LastPass is a password manager with a great reputation. The service was first launched in 2008 by a developer called Marvasol, Inc. In 2015, it was acquired by LogMeIn. LogMeIn is based in Boston, USA, which is never considered a particularly good place for a privacy service to be based due to the presence of the NSA, warrants, and gag orders.
However, LastPass does provide a completely zero knowledge service, which means that in theory, it should never have any customer data to pass to the authorities - even if it is asked to do so using a warrant. On the other hand, LastPass is closed source so there are some security and privacy considerations when it comes to selecting LastPass as your password manager.
Despite all of this, in March of 2019 LastPass was awarded the Best Product in Identity Management award during the 7th annual Cyber Defense Mag InfoSec Awards. This is a testament to the product which is always rated highly by reviewers. So, is all the hype merited, and is LastPass really the last password manager you'll ever need?
When it comes to remembering your passwords, there is really no better way to do it than with a password manager. In order to keep all your accounts secure, it is important for all your passwords to be both complex and unique. Using the same password over and over again opens you up to the threat of hacking - services like LastPass are designed to help.
With LastPass you can set a single master password, behind which all your other passwords reside. And, LastPass is designed to make your life easy by auto-filling your passwords into online forms on the fly.
LastPass is a freemium product, which means that it can be used for free with all its most important settings and features. However, it does have some in-app purchases to extend those features which may become necessary depending on your particular needs. For free, a single user gets access to unlimited password storage, password access on all devices, dual-factor authentication, a secure one-to-one sharing feature, secure notes, a password generator, and a tool for checking the security of passwords.
Users who pay $3 per month for the premium subscription get all the above plus: sharing to multiple users, emergency access, advanced multi-factor options, priority tech support, LastPass for applications, and 1GB encrypted file storage. Those features can be used by just one user.
Upgrading to a Family account that costs $4 per month will increase the number of permitted users to six. And, each user gets their own master password for accessing their own personal vault. In addition, those users get access to group and share items in folders and a manager dashboard for exerting administrative controls.
Getting a free or paid account with LastPass is extremely easy, and it is even possible to get a trial of the paid versions - for testing those added features for 30-days. In this review, we decided to try the premium option for 30-days to take all those features for a test run.
The nice thing about the trial is that you do not need to provide your card details. And, after the initial 30-day period, your account will revert to a free account if you decide not to pay for the extra features that come with Premium.
Having provided a master password and email address, users are prompted to download a browser extension - which will enable LastPass to autofill passwords and save passwords to the password vault. We installed the Chrome extension because this is the browser that we use for testing. However, extensions are available for Firefox, Opera, Edge, and Safari.
LastPass users also have the option to download a standalone desktop or mobile version of the software, which will allow them to use LastPass to fill passwords in their applications as well as online.
Having logged into the extension, users are prompted to save their first password. This is a nice feature which serves as a walkthrough on how to use the password manager. We clicked on Facebook, which led to the Facebook home page being opened with an explanation that all you need to do it log in as usual and your password will automatically be saved to the vault.
This is the easiest way to add passwords to the vault. However, we wanted to test adding passwords manually to understand the process - so we left the automation behind and went directly to the browser-based client.
Logging into the browser-based client launches another automated walkthrough designed to guide you through where everything is. If you are familiar with password managers, this will probably not be necessary and you do get the option to skip it. However, for beginners, this is a valuable resource that eliminates the awkward learning curve that is sometimes experienced when getting used to a new platform.
We started by adding a folder for keeping our social media passwords in. To do so simply click on the add folder button just above the add item icon in the bottom right of the client (It appears when you put your mouse over the icon).
With the folder created, we went ahead and added the password for our Twitter account manually.
As you can see it is possible to save several datasets including payment details, address information, bank account details, or secure notes. We clicked on password.
Adding the password is easy thanks to the form, however, we were sad that the password generator was not integrated into this part of the process - as it is with some other password managers. The advanced options allow you to choose whether you want the password to autofill and whether you should be re-prompted for autofill every time for security purposes. We opted for this as it is a good feature.
With the password added we headed over to the website to check that it would auto-fill and were happy to find that it worked with no issues.
While for most users adding a password by hand is not going to be necessary, it is nice to get a sense of how the folders work, and we were generally impressed. However, the autosave password is still by far the best way to save your passwords with minimal effort. So, in reality, you can simply visit the websites and services you use like you normally do, and LastPass will do all the hard work for you.
Importing and Exporting passwords
Next, we decided to test the import feature. To do so click on More Options in the bottom left of the client, followed by Advanced. Here you will find the Import and Export features.
Clicking on Import opens a special import tool, which allows you to select from a huge range of import options. We decided to opt for importing via a regular CSV file. However, you can directly import from most popular third-party password managers.
The import screen will guide you through the process depending on what you select. We were instructed to open our CSV file entries in notepad so that we could copy and paste them into an import field. Admittedly, this is slightly harder work than with other password managers, but it is hardly a deal-breaker either.
With the CSV entries opened in Windows NotePad, all that remained was for us to copy and paste the data into the form. All in all, the process took us just a few minutes.
Next, we took a look at the export feature, which is a useful tool you will need if you ever decide to leave LastPass for a different (perhaps open-source!) password manager. The export feature takes you to a plain text document that contains all of your individual password fields. Users are not given the option to export in various formats, which is a bit of a disappointment. However, you will be able to get the job done.
