CDC director endorses Pfizer booster for frontline workers iPhone 13 is on sale: Best deals China: All cryptocurrency transactions illegal Elon Musk and Grimes 'semi-separated' PS5 restock tracker Google Doodle honors Christopher Reeve
CNET editors pick the products and services we write about. When you buy through our links, we may get a commission.

LastPass review: A leading password manager with a changing value proposition

Heavy is the head that wears the crown.

lastpass
LastPass

"'Don't put all your eggs in one basket' is all wrong. I tell you 'put all your eggs in one basket, and then watch that basket.'" -- Andrew Carnegie, 1885

When it comes to privacy tools, Andrew Carnegie is usually dead wrong. In the case of password managers, however, Carnegie is usually more dead than wrong. So much of our online privacy and security rely on guarding the single digital basket -- a well-chosen password manager -- into which we've entrusted every login key. To wit, I've been using LastPass so long I don't know when I started using LastPass. But now -- with new restrictions on LastPass' once-legendary free service and the discovery of the web-trackers in the software -- I'm finally making the switch. 

True to millennial peerage, though, I didn't stick around because I'm brand-loyal. I've test-driven other password managers, and with a growing stack of encryption lit at my office-away-from-office, I'm itching to get further under their hoods. LastPass, until recently, outlasted them all. While I'm personally moving over to Bitwarden -- which remains free across multiple devices and has a strong open-source foundation -- I'm still steering plenty of less-techie folks to LastPass, thanks to its overall ease of use.

Read more: Best password manager to use for 2020

While LastPass' extensive free tier gave it a wide margin of victory over its competition against competitors like 1Password, restricting its free service to a single device has closed the gap quickly. Its technical security is generally on par with other premium password managers, but it's still got the advantage of a friendly, intuitive user interface -- the most important factor, I'd argue, in establishing long-term privacy by habit. 

You should generally avoid using any privacy product that stuffs web trackers into your browser, or otherwise make sure any of your personal tracker-blocking tools are enabled on your browser and across your device. But even with LastPass' latest restrictions on its free service, it's still a worthwhile product. 

LastPass

Like

  • Survived a privacy trial-by-fire.
  • Free version is just as good as the premium.
  • Smooth, easy, user-friendly

Don't Like

  • Free version now limited to one device type.
  • Closed-source software
  • History of repeat vulnerabilities
  • Lack of audits

Cost breakdown

At $36 a year, the Premium version of LastPass is a solid deal, sweetened by the inclusion of YubiKey and 1GB of encrypted storage. A $48 annual subscription will get you the Families plan -- that's six individual accounts, shared folders and a dashboard that goes beyond your own security analytics and lets you manage the family accounts. 

Cheaper options are out there -- Bitwarden's first-tier premium version starts at $10 -- but LastPass is on a par with most of its peers in price. Competitors Keeper and 1Password, for instance, cost $30 and $36 respectively for their first-tier premium subscription. 

Loaded with easy-to-use features

If you're new to password managers, here's how it works: You sign up for an account and create a master password. You then use that master password to log into your password manager instead of entering your login information for every different site. 

The autofill feature of LastPass' browser extension -- which allows you to click a drop-down menu in the username and password fields to populate your saved login information for any site you choose -- is seamless enough that it quickly normalizes routine LastPass use as you browse. Where other password managers can become a glitchy mess as they navigate JavaScript demands, LastPass is unintrusive.

Overall security is also bolstered by LastPass' username and password generator -- making it easier to create stronger passwords every time, rather than being tempted to re-use others. This feature is at its best when combined with LastPass' automatic prompts: Not only does LastPass detect data entry fields and invite you to save a new password in your Vault (instead of directly into your browser, something you should never do), but it encourages you to generate a unique one with a single click. 

LastPass' multifactor authentication, a practice we recommend for any apps with sensitive data, is also great for bolstering secure logins. If you're willing to purchase the premium version, LastPass will also cross-reference your information against databases of logins known to be compromised via its Dark Web Monitoring option, alerting you if your email address has been flagged. You'll also get a dashboard full of graphics illustrating your overall security. For instance, a visual gauge analyzes your collection of passwords and displays the percent that are considered too weak.

