I’ve recorded my enthusiasm for Lastpass here before. It’s a browser plugin that remembers all your passwords for you and stores them securely on the web. It can enter login credentials automatically and effectively provides you with a single sign-on across the web.
Of course, you need a password to secure all this. Lastpass provides a variety of ways to keep your encrypted password collection secure. One of them is a hardware device called a Yubikey, made by Yubico in Sweden.
In a nutshell, it’s a chip with a USB connector and a button and it functions as a keyboard and emits an identifier and a unique password whenever the button is touched for a second or so.
In principle it means that even if you use a PC with malicious software installed on it your login details can’t be compromised. The passwords it issues are one-time passwords and are not reused.
If the site you log into supports two-factor authentication (something you have and something you know, i.e., a key and a password) then possession of the key alone will not provide access.
The lastpass screencast here shows it nicely (click on How to use LastPass with a YubiKey) and answers the inevitable question
But what if I lose it?
What finally pushed me to try out this was Fastmail’s decision to support it (announced here) — on their beta server for now.
So, I looked to order one and I ended up taking advantage of a special offer which expires this month: two Yubikeys and a Lastpass account for $40. At that price the keys are $14 each, which for serious security is a bargain.
The keys arrived the following day by registered mail — they clearly didn’t come from Sweden.
It works beautifully and is strangely satisfying to use.
The only problem I had was that two-factor authentication didn’t work with Fastmail if a single-factor Yubkikey login was also configured among the alternative logins.
You can tell Lastpass that your home computer is secure and that you don’t need to use the Yubikey with it, and when traveling you can fetch it out of your wallet and use it on other systems with some peace of mind.
Unless someone gains access to the key, and your lastpass password, or your lastpass password and your email account, your passwords are secure.
I think I might have preferred a key in the form of a USB stick with a retractable connector, like the Cruzer USB memory sticks, and a hidden purpose. But that’s a minor quibble. (I can’t put it on my keyring because I have a memory stick there already and one would have to come off to enable both to be used simultaneously).
How much do I like it? Enough that I would change banks for it. It’s a lot better than entering selected letters from my memorable word + decoy characters (or vice versa) when logging in to my account.
It might be the gadget of the year. It’ll surely be a contender in the bang for the buck department. But the special offer ends this month.
Update: it will not work with the new iPad — it has no USB port!
Related posts:
- How Not To Lose Your Yubikey Keeping the Yubikey on a keyring poses a small problem: how to plug in both the Yubikey and a USB memory stick on the keyring...
- LastPass Password Manager I have used a TiddlyFolio, an example of a TiddlyWiki, to manage my passwords for the last year and half or so. In the process...
- Introducing the Wiki Wallet: TiddlyFolio If you've got a USB memory stick on your key ring here's a useful and free "wiki wallet" application (open source) that runs in your...
- The Princess And The Pumpkin At midnight the Internet turned into a pumpkin and, to my amazement, the Princess went to bed. This is not a fairy tale! Of course,...
Related posts brought to you by Yet Another Related Posts Plugin.
An Apple user, noting my unhappiness over the lack of a USB port, sent this:
http://www.techcrunch.com/2010/01/30/ipad-v-a-rock/
(difference between an iPad and rock)
Another Apple user says: “I am very happy with 1password, which also has a single passkey to unlock everything and which can be carried around on an ordinary stick, or saved to something like Dropbox for use on more than one machine”.
I gave a Yubikey to the boy who tells me that lastpass is much better than 1password (better browser integration). Lastpass is more secure, and it works across platforms.
Another defector:
http://bob.archer.net/content/goodbye-roboform-and-1password-hello-lastpass
[...] decided not to keep my Yubikey (recent gadget of the month) in my wallet. The key is small and overlookable. Sooner or later, having taken it out, I’d [...]