LastPass review: A leading password manager with a changing value proposition
Heavy is the head that wears the crown.
Rae Hodge, former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.
Editor's note, Jan. 12, 2023: In December 2022, LastPass revealed that the breach it originally disclosed in August had eventually led to an unauthorized party gaining access to unencrypted user data and customer vaults containing even more data. This breach significantly undermines LastPass's effectiveness as a privacy tool and consumer trust in the product. In light of the severity of this latest breach and given LastPass's lengthy history of security issues, we have decided to remove LastPass from our list of recommended password managers at this time. If you're a LastPass subscriber, take a look at CNET's advice on what to do in the wake of the breach. If you're looking for an alternative, take a look at our list of the best password managers. Below, you'll find our earlier LastPass review as it was written prior to the latest incident, in 2021. We will be conducting a thorough re-review of the password manager in the near future.
"'Don't put all your eggs in one basket' is all wrong. I tell you 'put all your eggs in one basket, and then watch that basket.'" -- Andrew Carnegie, 1885
When it comes to privacy tools, Andrew Carnegie is usually dead wrong. In the case of password managers, however, Carnegie is usually more dead than wrong. So much of our online privacy and security rely on guarding the single digital basket -- a well-chosen password manager -- into which we've entrusted every login key. To wit, I've been using LastPass so long I don't know when I started using LastPass. But now -- with new restrictions on LastPass' once-legendary free service and the discovery of web trackers in the software -- I'm finally making the switch.
True to millennial peerage, though, I didn't stick around because I'm brand-loyal. I've test-driven other password managers, and with a growing stack of encryption lit at my office-away-from-office, I'm itching to get further under their hoods. LastPass, until recently, outlasted them all. While I'm personally moving over to Bitwarden -- which remains free across multiple devices and has a strong open-source foundation -- I'm still steering plenty of less-techie folks to LastPass, thanks to its overall ease of use.
While LastPass' extensive free tier gave it a wide margin of victory over competitors like 1Password, restricting its free service to a single device has closed the gap quickly. Its technical security is generally on par with other premium password managers, but it's still got the advantage of a friendly, intuitive user interface -- the most important factor, I'd argue, in establishing long-term privacy by habit.
You should generally avoid using any privacy product that stuffs web trackers into your browser, or otherwise make sure any of your personal tracker-blocking tools are enabled on your browser and across your device. But even with LastPass' latest restrictions on its free service, it's still a worthwhile product.
At $36 a year, the Premium version of LastPass is a solid deal, sweetened by the inclusion of YubiKey and 1GB of encrypted storage. A $48 annual subscription will get you the Families plan -- that's six individual accounts, shared folders and a dashboard that goes beyond your own security analytics and lets you manage the family accounts.
Cheaper options are out there -- Bitwarden's first-tier premium version starts at $10 -- but LastPass is on a par with most of its peers in price. Competitors Keeper and 1Password, for instance, cost $30 and $36 respectively for their first-tier premium subscription.
Loaded with easy-to-use features
If you're new to password managers, here's how it works: You sign up for an account and create a master password. You then use that master password to log into your password manager instead of entering your login information for every different site.
Overall security is also bolstered by LastPass' username and password generator -- making it easier to create stronger passwords every time, rather than being tempted to re-use others. This feature is at its best when combined with LastPass' automatic prompts: Not only does LastPass detect data entry fields and invite you to save a new password in your Vault (instead of directly into your browser, something you should never do), but it encourages you to generate a unique one with a single click.
LastPass' multifactor authentication, a practice we recommend for any apps with sensitive data, is also great for bolstering secure logins. If you're willing to purchase the premium version, LastPass will also cross-reference your information against databases of logins known to be compromised via its Dark Web Monitoring option, alerting you if your email address has been flagged. You'll also get a dashboard full of graphics illustrating your overall security. For instance, a visual gauge analyzes your collection of passwords and displays the percent that are considered too weak.
The smooth functionality of LastPass' browser extensions can't be overstated. They've gotten along with nearly every other extension I've used. The same can be said of its mobile apps. Even as app store permission schemas have changed over the years, I've never run into major conflicts between LastPass and other apps. That amiability extends to platforms, too. I've yet to find an operating system or device on which I can't use LastPass. I've recommended it to journalists, lawyers, activists, family -- you name it -- not just because of its compatibility, but because I've found it exceedingly intuitive and user friendly in its setup.
I can create folders for groups of sites -- carefully partitioned areas are designed to hold your credentials and banking information -- and I can import and export blocks of passwords. Granted, exporting any list of passwords via plain text can be risky. Premium users can even share folders and items, grab some secure note-taking space on the cloud, and set up an emergency contact to access their accounts if they can't.
Usability and design are about more than how smart a program looks, though. The hardest security flaw to fix is the human one. While security bugs often follow attempts to make software more convenient, it's better to make a privacy tool behaviorally appealing, even if it is slightly less secure. A password manager that's user friendly is one that gets used, and it's infinitely better to have people using slightly flawed security than none at all.
Come back with a warrant
Back in 2015, LastPass was the darling of password managers and LogMeIn was a freshly hated company for having announced they'd now be charging for their remote desktop software. So when LogMeIn announced plans to buy LastPass for $110 million that year, the internet sounded a death knell. LastPass didn't die, though. And, unlike LogMeIn, it didn't suddenly stop offering its freeware. Fast-forward to August 2020 when the ink dried on the $4.3 billion purchase of LogMeIn by private equity firm Francisco Partners and Evergreen Coast Capital, the affiliate of vulture megahedge Elliott Management.
While LastPass still touts a growing user base in the millions, the former fan base was finally proven right in February: Just like LogMeIn, LastPass' free service got slashed. As of March 16, you're only able to use LastPass' free service on one device. If you're currently using the free service, you'll have to choose one of the two categories, desktop or mobile. But you'll also get three chances to switch between them, so you can figure out which is most useful.
And, yes, LastPass is a US-based company and your data is therefore stored in a Five Eyes jurisdiction -- a mass surveillance and intelligence-sharing ring between countries including the US, UK, Australia and Canada. And yes, both the LastPass and LogMeIn terms of service openly say they will comply with requests from government agencies for access to your information. Unlike with virtual private networks, however, a Five Eyes jurisdiction on a password manager isn't an immediate deal-breaker for me.
With managers like LastPass, your information gets encrypted client-side -- meaning locally, on your computer. The biggest threat to your privacy, then, isn't necessarily that your password manager will be served with a subpoena and a gag order. In theory, there'd be nothing for that company to hand over to authorities anyway.
Case in point: LogMeIn told Forbes in 2019 that LastPass gets fewer than 10 such requests a year. For a privacy company that hit a 25 million-user milestone in September 2020, that's a ridiculously small number of requests. A more important criterion is what a company does with those requests.
When LastPass got slapped with a legal order from the US Drug Enforcement Administration in 2019, demanding it hand over information on a user such as their passwords and home address, the company basically shrugged. It couldn't give the feds what its own encryption kept it from having.
As I've said of VPNs, surviving a privacy trial by subpoena fire is one of the surest ways a privacy tool can earn my trust. And while being forced to hand over documents to government entities is a liability for any privacy-oriented company, a company that hands over a cache of unreadable data while its parent company loudly decries federal anti-encryption policies is one that gets the nod from me.
In a security audit for a password manager, you want to see source code auditing, cryptographic analysis and white box penetration tests -- not only for LastPass' mobile apps and desktop client, but for its backend technology. Why isn't LastPass leading here?
With the trust of 25 million users at stake, LastPass has a responsibility to supply the public with more independent, third-party cybersecurity audits like those conducted for peers RememBear, NordPass and Bitwarden. And while LogMeIn keeps a collection of audits for several of its properties, the company says its additional cloud security audit for LastPass is only available if you sign a nondisclosure agreement.
To make sure I wasn't missing anything, I asked LastPass for the goods.
"Security is fundamental to what we do and we strive for transparency with our users. We agree that having these security audits and penetration tests are important when evaluating our service, but due to the sensitive nature of these reports, we cannot make them available without a nondisclosure agreement," a company spokesperson told me in an email.
I declined the offer.
Under the hood: Data collection and encryption
The source code is private and the audits are missing, but we know LastPass collects some of your data. That includes basic contact information and billing addresses, as you'd expect, but it also includes your unique device identifier number, your operating system, the IP address you connect from, your location information and what apps you're using LastPass to store passwords for. LogMeIn has repeatedly said it doesn't collect user browsing history.
Most concerning, however, was the recent unearthing of LastPass' use of web trackers, which came into the spotlight after a security researcher recommended switching away from the password manager based on the findings of a well-known privacy advocacy app. The Exodus Privacy app, developed by the Guardian Project to document the number of trackers and permissions other apps use, discovered seven web trackers in the Android version of LastPass.
The web trackers on LastPass include those from Google Analytics, AppsFlyer and Mixpanel. While LastPass' password encryption normally protects your passwords from being viewed by any tracker or site, these trackers let third-party companies collect a startlingly complete record of the sites you visit. Meanwhile, competitor 1Password was found by the same researchers to have zero web trackers. Bitwarden was found to have two items classified as web trackers, but they function as an optional crash-reporting tool and don't track actual web activity. Regardless, Bitwarden offers a version without them.
While jurisdiction concerns may not be a deal-breaker for my own choice of password manager, a suite of web trackers in a privacy app definitely is. Web trackers may be a du jour revenue model among free software and the data they collect -- some might argue -- is anonymized sufficiently. But it's not that hard to unmask real people in anonymous data. More importantly, it's insulting to pay for a premium privacy service, only to have that privacy service tail me during internet browsing.
On the security front, though, LastPass is generally solid. Of all the types of attacks a password manager has to ward off, it generally needs to be strongest against brute force attacks -- those aimed at cracking passwords by breaking encryption.
LastPass encrypts your information with AES-256 -- that's the baseline standard for encryption that you should expect from any privacy product. It also employs something called PBKDF2 -- it's how your master password gets turned into a key to unlock that encryption.
Sure, if you're the type of person at whom the US government would target its full capacity for quantum computing and an absurd amount of manhours (e.g., Edward Snowden) then LastPass may not be your best bet.
But the rest of us -- barring some bizarre, inside-job exploit of LastPass' One Time Password account recovery feature -- can feel fairly confident that we aren't worth someone enduring the 100,100 PBKDF2 iterations required to get close to our passwords.
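As an added example that is not LastPass' own code, this shows what the PBKDF2 step described above does: it stretches a master password into a 256-bit key of the size AES-256 needs, and every candidate password an attacker tries costs the full iteration count. The salt, wordlist and account e-mail are constructed; the verifier-hash step is a common design, not a claim about LastPass' implementation.

```python
"""Added example, not LastPass's own code: how PBKDF2 stretches a master
password into a 256-bit key, and how the iteration count multiplies the
cost of guessing that password offline."""
import hashlib
import hmac

ITERATIONS = 100_100   # the iteration count quoted in the review
KEY_LEN = 32           # 32 bytes = 256 bits, the AES-256 key size


def derive_vault_key(master_password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 over the master password. The salt (an account
    e-mail is a common choice) stops one precomputed table from serving every
    user; the iteration count makes every single guess proportionally slow."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def login_verifier(master_password, salt, iterations=ITERATIONS):
    """What a server can store: one more hash round over the derived key, so
    the vault key itself never has to leave the client."""
    key = derive_vault_key(master_password, salt, iterations)
    return hashlib.sha256(key).digest()


def guess_cost(candidates, stored_verifier, salt, iterations):
    """Cost model for offline guessing against a leaked verifier: returns the
    matching candidate (or None) and the HMAC evaluations spent. Every
    candidate, right or wrong, costs the full iteration count, which is why a
    high count buys time even when the verifier leaks."""
    hmac_calls = 0
    for cand in candidates:
        hmac_calls += iterations
        if hmac.compare_digest(login_verifier(cand, salt, iterations),
                               stored_verifier):
            return cand, hmac_calls
    return None, hmac_calls


# Constructed sample data, not real credentials.
SALT = b"alice@example.com"
WORDLIST = ["password", "letmein", "correct horse battery staple",
            "Tr0ub4dor&3"]


def demo(iterations=ITERATIONS):
    """Derive a verifier for the last wordlist entry, then price the search."""
    verifier = login_verifier("Tr0ub4dor&3", SALT, iterations)
    return guess_cost(WORDLIST, verifier, SALT, iterations)


if __name__ == "__main__":
    found, work = demo()
    print(f"matched {found!r} after {work:,} HMAC-SHA256 evaluations")
```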
The rap sheet
The mark of a good privacy tool isn't a clean rap sheet. It's how the company responds to incidents and vulnerabilities. Are they transparent and timely in telling the public? How bad were users hit? Do they respond quickly with repairs and incorporate what they've learned into long-term improvements?
In LastPass' case, the company has created an environment that encourages bug-hunters and security researchers. Despite its lengthy list of discovered vulnerabilities, it's so far only had two significant user data breaches (only one of which was malicious and resulted in actual user data loss). It generally responds quickly to vulnerabilities and rolls out updates along with its tidy log of release notes. Still, it's had more issues than many of its competitors, and their trail stretches all the way back to 2011.
The 2015 breach saw the most publicity and is the only breach noted on LastPass' official site. The same year, though, Asana Security Head Sean Cassidy discovered a phishing vulnerability created by a CSRF bug, and a research paper emerged detailing another CSRF bug and how LastPass' Safari bookmarklet option was found vulnerable if users were tricked into clicking certain parts of an attacker's site.
The hits kept coming in 2016: Two vulnerabilities were found. One was discovered by security researcher Mathias Karlsson, and the other by Google Project Zero bug assassin Tavis Ormandy, the latter prompting LastPass to urge users to update their browsers.
Ormandy wasn't done with LastPass, though. In 2017, he found another browser extension leak, which LastPass fixed. His work foreshadowed that of University of York researchers in 2019 who found a vulnerability that would allow malicious copycat apps to exploit LastPass' autofill feature. By 2019, Ormandy was coming back for another helping, discovering a third browser extension vulnerability -- which LastPass again resolved -- that would expose login credentials you entered on a previously visited site.
Heavy is the head
Without seeing the audits, it's hard to pinpoint exactly why LastPass has accumulated such a long list of found bugs compared to its competitors. That length could speak to the popularity and ongoing evolution of a complex piece of software, or be held as evidence of slipshod development and recurring problems.
When I reached out to the company about it, LastPass pointed out it welcomes bug-hunters and rightly cautioned users against choosing any vendor that hasn't publicly disclosed a bug or incident.
"LastPass is the leading password manager, for both consumers and businesses -- there is no other password manager on the market that is more widely used. As such we're more likely to catch the attention of security researchers," a company spokesperson said in an email.
"LastPass can offer a stronger, more secure product in part because of the important work the research community does. We continue to incentivize their contributions through our third-party bug bounty program," the spokesperson added. "We are confident LastPass is stronger for the attention."
They're right about being stronger for it. Every time Ormandy came at it, steel sharpened steel and overall security was hardened. And they've got a point about popularity. If I were a bug-hunting security researcher with ambition and ethics (or I just needed a couple hundred bucks), my impulse would be to go after popular privacy tools with proprietary software in jurisdictions under domestic mass surveillance. LastPass would, by all metrics, make for excellent target practice.
These points would be stronger, though, if there weren't a signal in the noise here. A closer analysis of the rap sheet reveals that this is no scatter plot of random bugs, but a map of LastPass' battles against some of the same Achilles' heels afflicting nearly all password managers: When any password manager uses a browser extension to autofill your username and password fields, it opens up a wide vector for all kinds of risks.
Those risks were magnified in LastPass' case by a URL visibility issue and its historically insecure API -- meaning a potentially malicious website could pose as a legitimate website and "talk" to LastPass, convincing it to hand over your logins for the legitimate site. Using only a desktop client would mitigate most of that risk. But password managers only work when people use them regularly -- and no one uses desktop clients as frequently as mobile apps and browser extensions.
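As an added example that is not LastPass' own code and does not reproduce any specific LastPass bug, this puts the loose host matching that lets a page pose as another site next to the strict per-origin check an autofill extension should make before releasing a saved login. The saved origin and the page URLs are constructed.

```python
"""Added example, not LastPass's own code: the origin check an autofill
extension should make before releasing a saved login, beside the loose host
matching that lets a lookalike page ask for another site's credentials."""
from urllib.parse import urlsplit

# Constructed vault entry: credentials saved for exactly this origin.
SAVED_ORIGIN = "https://bank.example"
DEFAULT_PORTS = {"https": 443, "http": 80}


def loose_match(saved_origin, page_url):
    """Weak check: fill whenever the saved host appears inside the page host.
    bank.example.evil.test passes, and so does plain http://bank.example, so
    a page posing as the bank can be handed the bank's login."""
    saved_host = urlsplit(saved_origin).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    return saved_host in page_host


def strict_match(saved_origin, page_url):
    """Fill only when scheme, host and port all equal the saved origin, and
    only over HTTPS. A different subdomain, a lookalike suffix, a plaintext
    scheme or another port is a different origin and gets nothing."""
    saved, page = urlsplit(saved_origin), urlsplit(page_url)
    if page.scheme != "https" or not page.hostname:
        return False
    saved_port = saved.port or DEFAULT_PORTS.get(saved.scheme)
    page_port = page.port or DEFAULT_PORTS.get(page.scheme)
    return ((saved.scheme, saved.hostname, saved_port)
            == (page.scheme, page.hostname, page_port))


# Constructed page URLs an extension might be asked to fill.
PAGES = [
    "https://bank.example/login",
    "https://bank.example:443/login?next=/accounts",
    "https://bank.example.evil.test/login",   # lookalike suffix
    "https://login.bank.example/",            # same registrable domain, other origin
    "http://bank.example/login",              # plaintext copy of the real host
]


def compare(pages=PAGES, saved_origin=SAVED_ORIGIN):
    """Return {url: (loose, strict)} so the two policies read side by side."""
    return {u: (loose_match(saved_origin, u), strict_match(saved_origin, u))
            for u in pages}


if __name__ == "__main__":
    for url, (loose, strict) in compare().items():
        print(f"{url:48} loose={loose!s:5} strict={strict}")
```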
Besides, wouldn't LastPass be stronger for the attention?