
Verdict

LastPass is a functional password manager with a slightly old-school interface, but a major 2022 security breach and poor disclosure handling make this industry stalwart one to avoid.

Pros

  • Wide range of account recovery options
  • Easy password sharing

Cons

  • Poor handling of recent security breaches
  • No true desktop clients
  • Free accounts must choose between mobile or desktop access

Key Features

  • Security: Sensitive data stored in LastPass is encrypted at the device level with AES-256 encryption
  • Sharing: Free users can share each password with one other LastPass user; paid users can share each password one-to-one or with an unlimited number of LastPass users; group sharing for family plans
  • Storage: 1GB encrypted attachment or secure file storage for paid subscribers

Introduction

LastPass is one of the most popular password manager options, and previously ranked very highly in our Best Password Manager list.

However, a security breach in August 2022 has put its security credentials under scrutiny, especially its actions and behaviour in the months following the breach.

As a result, it’s difficult to recommend LastPass right now, and it will take a lot of effort from the company to restore confidence in its security.

Pricing

A LastPass Premium account costs £31.20 per year, while a Families subscription gets you six accounts, plus admin tools that can help you reset any family member’s lost master password for £40.80 a year.

LastPass was once famous for its very capable free tier, but its features have been gradually pared away in an effort to prompt free users to start coughing up subscription fees.

Free users can still store an unlimited number of passwords, and access them from a theoretically unlimited number of devices, but all of those devices have to be of the same type. This means that free account holders have to choose between accessing LastPass via browser extensions on a computer, or via one of its mobile apps on a smartphone or tablet.

On a free account, you’re also limited to one-to-one (rather than one-to-many) password sharing, can’t set an emergency access contact, and can’t use YubiKey tokens or fingerprint and smartcard readers as 2FA methods. However, free users now do get access to LastPass’s security dashboard with its password security assessment service, as well as dark web breach monitoring, which alerts you if your email address appears in any known breaches. Passwordless vault login using LastPass Authenticator is available to free as well as paying subscribers.

Paying users also get 1GB of encrypted attachment or secure file storage and access to individual support, but the key incentive to subscribe is definitely having access to your passwords on your phone, as well as in your web browser – or vice versa if you’re a mobile-first user.

Security

  • Suffered a security breach in August 2022
  • LastPass’s communication has been evasive and vague
  • Published a list of future remediations and improvements

LastPass was the first password manager to gain mass appeal, but this has made it a ripe target for breach and exploitation efforts.

This resulted in an August 2022 breach in which a hacker accessed the company’s development environment, followed by a November incident in which data from the first breach was used to obtain an unencrypted customer database and mostly-encrypted password vaults. While LastPass promptly announced the breaches, it either massively underestimated or significantly downplayed the extent of the data loss in its public communications.

Usernames, passwords and secure notes in this data set were encrypted, but LastPass doesn’t encrypt some data in the vault, notably URLs. The encrypted fields are secured with 256-bit AES encryption, using a key derived from each user’s master password, and LastPass doesn’t even have the keys to lose, as it operates on an industry-standard zero-knowledge basis.

However, having the vault data available, even encrypted, means that a bad actor can take their time attempting to crack passwords using brute force. That remains a virtually impossible task if the data was encrypted with a strong, long passphrase, but if a weak master password was used, or if the master password was reused and had already been exposed in another breach, a customer’s entire vault could potentially be compromised.

Further announcements followed in December 2022, and January, February and March 2023, but the language used in these official communications was consistently evasive and vague. Getting hacked is more or less an inevitable consequence of running an online service.

What’s really telling is how a company handles that, from preventative security that minimises the impact on customers to honestly and openly communicating a breach and its potential consequences. LastPass has failed to impress on any of these fronts.

To its credit, LastPass has published a relatively clear list of ongoing and future remediations and improvements to its security, and has taken steps such as increasing the number of encryption iterations applied to master passwords of older, existing accounts to effectively create a new, more secure encryption key. Updates since March have been thin on the ground, though.
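The security section above makes two linked points: a stolen vault can be attacked offline by guessing master passwords, and raising the number of key-derivation iterations makes every guess more expensive. The script below is an added illustration of that arithmetic, not code from LastPass or from this review. It assumes the vault key is derived with PBKDF2-HMAC-SHA256 (a common choice for password managers; the review does not state LastPass’s exact scheme), and the two iteration counts it compares are illustrative placeholders, not LastPass’s actual values.

```python
"""Added example: how master-password strength and the PBKDF2 iteration count
decide how long a stolen, still-encrypted vault stays safe.

Assumptions (the review gives no parameters, so these are labelled):
- the vault key is PBKDF2-HMAC-SHA256 over the master password;
- an attacker must run the full derivation once per guess;
- LOW_ITERATIONS / HIGH_ITERATIONS are illustrative, not LastPass's values.
"""
import hashlib
import hmac
import math
import os
import time

KEY_LEN = 32               # 256-bit key, the AES-256 key size the review mentions
LOW_ITERATIONS = 5_000     # illustrative "older account" count (assumption)
HIGH_ITERATIONS = 600_000  # illustrative "raised" count (assumption)


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into the key that encrypts the vault fields.
    The salt is stored alongside the vault and is not secret; only the
    password is. More iterations mean more work for every derivation."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def key_matches(candidate: str, salt: bytes, iterations: int, expected_key: bytes) -> bool:
    """Constant-time comparison of a candidate password's key against the real
    one: this is what the client does at unlock, and what one offline guess
    costs an attacker who holds the vault."""
    return hmac.compare_digest(derive_vault_key(candidate, salt, iterations), expected_key)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure one derivation on this machine: the cost of a single guess."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(search_space: float, secs_per_guess: float,
                           parallel_guessers: int = 1) -> float:
    """Expected time to hit the right password: half the space on average,
    divided across however many machines the attacker can bring to bear."""
    return (search_space / 2) * secs_per_guess / parallel_guessers


def main() -> None:
    salt = os.urandom(16)
    key = derive_vault_key("correct horse battery staple", salt, LOW_ITERATIONS)
    assert key_matches("correct horse battery staple", salt, LOW_ITERATIONS, key)
    assert not key_matches("Correct horse battery staple", salt, LOW_ITERATIONS, key)

    # Constructed scenarios: a reused password already in a breach list,
    # a short lowercase password, and a long random one.
    scenarios = {
        "reused, in a 10M-entry breach list": 10_000_000,
        "8 lowercase letters":  2 ** password_entropy_bits(8, 26),
        "16 printable ASCII":   2 ** password_entropy_bits(16, 94),
    }
    for iterations in (LOW_ITERATIONS, HIGH_ITERATIONS):
        cost = seconds_per_guess(iterations)
        print(f"\n{iterations:>8,} iterations: {cost*1000:.2f} ms per guess on this CPU")
        for label, space in scenarios.items():
            years = expected_crack_seconds(space, cost, parallel_guessers=1000) / 31_557_600
            print(f"  {label:<36} ~{years:.3g} years with 1,000 guessers")


if __name__ == "__main__":
    main()
```

The point the numbers make is the one the review makes in words: a higher iteration count multiplies the attacker’s cost, but it cannot rescue a master password that is short or already sitting in a breach list, because the search space for those is small regardless of how slow each guess is.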

The company has advised customers to change their master passwords – and you definitely should if you’ve not done so since August 2022. However, if you’re an existing LastPass user, I recommend switching to an alternative password manager – Bitwarden and 1Password are strong choices, while KeePass databases are great if you’d rather take full responsibility for your own data security.

Features

  • Superb for password sharing
  • Wide range of recovery options
  • Lacks a desktop app

Sharing remains LastPass’s strongest feature. If you’ve only got a free account you can share each password with at least one other LastPass user. Paying subscribers can share multiple passwords with as many other paying or free LastPass users as they like.

Although LastPass operates on a zero-knowledge basis, which means that only you know your master password, the service has an unusually wide range of recovery options in case you forget it. A one-time recovery password is automatically created by every LastPass app or extension, making each installation a potential recovery route, even if it’s no longer logged in. This works in tandem with LastPass’s SMS account recovery pathway.

Other options include mobile account recovery, user-generated One-Time Passwords, and master password reversion to the previous password within 30 days of a password change, with the caveat that all new vault entries since the change will be deleted.

LastPass doesn’t have a proper desktop app at a time when most of its rivals have embraced cross-platform, standalone clients to make it easier to fill and store passwords in places other than the browser. There’s a poorly rated Windows Store app, but this isn’t even advertised on LastPass’s own website. The lack of a standalone application is a relatively minor inconvenience – all you have to do is open your web vault in your browser and copy passwords from there. Nevertheless, it falls short of the smooth experience of using dedicated apps such as those provided by Bitwarden or KeePass.

As well as storing passwords and payment cards, LastPass can also automatically store and fill a range of other information, including your bank details and addresses, and provides somewhere to store details of identity documents and software licences.

[Image: LastPass web vault. Image credit: Trusted Reviews]

The Vault interface hides some of these data types when you’re creating an entry, hiding useful content behind extra pull-downs. Similarly hidden is the ability to create separate “identities”, which can be used to replicate 1Password’s famous Travel mode, as only passwords associated with your currently selected identity will be available in your active vault and therefore subject to inspection by security officials. The feature also allows you to keep home and work passwords well separated from each other.

Its default security behaviour is clearly aimed at users who value convenience over security, or who only use a personal, secure desktop device that no-one else has access to. Once logged in, the LastPass browser extension has no default logout period set for either inactivity or browser restart, while the LastPass Vault’s default log-out period is two weeks. Similarly, LastPass only recently changed the default length of its generated passwords from 12 to a more secure 16 characters.

Some of these choices are frustratingly insecure, but at least you can change them via LastPass’s highly configurable range of logout options in both the Vault and the browser extension. There are some very handy options, including requiring a master password on any attempt to access specific identities in the Vault, or for a range of other actions, including in-browser autofilling. If you use 2FA, specific devices can be set as trusted, requiring multifactor re-authentication only every 30 days.

LastPass is, however, very twitchy about logins on a new device or from a new location, by default requiring an email to be acknowledged before they’re allowed – VPN users might find this irritating, but it’s nice to get a warning, at least.

LastPass supports passwordless logins including biometric unlock on both browsers and mobile devices and a master password unlock via prompt from the LastPass mobile app.

Although the company’s enterprise subscriptions have offered an integrated TOTP authenticator in the password manager itself (as opposed to a separate LastPass Authenticator app) since 2020, this still hasn’t yet rolled out to personal users.


Should you buy it?

If you’re an existing user: For web users, LastPass’s convenience is legendary. While its default settings could be more secure, they certainly make for a frictionless user experience, and its wide range of password reset options also stand out from the crowd.

If you’re looking for a new password manager: LastPass offers a fantastic range of security options, but most of these are buried in menu options, rather than enabled by default or made clearly visible, so they’re easy to miss.

Final Thoughts

Before I can return to recommending its password manager, LastPass must demonstrate a commitment to improved security and, in particular, to swift and accurate communication with its users.

Stronger default security settings on the apps and plugins would also be welcome. A proper desktop app and some updates to the vault interface wouldn’t hurt, either, but are hardly a priority under the circumstances.

In the meantime, I recommend checking out alternatives such as Bitwarden and 1Password instead. Check out our Best Password Manager guide for even more options.


How we test

We test each password manager ourselves on a variety of computer and mobile operating systems. We carry out comparative feature analysis against industry standards and rival products, and test security and convenience settings such as default logout behaviour and offline access.

We used it for at least a week.

Tested all of the available features.

FAQs

Can your LastPass account be hacked?

LastPass has previously been hacked and it’s possible that it could happen again. However, LastPass claims there is no reason to believe that hackers will be able to access customer data.

Is LastPass free or paid?

LastPass offers both a free and paid-for tier.

What is a zero-knowledge password?

Password managers and some other online services use zero-knowledge architecture, which means that they never know or store your master password. All encryption and decryption of secure data using it is carried out on your PC.
