Pros
- Easy-to-use apps and browser extensions
- Thorough tutorial for new users
- Free dark web monitoring
Cons
- Stores unencrypted data in vaults
- Limited free tier
- Inconsistent password generation rules
LastPass Specs
| Actionable Password Strength Report | |
| Digital Legacy | |
| Fill Web Forms | |
| Import From Browsers | |
| Multiple Form-Filling Identities | |
| Product Category | Password Managers |
| Product Price Type | Direct |
| Secure Password Sharing | |
| Two-Factor Authentication | |
LastPass, a well-known name in password management, spent the last couple of years dealing with reputational fallout after someone swiped its customers' information. Since that time, LastPass has separated from its parent company GoTo, going fully independent with a new management team. After testing the apps, we're happy with some new additions, such as free dark web monitoring and a helpful tutorial system. That said, a significant problem persists two years after the initial incident: LastPass still stores unencrypted data in customer vaults, which is a security concern that negatively affects our rating. Editors' Choice winner Bitwarden remains our recommendation for free, open-source password management. NordPass is also an Editors' Choice winner thanks to its affordable yet full-featured premium personal and business plans.
How Much Does LastPass Cost?
LastPass offers three different plans for consumers: Free, Premium, and Family. The Free edition is limited to one account on a single device and includes standard password manager capabilities such as a password strength report, limited support for multi-factor authentication, and dark web monitoring for up to ten email addresses. LastPass' free tier limits credential sharing to one-on-one, caps storage at 50MB, and doesn't include emergency access features. Password managers such as Bitwarden and Proton Pass offer free apps that sync passwords between multiple devices and don't limit the number of passwords you can save.
LastPass Premium costs $36 per year. In addition to all the free version’s features, you gain password sharing, advanced multi-factor options (such as YubiKey support), password inheritance features, priority tech support, and 1GB of encrypted file storage.
The top tier for non-corporate accounts is LastPass Family, which costs $48 per year. LastPass Family subscribers get six LastPass Premium licenses, unlimited shared folders, and access to the LastPass family dashboard.
Getting Started With LastPass
LastPass is available as Android and iOS apps, plus extensions for Chrome, Edge, Firefox, Opera, and Safari. It also offers universal installer apps for Linux, macOS, and Windows, which automatically install extensions for all of your device's browsers.
To sign up for LastPass, visit the website, enter an email address, and create a strong master password. Only you know your master password, so if you forget it, LastPass cannot help you access your vault. Passwordless logins are available too, and we'll tell you how to set up that feature later.
Once you've set up your vault, it's time to tick off a list of achievements, which is LastPass' version of a tutorial for new users. If you finish all of the achievements during your free trial period, you can get a discount on your yearly subscription. It's a clever way to get users to engage with the app right away.
While working through the achievements, you'll need to import the passwords stored in your browser or another password manager. LastPass does a fine job of walking you through that process. LastPass can import from several competing products, including 1Password, Bitwarden, Dashlane, KeePass, Keeper, and RoboForm. If your old password manager is missing from the list, you can upload your credentials as a CSV. LastPass can also import passwords stored in Chrome, Edge, Firefox, Internet Explorer, Opera, and Safari browsers.
Data Privacy With LastPass
Before we review and test a password manager, we send a list of questions to the password management company inquiring about its privacy and security practices. We want consumers to have plenty of information about the companies handling their data. We've included LastPass' responses to our questions below.
Has your company ever had a security breach?
Yes.
If so, when? Please provide dates.
2015, 2022
What was exposed in the breach?
Before being acquired by LogMeIn, Inc. (now known as GoTo), LastPass experienced an incident in 2015 where a hard drive was stolen from one of their data centers. This drive did not include users’ vaults, but did include unencrypted data/metadata related to their accounts.
In 2022, LastPass disclosed that a threat actor had gained access to a cloud storage environment used for backups and exfiltrated both encrypted and unencrypted customer data/metadata. Since then, LastPass has completed its separation from GoTo and is now operating as an independent company with a new management team, entirely new modernized cloud-based infrastructure, systems and tools as well as a fully dedicated Trust and Security team. In connection with this separation, LastPass has completed a number of steps to further modernize and harden our infrastructure.