Smooth functionality

The smooth functionality of LastPass' browser extensions can't be overstated. They've gotten along with nearly every other extension I've used. The same can be said of its mobile apps. Even as app store permission schemas have changed over the years, I've never run into major conflicts between LastPass and other apps. That amiability extends to platforms, too. I've yet to find an operating system or device on which I can't use LastPass. I've recommended it to journalists, lawyers, activists, family -- you name it -- not just because of its compatibility, but because I've found it exceedingly intuitive and user friendly in its setup. 

I can create folders for groups of sites -- carefully partitioned areas are designed to hold your credentials and banking information -- and I can import and export blocks of passwords. Granted, exporting any list of passwords via plain text can be risky. Premium users can even share folders and items, grab some secure note-taking space on the cloud, and set up an emergency contact to access their accounts if they can't. 

Usability and design are about more than how smart a program looks, though. The hardest security flaw to fix is the human one. While security bugs often follow attempts to make software more convenient, it's better to make a privacy tool behaviorally appealing, even if it is slightly less secure. A password manager that's user friendly is one that gets used, and it's infinitely better to have people using slightly flawed security than none at all. 

lastpass-free-desktop-phone-watch

The free version of LastPass is as capable as the paid version of many other password managers, but now it has some limitations.

LastPass

Come back with a warrant

Back in 2015, LastPass was the darling of password managers and LogMeIn was a freshly hated company for having announced they'd now be charging for their remote desktop software. So when LogMeIn announced plans to buy LastPass for $110 million that year, the internet sounded a death knell. LastPass didn't die, though. And, unlike LogMeIn, it didn't suddenly stop offering its freeware. Fast-forward to August 2020 when the ink dried on the $4.3 billion purchase of LogMeIn by private equity firm Francisco Partners and Evergreen Coast Capital, the affiliate of vulture megahedge Elliott Management. 

While LastPass still touts a growing user base in the millions, the former fan base was finally proven right in February: Just like LogMeIn, LastPass' free service got slashed. As of March 16, you're only able to use LastPass' free service on one device. If you're currently using the free service, you'll have to choose one of the two categories, desktop or mobile. But you'll also get three chances to switch between them, so you can figure out which is most useful.

And, yes, LastPass is a US-based company and your data is therefore stored in a Five Eyes jurisdiction -- a mass surveillance and intelligence-sharing ring between countries including the US, UK, Australia and Canada. And yes, both the LastPass and LogMeIn terms of service openly say they will comply with requests from government agencies for access to your information. Unlike with virtual private networks, however, a Five Eyes jurisdiction on a password manager isn't an immediate deal-breaker for me.

With managers like LastPass, your information gets encrypted client-side -- meaning locally, on your computer. The biggest threat to your privacy, then, isn't necessarily that your password manager will be served with a subpoena and a gag order. In theory, there'd be nothing for that company to hand over to authorities anyway.

Case in point: LogMeIn told Forbes in 2019 that LastPass gets fewer than 10 such requests a year. For a privacy company that hit a 25 million-user milestone in September 2020, that's a ridiculously small number of requests. A more important criteria is what a company does with those requests. 

When LastPass got slapped with a legal order from the US Drug Enforcement Administration in 2019, demanding it hand over information on a user such as their passwords and home address, the company basically shrugged. It couldn't give the feds what its own encryption kept it from having.

As I've said of VPNs, surviving a privacy trial by subpoena fire is one of the surest ways a privacy tool can earn my trust. And while being forced to hand over documents to government entities is a liability for any privacy-oriented company, a company that hands over a cache of unreadable data while its parent company loudly decries federal anti-encryption policies is one that gets the nod from me.

