How to manage passwords
Many of my clients complain about how many passwords they have or need for everything they need to do online. The two most common scenarios I run into are that the same password is being used for everything or they just don't remember the password at all since their web browser has it saved and they just automatically log in. Neither of these scenarios is good! Having one password means that if someone gets it then they have access to all your accounts (although it does make my job easier sometimes), and relying on the browser means you are locked into your one PC with all the passwords and you constantly have to reset your password if you forget it or get a new PC.
The best thing is to have a different password for every website. This can become complicated for people with a lot of passwords and usually leads to the paper notebook with various handwritten website names, usernames, and passwords of which most are out of date, indecipherable or just plain wrong.
I have, literally, hundreds of passwords for both myself and my clients. I needed a way to be able to quickly and safely access all my passwords. To do this I've used a combination of software (LastPass) and hardware (YubiKey). Please keep in mind that you can just use LastPass as a great password manager. I also use a YubiKey to add to the security, as I'll explain later.
LastPass is my favourite password manager for two reasons - it can be accessed from any computer and it's very secure (as long as you have a secure password for it). The first thing you have to do is set up a LastPass account - the usual username and password. Make sure you have a very secure password because, as the website says, this is the last password you'll need since it will store all your passwords in one place. Next you need to download the LastPass app to your computer, which installs itself into your web browser. Once you do, LastPass will ask for the username and password you set up. Next, if you have passwords stored in your web browser, it will ask if you want to import these - say yes! From now on LastPass will automatically fill in your username and password for all those sites you go to that ask for login details. Going forward, for any new websites you set up accounts for, LastPass will ask if you want to store that information.
In addition to this, LastPass can also generate passwords for you that are much more secure than anything you could dream up. For example - tz^Q2WKvh$Nc. This is not normally a password you or I would use since it's pretty much impossible to remember, but now that LastPass fills in your passwords for you, it doesn't matter.
Another helpful feature is that LastPass will scan through all your passwords and give you a rating as to how secure you are by finding the same passwords across your different accounts. This should inspire you to go and change your password at many websites.
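The two features described above, random password generation and the reused-password check, sketched as an added example that is not LastPass's code and not from the original post. The symbol set, the scoring rule and the sample vault are assumptions constructed for illustration.

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict

SYMBOLS = "!@#$%^&*"  # assumed symbol set, not LastPass's
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 70 characters

def generate_password(length=12):
    """Draw from the OS CSPRNG until every character class is present."""
    if length < 4:
        raise ValueError("need at least one character per class")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on guessing entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)

def audit_reuse(vault):
    """Return (score, reused_groups) for a dict mapping site -> password.

    Score (hypothetical rule) is the percentage of entries whose password
    is used on exactly one site.
    """
    by_pw = defaultdict(list)
    for site, pw in vault.items():
        # Group on a digest so plaintext never becomes a key or gets printed.
        by_pw[hashlib.sha256(pw.encode()).hexdigest()].append(site)
    reused = sorted(sorted(sites) for sites in by_pw.values() if len(sites) > 1)
    unique = sum(1 for sites in by_pw.values() if len(sites) == 1)
    score = round(100 * unique / len(vault)) if vault else 100
    return score, reused

# Constructed sample vault, not real credentials.
SAMPLE_VAULT = {
    "bank.example": "Summer2019",
    "mail.example": "Summer2019",
    "shop.example": "Summer2019",
    "forum.example": "tz^Q2WKvh$Nc",
}

if __name__ == "__main__":
    score, reused = audit_reuse(SAMPLE_VAULT)
    print(f"score {score}%, same password on: {reused}")
    fresh = generate_password()
    print(f"replacement: {fresh} (~{entropy_bits(len(fresh)):.0f} bits)")
```

On the sample vault, three of the four sites share one password, so the score is 25% and those three sites are the ones to change first.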
Finally, for a whopping $12 a year you can have access to the LastPass app on your phone. I use this as a way to look up passwords when I'm not on my own computer.
For myself, and many of my clients, LastPass has become indispensable.
As I mentioned above, LastPass can be used on its own and it's a fantastic way to keep all your passwords organized and more secure. For myself I've added an extra layer of protection - something called a YubiKey from Yubico.
The YubiKey is a small, inexpensive ($31 CDN) device that plugs into any USB port and is universally recognized as a keyboard, so no installation is required. The YubiKey can be used many ways by those with high security needs; the simple way I use it is in conjunction with LastPass. When I log into LastPass I first log in with my username and password and then I'm asked to log in with my YubiKey. By pressing the gold circle (or, on the smaller version, touching the exposed end) it enters a pre-configured 128-bit encrypted password that I'd previously registered with LastPass & Yubico. When using my smartphone I have another, higher-end YubiKey that has an NFC chip built in, so that when I log into LastPass from my phone it asks for my password and then it asks for my YubiKey, which I just have to press up against the back of my phone.
With this second step of security someone could have access to my username and password, but they wouldn't be able to access my account without physically having my YubiKey to enter in that 128-bit encrypted password.
While nothing is 100% safe, with these two types of security I'm doing all I can to secure all my online information. And to be honest, who really cares that much about my information to try to break both my password and the 128-bit key on the YubiKey? But at least I'm doing all I can to keep my online presence secure and so can you by using just one of these security devices and not even spending a dime.