LastPass has long been a popular password manager – but it has recently suffered (another) serious security breach that exposed user data. This LastPass review highlights the Pros and Cons, and also shows you some great alternatives.
LastPass is simple to use, stuffed with superb features, competitively priced, and certainly worth checking out. It’s also one of the most popular password managers out there, but does it still stand out among similarly-priced competitors? This is one of the questions we’ll be answering in this in-depth LastPass review.
With military-grade encryption, a “zero-knowledge” policy, two-factor authentication (2FA), mobile biometric login, and regular third-party audits, LastPass seems to stand strong on security. However, the infamous 2015 data breach and more recent security incidents are likely to raise a few red flags.
So, to help you stay on the safe side, we’re also going to dive deep into the history and security of LastPass while scrutinizing the previous data breaches that set alarm bells ringing among the users.
Note: In the wake of the latest LastPass data breach, with hackers gaining access to vault data, many people just want to find a good, secure alternative. We are no longer recommending LastPass and instead recommend checking out our list of the best password managers here.
| Platforms | Windows, macOS, Android, iOS |
| Browser extensions | Chrome, Firefox, Opera, Safari, and Edge |
To find out how LastPass stands on security, privacy, features, user-friendliness, quality-price-ratio, and much more – keep reading our LastPass review.
Let’s get started with the main pros and cons of making LastPass your password manager of choice.
Pros
- 1GB encrypted file storage (with paid plans only)
- 2FA support
- 14-day trial with business and 30-day trial with family packages
- Automatic sync across all your devices
- Built-in, step-by-step guide for new users
- Cross-platform support
- Data is encrypted in transit and at rest
- GDPR compliance
- Individual and multi-user accounts
- Stores and encrypts passwords locally
- There’s a free plan (with no cross-device capabilities, though)
- Third-party audits of internal processes conducted
Cons
- Contacting customer support could be easier
- Collects user data and can be compelled to share some of it
- Slow customer support
- Premium plans are pretty pricey
- The company is based and stores data in the USA
- The free plan is rather limited
LastPass features summary
Here’s a summary of LastPass features, some of which are limited to paid editions of the product:
- 1GB encrypted file storage
- 2FA and MFA support
- Data encrypted in transit and at rest
- Emergency Access
- Encryption with AES-256 and PBKDF2
- Form filling management
- LastPass Authenticator
- LastPass for Windows desktop apps
- Password import/export
- Reports and analysis
- Secure Password Generator
- Secure Password Sharing
- Synchronizes across all your devices and browsers
- Supported platforms include Windows, Linux, macOS, Android, iOS, and all major browsers
LastPass core features (available for free users)
If you’re planning to make use of LastPass’s free plan, you’ll have access to a somewhat limited set of features. Nevertheless, you’ll still have the ability to:
- Access your vault with LastPass Authenticator
- Automatically sync passwords across all your devices
- Store passwords, secure notes, addresses, credit card info, and bank accounts
- Save and fill passwords
- Run the Security Challenge tool
- Securely share your data with those you trust
- Secure your account with 2FA
- Seek customer support from self-service options
- Utilize a strong password generator
- Use a secure password vault
- Log in without a password
Note: We’ll cover the other versions of LastPass and their additional features a bit later in this review. But first, let’s go through some background information that will help you decide if you should read further.
Company information (about LastPass)
Launched in August 2008 in Boston (Massachusetts, USA), LastPass has been providing password and identity management solutions ever since.
In October 2015, the company was acquired by GoTo (formerly LogMeIn Inc.), one of the leading software as a service (SaaS) companies in the world.
Founded almost two decades ago in Budapest (Hungary), GoTo is now a private company with headquarters in the USA. It was previously listed on the NASDAQ stock exchange with annual revenue of over $1 billion.
So, if you are concerned about trusting your data to a small company with not much revenue and just a couple of employees, that shouldn’t be a concern with GoTo.
Then, in December 2019, the then-named LogMeIn officially announced that it was being acquired by US private equity firms. This is an excerpt from its press release:
“LogMeIn, Inc., a leading provider of cloud-based connectivity, today announced that it has entered into a definitive agreement (or the “Agreement”) to be acquired in a transaction led by affiliates of Francisco Partners, a leading technology-focused global private equity firm, and including Evergreen Coast Capital Corporation (“Evergreen”), the private equity affiliate of Elliott Management Corporation (“Elliott”), for $86.05 per share in cash. The all-cash transaction values LogMeIn at an aggregate equity valuation of approximately $4.3 billion.”
This deal closed in August 2020, and only time will tell whether it is good that LogMeIn has been acquired by US venture capital firms. Nevertheless, this matches the trend we’ve been seeing of privacy services selling out to various entities:
- Private Internet Access was acquired by Kape Technologies
- Startpage accepted a large investment from System1 (an ad-tech company)
- ExpressVPN was acquired by Kape
In a further development, on December 14, 2021, GoTo announced that LastPass would be spun off into a separate cloud security company that would invest even more in its flagship product – yes, the password manager we’ve been talking about.
None of this is surprising as concerns about data protection have been on the rise, as well as identity theft and fraud, and other alarming cybersecurity statistics. People are spending more money on these services, hence the growth.
However, let’s go back to the LastPass review.
LastPass Terms of Service
Since LastPass was purchased by GoTo, the applicable Terms of Service (TOS) is the GoTo document. It is general in that it covers all the many services they offer. It is also pretty dense legalese. Here’s what we got out of it (but we’re no lawyers).
The TOS seems pretty standard. There is one point that some people may be leery of. The company states that:
“If necessary and in accordance with applicable law, we will cooperate with local, state, federal and international government authorities with respect to the Services.”
Since the company is based in the USA, which is a Five Eyes surveillance country, this means that your data may be accessible to various US agencies, in accordance with US laws. Since your data is encrypted and LogMeIn doesn’t have the ability to decrypt it, there isn’t much they can hand over.
This isn’t anything out of the ordinary, however, as it also affects secure email services. For instance, in our ProtonMail review, we discussed how this company was forced to comply with lawful data requests from a Swiss court.
That said, LastPass is not open-source software, unlike Bitwarden, for example. Therefore, you need to take the company’s word for it that they can’t read your sensitive data and there’s nothing shady going on with backdoors or exploits.
Among other things, the accompanying privacy policy states that the company collects various types of personal information from its users, and it goes into detail about this data collection, usage, and sharing – if data privacy is one of your concerns, you should definitely read this section.
Some of the data collected by GoTo could include:
- The type of your device
- The operating system (OS) and its version
- A unique device identifier (UDID)
- The internet protocol (IP) address you connect from
- Your location information
- Your language settings
- Other diagnostic data collected by the software
They use this data to run their services and may share it with third parties or as required by law. If this data gathering is of concern, we suggest you visit our Privacy Tools page to learn how to better secure your data. Additionally, our guides on secure browsers and the best VPN services are also useful in this case.
It’s no secret that LastPass and other GoTo products and services have been subjected to several types of third-party audits – on the contrary, the company prominently lists them among its top features.
The series of LastPass audits were conducted between September 2020 and August 2021 by Tevora Business Solutions.
This audit, titled “SOC 3® – Reporting on System and Organization Controls”, was designed to determine whether the company’s internal controls meet the specified Trust Service Principles (TSP) as defined by the American Institute of Certified Public Accountants (AICPA).
The report is meant to show that the security, availability, processing integrity, confidentiality, and privacy controls at LogMeIn meet those principles. The auditors concluded that the controls within LogMeIn’s Identity and Access Management System:
“…were effective throughout the period September 1, 2020, to August 31, 2021, to provide reasonable assurance that LogMeIn’s service commitments and system requirements were achieved based on the trust services criteria relevant to security, availability, and confidentiality…”
This is important information, as it tells us that a third-party auditor feels that LogMeIn (now GoTo) has good internal procedures. However, it is important to realize that this is a very different type of audit than the type conducted for products like Bitwarden.
The Bitwarden audit, conducted by security firm Cure53, involved white box penetration testing, source code auditing, and a cryptographic analysis of Bitwarden’s code and security against attacks. This type of security audit is the gold standard, as Cure53 has also audited VPN services, such as ExpressVPN.
Ideally, a company should conduct regular audits against both internal and external threats. Realistically, however, any audit is better than nothing, although it would be good to see the bar raised in this area.
LastPass offers a wide variety of apps (clients) and browser extensions for you to use. These include:
- Desktop apps for Windows, Mac OS, and Linux
- Mobile apps for Android and iOS (iPhones and iPads)
- Browser extensions for Chrome, Firefox, Safari, Internet Explorer, Opera, Microsoft Edge, and Chromium browsers (including Brave)
To see all of the different apps and extensions for LastPass, click right here.
Putting LastPass free plan to the test
As the subheading suggests, we’ll try out LastPass’s free plan for the purpose of this review – it should meet most people’s needs. So, let’s start by looking at the installation process and utilizing the LastPass extension on the Brave browser.
Installing the LastPass extension and setting up an account
You can install LastPass like any other browser extension, through the web store. Once you have the LastPass extension installed, clicking it opens a window like the one below, where you can start creating your account.
Click the “Create an account” link at the bottom of the window and LastPass will guide you through the signup process. To complete the account creation process, you’ll be asked to enter a valid email address.
LastPass will send a confirmation message to that address, and as soon as you verify it, you’re ready to go.
Adding login credentials to LastPass
One of the finest features of LastPass is the step-by-step walkthrough aimed at new users.
You’ll encounter it right after you get LastPass set up. It’ll offer to help you store your first set of login credentials, and also allows you to log in through a third-party account.
It takes just a moment, and by the time you are done, you’ll be ready to enter passwords yourself.
With the LastPass extension installed and active, you can log into sites normally. If the site credentials are not already stored in LastPass, a box similar to the one below will pop up and allow you to add the site’s credentials to the vault with just one click.
And what if you are switching from a different password manager, and aren’t excited about the idea of manually reentering all the passwords you have stored in another product?
Fortunately, LastPass can import data from many other password managers. However, the process can be a bit complicated. So, if you are considering switching to LastPass from another password manager, you can visit this page and see what’s involved in your particular case.
Working with your passwords
Once you add some login credentials, your LastPass vault should look something like this:
When you hover the mouse over one of these items, LastPass will display your options for that item. This makes for a clean and simple-to-understand view of your vault’s contents.
While LastPass is primarily used for passwords, it can handle far more than just login credentials. It also supports these types of data:
- Personal notes
- Payment cards
- Bank accounts
- Wi-Fi passwords
The entry into the vault for each type is structured to have fields for all the relevant data. For instance, here is what the “Add bank account” form looks like.
Now, let’s see how to modify the data you’ve stored in the vault.
Editing personal data
LastPass stores an encrypted copy of the vault on each of your devices, in addition to the copy that is stored on their servers. This allows you to view your vault whether you’re online or not. However, when you’re offline, you can only view the local copy of the vault – you can’t edit it.
If you want to edit the data in your vault (and are online), you can simply click “Open My Vault” in the LastPass extension. This will open your vault in a new tab of your browser.
LastPass password manager in action
LastPass tries to make using your stored passwords as simple as it gets. Once you get to the login page of a site that LastPass knows, it will insert itself into the relevant fields, just like this:
Clicking the (awkwardly) circled icon in the image above makes LastPass display a box with the credentials it has for the page. Tap the icon to have LastPass enter that data into the fields it recognizes.
Can you see the tiny number in the bottom-right corner of the LastPass icon? It indicates the number of entries LastPass has for this page. If a number greater than one appears here, LastPass will display a list of all the relevant logins so you can choose from them.
Generate strong passwords with LastPass
With a secure password manager to remember things for you, you can start creating those long, complex, impossible-to-remember passwords everyone’s been talking about.
LastPass comes with a superb password generator that can come up with those hard-to-crack passwords for everything you want. To utilize it, click on the extension and select the “Generate Secure Password” option.
The password generator should look like this:
While it will create strong passwords by default, we suggest you change the password length to 16 characters at least – for more security of course.
Strengthening LastPass security
Speaking about strengthening the security of your sensitive data, there are two other options available in the free edition of LastPass.
The first is multi-factor authentication (MFA for short). LastPass supports a wide range of hardware- and software-based authenticators, and you can find all the options on this page.
The other tool LastPass offers is called Security Challenge and it’s an automatic analysis of the data in your vault. It does things like check to see if any of the email addresses in the vault are associated with a website that may have been hacked. It also detects and helps you update:
- Weak passwords
- Reused passwords
- Old passwords
All in all, it’s a useful tool and you can reach it through the “Account Options” submenu in the browser extension.
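To make the three Security Challenge checks concrete, here is an added Python example (not LastPass’s own code) that runs the same weak/reused/old analysis over a small vault. The vault entries, the common-password list, the 16-character minimum and the one-year age threshold are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import date
import string

# Constructed sample vault (not real credentials): one dict per vault entry.
VAULT = [
    {"name": "mail.example.com", "username": "alice", "password": "Tr0ub4dor&3", "changed": date(2021, 3, 2)},
    {"name": "shop.example.net", "username": "alice", "password": "Tr0ub4dor&3", "changed": date(2022, 11, 1)},
    {"name": "bank.example.org", "username": "alice", "password": "password123", "changed": date(2022, 12, 15)},
    {"name": "wifi-home", "username": "", "password": "kX9#vL2qP!mR7sWe4Zt", "changed": date(2022, 6, 30)},
]

# Tiny stand-in for a breached-password list; a real check would use a large
# list or a k-anonymity lookup so the password itself never leaves the device.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}
MIN_LENGTH = 16       # the review suggests generating passwords of at least 16 characters
MIN_CLASSES = 3       # of: lowercase, uppercase, digit, symbol
MAX_AGE_DAYS = 365    # assumed rotation threshold for the "old passwords" check
REVIEW_DATE = date(2023, 1, 4)  # "today" for the age check (the review's update date)


def char_classes(password):
    """Count how many character classes (lower/upper/digit/symbol) appear."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(1 for check in checks if any(check(c) for c in password))


def is_weak(password):
    """Weak = known-common, shorter than MIN_LENGTH, or too few character classes."""
    return (password.lower() in COMMON_PASSWORDS
            or len(password) < MIN_LENGTH
            or char_classes(password) < MIN_CLASSES)


def find_weak(vault):
    return [e["name"] for e in vault if is_weak(e["password"])]


def find_reused(vault):
    """Group entries by password; any group with more than one entry is reuse."""
    by_password = defaultdict(list)
    for e in vault:
        by_password[e["password"]].append(e["name"])
    return [names for names in by_password.values() if len(names) > 1]


def find_old(vault, today):
    return [e["name"] for e in vault if (today - e["changed"]).days > MAX_AGE_DAYS]


def security_challenge(vault, today):
    """Run all three checks and return one report dict."""
    return {"weak": find_weak(vault), "reused": find_reused(vault), "old": find_old(vault, today)}


if __name__ == "__main__":
    for category, hits in security_challenge(VAULT, REVIEW_DATE).items():
        print(f"{category}: {hits}")
```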
Sharing passwords with others (and other data)
LastPass allows you to securely share data with the people you trust. However, the free edition supports sharing with one other person only. The LastPass “Sharing Center” is the place where you can manage all your shared items and here you can find out how it works.
Additional LastPass features
We’ve been fixated on the core features (the ones included in the free version) of LastPass so far. But depending on your circumstances, you may find that you need one or more of the features that are available in paid versions only.
So, to help you decide whether you need more than the basics, we’ve come up with a summary of the most interesting additional features below.
Emergency access exists to give another user complete access to your LastPass data if something should happen to you.
LastPass for applications
LastPass for Applications (LastApp) is a Windows desktop app that has access to your LastPass Vault. It can enter your passwords into desktop apps for you.
1 GB of encrypted file storage
This increases the available vault space for secure notes from 50 MB to 1 GB.
Family manager dashboard
The LastPass Families plan allows you to have up to six users for one account. The Family Manager Dashboard is the control center for this.
LastPass Teams allows you to manage up to 50 users with one account. This includes team policies and simple reporting.
Password management for the entire enterprise, from onboarding to automated reporting, administrative controls, and more. You can check the complete breakdown here.
The LastPass Customer Support pages offer plenty of information that lets you resolve most problems without contacting the Support team. This is good news since it is relatively hard to contact anyone on the live support team anyway.
The chat system is a bot that isn’t great at answering questions, and unless you have a plan with Priority Support, you will need to wade your way through some possible solutions before the site will offer you the chance to email a technician.
While we haven’t had any issues with the support team, the majority of comments about the company on sites like ConsumerAffairs.com complain about the difficulty of finding a way to contact customer support, along with slow and/or not-very-useful responses – even users with the premium support have lodged complaints.
LastPass security (Still trustworthy after several hacks?)
Although LastPass encrypts your data on your device using 256-bit AES encryption with PBKDF2 SHA-256 and salted hashes, it still managed to get hacked.
In June 2015, LastPass admitted that hackers were able to steal account email addresses, password reminders, server per-user salts, and authentication hashes. The company found no evidence that vault data (including form-fill profiles, secure notes, site usernames, and passwords) was taken. The company took immediate steps to improve its security after this.
According to this HackRead story, LastPass was also hacked at least twice in 2016. In both cases, the attackers were white hat hackers who reported the issues to LastPass.
In 2017, Darknet.org.uk reported that the LastPass Firefox and Chrome extensions could both be made to leak all your LastPass passphrases simply by visiting a malicious website. Reportedly, the problem could also allow a malicious site to run commands on the user’s computer. Once again, the LastPass engineers took action to solve this problem.
In August 2022, cybercriminals managed to hack their way into the company’s systems for four days before they were found and removed. According to LastPass’s most recent security notice (which was delayed for two weeks), some of its source code and technical information were taken, but the culprit couldn’t access customer data or encrypted password vaults, which is of some comfort.
As on previous occasions, LastPass’s security team took steps to harden its source code and deploy enhanced security controls, including extra endpoint security.
While seeing hacks and leaks is never pleasant, there are a few ways to look at this.
- The Critical Approach. Go after LastPass for the number of problems that have turned up and perhaps move to a different password manager.
- The Philosophical Approach. With so many users and so much notoriety, LastPass is likely attacked more than other password managers. At the same time, there are probably more white hat hackers and other “good guys” looking for problems with LastPass than there are for less popular products.
- The Optimistic Approach. You could also see this as a positive. Realistically, any moderately complex piece of software has bugs and vulnerabilities. People are finding and fixing the problems in LastPass. Over time, that makes the product safer and more secure (at least in theory).
Now, we’ll leave it up to you to decide how you want to respond to the number of hacks and leaks that have been discovered in the LastPass code.
This 2017 post on Hackernoon.com suggests that some of your private data may be exposed by LastPass. The author showed that the URLs of the sites you store in LastPass are not encrypted. If they were, there would be no way for LastPass to be able to display the logos of the sites in the LastPass Vault.
Instead of encrypting the URLs like the rest of the data, LastPass simply stores them as hexadecimal strings that can easily be decoded. Even worse, sometimes URLs contain sensitive information.
For example, there are ways to embed login credentials in a URL. In scenarios like this, you could be sending private information to LastPass in an unencrypted form – but most websites should NOT be doing this.
This is potentially a big privacy problem, but only under the right circumstances. It appears that the only way someone can exploit this problem is if they have access to your vault data. That would mean either hacking into your computer or getting access to your data on the LogMeIn servers.
And as we saw earlier, the third-party auditor says that LogMeIn has systems in place to prevent unauthorized access to your data. So once again it comes down to whether you feel this situation is an unacceptable risk in your particular circumstances.
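To show how little protection the hex encoding gives, and how you can check your own vault export for URLs that should never be stored in the clear, here is an added Python example (not LastPass’s code). The hex rows, the example host names, the list of sensitive query keys and the redact() helper are constructed assumptions for this example; it goes slightly beyond the post by also flagging secrets in query strings.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameter names that commonly carry secrets (assumed heuristic list).
SENSITIVE_QUERY_KEYS = {"password", "passwd", "pwd", "token", "apikey", "api_key", "session"}


def url_to_hex(url):
    """Encode a URL the way the post describes: plain bytes as a hex string."""
    return url.encode("utf-8").hex()


def hex_to_url(hex_url):
    """Reverse the hex encoding; this is all it takes to read a stored URL."""
    return bytes.fromhex(hex_url).decode("utf-8")


# Constructed sample vault rows: (entry name, hex-encoded URL), not real data.
# The "ftp" row is the literal hex of "https://alice:s3cret@ftp.example.net/";
# the other rows are built with url_to_hex() so the sample is easy to extend.
SAMPLE_ROWS = [
    ("mail", url_to_hex("https://mail.example.com/login")),
    ("ftp", "68747470733a2f2f616c6963653a73336372657440667470"
            "2e6578616d706c652e6e65742f"),
    ("intranet", url_to_hex("https://intranet.example.org/sso?token=abc123&next=/home")),
]


def url_findings(url):
    """Return the reasons this URL is sensitive to keep unencrypted (empty if none)."""
    parts = urlsplit(url)
    findings = []
    if parts.username or parts.password:
        findings.append("embedded credentials in userinfo")
    for key in parse_qs(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_QUERY_KEYS:
            findings.append(f"sensitive query parameter '{key}'")
    return findings


def redact(url):
    """Strip userinfo and the query string so the entry can be re-saved safely."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return parts._replace(netloc=host, query="").geturl()


def scan_vault(rows):
    """Decode every hex URL and report the entries that expose sensitive data."""
    report = {}
    for name, hex_url in rows:
        findings = url_findings(hex_to_url(hex_url))
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, problems in scan_vault(SAMPLE_ROWS).items():
        print(name, "->", "; ".join(problems))
```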
LastPass prices and subscription plans
What LastPass will cost you depends on your needs. For most users, the Free plan should suffice. However, as you can see in the image below, the Premium and Families plans offer some sweet additional benefits for paid users.
While some password managers focus on individual users and small groups, LastPass also has a comprehensive tier of business-focused plans, with features to fit many types of organizations.
If you are a single user or manage a small team, you should investigate Bitwarden. They offer a free plan, as well as organizational accounts that could meet your needs. Their code is open source and has been audited by a respected security firm. And I’ve not seen any reports of them being hacked or leaking data.
If you need a password manager for a corporate environment, you may want to check out 1Password or perhaps Dashlane. They both offer a full range of business features and strong security policies.
LastPass review conclusion
So, is LastPass worth checking out?
If you’re searching for a simple, beginner-friendly solution that will keep you from forgetting your passwords then the answer is “yes”. If you need a family-friendly password manager or something that will fit your business team or even an entire enterprise – it’s still a strong “yes”.
On the other hand, if you feel strongly about security and privacy, you might want to consider some other solutions (such as Bitwarden) first. While LastPass is still one of the most user-friendly and feature-rich password managers around, any breaking news about data breaches might make you lose sleep – although your sensitive data is probably safe and sound.
To find additional alternatives to LastPass and learn a bit about password managers in general, check out our main guide.
Yes, it was hacked multiple times before with the latest cyber attack striking LastPass a couple of days ago. Fortunately, no user data was compromised due to the attack. However, back in 2015, LastPass suffered its most severe security breach which compromised users’ email addresses, authentication hashes, password reminders, and other personal information.
Despite the infamous 2015 data breach, LastPass is still considered one of the most secure password managers around – plus, it’s simple to use. It utilizes military-grade 256-bit AES encryption with PBKDF2 SHA-256 and salted hashes to make sure all passwords are stored safely.
Whether you’re making use of a 14-day or a 30-day free trial of LastPass plans, after it comes to an end your account will simply be converted to its standard free version. This means you won’t be able to use any premium features anymore. Nevertheless, you won’t lose any of your data.
This LastPass review was last updated on January 4, 2023.
Does having LastPass 2FA enabled make me secure enough today to continue using them? Or should I ditch it?
This article needs to be updated. LastPass has reported that data vaults have been downloaded, and that admission took months… There is no way a company with appropriate safeguards in place for monitoring and auditing should have taken that long. So either they didn’t know for months, or they sat on it because of the PR fallout that would have happened.
In addition, they have acknowledged that several fields in an entry are NOT encrypted, including URLs and notes (not secure notes). This leaves users in a very vulnerable situation where they may store password reset questions and backup codes in the notes, assuming that those fields are secure. In addition, this claim that it will take hundreds of thousands of years to crack is misleading and outright wrong.
No one should be using this company at this point. Yes, security breaches will happen. It’s inevitable. But companies that don’t plan for that to begin with are the ones you should be staying away from.
Humble Mountain 🗻
LastPass was the first password manager I used. It was good but did not work well with Firefox. That is to say, its Firefox add-on was problematic. Then I moved to Bitwarden. Further, I moved to the paid password manager Sticky Password. Both Bitwarden and Sticky Password were good. I use Android and a Windows PC and the Firefox browser. Finally, I moved to Dashlane Premium as I liked its great UI and UX and features. I am still a Dashlane user and don’t see any reason to move to anything else. Dashlane has robust security, great usability, a number of useful features, and good support.
A password manager is extremely important to me. I also use ESET as antivirus on Windows and Avast on Android, Adguard and NextDNS as ad blockers, where Adguard does cosmetic filtering and NextDNS blocks domains including malicious and fraudulent ones. I use Nord, Surfshark and Atlas VPNs as my main VPNs, Firefox as my browser, Windows and Android as OS (HP and Samsung), and GlassWire Network Monitor on both platforms.
Hi J.M. I think I have seen you posting more recently and note your privacy competency. This is just for other, newer readers… The obvious flaw here is that this method means the passwords are not encrypted and would be potentially vulnerable. The other problem is that this setup usually means that a user is probably copying and pasting their passwords. In some cases the clipboard (holding the password in plain text) is available for websites to view (though I believe this is less of a problem now than it used to be). And I agree, password managers are potentially intrusive, hence the recommendation above to consider open source / audited options.