
I recently started using a password manager, specifically LastPass. I have understood how the app works internally to store, encrypt and give me access to my passwords. My question, which does not feel intuitive to me, is what the best policy is for creating a login for the app.

Of course I need to use an email account to create the LastPass account. My concern is that if I use LastPass to store my login credentials for that email account, then forgetting my master password means that I have no access to my email. And no access to my email equals no way to recover my LastPass account. On the other hand, if I keep my email login independent, then my LastPass account is as safe as my email password.

Should my email and LastPass accounts have 2 different strong passwords, the same password, or let LastPass create a login for my email? The first choice makes it harder to remember two different complex passwords. The other two choices have obvious drawbacks in case you need password recovery.

  • LastPass only keeps the password to your email account, and nothing prevents you from entering that password manually when logging in to your email account. Forgetting the master password in effect denies you access to your LastPass database of form-fills & passwords, but does not block any of the services whose forms & passwords you have stored in LastPass. Or have I misunderstood your question?
    – harrymc
    Commented Dec 11, 2018 at 13:03

2 Answers


LastPass only keeps the password to your email account, and nothing prevents you from entering that password manually when logging in to your email account.

Forgetting the master password in effect denies you access to your LastPass database of form-fills & passwords, but does not block any of the services whose forms & passwords you have stored in LastPass.

It is still a good idea to keep the password somewhere safe and to define a good hint (which is absolutely not identical to the password). If LastPass is hacked, which did happen in the past, then only your hint is compromised.

The data LastPass keeps for you is encrypted and without your password it is unusable to anyone who hacks the LastPass website and gets it.

I am very much against reusing passwords, so I would not advise reusing the same password for LastPass as for your email. An attacker would only need to crack one password to gain access to multiple accounts of yours.

LastPass offers the option of generating the password per site. This I also don't like, since these passwords are long and without meaning, so they are impossible to remember. This means that you may only access your email using LastPass, and need to install it on every device where you want to consult your email.

You can easily create memorable passwords for websites by embedding parts of their names in a sentence that is easy to remember. For example, "++this is my password for superuser of the com domain!!" is easy to remember but impossible to crack mechanically. LastPass then will make login easier, but will not be essential or irreplaceable.

  • I have understood how LastPass encrypts my data and that I can actually type in manually the passwords it stores. The thing I'm looking for an answer to is which policy is considered better in terms of security and usability. Password managers have a catch phrase in the style of "one big password is enough". Should my email and LastPass accounts have the same password, 2 different strong passwords, or let LastPass create a login for my email? All three choices have obvious drawbacks in case you need password recovery. Commented Dec 13, 2018 at 11:10
  • I added some discussion of these options.
    – harrymc
    Commented Dec 13, 2018 at 11:22
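The answer above rests on two properties of a vault-style password manager: the stored data is unusable without the master password, and only the hint is kept in the clear. The following is an added example, written for this page and not LastPass's own code or construction, that models that design with the Python standard library. It stretches the master password with PBKDF2-HMAC-SHA256 (the 100,000 iteration count is an assumed value, not LastPass's setting), encrypts the entries with an HMAC-based counter-mode keystream plus an HMAC tag as a stand-in for a real AEAD such as AES-GCM, stores the hint beside the ciphertext, and also shows the kind of random per-site password the answer mentions. A wrong master password fails the tag check rather than yielding garbage, and the generated per-site password can still be typed by hand once read out of the decrypted vault.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Assumed parameters for this illustration; they are not LastPass's actual settings.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
NONCE_LEN = 16


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key.

    PBKDF2 makes every guess cost PBKDF2_ITERATIONS HMAC evaluations, which is
    what slows down whoever steals a copy of the encrypted vault.
    """
    okm = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for a real
    # AEAD (AES-GCM) so the example runs without third-party packages.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, entries: dict, hint: str) -> dict:
    """Produce the blob a server would hold: ciphertext, tag, salt, nonce and the plaintext hint."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # Only the hint is stored in the clear; everything else is unusable without
    # the master password, even to whoever holds the server's copy.
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex(), "hint": hint}


def decrypt_vault(master_password: str, blob: dict) -> dict:
    """Recover the entries, or raise ValueError on a wrong password or a tampered blob."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def generate_site_password(length: int = 24) -> str:
    """A random per-site password of the kind the manager offers to generate."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo() -> dict:
    # Constructed sample vault: one entry for a hypothetical mail provider.
    entries = {"mail.example.com": {"user": "alice", "password": generate_site_password()}}
    master = "correct horse battery staple"
    blob = encrypt_vault(master, entries, hint="the xkcd one")
    recovered = decrypt_vault(master, blob)
    try:
        decrypt_vault("Correct horse battery staple", blob)  # one character off
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {
        "roundtrip_ok": recovered == entries,
        "wrong_password_rejected": wrong_rejected,
        "hint_in_clear": blob["hint"],
        # The site password can be typed by hand once read from the vault.
        "site_password_len": len(recovered["mail.example.com"]["password"]),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the run makes concrete: the hint is the only field readable from the stolen blob, and the attacker's cost per master-password guess is one PBKDF2 derivation plus one tag check, which is why the master password itself must be strong and must not be reused anywhere the attacker could obtain it more cheaply.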

LastPass only stores your passwords; it isn't the only way to log in, even if you use a password generator. You can still manually enter your password into Gmail or Outlook without LastPass.

I would use my main email and still store it in LastPass, then write my email/master password down and lock it away in a safe.

Edit: I just realized that harrymc pretty much answered the question before me.
