LastPass Review – Still Safe and Secure After the Data Breach?
LastPass is one of the most popular and well-known password managers around – but does it live up to its name? In this LastPass review we’re going to put it under the microscope to answer that question. Additionally, we’re going to examine the history and security of LastPass, including previous security breaches that sent alarm through the user base. Can LastPass still be trusted with your private data? Is it one of the best password managers – or has it been eclipsed by competitors? Keep reading this LastPass review to find out.
Pros:
- Passwords encrypted locally
- Automatic sync between all devices
- Built-in walkthroughs for new users
- Data encrypted in transit and at rest
- Single and multi-user accounts
- 1 GB encrypted file storage (paid accounts)
- Supports 2FA
- Complies with GDPR
- Third-party audit of internal processes conducted
Cons:
- Difficult to contact support personnel
- Poor quality responses even for priority support
- Large recent price increase for premium plan
- Based in, and data stored in, United States
- Collects and shares some user data
- Can be compelled to disclose user data
LastPass features summary
Here’s a quick summary of the full set of LastPass features, some of which are only available on paid versions of the product:
- Supported platforms include macOS, Android, iOS, and major browsers
- Data encrypted in transit and at rest
- Secure Password Generator
- Secure Password Sharing
- Reports & Analysis
- Form Filling
- 2FA and Multi-factor Authentication Support
- Password Import/Export
- AES-256 and PBKDF2 Encryption
- Encrypted File Storage
- Synchronizes across all your devices and browsers
- Emergency Access
- LastPass Authenticator
- LastPass for Applications
LastPass core features (available for free users)
Here are the core features of LastPass, the ones that you have access to in the free versions of the product. You have the ability to:
- Store passwords, secure notes, addresses, credit card info, bank accounts
- Securely sync passwords between all your devices
- Save & fill passwords
- Secure password generator
- Secure notes
- Two-factor authentication
- Security challenge
- One-to-one sharing of data
- LastPass authenticator
Company information (Who owns LastPass?)
LastPass has been storing passwords for the world since August 2008. In October 2015, LastPass was acquired by LogMeIn, Inc. LogMeIn is a public company, based in the United States, and listed on the NASDAQ stock exchange, with annual revenue of over $1 billion. If you are concerned about trusting your data to a small company with not much revenue and just a few employees, that won’t be a concern here. Then, in December 2019, LogMeIn officially announced that it was being acquired by US private equity firms. From their press release:
LogMeIn, Inc., a leading provider of cloud-based connectivity, today announced that it has entered into a definitive agreement (or the “Agreement”) to be acquired in a transaction led by affiliates of Francisco Partners, a leading technology-focused global private equity firm, and including Evergreen Coast Capital Corporation (“Evergreen”), the private equity affiliate of Elliott Management Corporation (“Elliott”), for $86.05 per share in cash. The all-cash transaction values LogMeIn at an aggregate equity valuation of approximately $4.3 billion.

Is it good that LogMeIn has been acquired by US venture capital firms? Time will tell, but this matches up with the trend we’ve been seeing of privacy services selling out to various entities. This is not surprising, given the increasing concerns over data protection, identity theft and fraud, and other alarming cybersecurity statistics. People are spending more money on these services, hence the growth – but back to the LastPass review.
LastPass Terms of Service
Since LastPass was purchased by LogMeIn, the applicable Terms of Service (TOS) is the LogMeIn document. It is general in that it covers all the many services they offer. It is also pretty dense legalese. Here’s what I got out of it (but I’m not a lawyer). The Terms of Service seem pretty standard. There is one point that some people may be leery of. The company states that,
If necessary and in accordance with applicable law, we will cooperate with local, state, federal and international government authorities with respect to the Services.

Since the company is based in the United States, which is a Five Eyes surveillance country, this means that your data may be accessible to various US agencies, in accordance with US laws. Since your data is encrypted and LogMeIn doesn’t have the ability to decrypt it, there isn’t much they can hand over. This isn’t anything out of the ordinary, however, as it also affects secure email services. For example, ProtonMail was also forced to comply with lawful data requests, but because emails are stored encrypted at rest, there’s not much that can be gained anyway. That said, the LastPass code is not open source, unlike Bitwarden, for example. Therefore you need to take the company’s word for it that they can’t read your data and that there’s nothing fishy going on with backdoors or exploits.
