
Is LastPass safe to use? A look at its security approach

Featured 17.12.2025 9 mins
Written by Sayb Saad
Reviewed by Ana Jovanovic
Edited by Sam Boyd

LastPass is one of the oldest cloud-based password managers, designed to help users store and manage passwords. The company has also published public disclosures about security-related incidents.

For example, in 2022, LastPass experienced a data breach that exposed unencrypted customer metadata and encrypted vault contents (passwords and secure notes were not exposed in plaintext at the time of the breach). In response, the company disabled and replaced some access codes and security keys and reported changes related to password and account security.

In this guide, we break down LastPass’s current security model so you can decide whether it’s the right fit for you.

What is LastPass, and how does it work?

LastPass is a cloud-based password manager that stores your logins and other sensitive information in an encrypted vault. It uses 256-bit Advanced Encryption Standard (AES) to encrypt your data on your device before syncing it to the cloud. When you sign into your LastPass account, your device retrieves the encrypted data and decrypts it locally, allowing you to manage or autofill your passwords.

LastPass also uses a zero-knowledge architecture for vault contents and the master password. This means LastPass stores only encrypted vault data on its servers and does not have access to users’ master passwords or vault contents in plaintext.

On top of password storage, LastPass includes support for passkeys, so you can use passwordless logins on compatible sites. Thanks to how they work, passkeys can reduce exposure to certain types of social engineering attacks.

Master password and vault access

Your master password is the single key that unlocks your vault. You create it during account creation, and it’s stored locally on your device. When you log in, your device derives two values from the master password:

  • A cryptographic key that decrypts your vault locally.
  • A hashed authentication value that LastPass uses to verify the login.

Only the hash is sent to LastPass, which lets the service confirm your identity without learning your password. Because the encryption key is generated on the device, LastPass notes it can’t recover the vault if the password is lost. However, it does offer several recovery options, including mobile account recovery using biometrics and a master password hint.

LastPass encryption explained

As mentioned, LastPass protects vault contents with AES 256-bit encryption, a widely used and well-established encryption standard. Your device encrypts entries before upload, and the data remains encrypted while stored and synced.

When you create a LastPass account, you choose an email address and a master password. LastPass uses these two pieces of information together as part of its vault protection mechanism. Instead of sending your master password to LastPass, your device processes it locally.

Your master password is combined with your email address and run through a process that deliberately makes it slow to guess. This process creates cryptographic values that are used both to encrypt your vault and to verify your identity when you log in. These derived values are shared with LastPass; the master password isn’t stored or transmitted.
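The two-value derivation described here and under "Master password and vault access", as an added Python illustration that is not LastPass's code: the master password and email go through a deliberately slow derivation on the device, producing a vault key that stays local and a separate one-way login value that is all the server ever stores. PBKDF2-HMAC-SHA256 salted with the email, the toy server class, and the sample account are assumptions made for this example; the 600,000 default is the iteration count the article recommends confirming.

```python
import hashlib
import hmac

CURRENT_ITERATIONS = 600_000  # the count the article says to confirm in Account Settings


def derive_client_values(email, master_password, iterations=CURRENT_ITERATIONS):
    """Device-side derivation returning (vault_key, login_hash).
    vault_key never leaves the device and encrypts/decrypts the vault locally;
    login_hash is the one-way value sent to the server to verify the login.
    PBKDF2-HMAC-SHA256 salted with the normalised email is an assumption for this
    example; the article describes only a slow derivation with an iteration count.
    """
    salt = email.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)
    # One more one-way step: the stored login value cannot be turned back into
    # the vault key, and the master password itself is never transmitted.
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)
    return vault_key, login_hash


class ZeroKnowledgeServer:
    """Toy server: holds only login hashes and opaque encrypted vault blobs."""

    def __init__(self):
        self.records = {}  # email -> (login_hash, encrypted_vault_blob)

    def register(self, email, login_hash, encrypted_vault):
        self.records[email] = (login_hash, encrypted_vault)

    def login(self, email, login_hash):
        """Return the encrypted blob if the hash matches (constant-time), else None."""
        record = self.records.get(email)
        if record is None or not hmac.compare_digest(record[0], login_hash):
            return None
        return record[1]


def demo(iterations=CURRENT_ITERATIONS):
    """Constructed walkthrough: register, log in, then fail with a wrong password."""
    email, password = "user@example.com", "correct horse battery staple"  # constructed
    key, login_hash = derive_client_values(email, password, iterations)
    server = ZeroKnowledgeServer()
    server.register(email, login_hash, b"<AES-256 ciphertext produced on the device>")
    got_blob = server.login(email, login_hash) is not None
    _, wrong_hash = derive_client_values(email, "wrong password", iterations)
    rejected = server.login(email, wrong_hash) is None
    # Nothing the server holds equals or contains the vault key.
    key_on_server = any(key == h or key in blob for h, blob in server.records.values())
    return got_blob, rejected, key_on_server
```

Because the email is the salt, two users with the same master password get different keys and different login values, and an attacker holding a stolen blob still has to pay the full iteration cost for every guess.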

What to know about the 2022 LastPass data breach and its aftermath

LastPass faced two connected security incidents in 2022. The first involved a compromised engineer account in the development environment. The second used information from that intrusion to access a third-party cloud storage service that held archived customer data, including encrypted vault backups and metadata.

How LastPass responded and what changed

After the initial breach, LastPass removed the compromised development environment and rebuilt it as part of its response to the intrusion. It introduced additional security controls and replaced internal secrets and digital certificates that may have been exposed.

When investigators confirmed the attacker had accessed cloud backup storage, LastPass treated this as a separate incident. It rotated exposed secrets, applied new cloud-security policies, tightened access restrictions, expanded monitoring and logging, and hardened security controls across its infrastructure.

What information was exposed in the breach?

The two incidents exposed different sets of data. In the first incident, the attacker accessed a cloud-based development environment and copied portions of LastPass’s source code and technical documentation. According to LastPass, this environment did not contain customer or vault data.

In the second incident, the attacker targeted cloud-hosted backups containing:

  • Customer metadata: Account and personal details such as names, email addresses, billing information, phone numbers, and IP addresses. Portions of this information were not encrypted.
  • Encrypted vault backups: The stolen backups included visible website URLs. Items such as passwords, usernames, secure notes, and form-fill data remained encrypted.
  • Operational secrets: Internal configuration data, API keys, and third-party integration secrets used across LastPass systems.
  • Encrypted MFA/federation database: A backup of LastPass’s multi-factor authentication (MFA) and federation data was accessed, including authenticator seeds and backup phone numbers (where enabled). Although the data was encrypted, LastPass disclosed that the threat actor also obtained the storage access key and decryption keys needed to access the encrypted backups.

Evaluating LastPass after the 2022 security incidents

LastPass stated that the threat actor may still possess copies of encrypted vault data taken during the 2022 breach and may attempt to use brute-force methods to guess master passwords and decrypt those copies. While the encrypted vault contents remain protected by encryption, exposed metadata could still be used for phishing or other targeted attacks.

Whether LastPass is the right fit for you depends on:

  • Master password strength: A strong, unique master password is essential. Use a long passphrase made up of unrelated words, and aim for at least 12 characters. Weak or reused passwords significantly reduce the effort required to brute-force an encrypted vault.
  • Iteration count: Confirm your vault is set to a high iteration count (currently 600,000 iterations). To do this, log into your vault and navigate to Account Settings > Show Advanced Settings. In the Security section, you’ll find the Password Iterations field.
  • Vault and account protections: Review your vault for weak, reused, or exposed passwords, especially for sensitive accounts, and update them if your security settings were weaker at the time of the incidents. It’s also important to review login history for unfamiliar activity and enable MFA to reduce the risk of unauthorized access. Some services, including LastPass itself, offer breach monitoring alerts that notify you if your email address appears in a known data leak.

Security features of LastPass

LastPass offers a relatively wide range of features. In this section, we’ll focus on the ones specifically designed to improve security.

Autofill functionality

This is a basic password manager feature that’s not only convenient but also helps reduce the risk of accidentally entering your credentials on fake websites. When you log into a legitimate site or app, LastPass can prompt you to save your credentials in your encrypted vault. On future visits, it shows the matching login in a pop-up, allowing you to fill it with a single click or tap. Because LastPass matches logins to specific websites, autofill is limited to associated domains rather than look-alike or unrelated sites, even if they appear similar.
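To make the domain-matching rule concrete, here is an added Python example (not LastPass's implementation) of an autofill gate that only offers a saved login when the current page belongs to the same site as the saved entry. The two-label "registrable domain" rule is a simplification standing in for the Public Suffix List, and every URL in CASES is constructed.

```python
from urllib.parse import urlsplit


def site_of(url):
    """Return the site (registrable domain) a URL belongs to, or None.

    Simplification for this example: the registrable domain is the last two
    hostname labels (login.example.com -> example.com). Real password managers
    consult the Public Suffix List so hosts such as shop.example.co.uk resolve
    correctly; that lookup is omitted here.
    """
    host = urlsplit(url).hostname  # lower-cased; port and userinfo stripped
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def autofill_allowed(saved_url, current_url):
    """Decide whether a login saved for saved_url may be offered on current_url.

    Sites are compared label by label, so look-alike hostnames (examp1e.com,
    example.com.evil.test, homoglyph domains, userinfo tricks) never match even
    when they look right to a human.
    """
    saved_site, current_site = site_of(saved_url), site_of(current_url)
    if saved_site is None or current_site is None:
        return False
    return saved_site == current_site


# Constructed cases: (saved entry URL, current page URL, expected decision).
CASES = [
    ("https://example.com/login", "https://example.com/login", True),
    ("https://example.com/login", "https://accounts.example.com/signin", True),
    ("https://example.com/login", "https://example.com.evil.test/login", False),
    ("https://example.com/login", "https://examp1e.com/login", False),
    ("https://example.com/login", "https://exаmple.com/login", False),  # Cyrillic 'а'
    ("https://example.com/login", "https://example.com@evil.test/", False),
]


def run_cases(cases=CASES):
    """Return (current_url, decision) for each constructed case."""
    return [(current, autofill_allowed(saved, current)) for saved, current, _ in cases]
```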

Password generator and strength reports

The built-in password generator lets you control password length and choose whether to include uppercase and lowercase letters, numbers, and symbols. It also offers options to generate passwords that are easier to say or read by excluding numbers, special characters, or ambiguous characters.

LastPass evaluates each generated password and shows a strength meter before you commit to using it. The Security Dashboard gives you a security score based on the overall strength of the passwords in your vault and whether you’ve enabled MFA. This lets you see weak and reused passwords and review alerts in one place.

Secure password sharing options

When you share a credential with someone who already has a LastPass account, it appears in their vault. You can control whether the recipient can view the password or use it without viewing it. Access can be revoked at any time, which removes the item from their vault.

Shared folders extend this model to multiple users and multiple vault items. You add items into a folder and invite other LastPass users, assigning permissions that control whether each person can use the items, edit them, or manage the folder itself. You can also remove a user from a shared folder at any time.

Dark web monitoring

Dark web monitoring checks whether email addresses stored in your vault appear in known breach datasets. When enabled, it performs an initial scan and then continues monitoring, alerting you in the app and by email if a breach involves one of your addresses.

Email addresses are hashed before being checked, so only hashed identifiers are compared against breach data. This allows breach detection without revealing the underlying email addresses.

You can monitor up to 10 email addresses on the Free plan and up to 200 on the Premium, Families, Teams, or Business plans. When an alert appears, LastPass recommends updating the affected account with a strong, unique password as soon as possible.

Multi-factor authentication features

MFA is an optional feature that adds an extra verification step when you access your vault. After you enter your master password, you confirm the login using a second factor, such as an authenticator app or physical security key. This means that, even if someone learns your master password, access would still require an additional verification step.

LastPass supports a variety of MFA options, including app-based authentication, hardware security keys, and biometric verification on supported devices. Note that the LastPass Authenticator app can also be used for two-factor authentication (2FA)-based sign-in methods for your other accounts.

LastPass alternatives

Here are some LastPass alternatives you can consider if you’re looking for a different approach to security, a different feature set (whether that means a more comprehensive toolset or a more lightweight solution), or simply another option to compare:

  • 1Password: A password manager that uses a Secret Key in addition to the master password and supports hardware security keys and passkeys.
  • Bitwarden: An open-source, lightweight password manager with a straightforward approach to credential management.
  • ExpressVPN Keys: ExpressVPN’s password manager that offers unlimited password storage and autofill features for users who want a simple, bundled option.

FAQ: Common questions about LastPass

What security measures does LastPass use today?

LastPass was rebuilt with stricter security controls after its 2022 breach. It still uses a zero-knowledge model and end-to-end encryption (E2EE) for vault data. However, your security also depends on the strength of your master password.

Did LastPass get hacked in 2022?

Yes, attackers accessed LastPass’s development environment, then breached a third-party cloud storage service holding archived backups in 2022. The information exposed included portions of LastPass’s source code, operational secrets, customer metadata, and more.

What should I consider if I continue using LastPass?

This depends on how you use the service and how your account is set up. The 2022 breach involved stolen, encrypted vault backups rather than access to user accounts. If your current master password is strong and you have enabled multi-factor authentication (MFA), your account is set up with additional protections.

That said, stolen vault copies cannot be retroactively secured. That is the reason customers affected by the 2022 breach were advised to rotate credentials stored in their vault if their master password was weak or if they used it on other websites as well.

Sayb Saad is a writer for the ExpressVPN blog, where he covers online privacy, cybersecurity tools, and VPNs in particular. With over 5 years of experience under his belt, he's passionate about testing privacy tools hands-on and helping people make informed decisions about their online security and privacy. When he's not at his work desk, you'll find him spending time with his furry feline friend or spending time in nature to unwind.
