UPDATE: Around 2 months after writing this post, I moved back to Passpack. I wrote about serious data integrity and security concerns with LastPass here and my interactions with their support team regarding these issues here. In my opinion, Passpack is significantly more secure, stable and reliable – rather important requirements for a password manager!
UPDATE 2: See related post on how I securely back up my Passpack account.
I started using an online password manager around 8 months ago, and have never regretted my decision. I used to use an Excel spreadsheet because I thought it was easier – both of these tools are significantly better than that!
I was used to opening the spreadsheet, copying and pasting the password and entering it into the relevant website I was using. I used the built-in browser password manager quite a lot as well. This was amazingly insecure. If my computer was stolen, then all of my passwords would be vulnerable.
I checked out a few password managers and tested them based on a few criteria. I wanted it to be online so that the data is available anywhere in the world, preferably good integration with my Android smartphone, easy to use, reliable and most importantly – secure. I was not keen to give my 250+ passwords to anyone – let alone a dodgy website. The chances of my computer being stolen by someone who is interested in stealing my passwords are a lot smaller than the attractiveness of hacking an insecure password management website with thousands of users’ passwords.
I started off using Passpack. It gives a free account of up to 100 passwords which is great – it gave me a good amount of time to try it out. I was hesitant to pay for something, but their range of accounts is good, and I could get away with $1.50 a month – not breaking the bank!
Essentially, I chose it because it’s a bit like an online spreadsheet. You can add entries in the nice interface and can add secure notes and share them with others easily. When you log in, you can copy the username/password of entries without actually opening them (little icons next to the name), and when you do open an entry the password and notes are hidden by default – great if someone is looking over your shoulder. You can tag up your entries as well, which makes them super easy to organise.
Passpack It Button
It was a few months before I investigated the ‘Passpack It’ button. It’s a bookmark toolbar button which when clicked automatically enters your username/password into the fields on the webpage and clicks the login button for you, i.e. you only need to click once to log into a webpage. However, you need to show your bookmarks toolbar – something I don’t do by default and it can reduce your viewable page size if you’re using a netbook or small laptop. Furthermore, if you have more than 1 account for the webpage you’re on then a pop-up box appears and asks you to choose which one you want to use, so essentially 2 clicks. If you have lots of accounts, then you may need to scroll down the box to find the one you want. All in, the costs outweighed the benefits and it was my manager of choice.
Then I started using Magento! Passpack It requires training on some new websites – you need to tell it where the username/password fields are so that it knows where to enter the data. Unfortunately, it required training on every Magento login page. Magento logs you out then attempts to log you back into the page you were on, so essentially the login URL changes every time (unless you purposefully go to the default login page via a bookmark). This was a little bit of a pain as you can imagine – 1 click login to 8 clicks over 25-30 seconds.
By this time I was also managing 4 accounts for the guys in my office – sharing passwords between us all. Everyone found the Magento issue a pain. Also, everyone I shared the passwords with continued to use their built-in browser password manager – they had no incentive to go and use a 3rd party tool which didn’t work that well. If I change a password that they use, then it’s likely they have difficulty logging in, until they go to Passpack and get the new one. Critically, passwords shared with other users are visible to them. They can copy and paste them into an email very easily – not very secure if you’re sharing passwords with many short-term team members.
One of my original attractions to Passpack was the security. All data is encrypted locally via your own encryption key which you need to enter to gain access to your account. That means to gain entry you need the username, password and packing key (essentially a 2nd password). You can read more about Passpack security here.
LastPass offers a free account and a premium paid account for $1 a month. The only features of the paid account that I use are the password sync (when you change a password it gets synced to the people you share it with) and the Android app.
Disclaimer: I’ve been using it for about 10 days now so my impressions may be premature.