Now playing: Watch this: In a world of bad passwords, a security key could be...
4:11

Open sesame

That goodwill gets thrown into question, however, by the fact that LastPass is proprietary software. That means its source code isn't totally open-source (available for public inspection); the company is asking you to trust it, and if there were potential backdoors or vulnerabilities, you'd never know. Shout-out to the coders reading this, however, who will rightly point out that LastPass' browser extensions are JavaScript, so those are de facto open-source, and that LastPass released the code for its command-line client in 2015. 

Regardless, third-party audits would be helpful here. In at least two of its security whitepapers, LastPass claims to have them. Currently, though, LastPass has only a bare-bones organizational audit for 2018-2019 publicly available, along with a list of companies it works with. But those aren't the droids we're looking for.

In a security audit for a password manager, you want to see source code auditing, cryptographic analysis and white box penetration tests -- not only for LastPass' mobile apps and desktop client, but for its backend technology. Why isn't LastPass leading here?

With the trust of 25 million users at stake, LastPass has a responsibility to supply the public with more independent, third-party cybersecurity audits like those conducted for peers RememBearNordPass and Bitwarden. And while LogMeIn keeps a collection of audits for several of its properties, the company says its additional cloud security audit for LastPass is only available if you sign a nondisclosure agreement. 

To make sure I wasn't missing anything, I asked LastPass for the goods. 

"Security is fundamental to what we do and we strive for transparency with our users. We agree that having these security audits and penetration tests are important when evaluating our service, but due to the sensitive nature of these reports, we cannot make them available without a nondisclosure agreement," a company spokesperson told me in an email. 

I declined the offer. 

Under the hood: Data collection and encryption

apple-iphone-lock-cybersecurity-0465
Angela Lang/CNET

The source code is private and the audits are missing, but we know LastPass collects some of your data. That includes basic contact information and billing addresses, as you'd expect, but it also includes your unique device identifier number, your operating system, the IP address you connect from, your location information and what apps you're using LastPass to store passwords for. LogMeIn has repeatedly said it doesn't collect user browsing history.

Most concerning, however, was the recent unearthing of LastPass' use of web trackers, which came into the spotlight after a security researcher recommended switching away from the password manager based on the findings of a well-known privacy advocacy app. The Exodus Privacy app, developed by the Guardian Project to document the number of trackers and permissions other apps use, discovered seven web trackers in the Android version of LastPass.

The web trackers on LastPass include those from Google Analytics, AppsFlyer and Mixpanel. While LastPass' password encryption normally protects your passwords from being viewed by any tracker or site, these trackers let third-party companies collect a startlingly complete record of the sites you visit. Meanwhile, competitor 1Password was found by the same researchers to have zero web trackers. Bitwarden was found to have two items classified as web trackers, but they function as an optional crash-reporting tool and don't track actual web activity. Regardless, Bitwarden offers a version without them. 

While jurisdiction concerns may not be a deal-breaker for my own choice of password manager, a suite of web trackers in a privacy app definitely is. Web trackers may be a du jour revenue model among free software and the data they collect -- some might argue -- is anonymized sufficiently. But it's not that hard to unmask real people in anonymous data. More importantly, it's insulting to pay for a premium privacy service, only to have that privacy service tail me during internet browsing.

On the security front, though, LastPass is generally solid. Of all the types of attacks a password manager has to ward off, it generally needs to be strongest against brute force attacks -- those aimed at cracking passwords by breaking encryption. 

LastPass encrypts your information with AES-256 -- that's the baseline standard for encryption that you should expect from any privacy product. It also employs something called PBKDF2 -- it's how your master password gets turned into a key to unlock that encryption. 

Sure, if you're the type of person at whom the US government would target its full capacity for quantum computing and an absurd amount of manhours (e.g., Edward Snowden) then LastPass may not be your best bet. 

But the rest of us -- barring some bizarre, inside-job exploit of LastPass' One Time Password account recovery feature -- can feel fairly confident that we aren't worth someone enduring the 100,100 PBKDF2 iterations required to get close to our passwords.

