A password manager is a must-have weapon in your security and privacy arsenal. There are a few password managers available, and my advice is to pick one and learn how to use it. My preference is LastPass, which is a mature product with strong security practices and is very transparent about them.
But any password manager is only as good as how you configure it. The default settings are usually good enough, but I want to shoot for optimal security. Here's how I set up my LastPass.
LastPass Settings on your Computer
There are different settings depending on whether you are using LastPass on your computer or your smartphone. On your computer, the settings are managed via the web browser plug-in. To get there, click on the LastPass plug-in icon and select My Vault. Then click on Account Settings.
LastPass Login Screen
- remember email - check or uncheck; I leave mine unchecked for added security
- remember password - uncheck <<< very important; never check this box on any device with LastPass
General Tab - Advanced Settings
- Master Password Reminder - do not use; a reminder hint is stored where an attacker could read it and use it to guess your Master password.
- Country Restrictions - United States or your home country; if you use a VPN or proxy, scroll to the bottom of the list for VPN/proxy option.
- Disallow logins from TOR networks - check; I recommend prohibiting LastPass logins from TOR networks, as TOR is a commonly used attack vehicle for cyber-crooks. If you use TOR, I recommend disabling TOR, then logging in to LastPass, then re-enabling TOR.
- Password Iterations - choose a random number between 5000 and 25,000. This makes the derivation of your LastPass encryption key unique to you, magnifying the difficulty for a cyber-crook of deciphering your key. You can change your password iteration number at any time; LastPass re-encrypts your password database on your device and at LastPass while letting you keep your Master password, which is a clever trick.
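To see what the iteration count actually does, here is a small added example (not code from LastPass or from this post) that derives a vault key with PBKDF2-HMAC-SHA256, the key-stretching construction LastPass documents using, and compares two iteration counts. The email address, master password and iteration values are constructed sample inputs, and the assumption that the email serves as the salt is labelled in the code; the point it demonstrates is that a different iteration count yields an entirely different key and that every guess an attacker makes costs proportionally more work.

```python
import hashlib
import time

# Constructed sample values for the demonstration; not real credentials.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 32-byte key with PBKDF2-HMAC-SHA256.

    Assumption (hypothetical, modelled on LastPass's documented design): the
    account email is the salt and the user-chosen iteration count is the
    work factor. Changing either changes the derived key completely.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.encode("utf-8"),
        iterations,
        dklen=32,
    )


def time_derivation(master_password: str, email: str, iterations: int, repeats: int = 3) -> float:
    """Return the best-of-N wall-clock seconds for one derivation (one guess's cost)."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        derive_vault_key(master_password, email, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def compare_iteration_counts(master_password: str, email: str, low: int, high: int) -> dict:
    """Derive the key at two iteration counts and report how the keys and cost differ."""
    key_low = derive_vault_key(master_password, email, low)
    key_high = derive_vault_key(master_password, email, high)
    return {
        "keys_differ": key_low != key_high,
        # PBKDF2 cost grows linearly with the iteration count.
        "cost_multiplier": high / low,
        "seconds_low": time_derivation(master_password, email, low),
        "seconds_high": time_derivation(master_password, email, high),
    }


if __name__ == "__main__":
    report = compare_iteration_counts(SAMPLE_MASTER_PASSWORD, SAMPLE_EMAIL, 5000, 25000)
    print(f"keys differ between 5000 and 25000 iterations: {report['keys_differ']}")
    print(f"per-guess cost multiplier: {report['cost_multiplier']:.1f}x")
    print(f"5000 iterations:  {report['seconds_low'] * 1000:.2f} ms per derivation")
    print(f"25000 iterations: {report['seconds_high'] * 1000:.2f} ms per derivation")
```

The timing numbers vary by machine, but the ratio between them tracks the ratio of the iteration counts, which is exactly why raising the count slows an offline guessing attack without changing the Master password you type.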
Multifactor Options Tab
- choose a multifactor login option such as LastPass Authenticator, Google Authenticator, Transakt or Yubikey. The rule of thumb is: if you are already using Yubikey or an authenticator like Google Authenticator for Google or Microsoft multifactor authentication, select that option so you can continue to use just one authenticator. Otherwise, Transakt is an easy-to-use authenticator that I prefer.
Leave other settings as default.
LastPass Settings on your Smartphone
An important prerequisite to using LastPass on your smartphone is to make sure that all your devices are encrypted and have a strong passcode or password. iPhones have encryption enabled as long as you have a passcode/password. Some Android phones require that you install a third-party app to encrypt your phone. Either way, encryption is critical to securing your LastPass database against compromise.
On your iPhone or Android smartphone, we are going to make LastPass secure and easy to unlock by using your phone's Touch ID. If your smartphone doesn't have Touch ID, you will want to enable the LastPass PIN Code option.
Open the LastPass mobile app on your smartphone and go to Settings.
- Use Touch ID - enable; this is the preferred option if available
- Use LastPass PIN Code - enable if Touch ID is not available. Choose a strong, random 6-digit PIN code
- Lock Options - immediately
- Auto Logout - never
- Clear Clipboard - 30 seconds
- Remember Email - enabled
- Remember Master Password - disabled <<< very important
Advanced - These settings configure LastPass's built-in web browser for maximum privacy.
- Default Search Engine - change to DuckDuckGo (they don't store your personal data)
- Block Cookies - from third parties and advertisers
- Close Browser Tabs on Logout - enabled
- Clear Browser History on Logout - enabled
- Clear Cookies on Logout - enabled
Leave other settings as default.
Other Security Precautions
As stated above, make sure your mobile device is encrypted and that you use a strong password or passcode. Also, enable full disk encryption on your Mac or Windows computer. macOS has a disk encryption option, but it must be enabled in the settings. Windows users can enable BitLocker if their computer supports it (TPM chip plus Windows 7 Ultimate or Windows 10 Pro); otherwise, BestCrypt or VeraCrypt are reliable encryption options.
Since you are storing your passwords on your smartphone/mobile device and your computer, it's critical to keep the unencrypted information from falling into the wrong hands. So make sure your devices are fully encrypted.