everywhere
Windows, Mac, Internet Explorer, Firefox, Safari, Chrome, Android and iPhone. If you want to use it on mobile platforms, you'll have to pay $12 a year for the app (more on that below) but it is definitely worth it. Recent updates mean you can use LastPass to log in with your phone's browser, which works especially well with the iPhone thumbprint reader.
It fills in your address and credit-card forms
Enter as much or as little info as you want - name, gender, birth date - and you can use LastPass to fill out online forms. And you can save multiple identities. Click the fill form button and watch the fields fill with your preset answers. This saves me tons of time when setting up new accounts or filling out shipping info and is indispensable for managing several credit cards and addresses. This also evades clever key-loggers which can pick up your credit card info without you having any idea.
Yes, free. You can pay $12 for a year of premium features and it is worth all 1,200 pennies. Mostly because that means you get access to the mobile version. It helps with the frustrating combination of tiny screen, slow Internet and complicated password. All your passwords are a click away. Mobile versions are available for the iPhone, BlackBerry, Windows Mobile, Android, Symbian S60, and Palm webOS.
You can share passwords without anyone knowing them
LastPass would be worth it for this alone. I work on several sites that I need other people to have access to. Rather than send them my password - which is dangerous on multiple levels - I can share access to my site and they'll never be able to see the password. Both parties need to have a LastPass account but hey, both of you should. The best part is if you change the password it will push the changes to everyone you've shared it with so you don't have to update anything (you can turn this off). You can also revoke access at any time. This has changed security management at several companies I've gotten to try it.
Make your passwords more secure
Since you don't have to remember them you can make your password insane. Most of my passwords are 17 characters and include uppercase, lowercase, symbols, and numbers. I let LastPass create them according to my settings.
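A generator with those settings (17 characters, all four character classes) could look like the sketch below. This is an added example, not LastPass's own code; the symbol set and the function names are assumptions.

```python
import math
import secrets
import string

# The four character classes the post names.
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "!@#$%^&*()-_=+[]{};:,.?",  # constructed symbol set; sites differ in what they accept
)


def generate_password(length=17):
    """Return a random password containing at least one character of every class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    # Rejection sampling: draw every position uniformly from the full alphabet
    # with a CSPRNG and retry until all classes are present. This avoids the
    # positional bias of "force one character per class, then fill the rest".
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def max_entropy_bits(length=17):
    """Upper bound on entropy in bits: length * log2(alphabet size)."""
    return length * math.log2(sum(len(cls) for cls in CLASSES))


if __name__ == "__main__":
    print(generate_password(), f"(up to {max_entropy_bits():.0f} bits)")
```

The `secrets` module draws from the operating system's cryptographic random source, which is what a password generator needs; the general-purpose `random` module is not suitable for this.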
Keep track of all your passwords
What's the worst part about logging into a site you haven't visited in a while? You have no idea what your username is, much less your password. You don't even remember what email you used. One of the most satisfying parts of using LastPass is when you are visiting a site you haven't been to in forever and LastPass just fills it out for you.
Defeat the key-loggers
Key-loggers record every keypress. More advanced ones record mouse movements too. If someone sneaks a key-logger onto your machine they won't see your passwords because you're not typing them anymore. In case you're wondering how to avoid the key-logger when signing in to LastPass itself, you can use a digital keyboard for that too. This is especially important when you consider that many employers can legally record your every keystroke. Let that soak in for a bit.
But, is it safe . . . ?
As I said above, LastPass does not know or store your passwords. All encryption/decryption takes place on your machine or device. But let's talk about the biggest problem with these kinds of systems: user error.
First, your email password. It should be super-secure since you can use it to reset pretty much all of your passwords. Follow Edward Snowden's advice and use a passphrase rather than a password. purplezebraslikeeating74Hippos is infinitely better than 1234568 (you're not fooling anyone with that missing 7).
Anything less than 12 characters or without symbols is useless. U-S-E-L-E-S-S. Read more about how long it takes to crack a crappy password if you dare. Do not use the details of your life to make up passwords. And don't base your password hints on pop culture. Hackers know pop culture better than you do. Or they can search for it on a forum where there are people who do.
Second, multi-factor authentication. What does that even mean? It means you have to do more than enter your password to access a site on any device you have not designated as safe. So if someone tries to log in to your Gmail account from Estonia, here's what happens:
1. Google will notice that someone is logging into your account from a new place.
2. Google will send a text to your phone with a newly-generated code (a 6-digit number currently).
3. The Estonian hacker will need that code to enter your account; no code, no access.
4. You'll know someone's tried to log in to your account because you got a text. Google also emails you with info about the attempted login.
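The four steps above, seen from the service's side, as an added sketch (not Google's code). The class name, the five-minute expiry and the five-guess limit are assumptions, and the `outbox` list stands in for the text-message gateway.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for a code
MAX_ATTEMPTS = 5        # assumed number of guesses allowed per code


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.trusted = set()  # (user, device) pairs the user has approved
        self.pending = {}     # (user, device) -> [code, expires_at, attempts_left]
        self.outbox = []      # stand-in for the SMS gateway

    def password_ok(self, user, device):
        """Call once the password has been checked; decides if a code is needed."""
        key = (user, device)
        if key in self.trusted:
            return "granted"
        # Steps 1 and 2: unknown device, so issue a fresh 6-digit code.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[key] = [code, self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        # Step 4: the same message tells the owner that a login was attempted.
        self.outbox.append((user, f"Login attempt from new device {device}. Code: {code}"))
        return "code_required"

    def submit_code(self, user, device, guess):
        """Step 3: no valid code, no access."""
        key = (user, device)
        entry = self.pending.get(key)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[key]  # expired or guessed too often: start over
            return False
        entry[2] -= 1
        # Constant-time comparison so timing does not leak matching digits.
        if not hmac.compare_digest(code.encode(), guess.encode()):
            return False
        del self.pending[key]      # single use
        self.trusted.add(key)      # device is now designated as safe
        return True
```

The attempt limit matters because a 6-digit code has only a million possible values; without it, the code could simply be guessed.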
Facebook, Twitter, Dropbox and many others offer multi-factor authentication and you should turn it on wherever you have data you want to keep private. Here's a list of places that offer multi-factor authentication.
If you don't turn it on anywhere else, set it up for LastPass. That way, even if someone gets your password (not impossible in today's world of video cameras) they can't get into your account.
So LastPass is secure. Almost certainly more secure than your current system. But that's not enough for you because no one's going to use a service that's a PITA.
The truth is LastPass is so convenient that I was a committed user long before I searched for information about its safety. It's not hard to set up and it's so much easier than whatever you're doing now. Still, in the seven years I've been using LastPass, pretty much the only way I've ever gotten someone to use it is to force them. It goes like this:
Me: Use LastPass, it's awesome and secure and easier than what you're doing now.
Them: I hate change and it sounds complicated.
Me: It's not. I'm installing it on your computer and browser. Make up a password now.
Them: AHHH but I'm scared, what do I have to do?
Me: Just fill in your passwords like normal. Soon it will do it for you.
Them (two weeks later): OMGOMGOMGOMG LASTPASS IS THE BEST THING EVER!!!!!!!
That's why I'm writing this. I'm not helping any more people live. Not for free anyway. In fact, you might be reading this because I refused to tell you about it and sent you a link instead. You're welcome.
I think it’s important to ask “How safe is this compared to what I’m doing now?” instead of the more general “How safe is this?” although both are important. While LastPass does make you vulnerable by keeping all your info in one place, the multi-factor protection gives me peace of mind. Compared to using the same crappy password for your bank, email and that stupid download site that stores your password, it's a great alternative. Unless someone is targeting you specifically and is very good at what they do, LastPass will keep you safe. And even if they are, LastPass is probably your best bet.