What unencrypted information does the password manager store in user vaults?
Encryption and decryption are ONLY performed on the end-user’s device. LastPass does not have access to or store the master password which derives the encryption key used to encrypt/decrypt customer data. This is aligned to our Zero Knowledge principles.
LastPass customer vault data is encrypted using AES-256 on a per-user basis (meaning every user’s encryption keys are unique.) Encrypted fields within the vault include usernames, passwords, website names, notes, payment cards, addresses, bank accounts, item and folder names, secure notes, etc.
Up until June 2024, URL-related fields within the vault were not encrypted. As of June 2024, all newly created and any customer modified URLs stored within the primary URL field have been encrypted in all customer vaults, and beginning in August 2024, LastPass initiated the process to encrypt the remainder of the existing primary URL fields within existing customer vaults.
There are 6 other remaining URL-related fields which are either pre-populated by LastPass or empty upon initial use and potentially added by customers. These remaining 6 fields have architectural dependencies that will take longer to remediate, and encrypting these fields will require additional product refactoring and/or sunsetting of certain older features/functionality and will continue into 2025 given required end of life (EoL) notification practices.
What is the company's policy regarding master passwords?
A master password must:
- Be a minimum of 12 characters long (ideally longer).
- Include a complex mix of letters (upper and lower case), special characters, and numbers.
- Meet the strength requirement indicated by a ‘full/green’ status of the ‘strength meter at maximum’ requirement (provided by LastPass and based on the zxcvbn library).
What is the company's policy regarding user data collection and data sales?
At LastPass, we always strive to limit the types and categories of data that is collected from, and processed on behalf of, our users to include only data which is necessary to achieve the purpose(s) for which it was collected - in other words, we have measures and policies in place designed to ensure that we only collect and process data that we believe is necessary to provide our users with a world-class service. LastPass does not “sell” end user data to third parties as that term is traditionally understood.
How does your company protect user data?
The LastPass security and privacy-focused culture is built into every aspect of our teams, processes, strategy, and product. It's an element of our culture we take seriously, conducting annual employee training, regular third-party security audits, ongoing compliance tests, and offering a bug bounty program, all with our experienced security team at the helm.
LastPass holds third-party security and privacy certifications including ISO 27001, ISO 27701, SOC2 Type II, SOC3, BSI C5, and TRUSTe. Completing and maintaining these standards is just one way we demonstrate our commitment to data security, safeguarding of information, and service availability.
LastPass does not have access to any customer’s unencrypted master password or vault data; nor does LastPass ever sell or share customer data. Our product offers features, settings, and options that allow users and account administrators to configure LastPass to meet their specific security needs and practices.
We regularly communicate with customers regarding key product updates, new best practices to implement, and any security-related incidents. Additionally, LastPass actively seeks community participation in assessing and improving the product through our responsible disclosure and bug bounty programs, alerting us to potential issues and allowing us to proactively address them. We also provide on-demand monitoring and compliance reporting through the LastPass Compliance Center powered by Drata.
How does your company respond to requests for user information from governments and law enforcement?
LastPass will not disclose customer information to governments and/or law enforcement unless presented with a valid warrant, subpoena, court order, or equivalent legal process. Additionally, LastPass reserves the right to attempt to narrow requests that it deems excessively broad, request further clarification if the nature of the investigation is ambiguous, or contest the request for other reasons.
Further, due to our zero-knowledge security principles, we do not possess the master password needed to be able to decrypt any encrypted customer vault data, so any requests for such are not possible.
You can read about LastPass' plan to encrypt all user vault data. Storing unencrypted user vault data on a server in the cloud is a concerning security flaw, and it negatively affects our review score, but we are encouraged by the company's commitment to addressing the problem.
LastPass’ other answers are in line with the company's privacy policy. Browse the privacy policies for all apps to learn more about how companies collect, sell, or store your data. Decide how comfortable you are with data collection and act accordingly.
