LastPass fast facts
Our rating: 3.4 stars out of 5.
In 2022, LastPass experienced two major data breaches that resulted in customer data being stolen. This data consisted of encrypted fields such as website usernames and passwords, secure notes and form-filled data, and unencrypted data such as website URLs.
While LastPass offers a decent password manager experience with its slew of two-factor authentication options and consistent password capture and replay, its recent security incidents prevent us from recommending their service.
Is LastPass safe?
Because of the most recent data breaches, I wouldn’t say LastPass is safe to use. In 2022, LastPass experienced two major data breaches that led to both LastPass customer and company data being stolen. The first incident, which occurred in August 2022, involved a software engineer’s corporate laptop being compromised.
According to LastPass, the incident allowed a bad actor “to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets.” The company reiterated that “[n]o customer data or vault data was taken during this incident.”
Unfortunately, LastPass disclosed a second breach on November 22, 2022, wherein the data gained in the August 2022 breach was utilized to access LastPass customer data. In particular, the threat actor gained “unauthorized access to cloud backups” that included “system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.” This customer data consisted of encrypted fields such as website usernames and passwords, secure notes, and form-filled data and unencrypted data such as website URLs.
LastPass has said that the encrypted data remains secure with 256-bit AES encryption so long as the user’s master password follows LastPass’ password best practices, such as having a 12-character minimum and not reusing the master password on other sites. In January 2024, LastPass announced that the company will enforce a requirement for all customers to use a master password with at least 12 characters. In the past, a 12-character master password was the default setting, but customers still had the ability to choose a master password with fewer characters. It is the company’s hope that efforts such as these will “create stronger and more resilient encryption keys for accessing and encrypting [customer] LastPass vault data.”
In May 2024, LastPass announced it would separate from previous parent company GoTo and will now operate as an independent company under LMI Parent, L.P. The company also said it will invest in the establishment of a dedicated threat intelligence team, “designed to protect the broader LastPass community by proactively monitoring for, analyzing, and helping to mitigate potential threats.”
While LastPass continues to implement security changes in an effort to rebuild public trust, I believe the risk simply isn’t worth taking given the company’s tumultuous history of breaches. Aside from the 2022 breaches, LastPass has had security incidents since 2011. There’s even been a report linking the stolen LastPass accounts from November 2022 to a string of cryptocurrency heists.
You might be better off using more secure password managers, such as Dashlane or Keeper, as both companies have yet to report data breaches.
Is LastPass free?
LastPass has a free version, albeit with limited features. It offers unlimited password storage and comes with one account. Compared to a premium LastPass subscription, the free tier only allows one device type. This means that you’ll only be able to use LastPass Free on either a computer or a mobile device.
Other limitations include not having LastPass’ One-to-Many password sharing feature, no emergency access capabilities, and the lack of advanced multi-factor authentication options such as YubiKey and fingerprint authentication.
If you’re looking for a free version to use long-term, I recommend trying out Bitwarden’s free version. It offers the same unlimited password storage as LastPass but also allows access to vaults on an unlimited number of user devices, compared to LastPass’ one-device-type limit.
For those curious to learn more about password managers, how they work, and how they could benefit you, check out our Password Managers 101 video feature.
LastPass pricing
Like most password managers, LastPass categorizes its pricing into Single Users & Families and Business customers. Let’s take a look at the first group of plans.
Plan | Free | Premium | Families |
---|---|---|---|
Price | Free | $3 per month | $4.00 per month |
No. of accounts | 1 | 1 | 6 |
No. of device types | 1 (either computer or phone) | Unlimited | Unlimited |
Notable features | | | |
LastPass’ Premium and Families plans are on par with most of its competition. Its $3 per month Premium plan falls in the middle of similar subscriptions from Dashlane ($4.99 per month) and RoboForm ($1.99 per month).
The story is the same for its Families plan, priced at $4.00 per month, covering six accounts. As of August 2024, it sits in a similar price range with Dashlane’s Friends and Families plan for $7.99 per month that accommodates 10 users.
If you’re specifically interested in a family plan, Bitwarden’s Families plan at $3.33 per month for six users is currently the best deal. It covers the same maximum of six users at a more affordable price. It also has a good security reputation as an open-source password manager. To learn more, read our full Bitwarden review.
LastPass’ Business plans consist of LastPass Teams and Business.
Plan | Teams | Business |
---|---|---|
Price | $4.00 per user per month | $7.00 per user per month |
Number of users | 50 users or less | Unlimited |
Notable features | | |
LastPass’ Teams plan, at $4.00 per user per month, is on the pricier end. If we compare it to 1Password’s Teams Starter Pack, you can cover 10 users for $19.95. The same number of users through LastPass Teams would amount to $40 — a big jump in price. Bitwarden’s Teams Starter plan is similar, priced at $20 for up to 10 users.
LastPass Teams allows up to 50 users, which may be beneficial to smaller teams with more than 10 members. However, it’s important to reiterate that you won’t get the same level of security with LastPass compared to other password managers.
LastPass Business sits in the middle of the range among comparable plans from the competition. At $7 per user per month, it falls between Bitwarden’s Enterprise plan at $6 per user and Dashlane’s at $8 per user.
LastPass offers a free 30-day trial for its Premium and Families plans and a 14-day trial for its Teams and Business subscriptions. If you really want to try LastPass, going for one of these trials is your best option in terms of pricing.
Key features of LastPass
Aside from password generation, autofill, and multifactor authentication, LastPass includes a few interesting features that make it stand out from the competition.
One-time passwords
LastPass allows you to create a set of temporary, one-time passwords (OTPs) whenever you want to access your vault from a public computer and don’t want to enter your master password.