My first impression was not great – the interface is pretty ugly. I also don’t like the fact it’s recommended that you shut down all your browsers to install LastPass. It feels like you’re installing a desktop application, but it’s actually more like individual browser plugins. I exported from Passpack easily, and into LastPass easily – it has a predefined Passpack format which simplifies the whole thing. Unfortunately, it doesn’t support tags, so it turned my tags into categories – not ideal.
Bypass Browser Password Manager
Importantly, LastPass bypasses your browser password manager (if you let it) which forces you to use it. It also enters the most commonly used username/password into the relevant fields automatically, so you just need to click ‘login’. You get a dropdown box at the top of the page if you want to change which account you’re logging in with, or you can use the keyboard shortcut Alt+Page Up/Page Down – a nice touch.
If you’re signing up for a new site, LastPass automatically asks you if you want to generate a password for the site, then enters it into the password fields. Very nice feature. I have a separate password generator in my browser for this very purpose – but the LastPass one makes it much easier. Once, it didn’t ask me to save the site after generating a password, but on clicking the LastPass button there’s an option to ‘copy the generated password to clipboard’ – nice!
The LastPass toolbar (essentially just a button) sits at the end of the navigation bar. Very discreet, but also easy to get to and no extra bookmarks toolbar. Clicking the button reveals a menu which allows you to do a wealth of things like copy username/password of any entry, view accounts for the page you’re on, access your ‘password vault’, access secure notes, access ‘form fills’ (something I’ve not investigated), and more…
This brings me very nicely to the LastPass vault. When you click the button and view your vault – you’re shown what I think is the local vault. This is different to the online account. They look different and have different functionality…but it’s the same data – your data. Why? It seems you can only edit your settings in the online one, but if you want to edit a password and propagate that change to the people you share it with – you need to do it in the local one. I really don’t understand why there are two and think it adds complication and confusion with no benefit to the user.
There also seems to be some complication in the way that LastPass handles fields. On one entry, my username and password field disappeared behind a ‘show fields’ button. When I opened the entry, I couldn’t see the email address/password fields. No idea what happened there. I had to delete it and re-add it to get them back.
Quirks like this have happened a few times. As I imported my passwords, they are already saved in the system, but some of them haven’t been used through LastPass yet. I was able to overwrite passwords by messing around with the ‘auto login’ and ‘auto fill’ buttons that appear at the top of the page when logging into a site. Auto fill enters your username/password into the fields on the page, auto login allows you to enter username/password and login by clicking that one button. If I set up auto login with one account, then auto filled another account, then clicked auto login, it would overwrite the password for the 2nd account with the one for the auto login account. Gasp! LastPass will overwrite one of my saved passwords with one from another account without confirming with me first! I have been able to repeat this behaviour so it was not a fluke.
Occasionally no data appears in the username and password box and the auto fill button does nothing. Refreshing the page seems to sort this issue, although sometimes a browser restart is required.
It also seems to occasionally save passwords for sites without telling you. Or, it updates the site URL without telling you or asking you to confirm. I like to keep my data organised, especially my sensitive data. I want to decide what is stored and what is not, what is changed and what is not…I want control because it’s my data. There’s helpful, and there’s intrusive. When you don’t know what it’s doing – you don’t trust it.
LastPass allows you to share passwords with other people, and not allow them to see the password. Great feature when working with teams. However, to allow syncing of updates to passwords, you need to have a premium paid account, and you need to set the passwords to sync before you share them, i.e. if you share a password, then upgrade to premium, you need to cancel the original share and re-share your passwords. Slightly annoying.
LastPass only requires you to enter a master password. It encrypts and decrypts your data in your browser, so LastPass don’t actually see it, but it’s definitely less secure than Passpack in that someone only needs to learn your password to get access to your account – better make it secure! Read more about LastPass security here.
Both of these are great tools. At the moment, I find LastPass more useful, despite its faults, as the sharing and browser integration are superior. If Passpack worked in the same way as LastPass (browser toolbar button rather than Passpack It bookmark and sharing passwords without revealing them) then I would probably move back. Moving between them is easy which is great.
Hope I’ve covered everything!