LastPass Review 2023: Is It Truly Safe?
LastPass Overview 2023
LastPass claims to be the best way to manage passwords. Even though it has garnered much popularity over the years, I was more concerned about how safe it is. I wanted to find out how secure my passwords are, especially in the face of a potential security breach. To my surprise, LastPass lived up to expectations.
LastPass allowed me to create, use, and share passwords securely across different devices. LastPass has had security incidents, including the December 2022 breach covered in the update below, but vault contents are encrypted on the user's device with a key derived from the master password, which LastPass never receives, so stored passwords were not exposed in plaintext. That protection only holds as long as the master password is strong, which is why the guidance below matters. LastPass continues to be used by millions of people worldwide.
You can try LastPass for yourself risk-free with its 30-day free trial. This grants you full access to the feature-rich apps on mobile and desktop.
UPDATE — LastPass Data Breach December 2022
In the December 2022 breach, an attacker copied backups of LastPass customers' password vaults. Account data such as names, emails, phone numbers, and billing addresses was taken, and the vault backups contained both unencrypted fields (for example, website URLs) and fully-encrypted fields such as website usernames and passwords.
Encrypted vault fields are protected with AES-256 and can only be decrypted with the key derived from each user's master password. LastPass does not store master passwords, so it cannot decrypt them either. The attacker, however, now holds the ciphertext and can try master-password guesses offline, with no server to lock the account or rate-limit attempts; the cost of each guess is set by the master password's strength and the PBKDF2 iteration count on the account. If you use LastPass, set a long, unique master password, don't share it, make sure your account's iteration setting is at the current default, and rotate any high-value passwords that were stored in the vault.
LastPass is still one of the best password managers in 2023. But if you want to switch providers, try 1Password which has had no data breaches.
Don’t Have Time? Here’s a 1-Minute Summary
- Strong security features — LastPass secures your vault with AES-256 encryption and client-side key derivation to protect your data from attackers.
- Password Generator — I like how easy it was to create secure passwords in the LastPass app.
- Security dashboard — LastPass notified me about weak and reused passwords and monitors the dark web for data breaches.
- Works on multiple devices — I was pleased to discover that LastPass works with popular web browsers and operating systems.
- Poor support — LastPass makes it really difficult to contact customer support directly and has limited support options.
- Free plan and 30-day free trial — LastPass offers a free plan that's better than the competition while also offering a generous 30-day free trial to test its premium features.
Advanced Security Measures to Ensure Password Security
LastPass has multiple layers of security. It is designed around a zero-knowledge architecture: vault data is encrypted and decrypted on your device with a key derived from your master password, so neither the master password nor the plaintext vault ever reaches LastPass. The encryption is AES-256, and the key is derived with PBKDF2-SHA256, a key-stretching function; the master password is not itself stored, hashed or otherwise, in a form LastPass can reverse.
I was impressed to see that LastPass offers multiple layers of protection. It supports multi-factor authentication with authenticator apps, push-based services, and hardware security keys. Most importantly, LastPass uses the industry-standard AES-256 cipher, for which no practical attack is known, to secure your data. LastPass disclosed an incident in 2015 in which account email addresses, password reminders, server-side per-user salts, and authentication hashes were taken. Vault data and master passwords were not, which is the outcome the zero-knowledge design is meant to produce, though stolen authentication hashes can in principle be attacked offline, so a strong master password matters there too.
AES-256 Encryption
LastPass encrypts the data in my vault with AES-256. The master password itself is not encrypted and stored anywhere; it is used on my device to derive the encryption key. AES is a NIST standard, approved by the US National Security Agency for protecting classified information at the TOP SECRET level when used with 256-bit keys, the largest key size AES defines.
Private Master Password and PBKDF2
LastPass prioritizes safeguarding your data using different levels of protection. While creating a new account, you'll choose a strong master password to secure your vault data. A master password is like a regular password, except that it is never sent to or stored by LastPass and is known only to you. Encryption is client-side: the key that unlocks your vault is derived from the master password on your device, and only ciphertext travels to LastPass's servers.
Additionally, LastPass hardens the master password with PBKDF2-SHA256, a key derivation function that iterates a hash 100,000 times before the result is used as the encryption key. This does not make a brute-force attack (automated password guessing) impossible; it makes every guess 100,000 times more expensive than a single hash, so a long, unguessable master password is still what protects the vault.
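The following is an added illustration, not LastPass's code, of the derivation described above and of why a stolen vault backup (see the breach update) turns into an offline guessing problem. It follows LastPass's published description: PBKDF2-SHA256 stretches the master password into the vault key on the client, one more round turns that key into the login credential, and the server re-stretches the credential with a random salt before storing it. The use of the lowercased e-mail as the client salt, the 100,000-round counts, and the HMAC tag standing in for AES-256 (which is not in the Python standard library) are assumptions made here; the e-mail, passwords and vault blob are constructed.

```python
import hashlib
import hmac
import secrets

CLIENT_ITERATIONS = 100_000   # the count quoted in the review; assumed default
SERVER_ITERATIONS = 100_000   # assumed server-side re-stretch count


def derive_vault_key(master_password, email, iterations=CLIENT_ITERATIONS):
    """Client side: stretch the master password into the 256-bit vault key.
    This key decrypts the vault and never leaves the device. Salt = e-mail
    (assumed), so two users with the same password get different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.strip().lower().encode(), iterations, dklen=32)


def derive_auth_hash(vault_key, master_password):
    """Client side: one extra PBKDF2 round keyed on the vault key yields the
    login credential. PBKDF2 is one-way, so the server learns nothing usable
    about the vault key from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def server_enroll(auth_hash):
    """Server side: stretch the received credential again with a random salt
    before storing it, so a dump of the user table is not directly usable."""
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)
    return salt, stored


def server_verify(auth_hash, salt, stored):
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, stored)


def seal_vault(vault_key, vault_blob):
    """Stand-in for AES-256 encryption: a tag only the correct key reproduces.
    It is enough to show what an attacker holding the ciphertext can do."""
    return hmac.new(vault_key, vault_blob, hashlib.sha256).digest()


def offline_guess(sealed, vault_blob, email, candidates, iterations=CLIENT_ITERATIONS):
    """What an attacker with a stolen vault backup does: no server is involved,
    so nothing rate-limits or locks out; each guess costs `iterations` rounds of
    PBKDF2, and the iteration count is the only thing besides the password's
    strength that makes the search expensive."""
    for guess in candidates:
        key = derive_vault_key(guess, email, iterations)
        if hmac.compare_digest(seal_vault(key, vault_blob), sealed):
            return guess
    return None


if __name__ == "__main__":
    email, master = "alice@example.com", "correct horse battery staple"  # constructed
    key = derive_vault_key(master, email)
    salt, stored = server_enroll(derive_auth_hash(key, master))
    print("login ok:", server_verify(derive_auth_hash(key, master), salt, stored))
    sealed = seal_vault(key, b"constructed vault blob")
    wordlist = ["password", "letmein", "correct horse battery staple"]  # constructed
    print("offline guess found:", offline_guess(sealed, b"constructed vault blob", email, wordlist))
```

Two things the code makes visible that the prose does not: the iteration count is part of the derivation, so an attacker must use the victim's exact setting, and the server only ever sees the output of a one-way function of the key, which is what lets LastPass verify a login without being able to open the vault.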
LastPass provides an extra layer of security with multi-factor authentication. Options include two-factor authentication (2FA) apps, SMS codes, hardware security keys, biometric logins, and the LastPass Authenticator app. I tested a few multi-factor authentication options, and they worked effortlessly. I found it very easy to link LastPass to my Google Authenticator app. I activated Google Authenticator from the "Account Settings" and "Multifactor Options" tab.
From the tab, I found other equally useful 2FA options. LastPass works with Microsoft Authenticator, Toopher and Duo Security (for the push notification method), Grid, Salesforce Authenticator (for businesses), and YubiKey for hardware security keys. Each option was straightforward. However, LastPass doesn't have backup codes for 2FA apps that would help you regain access to your vault if you lose your phone, whereas popular password managers like 1Password and Dashlane provide them. The only way around it is to regenerate the secret key for the authenticator app, which carries its own risk: anyone with access to your logged-in account can regenerate the secret, enroll their own authenticator, and lock you out.
I was happy to see that LastPass supports biometric login. It was a convenient way for me to access my vault using identity verification means such as Fingerprint and Face ID without manually typing my master password. Also, I was thrilled to see that LastPass uses TLS to protect my communications and transfer data from my device to its servers. This protects my data from being hijacked by on-path attackers and hackers.
LastPass also has other interesting security features. After the security incident of 2015, LastPass now mandates you to confirm login attempts from an unfamiliar location or new IP address even when you don’t have 2FA set up. So, even if someone knows your master password, LastPass will send an email to you to confirm the login request. Hence, it will block the person from accessing your vault, unless they also have access to your email.
I like how LastPass has an option to add trusted devices and consequently skip multi-factor authentication for 30 days, a convenient way to still login securely. LastPass also has a unique feature that you can use to revoke access or block mobile devices connected to your account. This comes in handy if you no longer have access to these devices and cannot log out.
Privacy — Complies With Data Protection Laws
LastPass operates a zero-knowledge data management model. It is designed to keep your vault data and master password private. Not even LastPass employees know your master password or what you keep in your vault. This zero-knowledge system is made possible by LastPass’s strong encryption technology that protects all your data.
LastPass also complies with relevant data protection laws across different jurisdictions. Its parent company, LogMeIn Inc, complies with GDPR, CCPA, LGPD, Australia’s Privacy Act, and the UK Privacy Act. These laws are designed to protect your data so that companies do not share data like your email address with advertisers without your consent.
One other important thing I like about LastPass is that it partners with trusted third parties for security audits and attestations to ensure compliance with strict privacy measures. It has a SOC 2 Type 2 attestation, meaning an independent auditor has examined its data management controls against the AICPA trust services criteria over a period of time. It also partners with Bugcrowd to incentivize vulnerability disclosure and improve its security systems.
Multiple Features for Password Management
LastPass supports many features for managing passwords. It has basic password management features like encrypted password vaults, password generator, password sharing, dark web monitoring, password security audits, and more. I also like that it supports different account management features like account recovery and emergency access.
Encrypted Password Vaults
LastPass provides a secure vault to store digital records. This vault allowed me to create and keep different kinds of items: notes, bank accounts, passwords, addresses, and payment cards. It also has item types for server information, passport data, health insurance, social security numbers, driver's licenses, Wi-Fi passwords, SSH keys, membership cards, databases, and software licenses.
Unlike other password managers, LastPass is customizable and allows you to create and store custom item types. So, you can create an item outside the default categories. I like that LastPass also allows you to create folders to group your records. However, you can’t share folders unless you sign up for its Families plan. On the other hand, 1Password allows me to create multiple vaults and share a group of records with anyone.
LastPass allowed me to create secure passwords. You can create passwords from 1 to 99 characters long on the web app and 8 to 64 characters on the mobile app, with the default length at 16. The password generator is also customizable. It allows you to create easy-to-read passwords or include special characters, numbers, and uppercase and lowercase letters.
However, there's no use in generating a one-character password. Most password managers have a minimum length of 8 characters, and the default is usually above 14 characters. Keeper allows you to create passwords up to 100 characters in length. Longer passwords that mix symbols, uppercase and lowercase letters, and numbers are more secure than shorter ones, because each added character multiplies the number of possibilities an attacker has to try.
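As an added example (not LastPass's generator), here is a generator that enforces the policy the paragraph above recommends: a floor of 8 characters, a ceiling of 99 like the web app, at least one character from every enabled class, an easy-to-read mode that drops look-alike characters, and an entropy estimate that shows numerically why length and alphabet size matter. The symbol set, the ambiguous-character list and the 8-character floor are choices made here.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"   # assumed symbol set (25 characters)
AMBIGUOUS = set("Il1O0|")                # look-alikes dropped in easy-to-read mode
MIN_LENGTH, MAX_LENGTH = 8, 99           # floor chosen here; ceiling matches the web app

_rng = secrets.SystemRandom()            # OS CSPRNG, never random.random()


def character_classes(upper=True, lower=True, digits=True, symbols=True, easy_to_read=False):
    """Return the enabled classes as strings, minus look-alikes if requested."""
    classes = []
    if upper:
        classes.append(string.ascii_uppercase)
    if lower:
        classes.append(string.ascii_lowercase)
    if digits:
        classes.append(string.digits)
    if symbols:
        classes.append(SYMBOLS)
    if easy_to_read:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    if not classes:
        raise ValueError("at least one character class must be enabled")
    return classes


def alphabet_size(**options):
    return sum(len(cls) for cls in character_classes(**options))


def generate_password(length=16, **options):
    """Generate a password of `length` characters drawn with a CSPRNG.
    One character is taken from each enabled class first so the result
    cannot silently come out without, say, any digit; the rest is uniform
    over the whole alphabet, and the order is shuffled."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    classes = character_classes(**options)
    chars = [secrets.choice(cls) for cls in classes]
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    _rng.shuffle(chars)
    return "".join(chars)


def entropy_bits(length, alphabet):
    """Upper bound on the entropy of a uniformly random password: each
    character contributes log2(alphabet) bits, so a longer password from a
    bigger alphabet is exponentially harder to guess."""
    return length * math.log2(alphabet)


def classes_present(password):
    present = set()
    if any(c.isupper() for c in password):
        present.add("upper")
    if any(c.islower() for c in password):
        present.add("lower")
    if any(c.isdigit() for c in password):
        present.add("digit")
    if any(c in SYMBOLS for c in password):
        present.add("symbol")
    return present


if __name__ == "__main__":
    for length in (8, 16, 32):
        print(length, generate_password(length), round(entropy_bits(length, alphabet_size()), 1), "bits")
    print("easy to read:", generate_password(20, easy_to_read=True))
```

Forcing one character per class costs a little entropy relative to a purely uniform draw, so `entropy_bits` is a slight overestimate for this generator; at 16 characters over the full alphabet the bound is about 104 bits, far beyond what offline guessing can reach even at the fast hash rates discussed in the breach update.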
LastPass’s security dashboard is a password auditing and data breach monitoring feature. It allowed me to check my vault for weak, reused, and missing passwords while displaying a security score of my passwords. It also consists of a dark web monitoring tool that checks your account for compromised email accounts and logins.
Although the password auditing feature worked seamlessly and picked up weak passwords on my test logins, the dark web monitoring feature didn’t work well. It didn’t notify me about compromised logins, whereas Dashlane was more effective in discovering compromised logins on my test accounts.
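The auditing side of the security dashboard is simple enough to reproduce offline, which is useful if you want a second opinion on your vault or want to check an export before importing it elsewhere. The following is an added example, not LastPass's dashboard code; it runs over a constructed sample laid out in the column order of a LastPass CSV export (url,username,password,totp,extra,name,grouping,fav), which is an assumption here, and flags weak, reused and missing passwords plus entries whose saved URL is plain http. The weakness rules and the tiny common-password list are choices made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column layout is assumed, the entries are made up.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://example.com,alice,Tr0ub4dor&3,,,Example,,0
https://mail.example.net,alice@example.com,Tr0ub4dor&3,,,Mail,,0
http://legacy.example.org,alice,password,,,Legacy,,0
https://bank.example.com,alice,x9$Lq2#vB7!mR4&kWz,,,Bank,,1
https://forum.example.com,alice,,,,Forum,,0
"""

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}   # tiny constructed list
MIN_LENGTH = 12                                                  # policy chosen here


def parse_export(text):
    """Read the CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def char_classes(password):
    return sum([any(c.isupper() for c in password), any(c.islower() for c in password),
                any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])


def is_weak(password):
    """Weak if it is a well-known password, too short, or uses fewer than
    three character classes. A real audit would add a large breach corpus."""
    return (password.lower() in COMMON_PASSWORDS
            or len(password) < MIN_LENGTH
            or char_classes(password) < 3)


def audit(entries):
    """Return the same categories the security dashboard reports, naming
    entries rather than printing passwords, plus a simple score: the share of
    entries with no finding at all."""
    report = {"missing": [], "weak": [], "insecure_url": [], "reused": []}
    by_password = defaultdict(list)
    for entry in entries:
        name, password = entry["name"], entry["password"]
        if not password:
            report["missing"].append(name)
            continue
        if is_weak(password):
            report["weak"].append(name)
        if entry["url"].lower().startswith("http://"):
            report["insecure_url"].append(name)
        by_password[password].append(name)
    report["reused"] = [names for names in by_password.values() if len(names) > 1]
    flagged = set(report["missing"]) | set(report["weak"]) | set(report["insecure_url"])
    for group in report["reused"]:
        flagged.update(group)
    report["score"] = round(100 * (len(entries) - len(flagged)) / len(entries)) if entries else 0
    return report


if __name__ == "__main__":
    for category, names in audit(parse_export(SAMPLE_EXPORT)).items():
        print(f"{category}: {names}")
```

A CSV export is the whole vault in plaintext, so run this on a local copy only and delete the file afterwards; that is also the reason the report lists entry names and never the passwords themselves.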
Autofill and Save Passwords
LastPass autofill feature worked flawlessly during my tests. I found it really easy to autofill websites with LastPass. All I had to do was click the LastPass icon in the login field of the website that I wanted to access. LastPass detected the login details in my vault, and I was able to autofill the form with a click.
I also had a seamless experience with the autosave feature. Once I successfully logged in to a site whose login wasn’t saved to LastPass, it prompted me to keep the login information in my vault. I only needed to click “Add” on the pop-up screen, and the password was automatically saved to my vault.
It was easy to import passwords into LastPass. I was able to import all my passwords in a few seconds from the LastPass website. I navigated to “Advanced Options” in my vault dashboard, and then I clicked on “Import” to begin the process.
LastPass allows you to import passwords from various sources, including generic CSV files, Chrome, 1Password, Passpack, McAfee SafeKey, Sticky Password, RoboForm, Darn! Passwords!, Fireform, Clipperz, KeePass, Dashlane, PasswordVault, eWallet, and others. The whole process was simple, and I was glad that LastPass included short notes to guide me in exporting my passwords from those sources.
LastPass allows for seamless password sharing. You can easily share passwords from your saved logins with one or more users. Note that the users must have a LastPass account. Otherwise, they will be prompted to create one. To share a login with another user, you have to click on the share icon attached to each record.
After clicking on the icon, a box appeared where I entered the email address of the individual I wanted to share the login with. I also could choose whether the person could view the password or not. You can allow the user to use the password without seeing it in their vault. Of course, if the user uses the autofill feature and selects "show" in the password field, the password will be revealed; the recipient's client has to decrypt the password to fill it, so hiding it is a convenience setting, not a security boundary. So, I don't really see the need for the feature.
LastPass has a “Sharing Center” where you can manage and view all your shared logins and the users you’ve shared them with. You can share new items from this tab and revoke access to any login.
I like how easy it was to share different unlimited logins without restriction on the premium plan. The free plan, however, only supports sharing passwords with 1 person. Also, you can’t share folders unless you’re subscribed to the Families plan.
Automatic Password Changer
LastPass provides an automatic password changing feature, but it was slow. I like when a password manager has this feature because it allows me to change passwords on some sites conveniently with a click. With it, there’s no need for the long process of manually logging in to a website to update the password. To use this feature on LastPass, you simply need to click on the edit button for your login and select the “automatic password changer” link to auto-update your password on the site.
If the link doesn’t appear, it means that website is not supported. LastPass currently supports 75 sites where you can use this feature, including popular sites like Facebook, Twitter, PayPal, Amazon, DropBox, and Pinterest. I tested the feature with my PayPal and Facebook accounts. Unfortunately, it took forever to update the password, which was really disappointing. Dashlane provides a better automatic password changer feature that updates my passwords within a few seconds.
LastPass has multiple account recovery options. If you forget your master password, you can still regain access to your vault using different options. These options include using biometric logins (Face ID, Touch ID, and FingerPrint), master password hint, SMS recovery, and restoring your previous master password from a device you’re signed in on.
I tested the “Face ID account recovery” option on my iPhone and was able to change my master password with a few steps. Note that if someone else has a Face ID profile on your phone, the person could easily restore your account and change your master password too.
When setting up your account, LastPass allows you to input a master password hint. This could be a word or sentence that helps you remember your password if you do forget it. You can also add a phone number from the account settings tab, which can be used to regain access to your vault if you forget your master password. I wouldn't recommend this, though, since attackers can use SIM swapping to take over your phone number and gain access to your vault.
Another account recovery option is by reverting to the previous master password. You can do this from its website under the account settings tab if you’re still logged in on your web browser. However, keep in mind that it will also restore your vault data to the previous master password change date.
LastPass supports Emergency Access. It allows you to add specific trusted users as an emergency contact. So, if you’re unable to access your account due to medical reasons or otherwise, the contact can access your vault if you don’t block the access after a wait time you set.
This wait time ranges from “immediately” to “30 days.” All you need to do to activate emergency access is to add the emergency contact’s email address, choose a wait time, and “Send Invite.” I tested this by adding my sibling as an emergency contact and set the waiting period for 3 hours. She accepted the invite, and, after the waiting period elapsed, she could see the content of my vault on her account. There are 2 pages on the Emergency Access page — “People I Trust” and “People who Trust Me.” You can edit the wait time or revoke access anytime from this dashboard.
LastPass offers a credit monitoring feature for its US customers. It monitors your credit report and alerts you about any errors or identity theft issues. It also notifies you of any changes made to your credit report, allowing you to detect any changes that could hint at a compromised identity.
Credit Monitoring is part of LastPass premium, but you can still test it with the free trial. If you want comprehensive coverage of your credit report and other advanced credit features, LastPass has an add-on Premium Credit Monitoring feature that provides a detailed report and costs a few extra bucks.
Overall, LastPass offers standard and advanced features for seamless password management. Its features like the password generator, security dashboard, and dark web monitoring are tools I find essential. I also found it easy to share my logins securely, and I’m particularly impressed to see multiple account recovery options.
LastPass also has a country restriction feature. It allows you to set country restrictions as a security measure, blocking login traffic from any country you add to the list. While this stops logins from the listed countries, an attacker can connect through a Virtual Private Network (VPN) or proxy in an allowed country and bypass the restriction, so it is a minor hurdle rather than a real control.
Ease of Use
Quick to Install and Simple to Use
I found it quite easy to install and set up LastPass. In just a matter of minutes, I successfully registered an account and installed the applications on both my computer and smartphone. Once my account was set up, seamlessly importing my passwords into LastPass was a breeze. The web and mobile apps presented a user-friendly interface. It was easy to find all the features and use them.
I created secure passwords within seconds, added my logins to the vault, shared my Netflix login with my best friend, auto-filled multiple websites, and scanned my passwords for weak and compromised accounts. Every feature worked seamlessly except for the dark web monitoring feature.
Setting up the LastPass Web App
- Visit the LastPass website and click on “Get LastPass Free” on the menu bar.
- Sign up with your email address and a secure master password.
- Once your account is successfully created, click on “Install LastPass.”
- You’ll be redirected to your browser extension store, where you should download and add the browser extension to your web browser.
- Launch the browser extension, and you’ll be logged in to your vault.
- Import your passwords or click on the “plus” sign to add your passwords and other records.
Overall, LastPass is easy to use and comes with basic and premium password management tools. It is user-friendly and allows me to store and use all my passwords without any issues.
LastPass works on popular devices and browsers. It has desktop apps for Mac, Windows, and Linux. Also called the “LastPass Universal Installer,” the desktop apps install the browser extensions for Microsoft Edge, Chrome, Opera, Firefox, and Safari. It also serves as a desktop app that installs the specific PC app for your operating system.
The browser extension worked pretty well on my Microsoft Edge browser. It allowed me to manage all my passwords and use them on different sites. The Desktop app is simple to use but lacks more features compared to the web app and mobile apps. It allows you to create/edit records such as notes, passwords, and card details. However, it lacks dark web monitoring, emergency access, password generator, and security dashboard features.
In contrast, these features are available on the LastPass mobile apps for Android and iOS devices. Once I logged in to the iOS app by entering my email and master password, I found 4 tabs: the "Vault" tab that contains all my logins, a "Go Premium" tab, a "Security" tab, and a "Settings" tab. The Security tab has the password generator, emergency access, and security dashboard features. It also contains a "security challenge" button that displays a security score for my passwords and my ranking compared to other LastPass users. The "Settings" tab allows you to adjust how the LastPass app functions.
I like that I could use biometric login to access my vault on the mobile apps. I used Face ID to log in on my iPhone and Fingerprint on my Android. I was also pleased to learn that LastPass works with smart wearables. I easily connected my Apple Watch with just a toggle of a button.
I was very disappointed with the available LastPass support options. There are 4 support options, but what you have access to depends on your plan. If you have a free account, you can get help with the support articles and community forum. Premium plan users can schedule a phone call with LastPass, while email support is only available to LastPass Business users.
Although the support articles (usually in FAQs) were detailed and addressed many issues I experienced, I was displeased by how difficult it was to get direct support from the LastPass team. I didn’t get a response from the community forum even after 48 hours of dropping a post relating to a technical issue I encountered. Even though you can easily schedule a phone call with customer support for premium users, it is only available to US residents, yet another limitation.
LastPass has other ways of providing support to users. You can watch pre-recorded webinars or sign up for upcoming live events. It covers how to get started with LastPass, a detailed explanation of the main features, LastPass Business, and a live Question and Answer session. You can also contact LastPass via Twitter. There are 3 Twitter accounts, including the LastPass Help Twitter account, where you could drop a DM and get a response from the team. I dropped a DM and got my questions answered after 24 hours.
LastPass offers decent pricing for its features. It has plans for individuals (including families) and businesses. The individual plan consists of a Free option, Premium, and Families subscription, all with different features. You can subscribe to the plans with your credit and debit cards (Mastercard, Visa, American Express, and Discover).
The LastPass Free plan allows you to store unlimited passwords, save and autofill passwords, one-to-one sharing, multi-factor authentication, password generator, and access on one device type (computer or mobile). This plan beats the competition in its offering, except for Bitwarden which supports unlimited passwords and devices. However, Bitwarden lacks key features that LastPass does have for free like emergency access, a security dashboard, dark web monitoring, and advanced multi-factor authentication.
The LastPass Premium plan expands on the features of the free plan. It supports all the features of the free plan and all device types, 1GB storage, one-to-many sharing, emergency access, security dashboard, dark web monitoring, priority tech support, and advanced multi-factor authentication. The best value though is its Family plan which is only a dollar more a month than the Premium plan and supports all the same features, plus 6 individual encrypted vaults, a family manager dashboard, and shared folders.
LastPass Business is designed to meet organizational needs and is packed with more features and support options. It has the Teams and Business plans. The Teams plan supports all the features included in the Families plan with up to 50 users, each having a separate vault, just like the 1Password Families plan does. The Business plan supports additional features, including unlimited users, 3 Single Sign-On (SSO) apps with MFA, customizable user management, 1,200+ pre-integrated SSO apps, and 100+ customizable policies. Despite all these features, the Business plans still fall short in its offering compared to other popular password managers like Keeper.
Free Trial for 30 Days
You can try LastPass risk-free for 30 days on the Premium and Families plans. LastPass Business offers a 14-day free trial that you can use to test all its features. Even though there's no money-back guarantee, the trial period should be enough to help you decide whether to continue with LastPass.