Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.


LastPass is a functional password manager with a slightly old-school interface, but a major 2022 security breach and poor disclosure handling make this industry stalwart one to avoid.


  • Wide range of account recovery options
  • Easy password sharing


  • Poor handling of recent security breaches
  • No true desktop clients
  • Free accounts must choose between mobile or desktop access

Key Features

  • SecuritySensitive data stored in LastPass is encrypted at the device level with AES-256 encryption
  • SharingFree users can share each password with one other LastPass user; paid users can share each password with one other plus an unlimited number of LastPass users; group sharing for family plans
  • Storage1GB encrypted attachment or secure file storage for paid subscribers


LastPass is one of the most popular password manager options, and previously ranked very highly in our Best Password Manager list.

However, a security breach in August 2022 has put its security credentials under scrutiny, especially its actions and behaviour in the months following the breach.

As a result, it’s difficult to recommend LastPass right now, and it will take a lot of effort from the company to restore confidence in its security.


A LastPass Premium account costs £31.20 per year, while a Families subscription gets you six accounts, plus admin tools that can help you reset any family member’s lost master password for £40.80 a year.

LastPass was once famous for its very capable free tier, but its features have been gradually pared away in an effort to prompt free users to start coughing up subscription fees.

Free users can still store an unlimited number of passwords, and access them from theoretically unlimited number of devices, but all of those devices have to be of the same type. This means that free account holders have to choose between accessing LastPass via browser extensions on a computer, or via one of its mobile apps on a smartphone or tablet.

On a free account, you’re also limited to only one-to-one (rather than one-to-many) password sharing, can’t set an emergency access contact, or use Yubikey tokens or fingerprint and smartcard readers as 2FA methods. However, free users now do get access to LastPass’s security dashboard with its password security assessment service, as well as dark web breach monitoring, which alerts you if your email address appears in any known breaches. Passwordless vault login using LastPass Authenticator is available for free, as well as paying subscribers.

Paying users also get 1GB of encrypted attachment or secure file storage and access to individual support, but the key incentive to subscribe is definitely having access to your passwords on your phone, as well as in your web browser – or vice versa if you’re a mobile-first user.


  • Suffered a security breach in August 2022
  • LatPass’ communication has been evasive and vague
  • Published a list of future remediations and improvements

LastPass was the first password manager to gain mass appeal, but this has made it a ripe target for breach and exploitation efforts.

This resulted in an August 2022 breach in which a hacker accessed the company’s development environment, followed by a November incident in which data from the first breach was used to obtain an unencrypted customer database and mostly-encrypted password vaults. While LastPass promptly announced the breaches, it either massively underestimated or significantly downplayed the extent of the data loss in its public communications.

Usernames, passwords and secure notes in this data set were encrypted, but Lastpass doesn’t encrypt some data in the vault, notably URLs. The encrypted fields are secured with 256-bit AES encryption, using a key derived from each user’s master password, and LastPass doesn’t even have the keys to lose, as it operates on an industry-standard zero-knowledge basis.

However, having the vault data available, even encrypted, means that a bad actor can take their time attempting to crack passwords using brute force. That remains a virtually impossible task if the data was encrypted with a strong, long passphrase, but if a weak master password was used, or if the master password was reused and had already been exposed in another breach, a customer’s entire vault could potentially be compromised.

Further announcements followed in December 2022, and January, February and March 2023, but the language used in these official communications was consistently evasive and vague. Getting hacked is more or less an inevitable consequence of running an online service.

What’s really telling is how a company handles that, from preventative security to minimise the impact on customers to honestly and openly communicating a breach and its potential consequences. Lastpass has failed to impress on any of these fronts.

To its credit, LastPass has published a relatively clear list of ongoing and future remediations and improvements to its security, and has taken steps such as increasing the number of encryption iterations applied to master passwords of older, existing accounts to effectively create a new, more secure encryption key. Updates since March have been thin on the ground, though.

The company has advised customers to change their master passwords – and you definitely should if you’ve not done so since August 2022. However, if you’re an existing LastPass user, I recommend switching to an alternative password manager – Bitwarden and 1Password are strong choices, while KeePass databases are great if you’d rather take full responsibility for your own data security.


  • Superb for password sharing
  • Wide range of recovery options
  • Lacks a desktop app

Sharing remains LastPass’s strongest features. If you’ve only got a free account you can share each password with at least one other LastPass user. Paying subscribers can share multiple passwords with as many other paying or free LastPass users as they like.

