Security Review: LastPass password manager

Last Updated: Jan 17, 2017 @ 1:33 pm

There’s a whole crowd of password managers forming on the internet, and they’re all competing to be the app you trust most with your login details. They’re also competing for your hard-earned money – because most of these apps aren’t free. You’ll generally get to use them for a month at no cost, before losing important features like syncing across devices behind the paywall.

Choosing between password managers is getting more difficult by the week too, because they all offer roughly the same features. LastPass, the focus of the latest password manager review, doesn’t really stand out from the crowd with unique, must-have gimmicks. But as you’re about to see, it covers the essentials really well.

And while you will need a Premium subscription to make full use of LastPass long-term, it’s pretty cheap at only $12 per year.

Could this be your ideal password manager? Let’s take a look.

So many apps

LastPass is a free download for Windows, Mac, Linux, iOS, and Android. It also has free apps for other mobile systems like Firefox Mobile, Windows Phone, and Surface RT. That’s a pretty good spread of platform compatibility by anyone’s standards.

LastPass features

LastPass doesn’t really wow with unique features, but it covers most of the things you’ll need from a password manager. Features include:

  • “Save as you go” passwords for new sites, via the browser extension
  • Auto-fill logins and online shopping info
  • Centralized login data, synced across all of your devices
  • Secure notes for important information like credit cards and Wi-Fi logins
  • Automatic strong password generation

Nice and easy setup

On desktop, LastPass has a nice and easy setup process that automates a lot of the more tedious tasks associated with installing a password manager.

It automatically finds all the browsers on your system and lets you choose which ones to install LastPass on. It then automatically downloads and installs the LastPass extension for each browser you chose. And, it finds the passwords saved in your browsers and offers to migrate them to LastPass.

It’s probably the most convenient setup service of any of the password managers reviewed so far.

Save as you go passwords

With the LastPass extension installed in your browser, you’ll see a grey asterisk button added to every field in web forms. Clicking this gives you options like auto-fill and ‘Save this site,’ and the whole user experience is nice and smooth.

LastPass master passwords aren’t 100% secure

A key feature of some other password managers, like Dashlane and 1Password, is that they don’t store your master password anywhere. This means nobody can ever steal it, but it also means no password reminders. If you forget your password, you need to start over.

LastPass goes down a different route – it does store your master password, and you can get a reminder. So it’s less secure and less private, but it’s also a little more convenient.

Talk about pricing – $12 per year

Going premium with LastPass unlocks extra features like syncing across the full range of apps (and there are a lot), family sharing and multifactor authentication. If you use a mobile device that isn’t Apple or Android, LastPass’s range of apps could be useful. And $1 per month sounds like pretty good value.

Verdict: Cheap and easy to use, but less secure

LastPass is pretty great in terms of ease-of-use, cost and its range of apps. If security and privacy are your top priorities, you may prefer a password manager that doesn’t store your master password. Otherwise, LastPass could tick all your boxes.

One thought on “Security Review: LastPass password manager”

  1. You said “it does store your master password, and you can get a reminder. So it’s less secure and less private, but it’s also a little more convenient.”

    That’s wrong, LastPass can store a hint, but it does NOT store your master password in the cloud.

    How secure is LastPass?

    All encryption and decryption happens on your computer.

    When you create your LastPass account, an encryption key is created on your computer (your Master Password, or MP, and email go through a complex, irreversible process known as hashing to form your encryption key). Any sensitive data you then save to your account is ‘locked up’ by the encryption key while still on your computer, then sent in encrypted form to LastPass’ server.

    The sensitive data that is harbored on LastPass servers is always encrypted before it’s sent, so all LastPass receives is gibberish.

    Since the encryption key is locally created each time you submit your MP and email, all that we store and have access to on our servers is your encrypted data. Without your unique encryption key, your sensitive data is meaningless gibberish. Even if someone were to mandate that we provide a copy of our database, the data would still be unreadable without your encryption key.

    We never receive the key to decrypt that data.

    The unique encryption key formed from the hashing of your email and MP is never sent to LastPass servers. LastPass never, for any reason, would ask you for your MP, so the key remains safely with you.
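
The client-side flow the comment above describes, as an added example that is not LastPass's code and not part of the comment: the key is derived locally from email and master password, data is sealed before upload, and the server only ever holds the blob. PBKDF2-HMAC-SHA256, the iteration count, the HMAC-based stand-in for AES and every function name here are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; the page gives no number

def derive_key(email, master_password):
    """Client side: stretch the master password, salted with the email."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)

def _subkeys(key):
    # Separate keys for encryption and integrity, both derived from the vault key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES (assumption).
    stream = b""
    for counter in range((len(data) + 31) // 32):
        block_input = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(enc_key, block_input, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Client side: encrypt and authenticate before anything leaves the machine."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key, blob):
    """Client side: verify the tag, then decrypt; a wrong key fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return _xor_stream(enc_key, nonce, ciphertext)

# Constructed stand-in for the server: it stores opaque blobs and never sees a key.
server_db = {}

def save_note(email, master_password, note):
    server_db[email] = seal(derive_key(email, master_password), note.encode())

def read_note(email, master_password):
    return unseal(derive_key(email, master_password), server_db[email]).decode()
```
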