OTPs can be useful for people who frequently travel and don’t bring their own computer or device all the time. These allow users to access their vaults remotely without having to worry about keyloggers or malware stealing their master passwords whenever they use public WiFi.
Country restriction
Another travel-friendly feature is LastPass’ Country Restriction toggle. This lets users permit logins only from selected countries, adding a layer of security whenever you’re traveling or in another country.
This is a convenient set-and-forget feature that travelers can utilize to protect their passwords from being illegally accessed by malicious third parties whenever they’re abroad.
Take note that these country restrictions can be bypassed if you use a virtual private network (VPN), as VPNs can make it appear that you’re in another country or location other than your own.
Security dashboard
LastPass also includes a password health feature called Security Dashboard. It gives you a Security score that analyzes user security, checks if you have any at-risk passwords, and allows you to manage trusted devices.
It also features a dark web monitor that checks whether a particular email address you have is compromised or is involved in a data breach at another company or service.
I personally like how LastPass bundles both its security score and dark web monitoring into one page, giving users easy access to the two complementary tools in one place.
LastPass authentication and security options
LastPass comes with an impressive number of multifactor authentication options. For free users, there’s LastPass MFA, Google Authenticator, Microsoft Authenticator, Toopher, Duo Security, and Grid.
Meanwhile, Premium users can set up a YubiKey USB as their second factor, as well as fingerprint or smart card authentication. LastPass Business users also get access to Salesforce authentication.
In terms of security options, LastPass allows you to set trusted devices that let you skip MFA. While I personally don’t recommend this because of the risk of exposure, it may be convenient to turn this on if you’re only accessing your vault from one machine or location. LastPass also keeps a record of the mobile devices with access to your LastPass account and your location history.
LastPass interface and performance
I used LastPass’ web vault for most of my testing, and I found the interface to be fairly intuitive. Everything from my vault to more advanced options or settings like emergency access and MFA was placed where I expected it to be.
Design-wise, I think LastPass’ interface looks a bit dated compared to the competition. Dashlane and Keeper, for example, have more graphical designs compared to LastPass’ very plain interface. I also found navigating through the LastPass interface to be a bit clunky, with some settings taking a bit longer to load compared to the competition.
For performance, however, I encountered zero issues with LastPass’ password capture and replay capabilities. Its autofill feature was also reliable, filling in username and password fields without any hiccups.
I also really liked how the LastPass vault lets you launch the particular app associated with a given login.
With this, one can theoretically use LastPass as a sort of command center where you can launch and sign into your most-used apps and services easily.
Overall, while I wish LastPass had a more updated design, it provided an easy-to-understand user experience.
LastPass mobile app
The experience on the LastPass mobile app is more or less the same as its web application.
I used LastPass’ Android counterpart on my Google Pixel 6 for this review, and it inherits the same intuitive user interface of its web app.
By default, LastPass mobile blacks out screenshots within the app — an underrated security feature that prevents bad actors from stealing data from your mobile vault. Fingerprint login on the app also worked well, and I really liked the security features included in the app, such as an automatic lock when the app is idle and account recovery via biometrics.
It inherits the same older-looking design of the web app, but this means you aren’t missing much if you only plan to use the mobile app over the web version.
LastPass pros
- Multiple authentication options.
- Intuitive user interface.
- Useful one-time password feature.
- Country restriction functionality.
LastPass cons
- Has been involved in two major data breaches.
- History of smaller security incidents since 2011.
- Dated interface design.
- Clunky web app experience.
LastPass alternatives
Given LastPass’ recent security incidents, I’ve listed three alternative password managers that have not been involved in breaches and will provide more security for your data.
Password manager | Keeper | Bitwarden | 1Password |
---|---|---|---|
Our rating | 4.4 out of 5 | 4.3 out of 5 | 4.3 out of 5 |
Starting price (consumer plan) | $2.92 per month | $0.83 per month | $2.99 per month |
Starting price (business plan) | $2 per user per month; max of 10 users | $4 per month per user; unlimited users | $2 per month per user; max of 10 users |
Standout features | Shared team folders and subfolders; military and medical discounts | Open source; regular and publicly available third-party audits | Well-designed interface; unique travel mode functionality |
Keeper
For larger businesses, Keeper is a great pick as it offers customized bundles and curated pricing for enterprise customers. It also has a Business Starter subscription for teams of 10 people and a Business plan tailored towards small-to-medium-sized businesses.
Bitwarden
If security is a top priority, Bitwarden is one of the best. It is open source, which means that its source code can be reviewed, analyzed, and audited by the public. It also runs on a zero-knowledge architecture and implements end-to-end encryption for its password storage.
1Password
For an all-around experience, 1Password is a safe bet. It comes with an intuitive and modern-looking user interface that’s coupled with high-end encryption for your data. It also offers a unique Travel Mode feature that can benefit users who regularly go abroad for business trips.
Is LastPass worth it?
No, LastPass’ recent data breaches prevent us from considering it a worthy password manager. This is unfortunate, as LastPass offers a decent password management experience with its extensive MFA options and reliable password capture and replay.
However, these features don’t mean a thing if LastPass can’t reliably keep your sensitive information secure and out of bad actors’ hands. At this moment, LastPass fails to hit this mark.
In terms of features, options such as Bitwarden and 1Password can provide the same password management experience without any history of data breaches or hacking.
Review methodology
My review of LastPass involved a detailed assessment of its security features, price, and real-world performance. I had hands-on experience with LastPass through a 30-day trial of its Premium plan.
To test LastPass, I used its web vault application and browser extension on my Windows laptop and its mobile app on my Google Pixel 6.
I rated LastPass on everything from its password management features to its pricing based on an internal algorithm to get a rating of 3.4 out of 5 stars. The scoring was based both on LastPass on its own and in relation to other password managers in the market.