Authentication Options and Security Features
To set up multi-factor authentication for your LastPass account, head to Account Settings > Multi-factor Options tab in the Web Vault. The available ways to authenticate depend on your subscription tier. Premium members can use hardware keys (such as a YubiKey) or biometric options as a second authentication option. Free subscribers can only use an authenticator app such as Google Authenticator or the LastPass Authenticator app.
Setting up an authenticator app requires snapping a QR code using the app of your choice. Each time you log in, you'll need to supply a time-based one-time password (TOTP) generated by the app (essentially a six-digit code that typically changes every 30 seconds) in addition to your master password. LastPass also includes an OTP generator in the mobile and web vaults.
Enabling multi-factor authentication with LastPass isn't quite as smooth as it could be. First, you'll need to choose your authentication method, then you have to tap the Edit button, then choose "YES" to enable the authentication method. Other password managers, such as 1Password, offer streamlined, one-step MFA enrollment.
Going Passwordless With LastPass
From the Account Settings menu, you can enable passwordless logins for your LastPass account. First, LastPass asks for your phone number to verify your logins via SMS. We chose not to hand over a phone number for this product test, and instead, we used a YubiKey 5C NFC to save our login token. Signing up this device with LastPass involved another multi-step process, as shown in the image above. In the end, we were able to log in by tapping the hardware security key instead of entering the account's master password.
Security Dashboard
LastPass' Security Dashboard helps you change reused or weak passwords stored in your vault. Click the Security Dashboard menu item to get started. On the main screen, you see a security score LastPass calculates based on the strength of your passwords and whether you have multi-factor authentication enabled. Click on the View button to see a list of all the passwords in your vault. LastPass rates the strength of each password then identifies any potential risks (old, reused, or weak) and adds a Change Password button for any offending items.
After generating a new password and saving it in your vault, click Continue to Site to enter the new credential on the related website. We like that a warning appears on the dashboard to explain how to change the password on the associated login's website, and reminds you to change the password in two places.
Data Breach Monitoring
While LogMeOnce offers data breach monitoring as a paid add-on, and NordPass limits data breach monitoring to paid subscribers, LastPass offers data breach monitoring at all levels of service. Free users can monitor up to 10 email addresses, while paid subscribers can monitor 200 email addresses.
Hands On With LastPass
We tested LastPass' functionality using the iOS app and the LastPass browser extension for Google Chrome.
Credential Capture and Replay
Replaying passwords stored in the LastPass vault worked as expected. We ran into a snag when capturing new passwords using LastPass' Chrome browser extension. When creating a new account, a pop-up window should offer to save your credentials before logging you in. In our Google Chrome testing, the pop-up was sometimes late, or when it appeared, it saved an incorrect username or password. We ended up manually saving generated passwords as entries in the vault. If the above scenario happens to you, find the generated password by opening the browser extension's password history and pasting the password into your vault entry.
Password Generator
Speaking of password generation, we found that the password generator's rules for the web vault differ from the browser extension and iOS app. All of the generators create 16-character long credentials by default, but the browser extension and iOS app include random characters, which the web app does not. We recommend that password manager users create long and strong passwords that consist of at least 20 characters. The password history also differs between the browser extension and the web vault, so if you're looking for an old password, you need to check two places, which is not ideal.
Password Sharing
Free LastPass users can only set up one-to-one sharing, but Premium and Family subscribers can share one item with several other users. Those who pay for a Family account can share an unlimited number of folders. To share a password, click the sharing icon, and enter the recipient's email address. Recipients who already use LastPass will receive a notification that a new share has arrived; others will get an email explaining how to create an account and accept the share. The recipient can use the shared item to log in. The person sharing the password can manage the recipient's access to the credential via the Sharing Center in the web vault. You can manage whether the recipient can view the password while they have access to it and also relinquish access to credentials others have shared with you or cut off others with whom you've shared passwords.
Form Filling and Storage Options
You can store multiple Addresses, Payment Cards, and Bank Accounts in LastPass, each with various personal and contact information. RoboForm lets you create multiple instances of any form-fill field, while Dashlane stores the various components of personal data (phone numbers, emails, and so on) separately.