Now playing: Watch this: Are passwords dead? Let's talk about the future of authentication
7:40

The rap sheet

The mark of a good privacy tool isn't a clean rap sheet. It's how the company responds to incidents and vulnerabilities. Are they transparent and timely in telling the public? How bad were users hit? Do they respond quickly with repairs and incorporate what they've learned into long-term improvements? 

In LastPass' case, the company has created an environment that encourages bug-hunters and security researchers. Despite its lengthy list of discovered vulnerabilities, it's so far only had two significant user data breaches (only one of which was malicious and resulted in actual user data loss). It generally responds quickly to vulnerabilities and rolls out updates along with its tidy log of release notes. Still, it's had more issues than many of its competitors, and their trail stretches all the way back to 2011. 

The 2015 breach saw the most publicity and is the only breach noted on LastPass' official site. The same year, though, Asana Security Head Sean Cassidy discovered a phishing vulnerability created by a CSRF bug, and a research paper emerged detailing another CSRF bug and how LastPass's Safari bookmarklet option was found vulnerable if users were tricked into clicking certain parts of an attacker's site. 

The hits kept coming in 2016: Two vulnerabilities were found. One was discovered by security researcher Mathias Karlsson, and the other by Google Project Zero bug assassin Tavis Ormandy, the latter prompting LastPass to urge users to update their browsers. 

Ormandy wasn't done with LastPass, though. In 2017, he found another browser extension leak, which LastPass fixed. His work foreshadowed that of University of York researchers in 2019 who found a vulnerability that would allow malicious copycat apps to exploit LastPass' autofill feature. By 2019, Ormandy was coming back for another helping, discovering a third browser extension vulnerability -- which LastPass again resolved -- that would expose login credentials you entered on a previously visited site.

Heavy is the head

Without seeing the audits, it's hard to pinpoint exactly why LastPass has accumulated such a long list of found bugs compared to its competitors. That length could speak to the popularity and ongoing evolution of a complex piece of software, or be held as evidence of slipshod development and recurring problems. 

When I reached out to the company about it, LastPass pointed out it welcomes bug-hunters and rightly cautioned users against choosing any vendor that hasn't publicly disclosed a bug or incident. 

"LastPass is the leading password manager, for both consumers and businesses -- there is no other password manager on the market that is more widely used. As such we're more likely to catch the attention of security researchers," a company spokesperson said in an email. 

"LastPass can offer a stronger, more secure product in part because of the important work the research community does. We continue to incentivize their contributions through our third-party bug bounty program," the spokesperson added. "We are confident LastPass is stronger for the attention."

apple-iphone-key-0405
Angela Lang/CNET

They've right about being stronger for it. Every time Ormandy came at it, steel sharpened steel and overall security was hardened. And they've got a point about popularity. If I were a bug-hunting security researcher with ambition and ethics (or I just needed a couple hundred bucks), my impulse would be to go after popular privacy tools with proprietary software in jurisdictions under domestic mass surveillance. LastPass would, by all metrics, make for excellent target practice.

These points would be stronger, though, if there weren't a signal in the noise here. A closer analysis of the rap sheet reveals that this is no scatter plot of random bugs, but a map of LastPass' battles against a some of the same Achilles' heels afflicting nearly all password managers: When any password manager uses a browser extension to autofill your username and password fields, it opens up a wide vector for all kinds of risks. 

Those risks were magnified in LastPass' case by a URL visibility issue and its historically insecure API -- meaning a potentially malicious website could pose as a legitimate website and "talk" to LastPass, convincing it to hand over your logins for the legitimate site. Using only a desktop client would mitigate most of that risk. But password managers only work when people use them regularly -- and no one uses desktop clients as frequently as mobile apps and browser extensions. 

We all need to see those audits. If the public can more clearly measure the arc and trajectory of LastPass' long-term strategy to secure its API against the historical hazards of JavaScript browser extensions, then the security of every password manager on the market would benefit from its developers' work fixing the notorious autofill problem. What's more, the privacy and security of every person on the internet can be made demonstrably safer. That's what a leader would do. 

Besides, wouldn't LastPass be stronger for the attention?