- Your device type
- Operating System and version
- The device UDID (Unique Device IDentifier)
- The IP Address you connect from
- Location information
- Language settings
- Other diagnostic data
LastPass audit
LastPass and other LogMeIn services have been subjected to a type of third-party audit. The LastPass audit was conducted in 2018 by Tevora Business Solutions. This audit, titled “SOC 3® – Reporting on Controls at a Service Organization,” was designed to examine whether the company’s internal controls meet specified Trust Service Principles as defined by the AICPA (American Institute of Certified Public Accountants). The report is meant to show that the security, availability, processing integrity, confidentiality, and privacy controls at LogMeIn meet those principles. The results of the audit were that in the opinion of the auditors, the controls within LogMeIn’s Identity and Access Management System were,
…effective throughout the period September 1, 2017 to August 31, 2018, to provide reasonable assurance that LogMeIn IAM’s service commitments and system requirements were achieved based on the applicable trust services criteria is fairly stated, in all material respects.

This is good information, in that it tells us that a third-party auditor feels that LogMeIn has good internal procedures. However, it is important to realize that this is a very different type of audit than the type conducted for products like Bitwarden. The Bitwarden audit, conducted by security firm Cure53, involved white box penetration testing, source code auditing, and a cryptographic analysis of Bitwarden’s code and security against attacks. This type of security audit is really the gold standard, as Cure53 has also audited VPN services, such as ExpressVPN. Ideally, a company would conduct regular audits against both internal and external threats. Realistically, however, any audit is better than nothing, although it would be better to see the bar raised in this area.
LastPass apps
LastPass offers a full range of apps (clients) and extensions for you to use. These include:
- Desktop apps for Windows, Mac OS, and Linux
- Mobile apps for Android and iOS (iPhones and iPads)
- Browser extensions for Chrome, Firefox, Safari, Internet Explorer, Opera, Microsoft Edge, and Chromium browsers (including Brave)
LastPass hands-on testing and review
For this LastPass review, I am concentrating on the Free (Personal) plan. This plan should be sufficient for most people. We’ll look at installing and using the LastPass extension on the Brave browser.
Installing the LastPass extension and creating an account
You install LastPass like any typical browser extension, through the web store. Once you have the LastPass extension installed, clicking it opens a window like the one below so you can create an account. Click the Create an account link at the bottom of the window and LastPass will guide you through the signup process. You’ll need to enter a valid email address to complete the account creation process. LastPass will send a confirmation message to that address, and once you respond to it you will be ready to go.
Adding login credentials to LastPass
One of the nice features of LastPass is the walkthroughs that it provides for new users. You’ll encounter one right after you get LastPass set up. It offers to help you store your first set of login credentials, and also allows you to log in through a third-party account. It just takes a moment, and by the time you are done, you’ll be ready to enter passwords yourself. With the LastPass extension installed and active, simply log into sites normally. If the site credentials are not already stored in LastPass, it will pop up a box similar to the one below, allowing you to add the site’s credentials to the vault with one click. What if you are switching from a different password manager, and aren’t excited about the idea of manually reentering all the passwords you have stored in another product? Fortunately, LastPass can import data from many other password managers. However, the process can be a bit complicated. If you are considering switching to LastPass from another password manager, you can visit this page and see what’s involved for your particular case.
Working with your passwords
Once you add some login credentials, your LastPass vault will look something like this: When you hover the mouse over one of these items, LastPass displays your options for that item. This makes for a clean and attractive view of your vault’s contents. While LastPass is primarily used for passwords, it can handle far more than just login credentials. It supports these data types:
- Payment cards
- Bank accounts
- Wi-Fi passwords
Editing your data
LastPass stores an encrypted copy of the vault on each of your devices, in addition to the copy that is stored on their servers. This allows you to view your vault whether you are online or not. However, when you are not online, you can only view the local copy of the vault; you cannot edit it. If you want to edit the data in your vault (and are online), you can simply click Open My Vault in the LastPass extension. This opens your vault in a new tab of your browser.