We were able to use LastPass to fill in web form data on a few websites, and we were impressed by the warning that appears when you opt to fill in forms using data from your LastPass vault. LastPass reminds you that you are sharing sensitive data with a third party, which may be enough to make you stop, reflect, and consider whether you are being phished or otherwise scammed.
Secure notes are a way to store data in your LastPass account that doesn’t fit into any other categories, such as text notes and file attachments. Premium LastPass subscribers get 1GB of online storage, while free users are limited to just 50MB.
Emergency Access Options
The Emergency Access feature lets you define one or more contacts who can access your passwords in the event of your untimely demise. This feature is not available to free users.
Emergency Access in LastPass works similarly to Dashlane’s and Keeper’s equivalent features. You enter your recipient's email address and define a waiting period. Recipients must install LastPass and accept your connection request. Now, if something happens to you, the recipient simply requests access to your account.
Here's where the waiting period comes in. Suppose your trusted recipient decides to jump the gun and get your passwords before you've kicked the bucket. The initial request for access triggers a notification, and you can deny the access request at any time during the waiting period. In a real emergency, your recipient automatically gets access after that time elapses.
Clicking Emergency Access lets you view two pages, People I Trust (your password heirs) and People Who Trust Me (those who've made you their emergency access contact). You can delete anyone from the list or change the waiting period on the People I Trust page. You can bow out of the emergency access role on the People Who Trust Me page.
LastPass Mobile App Experience
Android and iOS editions have all of LastPass’ features, including a password generator, emergency access, security dashboard, and sharing center sections. On iOS devices, you'll need to follow LastPass' directions within the app to replace Apple's Passwords app and the devices' keychain capabilities. The setup was easy in testing. There's another "achievements" tutorial included with the mobile app, but you can dismiss it or silence it with one tap. Overall, we didn't have any problems capturing new passwords or replaying old ones using the LastPass app for iOS.
Business Options
LastPass makes it easy for administrators to see who is following password policies on the job and who is not. For example, the administrative dashboard shows the company’s enrollment rate with the password manager, user activity, and average password security score.
LastPass for Business has two service tiers. Teams is $48 annually, per user, and Business costs $84 each year, per user.
Each employee has access to a vault where they keep their work-related credentials. From the Users page, the administrator can see all the employees invited to use the password manager, when employees last used the software, whether employees enabled multi-factor authentication (MFA) for their account, password security scores, and other options.
Admins can add applications such as SSO, MFA, and passwordless apps from the Applications section of the Admin console. The app also has federation integrations with ADFS, Azure AD, Google Workspace, and Okta, meaning employees access LastPass using their existing corporate credentials in their current workspaces. Eliminating the need to remember another password could make a password manager more attractive to employees.
LastPass Business also includes a free Families account for every employee to encourage vigilant password practices at home. The LastPass Families data is separate from the Business data. LastPass has a zero-knowledge security model, so only the users know their passwords. If an employee leaves the company, their Families account unlinks from the Business account. The former employee can buy a Families plan or let the account become a Free account.
Customer Support Options
Free account holders can troubleshoot their tech issues via the LastPass self-service website. From there, you can fill out a form to be contacted by a support agent. LastPass recently added a chatbot to the support website, too. Business, Family and Premium personal account customers can request phone support from a LastPass support agent.
Is Deleting Your LastPass Account Easy?
Deleting the account we created to test LastPass apps was uncomplicated. In a web browser, we navigated to the Account page and opted to delete the account. After clicking through a few popups asking if we really wanted to delete the account and associated vaults, we were able to delete the account.
Verdict: LastPass Is a Work in Progress
LastPass is incredibly easy to use, offers dark web monitoring for all customers, and there's a free version so you can evaluate the apps before paying the (pretty affordable) subscription fee. That said, some of the specters of the security concerns revealed in 2022 still linger as LastPass continues to store unencrypted user data in vaults. We appreciate that the company is working on solving that issue, but we also think that security is a big selling point for password managers, and we must take that into account when making recommendations. As such, Bitwarden is our Editors' Choice winner for easy-to-adopt, free, and open-source password management. NordPass is another Editors' Choice for its intuitive apps and reasonable pricing.