The LastPass Security Dashboard

I just got an e-mail from LastPass regarding a new feature that I wanted to share. It is called the Security Dashboard, and it offers a couple of useful features.

As I have mentioned previously, I am a big believer in using a password manager, whether that be 1Password, Dashlane, LastPass, Keepass, or whatever. I actually use both LastPass and Keepass for two reasons:

  • LastPass is designed for online use, which is great for Web sites, but problematic for some offline uses.
  • Keepass works much better on my Android phone while LastPass is awkward there and tends to get in the way instead of help me.

So, I tend to think most of them are good, the question becoming one of what works for you. The benefit, though, comes from actually using it. If you want to get some opinions on which program may be best for your needs, there are reviews available that can help you make a choice.

I could have listed many more reviews, so there is no lack of information out there. I went with LastPass years ago because Steve Gibson looked at the technical details and said they were doing it right. And Keepass is a stand-alone desktop program that has a Linux client and is licensed under the GPL. Also I can use it on multiple machines by putting the database in Dropbox where any changes I make on one machine get pushed out to all other machines.

Of course, the main reason you want to use a password manager, whichever one you choose, is so that you can put secure passwords on important web sites. And secure passwords mean long ones with a lot of entropy, as I covered in Passwords, Entropy, and Good Password Practices. Your pet’s name won’t cut it, neither does “leet speak” like substituting the @ sign for the letter “a”. If it isn’t long gibberish, it is not secure, and of course long gibberish is precisely what humans cannot remember. And that is the reason for password managers.

The big problem is that nearly every web site out there is now demanding passwords before you can do anything. And if you reuse passwords, you are at risk. I just checked in LastPass and I appear to have 478 passwords stored there. That is way more than anyone could possibly memorize; you simply have to use a password manager for that. Which brings us to the latest news from LastPass, the Security Dashboard.

Security Dashboard

This feature is available to all LastPass users, including those on free accounts. But note that some features are only available to Premium users. To see your Security Dashboard in LastPass, you need to “open the vault”. Since LastPass is normally up and running on my browser (that is the first thing I do after rebooting my computer), all I have to do is click the LastPass icon to open the vault. Then on the lower left I can see the Security Dashboard. Clicking that opens the Dashboard, which has three sections: Security Score, Dark Web Monitoring, and Alerts.

Security Score

The Security Score is a calculated number based on several factors. First, of course, is how long and complex your passwords are. Then adding multifactor authentication to your LastPass account adds another 10 points to your score. A perfect score would be 100 points, but you have to have at least 50 passwords stored in LastPass to get this. That said, I am looking at the section for Security Score, and I don’t see a score anywhere. But the useful part is that I can see the “at risk” passwords, both as an overall percentage (OK, but not the most useful), and also a list of my passwords when I click the View passwords link on the right side of this box. There I can see all of my accounts and what LastPass thinks of my passwords. The information here is useful. The list has these columns in order:

  1. The Website
  2. The User Name for that website
  3. The password strength. The password is obscured, but you can click the eye icon to have it revealed.
  4. The risk if any. Red boxes have risks, green check marks are OK. The risks I see include Reused, Old, and Weak. Old is a matter of debate. I think the best research now says that making people change passwords just because they are old is more likely to reduce security than enhance it. For more on this, see SANS Security Time for Password Expiration to Die. Reused is a problem if you used the same password for anything that needs security. I don’t care if I reused a password because some blog demanded I create a password before reading an article, but I definitely care if I did so for my bank account.
  5. Action to take – This is not all that informative. If you have a green check mark, it will be blank; otherwise it tells you to change your password. But if you click this button, it will open the web site so you can do that, so it is helpful.
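To show what the Reused, Old and Weak flags above amount to, here is an added example (my own illustration, not LastPass code) that audits a small constructed vault export with those three labels. The field names, the one-year "old" cutoff and the 60-bit "weak" threshold are assumptions; the entropy estimate is the charset-size upper bound described in the earlier post on entropy, so a leet-speak dictionary word can still score higher than it deserves.

```python
# Added example, not LastPass's code: classify vault entries as Reused / Old / Weak.
import math
from collections import Counter
from datetime import date

# Constructed sample export; field names and values are assumptions, not LastPass's format.
VAULT = [
    {"site": "bank.example", "user": "alice", "password": "Fluffy2015", "changed": date(2018, 3, 1)},
    {"site": "blog.example", "user": "alice", "password": "Fluffy2015", "changed": date(2020, 6, 1)},
    {"site": "shop.example", "user": "alice@example.com", "password": "p@ssw0rd", "changed": date(2020, 6, 1)},
    {"site": "mail.example", "user": "alice", "password": "xK9#mQ2$vL7@pN4!wR8z", "changed": date(2020, 6, 1)},
]

def entropy_bits(pw: str) -> float:
    """Upper-bound entropy: length * log2(size of the character classes used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33  # printable ASCII punctuation
    return len(pw) * math.log2(pool) if pool else 0.0

def audit(vault, today=date(2020, 7, 1), weak_bits=60.0, old_days=365):
    """Return {site: [risk, ...]} using the dashboard's three labels (empty list = OK)."""
    uses = Counter(e["password"] for e in vault)  # same secret on more than one site
    report = {}
    for e in vault:
        risks = []
        if uses[e["password"]] > 1:
            risks.append("Reused")
        if (today - e["changed"]).days > old_days:
            risks.append("Old")
        if entropy_bits(e["password"]) < weak_bits:
            risks.append("Weak")
        report[e["site"]] = risks
    return report

def at_risk_percent(report) -> float:
    """The overall 'at risk' percentage the dashboard shows above the list."""
    return 100.0 * sum(1 for r in report.values() if r) / len(report)

if __name__ == "__main__":
    rep = audit(VAULT)
    for site, risks in rep.items():
        print(f"{site:14} {', '.join(risks) or 'OK'}")
    print(f"at risk: {at_risk_percent(rep):.0f}%")
```

The reused pet-name password is flagged on both sites, but only the copy last changed in 2018 is also Old; whether Old should count against you is the debate noted above.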

After reviewing my list, I noticed I have a lot of stored passwords for places I don’t go to any longer and for accounts I have closed, so no doubt a little pruning of the list is in the cards.

Dark web monitoring

This is all about whether your credentials have been found on the web sites where such things get traded around. Kind of similar to Have I been pwned in my view, but it does make things easy for you. This feature is only available to Premium users (of which I am one). For this, LastPass partnered with Enzoic to use Enzoic’s database of breached credentials. One useful feature here is that you can simultaneously monitor all of your e-mail accounts, or you can decide that some do not need to be monitored. I noticed that one “e-mail” was actually a typo I must have made at one time, and another was a work e-mail from before I retired, so I cut the monitoring there. Honestly, I don’t know that I would pay for a Premium account just to get this feature, but I like that I get it as part of the package. I could do all of this by just going to Have I been pwned and not spend money, but this is very convenient.

Alerts

This is tied to the Dark web monitoring. Right now it says I don’t have any alerts, but if one of my e-mail addresses/user names was compromised I would get an alert, and a button to click to take me through the process of changing my password.

Bottom Line

I am very happy to be a Premium user of LastPass. We have a family account for my wife and me and it works well. This update basically makes maintenance we should be doing anyway more convenient to do. And now if you will excuse me, I need to go clean up a few passwords.

Listen to the audio version of this post on Hacker Public Radio!