LastPass password manager in action
LastPass tries to make using your stored passwords easy. Once you get to the login page of a site that LastPass knows, it inserts itself into the relevant fields, like this: Clicking that icon causes LastPass to display a box with the credentials it has for this page. Click an entry to have LastPass fill in the fields it has data for. Do you see the little number in the bottom-right corner of the LastPass icon? That indicates the number of entries LastPass has for this page. If a number greater than one appears here, LastPass will display a list of all the relevant logins that you can choose from.
Generate secure passwords with LastPass
Once you have a password manager to remember things for you, you can use long, complex passwords for everything. LastPass includes a secure password generator that can create those long, complex passwords for you. To use it, click the extension, then select the Generate Secure Password option. The password generator looks like this: It is set to create strong passwords by default, although I would suggest you change the password length to at least 16 characters for more security.
Increasing LastPass security
Speaking of increasing the security of your data, there are two other options available in the Free version of LastPass. The first is multi-factor authentication. LastPass supports a range of different hardware and software-based authenticators. You can find all the options on this page. The other tool LastPass offers is their Security Challenge. This is an automatic analysis of the data in your vault. It does things like check to see if any of the email addresses in the vault are associated with a website that may have been hacked. It also detects and helps you update:
- Weak passwords
- Reused passwords
- Old passwords
Sharing passwords and other data
LastPass allows you to securely share data with other people. The Free version supports sharing with one other person. The LastPass Sharing Center is where you can manage shared items. You can find out how it works here.
Additional LastPass features
We’ve been concentrating on the core features (the ones included in the free version) of LastPass so far. But depending on your situation, you may find that you need one or more of the features that are only available in paid versions. To help you decide if you need more than the basics, I’ve compiled short descriptions of the most interesting features below.
Emergency access
Emergency access exists to give another user complete access to your LastPass data, if something should happen to you.
LastPass for applications
LastPass for Applications (LastApp) is a Windows desktop app that has access to your LastPass Vault. It can enter your passwords into desktop apps for you.
1 GB of encrypted file storage
This increases the available vault space for secure notes from 50 MB to 1 GB.
Family manager dashboard
The LastPass Families plan allows you to have up to six users for one account. The Family Manager Dashboard is the control center for this.
Team features
LastPass Teams allows you to manage up to 50 users with one account. This includes team policies and simple reporting.
Enterprise features
Password management for the entire enterprise, from onboarding to automated reporting, administrative controls, and more. The complete breakdown is here.
LastPass support
The LastPass Customer Support pages have lots of information that lets you resolve many problems without contacting the Support team. This is good, since it is fairly hard to contact a live support person. The chat system is a bot that isn’t great at answering questions, and unless you have a plan with Priority Support, you will need to wade through some possible solutions before the site will offer you the chance to email a technician. I’ve not had any problems with LastPass Support. However, the majority of comments about the company on sites like ConsumerAffairs.com complain about the difficulty of finding a way to contact Support, along with slow and/or not-very-useful responses even for people with Premium Support.
LastPass security (Still trustworthy after multiple hacks?)
While LastPass encrypts your data on your device using AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes, they have still been hacked. In June 2015, LastPass admitted that hackers were able to steal account email addresses, password reminders, server per-user salts, and authentication hashes. The company found no evidence that vault data (including form fill profiles, secure notes, site usernames, and passwords) was taken. The company took immediate steps to improve their security. According to this HackRead story, LastPass was also hacked at least twice more in 2016. In both cases, the attackers were white hat hackers who reported the issues to LastPass. In 2017, Darknet.org.uk reported that the LastPass Firefox and Chrome extensions had both been made to leak all your LastPass passphrases simply by browsing a malicious website. Reportedly, the problem could also allow a malicious site to run commands on the user’s computer. Once again, the LastPass engineers went to work to fix the problems. While seeing hacks and leaks isn’t pleasant, there are a few ways to look at this.
- The Critical Approach. Go after LastPass for the number of problems that have turned up and perhaps move to a different password manager.
- The Philosophical Approach. With so many users, and so much notoriety, it is likely that LastPass is attacked more than other password managers. At the same time, there are probably more white hat hackers and other “good guys” looking for problems with LastPass than there are for less popular products.
- The Optimistic Approach. You could also see this as a positive. Realistically, any moderately complex piece of software has bugs and vulnerabilities. People are finding and fixing the problems in LastPass. Over time, that makes the product safer and more secure (at least in theory).