We all know how important it is to use a structured and secure password strategy. This sounds good in theory, but the reality is that passwords are almost never changed and often used multiple times. The simple reason for this is that it is much more convenient to remember a password, and since you don't want to remember too many passwords, you use one for everything. What this can lead to in the worst case can be read in Mat Honan's "Epic Hack".
A new level of complexity is reached when access data is shared, as is probably the case in every company. This starts with WLAN, VPN and FTP access, concerns shared web services, CMS backends, or e-mail accounts and sometimes even access to online banking, credit cards, or other highly sensitive data.
This data is shared by e-mail, collected in a document in a central location, or written down somewhere by hand, which then either leads to a great deal of searching, or again results in a drastic simplification à la "one password for everything".
One solution - LastPass
So we looked for a solution to the problem, and after some searching and trial and error, we decided on the cloud-based password management system LastPass.
LastPass is available in a version for individual or private users - which one or the other knows for sure - and in the Enterprise Edition for companies. Unfortunately, the user interface is not a beauty, but that's not the main point here.
The principle of LastPass is the following: Each user has his own "safe", i.e. an encrypted file containing all the access data relevant to him. This file is stored locally and secured with a password, hence the name LastPass - the last password to remember. With the help of a browser extension or a smartphone app, the safe can be opened and managed. Thanks to Cloud-Sync, the current version of the vault is stored on every device.
LastPass proves to be a useful helper in the browser, as it can automatically enter login data or directly accept new access data. This means that the password can be made as cryptic as you like - a password generator is also available, so you can forget it again.
In addition to access data for browser-based applications, LastPass can also handle so-called secure notes, which can contain any kind of confidential data, from FTP access to credit cards to driving licenses.
The Enterprise Edition extends the basic functionality to include the possibility to share access data with other users or user groups. Nevertheless, each user has his own safe, which nobody else (not even an administrator) can access.
Using LastPass Enterprise Edition
First there is an invitation from the administrator to use LastPass. This is in the form of an e-mail containing an activation link, which among other things determines the master password. The LastPass installer can then be downloaded from https://lastpass.com/misc_download.php The installer installs LastPass in all available browsers and stores the Tresor file centrally in the system. This is where LastPass differs from a simple browser extension, which normally does not leave the browser context.
If everything went well, a button will appear in the browser to open the vault.
To manage all access data, simply click on "My LastPass Safe". Here you can add websites, secure notes, groups or shared folders via the left column. A shared folder can be shared, so that all access data in this folder is visible to other users or user groups. There is also the possibility to limit the access rights so that users are only allowed to read, for example.
LastPass can also be used from the popup after clicking the browser button. Here you will also see directly matching login information, i.e. if a page is open for which there is access data in the Vault, it will be displayed directly or, depending on the settings, entered directly into the login form. This is visualized by a red border around the input fields.
A click on the entry in the popup shows further options.
When creating a new account it is recommended to use the already mentioned password generator. Since you do not have to remember the password, it can be very complicated.
In summary, the use of LastPass can solve all the security problems described above. There is no need to use easy to remember but insecure passwords, you can easily create a separate password for each access and sharing in a workgroup is no longer a security risk.
In addition, LastPass is also available as a mobile app for Android, iOS, Windows Phone, Blackberry, etc., so that you always have your confidential information and access data at hand when you are on the road.
Since only the 256-bit (AES) encrypted file is transmitted via SSL, I think LastPass is already sufficiently secure, because even if someone should get to the Tresor file, it is almost impossible to open the file.
If you want to add an additional protection layer, we recommend the 2-Step verification developed by Google, which can be used with LastPass. With this, in addition to the password, you have to enter a further code, which you receive by call, SMS or app on a previously registered cell phone, and which is only valid for a short time.
If you want to bring order into the password chaos you should have a look at the LastPass.com Enterprise Edition, you can learn how it works here.