Before passwords got complicated, and before the massive data breaches scared the living daylights out of us, LastPass was the perfect app for remembering my login information. It stored all of my passwords on my laptop and recalled them securely whenever I needed them.
Until one day, it didn’t.
That day finally came last week when LastPass surrendered its last password. It turns out I’m far from the only one who’s had a problem with a password manager. But this story is about more than a “free” app giving me what I paid for (nothing). It’s about the changing nature of computer security and what it means for you.
What is LastPass?
LastPass is a password manager that stores all of your passwords in encrypted form. You can install LastPass as a plugin on your browser and download it as an app for your phone. When you type in a password, it asks if you want to remember it; when you need to recall a password, LastPass offers to fill in the information automatically.
Computer users like these programs because they never have to worry about remembering their password. Except for one. In the case of LastPass, if you are using the “free” version, you must remember your master password. If you forget your LastPass login, you lose all of your passwords.
How I lost all of my passwords
And that brings me to my sad tale. At the start of the summer, I made a difficult decision to restrict my daughter’s computer access. She had developed an Anime habit that was keeping her from doing her schoolwork. She’d be up all night watching the latest episode of Dr. Stone or KonoSuba.
In retaliation, my daughter threatened to hack my computer. She waited for me to leave my laptop unattended and then pulled up my LastPass screen. I would return to my laptop to find the LastPass tab active. There’s no evidence that she ever obtained my master password. But it made me far more aware that a LastPass login could be a security vulnerability.
I’m not the only one who is worried. Last year, Google warned that LastPass could be hacked by embedding malicious code on a site. Although no passwords were reportedly compromised, the report made many customers uneasy about their passwords.
So last week, I opened my laptop and logged in to the content management system for this site (I am being deliberately vague about some technologies we use because, as you probably know, this site is a favorite target for hackers. The less said, the better.)
LastPass demanded my master password — the key to my entire password vault.
I typed it in.
It didn’t work.
What to do when your LastPass login doesn’t work
LastPass allows you to recover your password in several ways. One of them is to send yourself a hint. I did, but the password still didn’t work. Another one: If you’re still logged in on your browser, you can reset the password. I tried that, too. But while I was updating the password, I encountered an “encryption” error. And then the new password didn’t work, either.
I was locked out.
“No problem,” I thought. “LastPass is a big company. They’ll have technical support and will be able to help.”
Not really. The page for contacting LastPass just takes you to an online knowledgebase. There’s no chat or email form. I found an email address for LastPass and sent the company a message. I received an autoresponse that asked me to fill out a form on another site.
About two days later, I received this response:
How did LastPass — or LogMeIn, or whatever it wants to be called now — do? Well, I lost all my passwords. How do you think it did?
And who is Daniel?
My LastPass login still doesn’t work
I deleted LastPass — permanently. And not just because of LastPass’s incompetence or the thousands of one-star reviews from users who lost their LastPass logins, too. It isn’t even the small number of Elliott Advocacy readers who have complained to us about their LastPass logins over the years.
It’s that the idea of a “free” internet-based password vault is obsolete. Most of my banking, insurance, and email accounts insist on verifying my identity with additional safeguards like a text message to my cell phone or two-factor authentication. My computer and cellphone use biometrics to verify my identity.
When I did have access to my LastPass account, I remember getting regular warnings about compromised passwords. That’s when there’s a data breach, and someone gets access to one of your username/password combinations. A clever hacker can try that same combination on other sites, often gaining access to personal information.
I’m happy that LastPass stopped working. It happened on a slow Wednesday in August, when I had plenty of time to reset my passwords and store them in a more secure location. I believe the day when we rely on a password to gain access to secure information online is quickly coming to an end. Might as well make the transition sooner rather than later.
How to keep your passwords safer than LastPass
I’m no computer security expert, but I’ve been giving a lot of thought to ways to keep my information safer.
- Switch to a cloud-based keychain
Both Apple and Google offer their own internet-based keychains to store all of your passwords. You can access them with a password or with biometric data. I still use passwords, but each account now gets a different, randomly generated password that gets stored in my keychain and then forgotten.
- Use your phone as a key
Google already allows you to use your phone to verify your login. If you’re looking for even more security, try its Advanced Protection Program, which uses a physical key to keep your information secure.
- Know the limits
Bear in mind that switching to a combination of random passwords, biometrics and physical keys is not foolproof. I’ve written about the security risks of being online. A law enforcement agency could force your internet service provider or email service to hand over your passwords and keep it a secret from you. Or your phone could get intercepted at the airport. If you want guaranteed security, you need an air-gapped computer with 256-bit encryption on all of your files.
So here’s my advice.
If your LastPass login stops working, don’t bother trying to recover it. Give your passwords a security overhaul and stop entrusting sensitive information to a company that doesn’t care.