We've been telling folks for years that you need to use a password manager to really protect your bank accounts, credit cards, and other important data, in combination with app-based two-factor authentication. But while we've talked about the general importance of these critical personal data security tools and others, it's been a while since we explained how a password manager works.
We'll use LastPass for Android as our example app, though Bitwarden and 1Password also come recommended. The setup process is pretty straightforward: Once you've downloaded and opened the app, it will show you a brief intro, and you swipe left to progress. Then tap on the red Sign Up button that shows up in the last part of the intro.
Enter the email address you want to use to log into LastPass and tap on Create My Account. On this next screen, you'll pick a "master" password; this protects your password manager account.
Note that, by design, only you will know what this password is, and LastPass will not be able to reset it for you if you lose or forget your login info. This helps to ensure that only you have access to your password library.
The password must be at least 8 characters long, can't be your email address, and it can't be "commonly used." So don't pull inspiration from your street address, birthdays, names of pets or children, phone numbers, anniversaries, or other data that can be found online.
This password library will be located in the cloud so that you can access it from multiple devices in multiple locations, so anyone who can guess your master password will get the login info for all the online accounts that you add to LastPass. The same applies to all other cloud-based password managers.
(If you prefer to keep your password library offline, KeePass is a great alternative desktop app, though the official version is Windows-only. Unofficial third-party versions for Android, iOS and other platforms can be found on the app's website.)
Next, the LastPass app will ask you if you want to use your phone's fingerprint sensor to log in, assuming it has one. If you're not guarding national secrets, then a fingerprint is a much speedier way to get into the app than typing your password every time.
If you want to go that route, tap on "Use fingerprint to unlock" and place your finger on the phone's sensor to confirm your choice. Then tap on "Go to my vault."
The AutoFill setting and how to use it
Next you'll be asked if you want to enable AutoFill. With this feature, LastPass will attempt to detect the presence of a login screen, and it will supply the login info that it thinks is a match. Tap on Next, tap on the radio button to the left of the LastPass entry, tap OK to confirm, and the app will now be set to watch for situations where you need to log into an app or website.
Note that only one password manager at a time can be granted this level of access, so if you're evaluating multiple apps of this type, it's probably best to test them one at a time as well.
If you are using Android 8 Oreo or 9 Pie, your AutoFill settings (accessible by tapping the hamburger menu in the upper left, then Settings in the lower left, then AutoFill) will have two sections: one for Oreo and later versions, and one for "legacy" apps that may have trouble recognizing when LastPass wants to make an AutoFill attempt.
We'd recommend leaving the Legacy section alone, until you encounter an app that has trouble with LastPass's AutoFill feature.
Other important app security settings
However, we do recommend diving into the Security section of the app's settings. Here you can tweak how accessible LastPass is when you're not actively using it. If you're using a fingerprint unlock, we recommend changing "Lock when app is idle" from 5 minutes to "Always," because unlocking with a fingerprint is fast and easy. We'd also recommend enabling "Lock when screen is turned off."
With this setup, if someone gets physical access to your phone while it's unlocked, they still have a few hurdles to jump through before they can get access to the app.
Note that the "Log out when app is idle" option will require you to type your password to regain access when that logout timer has expired. This is a good place to put a strict timer on the desktop browser add-on version of LastPass, but it can be a hassle on mobile devices unless you're pretty good with a virtual keyboard.
Once you're done tweaking the app's various settings to your liking, you should be ready to start adding usernames and passwords. If you already use a password manager and you want to switch to this one, LastPass has official instructions on its website.
Adding accounts to LastPass
The fastest way to add logins will actually happen via the LastPass desktop browser extensions for Mozilla Firefox or Google Chrome. That's because they will detect when you've logged into a website and offer to save that login to your LastPass account with one click.
If you stick to the mobile app, you'll need to either import your library from another password manager or enter your account info manually. On the bright side, once you have those accounts in LastPass, they'll get synced to wherever else you have LastPass installed, so each entry only needs to be created once.
If you need to manually create an entry for a pre-existing account, tap the hamburger menu, then Passwords, the "+" button in the bottom right, then Password. "Name" is just the label for the entry, not your username. The latter goes in the Username section.
The URL section is how a password manager recognizes a website where you have a pre-existing account, which triggers the AutoFill option. So for example, if your chosen website is Amazon, then the URL will be https://www.amazon.com. If you need to generate a new password for this account, tap the padlock encircled by an arrow.
The default password generation settings should be enough for most users, so you can just tap the Save button on the Generate Password window, and that will now be your password. If you check the "Favorite" box, that will put this account on a favorites list within the app, for easier accessibility. When you're done creating this entry, tap the Save button in the upper right.
Now when you go to a website or open an app where this login info is needed, LastPass's AutoFill feature should pop up and be able to enter your username and password with a tap.
On some occasions, a website or app isn't set up to recognize pasting, only typing. In that case, you may have to paste, delete a character, then enter that character again.
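To illustrate why the URL field matters, here is a sketch of host-based matching. It is an added example, not part of the original article and not LastPass's actual matching logic. The vault entries, the function names and the matching rule (exact host or true subdomain, HTTPS only for HTTPS entries) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault entries; the Amazon URL is the one used in the article.
VAULT = [
    {"name": "Amazon", "url": "https://www.amazon.com"},
    {"name": "Example Bank", "url": "https://login.examplebank.test"},
]


def base_domain(stored_url):
    """Host of the saved URL, with a leading 'www.' dropped (assumed rule)."""
    host = urlsplit(stored_url).hostname
    if host and host.startswith("www."):
        return host[4:]
    return host


def autofill_candidates(visited_url, vault=VAULT):
    """Names of the vault entries that may be offered on visited_url."""
    visited = urlsplit(visited_url)
    host = visited.hostname  # urlsplit lower-cases it and drops user:pass@
    if not host:
        return []
    matches = []
    for entry in vault:
        base = base_domain(entry["url"])
        if not base:
            continue
        # Never offer a login saved over HTTPS to a plain-HTTP page.
        if urlsplit(entry["url"]).scheme == "https" and visited.scheme != "https":
            continue
        # Exact host or a true subdomain. A substring test would also accept
        # "www.amazon.com.evil.test" and "notamazon.com".
        if host == base or host.endswith("." + base):
            matches.append(entry["name"])
    return matches


if __name__ == "__main__":
    for url in (
        "https://www.amazon.com/ap/signin",
        "https://www.amazon.com.evil.test/ap/signin",
        "http://www.amazon.com/",
    ):
        print(url, "->", autofill_candidates(url))
```

An AutoFill prompt that fails to appear on a page that looks like a saved site is a signal to check the address bar before typing the password by hand.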
Can you still get away with not using password managers or two-factor authentication?
Not for anything that remotely matters or contains your personal information, no. Two-factor authentication and password apps can be more awkward to use than manually typing a password, but your passwords are terrible, and even a great one won't protect you if your account security isn't backed up with a second factor.