Verdict
LastPass is a functional password manager with a somewhat old-school interface, but a major 2022 security breach and poor disclosure handling make this industry stalwart one to avoid.
Introduction
LastPass is one of the most popular password manager options, and previously placed very highly in our Best Password Manager list.
However, a security breach in August 2022 has put its security credentials under scrutiny, especially its actions and behaviour in the months following the breach.
As a result, it's difficult to recommend LastPass right now, and it will take a lot of effort from the company to restore confidence in its security.
Pricing
A LastPass Premium account costs £31.20 per year, while a Families subscription gets you six accounts, plus admin tools that can help you reset any family member's lost master password, for £40.80 a year.
LastPass was once famed for its very generous free tier, but its features have been gradually stripped away in an effort to prompt free users to start coughing up subscription fees.
Free users can still store an unlimited number of passwords, and access them from a theoretically unlimited number of devices, but all of those devices have to be of the same type. This means that free account holders have to choose between accessing LastPass via a web browser extension on a computer, or via one of its mobile apps on a smartphone or tablet.
On a free account, you're also limited to one-to-one (rather than one-to-many) password sharing, can't set an emergency access contact, and can't use Yubikey tokens or fingerprint and smartcard readers as 2FA methods. However, free users now do get access to LastPass's security dashboard with its password security assessment service, as well as dark web breach monitoring, which alerts you if your email address appears in any known breach. Passwordless vault login using LastPass Authenticator is available to free as well as paying subscribers.
Paying users also get 1GB of encrypted attachment or secure file storage and access to personal support, but the key incentive to subscribe is definitely having access to your passwords on your phone as well as in your web browser app – or vice versa if you're a mobile-first user.
Security
LastPass was the first password manager to gain mass appeal, but this has made it a ripe target for breach and exploitation efforts.
This resulted in an August 2022 breach in which a hacker entered the company's development environment, followed by a November incident in which data from the first breach was used to obtain an unencrypted customer database and mostly-encrypted password vaults. While LastPass promptly announced the breaches, it either massively underestimated or significantly minimised the extent of the data loss in its public communications.
Usernames, passwords and secure notes in this data set were encrypted, but LastPass doesn't encrypt some data in the vault, notably URLs. The encrypted fields are secured with 256-bit AES encryption, using a key derived from each user's master password, and LastPass doesn't even have the key to lose, as it operates on an industry-standard zero-knowledge basis.
However, having the vault data available, even encrypted, means that a bad actor can take their time attempting to crack passwords using brute force. That remains a virtually impossible task if the data was encrypted with a secure, long passphrase, but if a weak master password was used, or if the master password was reused and had already been exposed in another breach, a customer's full vault could potentially be compromised.
Further announcements followed in December 2022, and in January, February and March 2023, but the language used in these official communications was consistently evasive and vague. Getting hacked is more or less an inevitable consequence of running an online service.
What's really telling is how a company deals with that, from preventative security, to minimising the impact on customers, to honestly and openly communicating a breach and its potential consequences. LastPass has failed to impress on any of these fronts.
To its credit, LastPass has published a relatively clear list of ongoing and future remediation and improvements to its security, and has taken steps such as increasing the number of encryption iterations applied to the master passwords of older, existing accounts to effectively create a new, more secure encryption key. Updates since March have been thin on the ground, though.
The company has advised customers to change their master passwords – and you definitely should if you've not done so since August 2022. However, if you're an existing LastPass user, I recommend switching to an alternative password manager – Bitwarden and 1Password are strong choices, while KeePass databases are great if you'd rather take full responsibility for your own information security.
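As an added illustration of the two security points above (the master-password-derived vault key and why raising the iteration count matters against offline guessing), here is a small model written for this review rather than code from LastPass; the salt, iteration counts and hash rate are constructed placeholders, not LastPass's real parameters.

```python
import hashlib
import math

# Constructed illustration values; these are not LastPass's real salt or iteration counts.
SALT = b"constructed-per-user-salt"
OLD_ITERATIONS = 5_000       # placeholder: a low, legacy PBKDF2 iteration count
NEW_ITERATIONS = 600_000     # placeholder: a raised iteration count
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Zero-knowledge model: the 256-bit vault key is derived from the master password
    on the client with PBKDF2-HMAC-SHA256 and never leaves it, so the provider holds
    only the encrypted blob and has no key to lose."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def passphrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of `words` words chosen at random from a dictionary."""
    return words * math.log2(dictionary_size)


def rekey_slowdown_factor(old_iterations: int, new_iterations: int) -> float:
    """How much a raised iteration count multiplies the cost of every guess."""
    return new_iterations / old_iterations


def expected_crack_years(entropy_bits: float, iterations: int,
                         hashes_per_second: float) -> float:
    """Defender's cost estimate for offline guessing against a stolen vault blob.

    Each guess costs `iterations` hash evaluations, so the guess rate is the raw
    hash rate divided by the iteration count; on average half the keyspace is tried."""
    guesses_per_second = hashes_per_second / iterations
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Raising the iteration count yields a different key, which is why the vault has
    # to be re-encrypted while the user is logged in with the master password.
    old_key = derive_vault_key("correct horse battery staple", OLD_ITERATIONS)
    new_key = derive_vault_key("correct horse battery staple", NEW_ITERATIONS)
    print("key changed on rekey:", old_key != new_key)
    rate = 1e10  # constructed: raw SHA-256 rate assumed for a large offline rig
    weak = passphrase_entropy_bits(1, 10_000)   # one common word, about 13 bits
    strong = passphrase_entropy_bits(6, 7_776)  # six-word diceware phrase, about 78 bits
    for label, bits in (("weak", weak), ("strong", strong)):
        for its in (OLD_ITERATIONS, NEW_ITERATIONS):
            years = expected_crack_years(bits, its, rate)
            print(f"{label:6} {its:>7} iterations: {years:.3g} years")
```

The printout shows the iteration increase multiplying every guess's cost by the same factor for everyone, while the passphrase's entropy is what moves the estimate from seconds to centuries.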
Features
Although LastPass operates on a zero-knowledge basis, which means that only you know your master password, the service has an unusually wide range of recovery options in case you forget it. A one-time recovery password is automatically created by every LastPass app or extension, making each installation a potential recovery route, even if it's no longer logged in. This works in tandem with LastPass's SMS account recovery pathway.
Other options include mobile account recovery, user-generated One-Time Passwords, and reverting the master password to the previous password within 30 days of a password change, with the caveat that all new vault entries since the change will be deleted.
LastPass doesn't have a proper desktop app at a time when most of its rivals have embraced cross-platform, standalone clients to make it easier to fill and store passwords in places other than the web browser. There's a poorly rated Windows Store app, but this isn't even advertised on LastPass's own website. The lack of a standalone application is a comparatively small inconvenience – all you have to do is open your web vault in your browser app and copy passwords from there. Nevertheless, it falls short of the smooth experience of using dedicated apps such as those provided by Bitwarden or KeePass.
As well as storing passwords and payment cards, LastPass can also automatically store and fill a range of other information, including your bank details and address, as well as providing somewhere to store items such as identity documents, software licences and addresses.
The Vault interface hides some of these data types when you're creating an entry, tucking useful functionality behind extra pull-downs. Similarly hidden is the ability to create separate "identities", which can be used to replicate 1Password's notable Travel mode, as only passwords associated with your currently selected identity will be available in your active vault and therefore subject to inspection by security officials. The feature also allows you to keep home and work passwords well separated from each other.
Its default security behaviour is clearly aimed at users who value convenience over protection, or who only use a personal, secure desktop machine that no one else has access to. Once logged in, the LastPass web browser extension has no default logout period set for either inactivity or browser restart, while the LastPass Vault's default log-out period is two weeks. Likewise, LastPass only recently changed the default length of its generated passwords from 12 to a more secure 16 characters.
Some of these choices are frustratingly unsafe, but at least you can change them via LastPass's extremely configurable range of logout options in both the Vault and the web browser extension. There are some very handy options, including requiring the master password on attempts to access specific identities in the Vault, or on a range of other actions, including in-browser autofilling. If you use 2FA, specific devices can be set to trusted, requiring multifactor re-authentication only every 30 days.
LastPass is, however, very twitchy about logins on a new device or from a new location, by default requiring an email to be acknowledged before they're allowed – VPN users might find this irritating, but it's nice to get a warning, at least.
LastPass supports passwordless logins, including biometric unlock on both browsers and mobile devices, and a master password unlock via a prompt from the LastPass mobile app.
Although the company's enterprise subscriptions have offered an integrated TOTP authenticator in the password manager itself (as opposed to a separate LastPass Authenticator app) since 2020, this still hasn't been rolled out to personal users.
Should you buy it?
If you're an existing user: For web users, LastPass's convenience is legendary. While its default settings could be more secure, they certainly make for a frictionless user experience, and its wide range of password reset options also stands out from the crowd.
LastPass offers a terrific range of security options, but most of these are buried in menu choices, rather than enabled by default or made clearly visible, so they're easy to miss.
Final Thoughts
Before I can return to recommending its password manager, LastPass must demonstrate a commitment to improved security and, in particular, to swift and accurate communication with its users.
Stronger default security settings on the apps and plugins would also be welcome. A proper desktop app and some updates to the vault interface wouldn't hurt, either, but are hardly a priority under the circumstances.
In the meantime, I recommend checking out alternatives such as Bitwarden and 1Password instead. Check out our Best Password Manager guide for even more options.
How we test
We test each password manager ourselves on a variety of computer and mobile operating systems. We carry out comparative feature analysis against industry standards and rival products, and test security and convenience settings such as default logout behaviour and offline access.
FAQs
LastPass has previously been hacked and it's possible that it could happen again. However, LastPass claims there is no reason to believe that hackers will be able to access customer data.
LastPass offers both a free and a paid-for tier.
Password managers and some other online services use zero-knowledge architecture, which means that they never know or store your master password. All encryption and decryption of secure data using it is carried out on your own computer.