LastPass is one of the most popular and well-known password managers around – but does it live up to its name? In this LastPass review we’re going to put it under the microscope to answer that question.
Additionally, we’re going to examine the history and security of LastPass, including previous security breaches that alarmed its user base.
Can LastPass still be trusted with your private data? Is it one of the best password managers – or has it been eclipsed by competitors?
Keep reading this LastPass review to find out.
- Passwords encrypted locally
- Automatic sync between all devices
- Built-in walkthroughs for new users
- Data encrypted in transit and at rest
- Single and multi-user accounts
- 1 GB encrypted file storage (paid accounts)
- Supports 2FA
- Complies with GDPR
- Third-party audit of internal processes conducted
- Difficult to contact support personnel
- Poor quality responses even for priority support
- Large recent price increase for premium plan
- Based in, and data stored in, United States
- Collects and shares some user data
- Can be compelled to disclose user data
LastPass features summary
Here’s a quick summary of the full set of LastPass features, some of which are only available on paid versions of the product:
- Supported platforms include macOS, Android, iOS, and major browsers
- Data encrypted in transit and at rest
- Secure Password Generator
- Secure Password Sharing
- Reports & Analysis
- Form Filling
- 2FA and Multi-factor Authentication Support
- Password Import/Export
- AES-256 and PBKDF2 Encryption
- Encrypted File Storage
- Synchronizes across all your devices and browsers
- Emergency Access
- LastPass Authenticator
- LastPass for Applications
LastPass core features (available for free users)
Here are the core features of LastPass, the ones that you have access to in the free versions of the product. You have the ability to:
- Store passwords, secure notes, addresses, credit card info, bank accounts
- Securely sync passwords between all your devices
- Save & fill passwords
- Secure password generator
- Secure notes
- Two-factor authentication
- Security challenge
- One-to-one sharing of data
- LastPass authenticator
Note: I’ll cover the other versions of LastPass and their additional features a bit later in this review. But first, let’s talk about some background information that will help you decide if you should read further.
Company information (Who owns LastPass?)
LastPass has been storing passwords for the world since August 2008. In October 2015, LastPass was acquired by LogMeIn, Inc.
LogMeIn is a public company, based in the United States, and listed on the NASDAQ stock exchange, with annual revenue of over $1 billion. If you are concerned about trusting your data to a small company with not much revenue and just a few employees, that won’t be a concern here.
Then, in December 2019, LogMeIn officially announced that it was being acquired by US private equity firms. From their press release:
LogMeIn, Inc., a leading provider of cloud-based connectivity, today announced that it has entered into a definitive agreement (or the “Agreement”) to be acquired in a transaction led by affiliates of Francisco Partners, a leading technology-focused global private equity firm, and including Evergreen Coast Capital Corporation (“Evergreen”), the private equity affiliate of Elliott Management Corporation (“Elliott”), for $86.05 per share in cash. The all-cash transaction values LogMeIn at an aggregate equity valuation of approximately $4.3 billion.
Is it good that LogMeIn has been acquired by US private equity firms? Time will tell, but this matches up with the trend we’ve been seeing of privacy services selling out to various entities:
- Private Internet Access was acquired by Kape Technologies
- Startpage accepted a large investment from System1 (an ad tech company)
But this is not surprising, given the increasing concerns over data protection, identity theft and fraud, and other alarming cybersecurity statistics. People are spending more money on these services, hence the growth – but back to the LastPass review.
LastPass Terms of Service
Since LastPass was purchased by LogMeIn, the applicable Terms of Service (TOS) is the LogMeIn document. It is general in that it covers all the many services they offer. It is also pretty dense legalese. Here’s what I got out of it (but I’m not a lawyer).
The Terms of Service seem pretty standard. There is one point that some people may be leery of. The company states that,
If necessary and in accordance with applicable law, we will cooperate with local, state, federal and international government authorities with respect to the Services.
Since the company is based in the United States, a Five Eyes surveillance country, your data may be accessible to various US agencies in accordance with US law. Because the vault is encrypted on your device with a key derived from your master password, and LogMeIn does not hold that key, the vault contents themselves cannot be handed over in readable form. What the company can produce is the unencrypted account data it does hold: your email address, the connection and device data listed below, and, as discussed later in this review, the URLs of the sites in your vault.
This isn’t anything out of the ordinary, however, as it also affects secure email services. For example, ProtonMail was also forced to comply with lawful data requests, but because emails are stored encrypted at rest, there’s not much that can be gained anyway.
That said, the LastPass code is not open source, unlike Bitwarden, for example. You therefore have to take the company’s word that it cannot read your data and that there is nothing fishy going on, such as backdoors or exploitable weaknesses in the client.
LogMeIn also collects some data about you and your devices when you use the service, including:
- Your device type
- Operating System and version
- The device UDID (Unique Device IDentifier)
- The IP Address you connect from
- Location information
- Language settings
- Other diagnostic data
They use this data to run their services, and may share it with third parties or as required by law. If this data gathering is of concern, I suggest you visit our Privacy Tools page to learn how to better secure your data. Additionally, our guides on secure browsers and the best VPN services are also useful in this regard.
LastPass and other LogMeIn services have been subjected to a type of third-party audit. The LastPass audit was conducted in 2018 by Tevora Business Solutions.
This audit, titled, “SOC 3® – Reporting on Controls at a Service Organization,” was designed to examine whether the company’s internal controls meet specified Trust Service Principles as defined by the AICPA (American Institute of Certified Public Accountants). The report is meant to show that the security, availability, processing integrity, confidentiality, and privacy controls at LogMeIn meet those principles. The results of the audit were that in the opinion of the auditors, the controls within LogMeIn’s Identity and Access Management System were,
…effective throughout the period September 1, 2017 to August 31, 2018, to provide reasonable assurance that LogMeIn IAM’s service commitments and system requirements were achieved based on the applicable trust services criteria is fairly stated, in all material respects.
This is good information, in that it tells us that a third-party auditor feels that LogMeIn has good internal procedures. However, it is important to realize that this is a very different type of audit than the type conducted for products like Bitwarden.
The Bitwarden audit, conducted by security firm Cure53, involved white box penetration testing, source code auditing, and a cryptographic analysis of Bitwarden’s code and its resistance to attack. That type of audit is the gold standard because it tests the product itself rather than the company’s processes; Cure53 has also performed such audits for VPN services, such as ExpressVPN.
Ideally, a company would conduct regular audits against both internal and external threats. Realistically, however, any audit is better than nothing, although it would be better to see the bar raised in this area.
LastPass offers a full range of apps (clients) and extensions for you to use. These include apps and extensions for:
- Desktop apps for Windows, macOS, and Linux
- Mobile apps for Android and iOS (iPhones and iPads)
- Browser extensions for Chrome, Firefox, Safari, Internet Explorer, Opera, Microsoft Edge, and Chromium browsers (including Brave)
You can see all of the different apps and extensions for LastPass here.
LastPass hands-on testing and review
For this LastPass review, I am concentrating on the Free (Personal) plan. This plan should be sufficient for most people. We’ll look at installing and using the LastPass extension on the Brave browser.
Installing the LastPass extension and creating an account
You install LastPass like any typical browser extension, through the web store. Once you have the LastPass extension installed, clicking it opens a window like the one below so you can create an account.
Click the Create an account link at the bottom of the window and LastPass will guide you through the signup process. You’ll need to enter a valid email address to complete the account creation process. LastPass will send a confirmation message to that address, and once you confirm it you will be ready to go.
Adding login credentials to LastPass
One of the nice features of LastPass is the walkthroughs that it provides for new users. You’ll encounter one right after you get LastPass set up. It offers to help you store your first set of login credentials, and also allows you to log in through a third-party account. It just takes a moment, and by the time you are done, you’ll be ready to enter passwords yourself.
With the LastPass extension installed and active, simply log into sites normally. If the site credentials are not already stored in LastPass, it will pop up a box similar to the one below, allowing you to add the site’s credentials to the vault with one click.
What if you are switching from a different password manager, and aren’t excited about the idea of manually reentering all the passwords you have stored in another product?
Fortunately, LastPass can import data from many other password managers. However, the process can be a bit complicated. If you are considering switching to LastPass from another password manager, you can visit this page and see what’s involved for your particular case.
Working with your passwords
Once you add some login credentials, your LastPass vault will look something like this:
When you hover the mouse over one of these items, LastPass displays your options for that item. This makes for a clean and attractive view of your vault’s contents.
While LastPass is primarily used for passwords, it can handle far more than just login credentials. It supports these data types:
- Payment cards
- Bank accounts
- Wi-Fi passwords
The vault entry for each type is structured to have fields for all the relevant data. For example, here is what the “Add bank account” form looks like:
Now let’s see how to modify data you’ve stored in the vault.
Editing your data
LastPass stores an encrypted copy of the vault on each of your devices, in addition to the copy that is stored on their servers. This allows you to view your vault whether you are online or not. However, when you are not online, you can only view the local copy of the vault; you cannot edit it.
If you want to edit the data in your vault (and are online), you can simply click Open My Vault in the LastPass extension. This opens your vault in a new tab of your browser.
LastPass password manager in action
LastPass tries to make using your stored passwords easy. Once you get to the login page of a site that LastPass knows, it inserts itself into the relevant fields, like this:
Clicking that icon causes LastPass to display a box with the credentials it has for this page. Click an entry to tell LastPass to enter that data into the fields it recognizes.
Do you see the little number in the bottom-right corner of the LastPass icon? That indicates the number of entries LastPass has for this page. If a number greater than one appears here, LastPass will display a list of all the relevant logins that you can choose from.
Generate secure passwords with LastPass
Once you have a password manager to remember things for you, you can use long, complex passwords for everything. LastPass includes a secure password generator that can create those long complex passwords for you. To use it, click the extension, then select the Generate Secure Password option.
The password generator looks like this:
It is set to create strong passwords by default, although I would suggest you increase the password length to at least 16 characters for more security; each extra character adds more strength than an extra symbol class does.
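To make the length recommendation concrete, here is an added example of how a password generator of this kind works and how to estimate the strength of what it produces. It is not LastPass’s code; the character classes, the symbol set and the guessing rate of 10 billion guesses per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes the generator draws from (assumed set; LastPass's own
# symbol list may differ).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "symbol")

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=16, classes=DEFAULT_CLASSES):
    """Return a random password of `length` characters containing at least one
    character from every requested class. Uses `secrets` (a CSPRNG); the
    `random` module is predictable and must not be used for secrets."""
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    # Guarantee class coverage: one character from each class, then fill the rest.
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # CSPRNG-driven Fisher-Yates shuffle so the forced characters do not
    # always sit at the front (a fixed position would leak structure).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def covers_all_classes(password, classes=DEFAULT_CLASSES):
    """True if the password contains at least one character from each class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def entropy_bits(length, classes=DEFAULT_CLASSES):
    """Upper bound on guessing entropy for a uniformly random password:
    log2(alphabet_size ** length). Class coverage removes a negligible
    fraction of the space at these lengths."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every password at the assumed guessing rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for n in (8, 12, 16, 20):
        print(n, generate_password(n), f"{entropy_bits(n):.0f} bits",
              f"{years_to_exhaust(entropy_bits(n)):.2e} years")
```

With the assumed 76-character alphabet, an 8-character password is about 50 bits and falls to the assumed guessing rate in hours, while 16 characters is about 100 bits, which is far beyond brute force. Note that this only holds for passwords the generator produced; a human-chosen 16-character phrase has much less entropy than the formula suggests.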
Increasing LastPass security
Speaking of increasing the security of your data, there are two other options available in the Free version of LastPass.
The first is Multi-factor authentication. LastPass supports a range of different hardware and software-based authenticators. You can find all the options on this page.
The other tool LastPass offers is their Security Challenge. This is an automatic analysis of the data in your vault. It does things like check to see if any of the email addresses in the vault are associated with a website that may have been hacked. It also detects and helps you update:
- Weak passwords
- Reused passwords
- Old passwords
This is definitely a useful tool that you can reach through the Account Options submenu in the browser extension.
Sharing passwords and other data
LastPass allows you to securely share data with other people. The Free version supports sharing with one other person. The LastPass Sharing Center is where you can manage shared items. You can find out how it works here.
Additional LastPass features
We’ve been concentrating on the core features (the ones included in the free version) of LastPass so far. But depending on your situation, you may find that you need one or more of the features that are only available in paid versions.
To help you decide if you need more than the basics, I’ve compiled short descriptions of the most interesting features below.
Emergency access exists to give another user complete access to your LastPass data, if something should happen to you.
LastPass for applications
LastPass for Applications (LastApp) is a Windows desktop app that has access to your LastPass Vault. It can enter your passwords into desktop apps for you.
1 GB of encrypted file storage
This increases the available vault space for secure notes from 50 MB to 1 GB.
Family manager dashboard
The LastPass Families plan allows you to have up to six users for one account. The Family Manager Dashboard is the control center for this.
LastPass Teams allows you to manage up to 50 users with one account. This includes team policies and simple reporting.
Password management for the entire enterprise, from onboarding to automated reporting, administrative controls, and more. The complete breakdown is here.
The LastPass Customer Support pages have lots of information that lets you resolve many problems without contacting the Support team. This is good since it is fairly hard to contact a live support person. The chat system is a bot that isn’t great at answering questions, and unless you have a plan with Priority Support, you will need to wade your way through some possible solutions before the site will offer you the chance to email a technician.
I’ve not had any problems with LastPass Support. However, the majority of comments about the company on sites like ConsumerAffairs.com complain about the difficulty of finding a way to contact Support, along with slow and/or not-very-useful responses even for people with Premium Support.
LastPass security (Still trustworthy after multiple hacks?)
LastPass encrypts your vault on your device with AES-256, using a key derived from your master password with PBKDF2-SHA256 and a per-user salt; what is sent to the server for login is a separately derived authentication hash, not the master password itself. The number of PBKDF2 iterations is a per-account setting (under Advanced Settings in your account settings), and older accounts may still be on a low value, so it is worth checking. Even with this design, the company has still been hacked.
In June 2015, LastPass disclosed that attackers had stolen account email addresses, password reminders, per-user server salts, and authentication hashes. The company found no evidence that encrypted vault data (including form-fill profiles, secure notes, site usernames, and passwords) was taken. What the stolen items do allow is offline guessing of master passwords against the leaked hashes, with no rate limiting to slow the attacker down, which is why a strong, unique master password matters. The company took immediate steps to improve its security.
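The following added example models the two-stage derivation described above and what the 2015 theft enabled: an attacker holding the stored authentication hash and its salt can test candidate master passwords offline, and the only thing that slows them down is the iteration count. This is a simplified model written for this review, not LastPass’s code; the use of the lower-cased email as the client-side salt, the single extra PBKDF2 round for the login hash, the server-side rehashing step and the 100,100-iteration default are assumptions about the scheme, and the candidate list is constructed.

```python
import hashlib
import hmac

# Assumed client-side default; the real value is a per-account setting.
DEFAULT_ITERATIONS = 100_100


def derive_vault_key(master_password, email, iterations=DEFAULT_ITERATIONS):
    """Client-side: the key that encrypts the vault. Salted with the
    lower-cased account email (assumed). This key never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def derive_auth_hash(vault_key, master_password):
    """Client-side: one further PBKDF2 round (assumed) turns the vault key into
    the value sent to the server for login. Knowing this value does not yield
    the vault key, because PBKDF2 is one-way."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"),
                               1, dklen=32)


def server_store(auth_hash, server_salt, server_rounds):
    """Server-side: the record an attacker obtains in a breach of the server,
    together with the per-user salt. The server never sees the master password."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, server_rounds, dklen=32)


def offline_guess(stored_hash, server_salt, server_rounds, email, candidates,
                  iterations=DEFAULT_ITERATIONS):
    """What the 2015 theft enables: with the stored hash and salt in hand, the
    attacker replays the whole derivation for each candidate master password,
    offline and without any account lockout. Cost per guess is dominated by
    `iterations`, which is why that setting matters."""
    for candidate in candidates:
        key = derive_vault_key(candidate, email, iterations)
        trial = server_store(derive_auth_hash(key, candidate), server_salt, server_rounds)
        if hmac.compare_digest(trial, stored_hash):
            return candidate  # recovered master password; it also unlocks the vault
    return None


if __name__ == "__main__":
    # Constructed demo values; a low iteration count keeps the demo quick.
    email, master = "alice@example.com", "correct horse battery"
    salt, rounds, iters = b"\x01" * 16, 10, 1000
    stored = server_store(derive_auth_hash(derive_vault_key(master, email, iters), master),
                          salt, rounds)
    wordlist = ["password", "letmein", "123456", "correct horse battery"]
    print("recovered:", offline_guess(stored, salt, rounds, email, wordlist, iters))
```

The model makes two points visible: the server only ever holds a hash of a hash, so a breach of the server does not give up vault keys directly; but a weak master password is still recoverable from the stolen material by brute force, and raising the client-side iteration count raises the attacker’s per-guess cost by the same factor.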
According to this HackRead story, LastPass was also hacked at least twice more in 2016. In both cases, the attackers were white hat hackers who reported the issues to LastPass.
In 2017, Darknet.org.uk reported that the LastPass Firefox and Chrome extensions could both be made to leak all your LastPass passwords simply by browsing a malicious website. Reportedly, the problem could also allow a malicious site to run commands on the user’s computer. Once again, the LastPass engineers went to work to fix the problems.
While seeing hacks and leaks isn’t pleasant, there are a few ways to look at this.
- The Critical Approach. Go after LastPass for the number of problems that have turned up and perhaps move to a different password manager.
- The Philosophical Approach. With so many users, and so much notoriety, it is likely that LastPass is attacked more than other password managers. At the same time, there are probably more white hat hackers and other “good guys” looking for problems with LastPass than there are for less popular products.
- The Optimistic Approach. You could also see this as a positive. Realistically, any moderately complex piece of software has bugs and vulnerabilities. People are finding and fixing the problems in LastPass. Over time, that makes the product safer and more secure (at least in theory).
I’ll leave it up to you to decide how you want to respond to the number of hacks and leaks that have been discovered in LastPass code.
This 2017 post on Hackernoon.com suggests that some of your private data may be exposed by LastPass. The author showed that the URLs of the sites you store in LastPass are not encrypted. If they were, LastPass would have no way to display the logos of the sites in your vault.
Instead of encrypting the URLs like the rest of the data, LastPass simply stores them as hexadecimal strings. Hex is an encoding, not encryption: anyone who holds the data can decode it. Even worse, URLs sometimes contain sensitive information.
For example, credentials can be embedded in a URL (the user:password@host form), and session tokens or API keys sometimes appear in query strings. In scenarios like this, you could be sending private information to LastPass in an unencrypted form – but most websites should NOT be doing this.
This is potentially a big privacy problem, but only under the right circumstances. It appears that the only way someone can exploit this problem is if they have access to your vault data. That would mean either hacking into your computer, or getting access to your data on the LogMeIn servers.
And as we saw earlier, the third-party auditor says that LogMeIn has systems in place to prevent unauthorized access to your data. So once again it comes down to whether you feel this situation is an unacceptable risk in your particular circumstances.
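To show why hex encoding offers no protection and how to check your own data for the problem described above, here is an added example (not from the Hackernoon post or from LastPass) that decodes hex-encoded URLs and flags ones carrying credentials or token-like parameters. The sample URLs are constructed for the example, and the list of parameter names treated as sensitive is an assumption you should extend for your own sites.

```python
import binascii
from urllib.parse import parse_qs, urlsplit

# Query/fragment parameter names that commonly carry secrets (assumed list).
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "token", "access_token", "id_token",
    "api_key", "apikey", "key", "secret", "session", "sessionid", "sid", "auth",
}


def decode_hex_url(hex_url):
    """Reverse the hex encoding. No key is needed: this is what 'not encrypted'
    means in practice."""
    return binascii.unhexlify(hex_url).decode("utf-8")


def url_secrets(url):
    """Return a list of findings for secrets the URL itself carries."""
    findings = []
    parts = urlsplit(url)
    # user:password@host form: credentials travel with the URL.
    if parts.username or parts.password:
        findings.append("userinfo: credentials embedded before the host")
    # Query string parameters, e.g. ?api_key=...
    for key in parse_qs(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"query parameter '{key}' looks like a secret")
    # Fragments also carry tokens (e.g. OAuth implicit-flow callbacks).
    for key in parse_qs(parts.fragment, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"fragment parameter '{key}' looks like a secret")
    return findings


def scan_hex_urls(hex_urls):
    """Decode each stored URL and report only the ones with findings."""
    report = {}
    for hex_url in hex_urls:
        url = decode_hex_url(hex_url)
        found = url_secrets(url)
        if found:
            report[url] = found
    return report


# Constructed sample of what hex-encoded vault URLs look like.
SAMPLE_HEX_URLS = [u.encode("utf-8").hex() for u in (
    "https://example.com/login",
    "https://admin:s3cret@intranet.example.com/panel",
    "https://api.example.com/v1/items?api_key=AKIA0000&page=2",
    "https://app.example.com/cb#access_token=eyJhbGci&token_type=bearer",
)]

if __name__ == "__main__":
    for url, findings in scan_hex_urls(SAMPLE_HEX_URLS).items():
        print(url)
        for f in findings:
            print("  -", f)
```

Run against a CSV export of your vault, the same scan tells you which entries would leak more than a hostname if the stored URL data were ever obtained. The remedy is to store the site’s plain login URL and keep the credential or token in the password or notes field, which is encrypted.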
LastPass prices and subscription plans
What LastPass will cost you depends on your needs. For most users, the Free plan should be all that you need. However, as you can see in the image below, the Premium and Families plans offer additional benefits for paid users.
While some password managers focus on individual users or small groups, LastPass has a comprehensive tier of Business plans, with the features to fit many types of organizations.
If you are a single user, or manage a small team, you should investigate Bitwarden. They offer a free plan, as well as organizational accounts that could meet your needs. Their code is open source and has been audited by a respected security firm. And I’ve not seen any reports of them being hacked or leaking data.
If you need a password manager for a corporate environment, you may want to check out 1Password or perhaps Dashlane. They both offer a full range of business features and strong security policies.
LastPass review conclusion
So is LastPass a good fit for you?
This depends on various factors and your own needs. The free plan makes a lot of sense if you just want help remembering your passwords. If you are looking to manage passwords for a family, a team, or an entire enterprise, LastPass has plans that can do the job for you.
However, if you are more focused on security and privacy, you may want to consider a different solution, such as Bitwarden. Depending on your threat model, the previous security issues and closed source code base may leave you considering other options.
See our main guide on password managers for additional alternatives.
Other password managers reviews you may want to check out: