I’ve been running LastPass for just over a year now, and if you are like me and have added lots of passwords but haven’t ever run a Security Challenge, then read on, because I can save you from stepping into the same issues that I encountered, and maybe make the tidy-up of your passwords fairly painless.
Unfortunately I don’t have a screenshot of my “before” Security Challenge results. Needless to say it was bad. I had about 3 passwords used across many sites, as well as one of them also being my master password. Additionally, I hadn’t changed any passwords since I added my sites to LastPass. All of the score values were in the red (I have about 85 passwords in my database too).
This is my current score and results. A big difference after a couple of hours of work. You can see the red warning symbols in the steps below – they look worse than they are. I’ll explain below.
Some important explanations and information before we proceed:
- Some of these Steps will have Change with one click / Auto-Change Password options. This is where you tick the entries to change and simply click on the Update Now button to have LastPass automatically go into each site, change your password to a randomly generated one, and update the entry in LastPass with the new password.
- Auto-Change Password doesn’t always work! I have found it works with the big and popular sites (eBay, Amazon, etc.), but don’t use it on other sites. Also, do not close the page or browser while it’s working – give it time to complete (10 minutes?).
- You can also click on the Launch Site button to open the website for each password entry. Once there, you can go through that site’s process for updating your password. LastPass should see this happen, and when you click on save/update/change password it should ask whether you want to update the entry with the new password. This doesn’t always work either!
- If your LastPass database gets out of whack (the password saved does not match what’s on the site), edit the entry and click on the clock-looking icon to the right of the Password box. This shows the password history. Hopefully one of the older ones still works.
- Be prepared to use the “retrieve lost password” function on a few sites, if you make mistakes like I did.
- You probably will not be able to fix all of the issues listed in the Security Challenge results. E.g. I have a few sites that log in with a combination of text and a PIN, rather than a typical password. LastPass views these as Weak Passwords, but there is no way to fix this unless the site changes its security / password process.
- I have a few Change Reused Passwords entries too. I kept a few sites the same, and they are ones I need to be able to recall easily at various times. E.g. Steam often asks for verification by re-entering the password on restarts. Some games require a login and I prefer it to be easy enough to recall. TBH, this is a poor practice, and I would be better off changing them all to be unique, but that’s for another day.
- You might wonder why LastPass does not work well on some sites, and why I’ve said above that some things do not work. That’s a bit simplistic on my part. As a developer, I can imagine the complexity and variety of websites out there that have different ways of managing logins and security, and LastPass has to be told (by the people who make it) how to better manage each of these new websites. It is a very difficult thing to get working on all websites.
Given that there are sometimes issues with these more automatic functions, here is the process I found was easiest and most painless:
1. Note: These are general steps, and will vary from site to site.
2. Start up your web browser of choice, and open the LastPass Vault via the add-on/plug-in/extension.
3. Run the Security Challenge, and be prepared for a really bad score (or you are already here because you have run it and seen the results).
4. Note: Do not close the Vault and Security Challenge pages.
5. Security Challenge’s Improve Your Score area: click on each Step to open up the list of entries. Compromised Passwords are passwords of yours that have appeared in a known data breach of some website. This list will hopefully be small. If you want to know which breach each one was involved in, click on the grey information icon. The other steps should be pretty self-explanatory.
6. Click on the Launch Site button next to the entry you want to improve. Hopefully the link you have on that entry is correct, and it will open the login page for that site. If not, find the correct page, then go back to your Vault, find the entry, edit it, and update the web page link. Don’t forget to save any changes you make. Note: This will not make the Security Challenge’s Launch Site link work right away, but it will the next time you run the challenge.
7. With the website open, log in with your existing details, then find the Change Password link/area. This will probably be somewhere called Account Settings, Security, Profile, User Details, etc.
8. Right-click on any part of the main window and choose LastPass -> Generate Secure Password. Keep this tab open too.
9. This generator tool lets you set rules about the password it generates, and the red Refresh button will randomly generate a new password following those rules.
10. Click Refresh, then highlight the new password and copy it (right-click -> Copy, or CTRL+C).
11. Go back to the website’s tab where you are changing the password.
12. Paste the new password into the New Password box (right-click -> Paste, or CTRL+V).
13. Also paste it into the Confirm Password box.
14. If the site requires your old password (it should), use the LastPass icon in that text box to fill in the current password from the Vault.
15. Check for any errors. Some sites will tell you straight away; others will only let you know when you Update/Save the new password.
16. Press the Update/Save button and check for any more errors.
17. If you encounter a problem, read what it says, adjust the Generator settings to suit, and go back to Step 10 above. Do not forget to change the settings back before generating a password for the next site; the default settings are very good for security. I did find a few sites, though, that did not accept symbol characters ($%#&^% etc.).
18. If it is all good, LastPass should pop up an option to update your entry with the new password. Again, this may not always happen. If it does not, go to Step 19. Otherwise you are done with this site: go to Step 6.
19. If you have to update the LastPass entry manually, go to the Vault tab, find the entry, and click on the Pencil/Edit button.
20. Highlight the existing password (shown as a line of dots) and paste the new password over it (remember, it was copied to the clipboard in Step 10).
21. Click Save; the tab should close and LastPass will update the entry. Once it is saved, clear the clipboard (copy some harmless text over it), because anything left on the clipboard can be read by other programs on your machine.
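To make the two ideas behind this procedure concrete (a generator whose rules you can relax for a site that rejects symbols, and the reused / weak / old checks the Security Challenge steps correspond to), here is an added Python example. It is not code from this post or from LastPass: the strength rule, the character classes, and the CSV column layout of the sample vault are all assumptions made for the example, and the vault rows are constructed, not a real export. Breach ("Compromised Passwords") lookups need an online service and are left out on purpose.

```python
import csv
import io
import secrets
import string
from collections import Counter
from datetime import date

# Symbol set used by the generator (an assumption; LastPass's own set may differ).
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length=20, upper=True, lower=True, digits=True, symbols=True):
    """Generate a random password from the enabled character classes.

    The knobs mirror what a generator exposes (length, which classes to use), so a
    site that rejects symbols is handled by passing symbols=False. At least one
    character from every enabled class is guaranteed, and all randomness comes from
    the OS CSPRNG via the secrets module (never random.random).
    """
    classes = [cls for enabled, cls in (
        (lower, string.ascii_lowercase),
        (upper, string.ascii_uppercase),
        (digits, string.digits),
        (symbols, SYMBOLS),
    ) if enabled]
    if not classes:
        raise ValueError("at least one character class must be enabled")
    if length < len(classes):
        raise ValueError("length too short to include every enabled class")
    pool = "".join(classes)
    # One guaranteed pick per class, then fill the rest from the whole pool.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(pool) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


def character_classes(password):
    """Return the set of classes ('lower', 'upper', 'digit', 'symbol') present."""
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("symbol")
    return found


def is_weak(password, min_length=12, min_classes=3):
    """Simple strength rule (an assumption, not LastPass's scoring): weak if
    shorter than min_length or built from fewer than min_classes classes."""
    return len(password) < min_length or len(character_classes(password)) < min_classes


# Constructed sample vault in a hypothetical CSV layout (not LastPass's export format).
SAMPLE_VAULT_CSV = """url,username,password,last_changed
https://mail.example.com,alice,Summer2019!,2021-08-01
https://shop.example.net,alice,Summer2019!,2019-03-01
https://forum.example.org,alice,alice123,2018-11-20
https://bank.example.org,alice,Vq7$kPz2!mL9wXe4,2021-06-10
https://games.example.net,alice,Summer2019!,2020-01-15
"""
SAMPLE_TODAY = date(2021, 9, 1)  # fixed "today" so the audit is reproducible


def audit_vault(csv_text, today, max_age_days=365):
    """Flag reused, weak and old entries: the three Security Challenge steps
    the procedure above works through. Returns lists of URLs per category."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    uses = Counter(row["password"] for row in rows)
    report = {"reused": [], "weak": [], "old": []}
    for row in rows:
        if uses[row["password"]] > 1:
            report["reused"].append(row["url"])
        if is_weak(row["password"]):
            report["weak"].append(row["url"])
        changed = date.fromisoformat(row["last_changed"])
        if (today - changed).days > max_age_days:
            report["old"].append(row["url"])
    return report


if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT_CSV, SAMPLE_TODAY))
    print(generate_password())                    # default: all four classes
    print(generate_password(16, symbols=False))   # for a site that rejects symbols
```

The audit shows why one reused password drags several entries into the red at once: every site sharing it is listed under "reused", and fixing it means changing the password on each of those sites, not just one. Relaxing the generator (symbols=False) costs entropy, so compensate with a longer length rather than leaving it at the default.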
Do this for all of the entries in each Step of the Security Challenge’s Improve Your Score area.
After you have made a bunch of changes, re-run the Security Challenge and see how much of a difference these changes have made. I did this a few times to keep up my motivation to work through the list.
Having done that, a fair chunk of your passwords should be updated, and your Security Challenge Score should be a lot healthier.