Thursday, December 09, 2010

LastPass vs. Xmarks: Password Synchronization

Since Xmarks announced that they were being bought by LastPass, I decided to give LastPass another try.  In the past week I have done so.  Here are my thoughts.

LastPass Vault
Last time I tried the LastPass Firefox extension, I was put off by the requirement to log in every time I started the browser.  Subsequently, I've taken a different posture with regard to the security of my sensitive data on computers, and in particular on laptops.  I have now taken the tack that sensitive data needs to remain secure, even if a data thief has access to the hard drive.  As such, I started using KeePass to store my non-web passwords (whereas before I kept them in a plain text file), I created a TrueCrypt vault in my Dropbox folder in which I keep tax records and other sensitive documents, and I have started encrypting the passwords stored in the browser.

Initially, this meant that I had to swallow the enter-a-password-whenever-you-start-the-browser pill.  I didn't like this, but I adjusted my behavior to minimize instead of close the browser, and I used suspend or hibernate whenever possible instead of shutting down.

Well, with LastPass, you don't need to keep your browser running in order to stay logged in.  They have a desktop app which stores your logged-in state at the OS level, and communicates with all of your browsers.  That means you sign in once in Firefox, and you're automatically signed in in Chrome.  If (for some unknown reason) you are compelled to use MSIE for something and you're logged in there too.  (LastPass also supports Safari and Opera, but I don't currently use those.)

This scores major points with me in the trade-off between security and convenience!

LastPass Menu
Since I'm comparing LastPass to Xmarks, I should mention the basics.  Both services are ways of synchronizing your passwords between all of your web browsers on each of your computers.  Both services encrypt your data on your computer before transmitting it to their servers.  Xmarks uses your browser's built-in bookmarks database (which can be encrypted with a password or not), while LastPass uses its own encrypted vault to store the passwords.

The premise behind LastPass is that the password that encrypts your data could be "The Last Password You'll Have to Remember!"  If you only need to remember one password, then it can be a strong password, with different character types and such.

They certainly do go a long way towards making it possible to not type in (or even know) your passwords for any website.  LastPass can (optionally) create strong passwords for you that it will auto-fill and auto-login when you visit the appropriate site.  They have excellent browser support across all the major platforms, including smartphones, which brings us to their business model: LastPass is a freemium service.  They give you basic functionality for free, and when you're ready to be a power user, you can pay for the next level of service.  In the case of LastPass, this next level comes in the form of their smartphone apps, which, as I am not a premium member, and do not have a smartphone, are beyond the scope of this review.  I did, as promised, pay for Xmarks Premium, however.

So what happens when you can't install the LastPass extension?  As it happens, I'm not allowed to install the LastPass extension on my work computer.  That's OK though, because LastPass has some very excellent bookmarklets that allow you to fill in login information, form data, or simply log you in (as in automatically fill login information and submit).
A bookmarklet is a piece of Javascript that is stored in a bookmark.  You drag a link to your bookmarks bar or right-click to add it.  LastPass creates bookmarklets especially for your account (probably because it's more secure that way), so you'll need to log in to get them.  Instructions are here.

Anyway, at work, I stuck the "LastPass Login!" bookmarklet in my bookmarks toolbar, logged in to LastPass, and viola!  Instant access to my passwords.  (Okay, I had to add to my third party cookies whitelist, but that isn't necessary unless you block third party cookies.)  You can't add login information or form data to the LastPass vault with the bookmarklets, but you can do that with the website.

LastPass behaves much like your browser's normal password saving feature.  When it detects something it can do, a bar will pop down from the top of the browser until you take an action or dismiss it.  LastPass puts its logo inside form and password fields that it wants to interact with.  You can also access the LastPass menu from a button installed in your toolbar.

If you choose to save some information, you are presented with more options:
Saving a site's login information with LastPass
More things that LastPass can do:
Stored password
  •  Store and fill shipping and contact information, credit card data, or any other specific form on the web.  After installing the plugin, LastPass had collected much of this information from saved form fields (not credit card numbers though, obviously).
  • Store passwords and other form data for sites that normally prevent your browser from storing the information.  One such site that blocks normal password saving is
  • Import passwords from browsers and just about anywhere they're stored (including KeePass).  It will export to Firefox if you decide to stop using it.
  • Store, retrieve, and print secure notes - something that might come in handy should the need arise.
  • Share selected passwords with another user - this is useful if I want to be able to log in to Google and Facebook on my wife's computer and we each have separate accounts (or if we share access to a credit card account and the credentials change).  If I update the password in my LastPass account, the correct password shows up in hers as well.
LastPass confused by a Facebook form
LastPass isn't perfect, but it's pretty good, and I've decided to use it going forward.  One drawback of Xmarks' password syncing was that if you had more than one saved password with the same user ID (or no user ID) for a site, Xmarks would refuse to sync your passwords until you had either deleted one of the passwords or created separate profiles for each of the passwords.  One reason you might have two passwords with no username is on sites such as, which save your username, but don't create an auto-filled form field for it and ask you to just re-enter your password.  LastPass handles this situation by giving you the option to select which credentials you want to use from a drop-down menu, or using keyboard shortcuts.