Although LastPass operates on a zero knowledge basis, which means that only you know your master password, the service has an unusually wide range of recovery options in case you forget it. A one-time recovery password is automatically created by every LastPass app or extension, making each installation a potential recovery route, even if it’s no longer logged in. This works in tandem with LastPass’s SMS account recovery pathway.

Other options include mobile account recovery, user-generated One-Time Passwords, and master password reversion to the previous password within 30 days of a password change, with the caveat that all new vault entries since the change will be deleted.

LastPass doesn’t have a proper desktop app at a time when most of its rivals have embraced cross-platform, standalone clients to make it easier to fill and store passwords in places other than the browser. There’s a poorly rated Windows Store app, but this isn’t even advertised on LastPass’s own website. The lack of a standalone application is a relatively minor inconvenience – all you have to do is open your web vault in your browser and copy passwords from there. Nevertheless, it falls short of the smooth experience of using dedicated apps such as those provided by Bitwarden or KeePass.

As well as storing passwords and payment cards, LastPass can also automatically store and fill a range of other information, including your bank details and addresses, as well as providing somewhere to store details or identity documents, software licences and addresses.

LastPass web vault
Image Credit (Trusted Reviews)

The Vault interface hides some of these data types when you’re creating an entry, hiding useful content behind extra pull-downs. Similarly hidden is the ability to create separate “identities”, which can be used to replicate 1Password’s famous Travel mode, as only passwords associated with your currently selected identity will be available in your active vault and therefore subject to inspection by security officials. The feature also allows you to keep home and work passwords well separated from each other.

Its default security behaviour is clearly aimed at users who value convenience over security or only use a personal, secure desktop device that no-one else has access to. Once logged in, the LastPass browser has no default logout period set for either inactivity or browser restart, while the LastPass Vault’s default log-out period is two weeks. Similarly, LastPass only recently changed the default length of its generated passwords from 12 to a more secure 16 characters.

Some of these choices are frustratingly insecure, but at least you can change it via LastPass’s highly configurable range of logout options in both the Vault and the browser extension. There are some very handy options, including requiring a master password on attempt to access specific identities in the Vault, or on a range of other behaviour, including in-browser autofilling. If you use 2FA, specific devices can be set to trusted, requiring multifactor re-authentication only every 30 days.

LastPass is, however, very twitchy about logins on a new device or from a new location, by default requiring an email to be acknowledged before they’re allowed – VPN users might find this irritating, but it’s nice to get a warning, at least.

LastPass supports passwordless logins including biometric unlock on both browsers and mobile devices and a master password unlock via prompt from the LastPass mobile app.

Although the company’s enterprise subscriptions have offered an integrated TOTP authenticator in the password manager itself (as opposed to a separate LastPass Authenticator app) since 2020, this still hasn’t yet rolled out to personal users.

Latest deals

Should you buy it?

If you’re an existing user: For web users, LastPass’s convenience is legendary. While its default settings could be more secure, they certainly make for a frictionless user experience, and its wide range of password reset options also stand out from the crowd.

If you’re looking for a new password manager: LastPass offers a fantastic range of security options, but most of these are buried in menu options, rather than enabled by default or made clearly visible, so they’re easy to miss.

Final Thoughts

Before I can return to recommending its password manager, LastPass must demonstrate a commitment to improved security and, in particular, to swift and accurate communication with its users.

Stronger default security settings on the apps and plugins would also be welcome. A proper desktop app and some updates to the vault interface wouldn’t hurt, either, but are hardly a priority under the circumstances.

In the meantime, I recommend checking out alternatives such as Bitwarden and 1Password instead. Check out our Best Password Manager guide for even more options.

Trusted Score
rating-star rating-star rating-star rating-star rating-star

Sign up for the Trusted Reviews Newsletter

How we test

We test each password manager ourselves on a variety of computer and mobile operating systems. We carry out comparative feature analysis against industry standards and rival products, and test security and convenience settings such as default logout behaviour and offline access.

We used for at least a week.

Tested all of the available features.


Can your LastPass be hacked?

LastPass has previously been hacked and it’s possible that it could happen again. However, LastPass claims there is no reason to believe that hackers will be able to access customer data.

Is LastPass free or paid?

LastPass offers both a free and paid-for tier.

What is a zero-knowledge password?

Password managers and some other online services use zero-knowledge architecture, which means that they never know or store your master password. All encryption and decryption of secure data using it is carried out on your PC.

Why trust our journalism?

Founded in 2003, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.