Editor's note, Jan. 12, 2023: In December 2022, LastPass revealed that the breach it originally disclosed in August had eventually led to an unauthorized party gaining access to unencrypted user data and customer vaults containing even more data. This breach significantly undermines LastPass's effectiveness as a privacy tool and consumer trust in the product. In light of the severity of this latest breach and given LastPass's lengthy history of security issues, we have decided to remove LastPass from our list of recommended password managers at this time. If you're a LastPass subscriber, take a look at CNET's advice on what to do in the wake of the breach. If you're looking for an alternative, take a look at our list of the best password managers. Below, you'll find our earlier LastPass review as it was written prior to the latest incident, in 2021. We will be conducting a thorough re-review of the password manager in the near future.
"'Don't put all your eggs in one basket' is all wrong. I tell you 'put all your eggs in one basket, and then watch that basket.'" -- Andrew Carnegie, 1885
When it comes to privacy tools, Andrew Carnegie is usually dead wrong. In the case of password managers, however, Carnegie is usually more dead than wrong. So much of our online privacy and security rely on guarding the single digital basket -- a well-chosen password manager -- into which we've entrusted every login key. To wit, I've been using LastPass so long I don't know when I started using LastPass. But now -- with new restrictions on LastPass' once-legendary free service and the discovery of web trackers in the software -- I'm finally making the switch.
True to millennial form, though, I didn't stick around because I'm brand-loyal. I've test-driven other password managers, and with a growing stack of encryption lit at my office-away-from-office, I'm itching to get further under their hoods. LastPass, until recently, outlasted them all. While I'm personally moving over to Bitwarden -- which remains free across multiple devices and has a free, open-source foundation -- I'm still steering plenty of less-techie folks to LastPass, thanks to its overall ease of use.
Read more: Best password manager to use for 2021
While LastPass' extensive free tier gave it a wide margin of victory over competitors like 1Password, restricting its free service to a single device has closed the gap quickly. Its technical security is generally on par with other premium password managers, but it still has the advantage of a friendly, intuitive user interface -- the most notable factor, I'd argue, in establishing long-term privacy by habit.
You should generally avoid using any privacy product that stuffs web trackers into your browser, or otherwise make sure any of your personal tracker-blocking tools are enabled on your browser and across your network. But even with LastPass' latest restrictions on its free service, it's still a worthwhile product.
Like
- Survived a privacy trial-by-fire.
- Free version is just as good as the premium.
- Smooth, easy, user-friendly
Don't Like
- Free version now limited to one device type.
- Closed-source software
- History of reported vulnerabilities
- Lack of audits
Cost breakdown
At $36 a year, the Premium version of LastPass is a solid deal, sweetened by the inclusion of YubiKey support and 1GB of encrypted storage. A $48 annual subscription will get you the Families plan -- that's six individual accounts, shared folders and a dashboard that goes beyond your own security analytics and lets you manage the family accounts.
Cheaper options are out there -- Bitwarden's first-tier premium version starts at $10 -- but LastPass is on a par with most of its peers in price. Competitors Keeper and 1Password, for instance, cost $30 and $36 respectively for their first-tier premium subscription.
Loaded with easy-to-use features
If you're new to password managers, here's how it works: You sign up for an account and create a master password. You then use that master password to log into your password manager instead of entering your login information for every different site.
The autofill feature of LastPass' browser extension -- which allows you to click a drop-down menu in the username and password fields to select your saved login information for any site you visit -- is seamless enough that it quickly normalizes routine LastPass use as you browse. Where other password managers can become a glitchy mess as they navigate JavaScript-heavy pages, LastPass is unintrusive.
Overall security is also bolstered by LastPass' username and password generator -- making it easier to create stronger passwords every time, rather than being tempted to re-use others. This feature is at its best when combined with LastPass' automatic prompts: Not only does LastPass detect data entry fields and prompt you to save a new password in your Vault (instead of directly into your browser, something you should never do), but it encourages you to generate a new one with a single click.
LastPass' multifactor authentication, a practice we recommend for any apps with sensitive data, is also great for bolstering secure logins. If you're willing to buy the premium version, LastPass will also cross-reference your information against databases of logins known to be compromised via its Dark Web Monitoring option, alerting you if your email address has been flagged. You'll also get a dashboard full of graphics illustrating your overall security. For instance, a visual gauge analyzes your collection of passwords and displays the percentage that are considered too weak.
Smooth functionality
The smooth functionality of LastPass' browser extensions can't be overstated. They've gotten along with nearly every other extension I've used. The same can be said of its mobile apps. Even as app permission schemas have changed over the years, I've never run into major conflicts between LastPass and other apps. That amiability extends to platforms, too. I've yet to find an operating system or device on which I can't use LastPass. I've recommended it to journalists, lawyers, activists, family -- you name it -- not just because of its versatility, but because I've found it exceedingly intuitive and user friendly in its setup.
I can create folders for groups of sites -- carefully partitioned areas are designed to hold your credentials and banking information -- and I can import and export blocks of passwords. Granted, exporting any list of passwords via plain text can be risky. Premium users can even share folders and items, grab some secure note-taking space on the side, and set up an emergency contact to access their accounts if they can't.
Usability and design are about more than how slick a program looks, though. The hardest security flaw to fix is the human one. While security bugs often follow attempts to make software more convenient, it's better to make a privacy tool behaviorally compelling, even if it is slightly less secure. A password manager that's user friendly is one that gets used, and it's infinitely better to have people using slightly flawed security than none at all.
The free version of LastPass is as good as the paid version of many other password managers, but now it has some limitations.
Come back with a warrant
Back in 2015, LastPass was the darling of password managers and LogMeIn was a freshly hated company for having announced it would now be charging for its remote desktop software. So when LogMeIn announced plans to buy LastPass for $110 million that year, the internet sounded a death knell. LastPass didn't die, though. And, unlike LogMeIn, it didn't suddenly stop offering its freeware. Fast-forward to August 2020, when the ink dried on the $4.3 billion purchase of LogMeIn by private equity firm Francisco Partners and Evergreen Coast Capital, the affiliate of vulture megahedge Elliott Management.
While LastPass still touts a growing user base in the millions, the old fan base was finally proven right in February: Just like LogMeIn, LastPass' free service got slashed. As of March 16, you're only able to use LastPass' free service on one device type. If you're currently using the free service, you'll have to choose one of the two categories, desktop or mobile. But you'll also get three chances to switch between them, so you can figure out which is most useful.
And, yes, LastPass is a US-based company and your data is therefore bound in a Five Eyes jurisdiction -- a mass surveillance and intelligence-sharing ring between nations including the US, UK, Australia and Canada. And yes, both the LastPass and LogMeIn terms of service openly say they will comply with requests from government organizations for access to your information. Unlike with virtual private networks, however, a Five Eyes jurisdiction on a password manager isn't an immediate deal-breaker for me.
With managers like LastPass, your data gets encrypted client-side -- meaning locally, on your computer. The biggest threat to your privacy, then, isn't necessarily that your password manager will be served with a subpoena and a gag order. In theory, there'd be nothing for that company to hand over to authorities anyway.
Case in point: LogMeIn told Forbes in 2019 that LastPass gets fewer than 10 such requests a year. For a privacy company that hit a 25 million-user milestone in September 2020, that's a ridiculously small number of requests. A more important criterion is what a company does with those requests.
When LastPass got slapped with a court order from the US Drug Enforcement Administration in 2019, demanding it hand over data on a user such as their passwords and home address, the company basically shrugged. It couldn't give the feds what its own encryption kept it from having.
As I've said of VPNs, surviving a privacy trial by subpoena fire is one of the surest ways a privacy tool can earn my approval. And while being forced to hand over documents to government entities is a liability for any privacy-oriented company, a company that hands over a cache of unreadable data after its parent company loudly decries federal anti-encryption policies is one that gets the nod from me.
Open sesame
That goodwill gets thrown into question, however, by the fact that LastPass is proprietary software. That means its source code isn't totally open-source (available for public inspection); the company is asking you to trust it, and if there were potential backdoors or vulnerabilities, you'd never know. Shout-out to the coders reading this, though, who will rightly point out that LastPass' browser extensions are JavaScript, so those are de facto open-source, and that LastPass released the code for its command-line client in 2015.
Regardless, third-party audits would be helpful here. In at least two of its security whitepapers, LastPass claims to have them. Currently, though, LastPass has only a bare-bones organizational audit for 2018-2019 publicly available, along with a list of companies it works with. But those aren't the droids we're looking for.
In a security audit for a password manager, you want to see source code auditing, cryptographic analysis and white box penetration tests -- not only for LastPass' mobile apps and desktop software, but for its backend technology. Why isn't LastPass leading here?
With the security of 25 million users at stake, LastPass has a duty to supply the public with more independent, third-party cybersecurity audits like those conducted for peers RememBear, NordPass and Bitwarden. And while LogMeIn keeps a collection of audits for several of its properties, the company says its additional cloud security audit for LastPass is only available if you sign a nondisclosure agreement.
To make sure I wasn't missing anything, I asked LastPass for the goods.
"Security is core to what we do and we strive for transparency with our users. We agree that having these security audits and penetration tests are important when evaluating our service, but due to the sensitive nature of these reports, we cannot make them available without a nondisclosure agreement," a company spokesperson told me in an email.
I declined the offer.
Under the hood: Data collection and encryption
The source code is closed and the audits are missing, but we know LastPass collects some of your data. That includes basic contact information and billing addresses, as you'd expect, but it also includes your unique device identifier number, your operating system, the IP address you connect from, your location information and what apps you're using LastPass to store passwords for. LogMeIn has repeatedly said it doesn't collect user browsing history.
Most concerning, however, was the recent discovery of LastPass' use of web trackers, which came into the spotlight when a security researcher recommended switching away from the password manager based on the findings of a well-known privacy advocacy app. The Exodus Privacy app, developed by the Guardian Project to document the number of trackers and permissions mobile apps use, discovered seven web trackers in the Android version of LastPass.
The web trackers on LastPass included those from Google Analytics, AppsFlyer and Mixpanel. While LastPass' password encryption normally protects your passwords from being viewed by any tracker or site, these trackers let third-party companies collect a startlingly complete record of the sites you visited. Meanwhile, competitor 1Password was found by the same researchers to have zero web trackers. Bitwarden was found to have two items classified as web trackers, but they function as an optional crash-reporting tool and don't track actual web activity. Regardless, Bitwarden offers a version without them.
While jurisdiction anxieties may not be a deal-breaker for my own pick of password manager, a suite of web trackers in a privacy app definitely is. Web trackers may be a du jour revenue model with free software, and the data they collect -- some would argue -- is anonymized sufficiently. But it's not that hard to unmask real people in anonymous data. More importantly, it's insulting to pay for a premium privacy service, only to have that privacy service tail me during internet browsing.
On the security front, though, LastPass is generally solid. Of all the types of attacks a password manager has to ward off, it generally needs to be strongest against brute force attacks -- those aimed at cracking passwords by guessing them until the encryption gives way.
LastPass encrypts your data with AES-256 -- that's the baseline standard for encryption that you should expect from any privacy product. It also employs something called PBKDF2 -- it's how your master password gets turned into a key to unlock that encryption.
Sure, if you're the type of person at whom the US government would target its full capacity for quantum computing and an absurd amount of manhours (e.g., Edward Snowden), then LastPass may not be your best bet.
But the rest of us -- barring some bizarre, inside-job exploit of LastPass' One Time Password account recovery feature -- can feel fairly confident that we aren't worth someone enduring the 100,100 PBKDF2 iterations required to get close to our passwords.
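Added example (not LastPass code, and not a description of its actual protocol): PBKDF2-HMAC-SHA256 written out so the per-guess cost behind the 100,100-iteration figure is visible, plus an illustrative split between a client-only vault key and a separately derived login verifier, which is why a server that only holds the verifier has nothing useful to hand over. The e-mail-as-salt choice and the sample credentials are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

ITERATIONS = 100_100   # iteration count quoted in the review
KEY_LEN = 32           # 256-bit key, the size AES-256 needs


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018) over HMAC-SHA256, written out so the per-guess cost is visible.
    Each output block runs `iterations` chained HMACs; an attacker pays this per guess."""
    derived = b""
    block = 1
    while len(derived) < dklen:
        u = hmac.new(password, salt + struct.pack(">I", block), hashlib.sha256).digest()
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            acc ^= int.from_bytes(u, "big")          # T_i = U_1 xor U_2 xor ... xor U_c
        derived += acc.to_bytes(32, "big")
        block += 1
    return derived[:dklen]


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client-side key that never leaves the device. Assumption (constructed for this
    example): the lower-cased account e-mail serves as the salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, KEY_LEN)


def derive_login_verifier(vault_key: bytes, master_password: str) -> bytes:
    """Server-side credential: one more PBKDF2 round over the key, so the server can
    check a login but cannot turn what it stores back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def check_login(stored_verifier: bytes, master_password: str, email: str,
                iterations: int = ITERATIONS) -> bool:
    """What a server does at login; constant-time compare avoids a timing side channel."""
    candidate = derive_login_verifier(derive_vault_key(master_password, email, iterations),
                                      master_password)
    return hmac.compare_digest(stored_verifier, candidate)


def main() -> None:
    email, pw = "user@example.com", "correct horse battery staple"   # constructed sample
    start = time.perf_counter()
    key = derive_vault_key(pw, email)
    per_guess = time.perf_counter() - start
    print(f"one derivation at {ITERATIONS:,} iterations: {per_guess:.3f}s")
    print(f"a million guesses at that rate: ~{per_guess * 1_000_000 / 3600:.1f} hours")
    verifier = derive_login_verifier(key, pw)
    print("correct password accepted:", check_login(verifier, pw, email))
    print("wrong password accepted:", check_login(verifier, pw + "!", email))

if __name__ == "__main__":
    main()
```

The hand-written `pbkdf2_hmac_sha256` exists only to show the work; in practice use `hashlib.pbkdf2_hmac` (as the other functions do) or a memory-hard KDF.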
The rap sheet
The mark of a good privacy tool isn't a spotless rap sheet. It's how the company responds to incidents and vulnerabilities. Are they transparent and timely in telling the public? How badly were users hit? Do they respond quickly with fixes and incorporate what they've learned into long-term improvements?
In LastPass' case, the company has created an environment that encourages bug-hunters and security researchers. Despite its lengthy list of discovered vulnerabilities, it's so far only had two well-known user data breaches (only one of which was malicious and resulted in actual user data loss). It generally responds quickly to vulnerabilities and rolls out updates complete with its tidy log of release notes. Still, it's had more issues than many of its competitors, and their trail stretches all the way back to 2011.
The 2015 breach saw the most publicity and is the only breach noted on LastPass' official site. The same year, though, Asana Security Head Sean Cassidy discovered a phishing vulnerability caused by a CSRF bug, and a research paper emerged detailing another CSRF bug and how LastPass's Safari bookmarklet option was found vulnerable if users were tricked into clicking certain parts of an attacker's site.
The hits kept coming in 2016: Two vulnerabilities were found. One was discovered by security researcher Mathias Karlsson, and the other by Google Project Zero bug hunter Tavis Ormandy, the latter prompting LastPass to urge users to update their browsers.
Ormandy wasn't done with LastPass, though. In 2017, he found another browser extension leak, which LastPass fixed. His work foreshadowed that of University of York researchers in 2019 who found a vulnerability that would allow malicious copycat apps to exploit LastPass' autofill feature. By 2019, Ormandy was coming back for another helping, discovering a third browser extension vulnerability -- which LastPass again resolved -- that would expose login credentials you entered on a previously visited site.
Heavy is the head
Without seeing the audits, it's hard to pinpoint exactly why LastPass has accumulated such a long list of found bugs compared to its competitors. That length could attest to the popularity and ongoing evolution of a core piece of software, or be held as evidence of slipshod development and recurring problems.
When I reached out to the company about it, LastPass pointed out it welcomes bug-hunters and rightly cautioned users against choosing any vendor that hasn't publicly disclosed a bug or incident.
"LastPass is the leading password manager, for both consumers and businesses -- there is no other password manager on the market that is more widely used. As such we're more likely to catch the attention of security researchers," a company spokesperson said in an email.
"LastPass can offer a stronger, more secure product in part because of the important work the research community does. We continue to incentivize their contributions through our third-party bug bounty program," the spokesperson added. "We are confident LastPass is stronger for the attention."
They've got a point about being stronger for it. Every time Ormandy came at it, steel sharpened steel and overall security was hardened. And they've got a point about popularity. If I were a bug-hunting security researcher with ambition and ethics (or I just needed a couple hundred bucks), my impulse would be to go after popular privacy tools with proprietary software in jurisdictions with domestic mass surveillance. LastPass would, by all metrics, make for superb target practice.
These points would be stronger, though, if there weren't a signal in the noise here. A closer analysis of the rap sheet reveals that this is no scatter plot of random bugs, but a map of LastPass' struggles against some of the same Achilles' heels afflicting nearly all password managers: When any password manager uses a browser extension to autofill your username and password fields, it opens up a wide vector for all kinds of risks.
Those risks were magnified in LastPass' case by a URL visibility issue and its historically insecure API -- meaning a potentially malicious website could pose as a legitimate website and "talk" to LastPass, convincing it to hand over your logins for the legitimate site. Using only a desktop client would mitigate most of that risk. But password managers only work when people use them regularly -- and no one uses desktop clients as frequently as mobile apps and browser extensions.
We all need to see those audits. If the public can more clearly measure the arc and trajectory of LastPass' long-term strategy to secure its API against the historical hazards of JavaScript browser extensions, then the security of every password manager on the market would benefit from its developers' work fixing the notorious autofill dilemma. What's more, the privacy and security of every person on the internet can be made demonstrably safer. That's what a leader would do.
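Added example (not LastPass code): the first line of defense against a page posing as a legitimate site is the autofill origin check. Below, a loose "saved host appears somewhere in the URL" rule is placed beside a strict scheme-plus-host-plus-port comparison, run over constructed sample URLs (the bank.example and evil.test names are placeholders, not real sites).

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]


def naive_match(saved_url: str, page_url: str) -> bool:
    """The weak rule: 'does the saved host string appear anywhere in the page URL?'
    This is the kind of loose matching that lets a look-alike page ask for a credential."""
    host = urlsplit(saved_url).hostname or ""
    return host in page_url.lower()


def origin(url: str) -> Optional[Origin]:
    """Scheme, host and port (defaults filled in), or None if the URL is not http(s)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, port


def strict_match(saved_url: str, page_url: str) -> bool:
    """Release only to the exact origin the credential was saved under: a different
    scheme (HTTPS -> HTTP downgrade), port or host, including a host that merely
    contains the saved name, counts as a different site."""
    saved, page = origin(saved_url), origin(page_url)
    return saved is not None and saved == page


def autofill_for(vault, page_url: str):
    """Return the single vault entry whose origin matches the page, or None."""
    for entry in vault:
        if strict_match(entry["url"], page_url):
            return entry
    return None


# Constructed sample vault and pages (placeholders, not real sites).
VAULT = [{"url": "https://bank.example/login", "user": "alice"}]
PAGES = [
    "https://bank.example/accounts",            # same origin: fill
    "https://bank.example.evil.test/login",     # look-alike subdomain: refuse
    "https://evil.test/?next=bank.example",     # saved host only in the query: refuse
    "http://bank.example/login",                # downgraded scheme: refuse
    "https://bank.example:8443/login",          # different port: refuse
]

if __name__ == "__main__":
    for page in PAGES:
        print(f"{page:42} naive={naive_match(VAULT[0]['url'], page)!s:5} "
              f"strict={autofill_for(VAULT, page) is not None}")
```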
Besides, wouldn't LastPass be stronger for the attention?