A notes feature is available for users who want to store away information in the cloud. This is not essential to the task of password management but it is a useful resource which allows people to set reminders for themselves. While the form does have an attachments button, we couldn’t get it to work.
Premium and family users have the option to give a person access to their account in the event of an emergency. This ensures that access to accounts can be established if there is a need to.
Sharing via folders
Anybody who wants to share folders of passwords can do so thanks to the sharing center. Users can set up individual folders that grant access to other users so that passwords can be shared among coworkers, for example. This feature is only available on the Family subscription plan, or on the business/enterprise versions.
All in all the range of features that are available for free is impressive. The password manager is easy to get used to and the walkthroughs certainly make it approachable for beginners. Paying for the service is not expensive if you do require some extra features. However, for most people, it seems likely that the free service will suffice. This is great because it means the firm has not massively restricted the free version - as is the case with many other services.
Privacy and security
LastPass is a US-based company, which means that it could theoretically be served a warrant and gag order that forces it to hand over any data it holds about consumers. However, because LastPass provides client-side end-to-end-encryption - it should never have any sensitive password data to pass to the authorities - even if it is served a warrant.
On the other hand, this password manager is closed source - which some people may feel is problematic. Closed source code cannot be audited independently for backdoors or vulnerabilities, which means you do have to trust the firm to provide the level of service it claims. While we have no reason not to trust LastPass - there are open source password managers such as Bitdefender on the market that provide the same level of service as LastPass in a completely transparent way. This may be preferable depending on your personal threat model.
To speak of the encryption itself. LastPass creates a locally generated key from the master password that is never uploaded or shared to LastPass servers. This key is created using strong AES 256 CBC encryption with PBKDF2 SHA-256 and salted hashes. This level of encryption is secure, and because the user retains full control over their keys there is never any concern that LastPass employees might be able to access your passwords.
Dual Factor authentication, and location checking security, make it even more difficult for hackers to gain entry to an account. Users are asked to confirm via a link in their email every time they log in to their passwords in a new location. This is a great feature, but we do still recommend setting up 2FA as well.
For users who want to, it is possible to set a Master Password hint, this will serve to help the user remember their password if they forget it. However, it is vital that the hint does not make the password too obvious, because if it does it could put your account at risk of being compromised. We suggest that you stick to using a complex password that you store somewhere extremely safe so that it can not be forgotten. Remember that if you do forget your password, you will not be able to access your passwords.
Next, we checked LastPass’ implementation of TLS/SSL using Qualys SSL Labs to ensure that your data is secure while in transit. Qualys’ analysis revealed that the service scores an A+, which means that SSL is implemented correctly with HSTS and your data is secure when it passes from your browser to its servers. This adds an extra layer of protection for your data on top of the end-to-end-encryption it already provides.
This is not unique to LastPass, and it is an extremely targeted attack, which is unlikely to affect you. However, it is possible, and anybody who wants to avoid it is better off sticking to using the standalone desktop clients and browser extensions.
One thing we did notice is that the level of tracking on its website is a little disappointing (for a privacy-based service). Some tracking is nearly always to be expected with any consumer-facing product. However, while most password managers stick to minimal tracking PrivacyBadger warned us of 21 potential trackers on the LastPass website, which is a lot.
- Secure password vault
- Access on all devices
- Apps for all platforms
- Browser extensions
- One-to-one sharing
- Password generator
- Autofill passwords
- Autosave passwords on the fly
- Sync passwords
- Secure notes
- Security challenge
- Multi-factor authentication
- LastPass Authenticator
- One-to-many sharing
- Emergency access
- Advanced multi-factor options
- Priority tech support
- LastPass for applications
- 1 GB encrypted file storage
Although LastPass appears to have live chat support on its website, this service is actually a bot. And even though it can point you to useful information - it is limited in that it doesn’t always understand what you are asking. We wanted the optional “reminder” field in the sign-up form explaining, but the AI was unable to comprehend what we wanted to know. In fact, we asked it a number of questions that it failed to understand.
Despite this slight drawback, the LastPass website is packed with a lot of useful information. A user manual is available that has lots of walkthroughs and guides for getting the service up and running. A troubleshooting forum is available where LastPass users can ask and answer questions to help each other out. A deep-dive style blog provides excellent articles about digital privacy topics and LastPass features and developments.
One slight problem we found, is that it is hard to find a way to contact the firm directly. The footer of the website does not have the customary contact us section, and searching through the support section does not immediately give you the opportunity to contact support. However, if you do head over to the user manual and browse through some answers to questions eventually, you will be served the contact form at the bottom of a response.
Aa Premium users are given access to advanced support, however, on the free trial of the premium subscription we failed to see the difference which means that you may need to actually pay to get better support. All in all, support is pretty good, but we have definitely experienced better. On the other hand, the service is so well explained that it seems unlikely that users will actually need help that often.
When it comes to getting a free password manager that works on an unlimited basis, LastPass is pretty hard to beat. A free account can be used to store all your passwords and you can use it across all your devices.
The fact that it provides end-to-end encryption means that you retain full control over the keys to your passwords, which is essentially the only way to ensure that they are completely safe. Dual factor authentication and location security features make LastPass even more secure.
The fact that LastPass is closed source may put some people off. If this is a deal-breaker for you, then you will need to stick to an open-source password manager such as Bitdefender.
For most people, however, this password manager is going to get the job done - and while it isn’t as quite as outstanding as many reviewers seem to suggest, it certainly is a fantastic option for those who don’t want to pay for a password manager with client-side encryption. Well worth a test run using the free version.