LastPass Review

LastPass Review

 

Keeping track of dozens or hundreds of strong, unique passwords just isn’t possible without a password manager. LastPass Premium offers plenty of top features including cross-platform syncing, secure sharing, a password strength report, and dark web monitoring. However, a change to device syncing rules makes LastPass’s free version borderline useless for most people. LastPass is still an Editors’ Choice password manager overall for its ease-of-use and excellent features, but we don’t recommend it for free users anymore.


LastPass Free vs. Premium vs. Family

LastPass offers three different plans for consumers: Free, Premium, and Family. The Free edition includes all the standard password manager capabilities, plus a few features other services restrict to paid accounts. With LastPass’s free version you get auto-filling capabilities, a password generator, one-to-one sharing capabilities, secure notes, a password strength report, and support for multi-factor authentication.

Unfortunately, LastPass changed the device-syncing rules for free users. Previously, free users could sync passwords across any platforms LastPass supports, including desktop and mobile devices. Now, LastPass makes free users choose between syncing passwords with Computers (browsers, desktops, laptops) and Mobile Devices (phone, tablets, and smartwatches). This severely limits the utility of LastPass’s free edition and, therefore, it’s no longer one of our top choices for free password managers.

Other free password managers also have stringent limitations. Some, like RoboForm and Enpass, put a limit on the number of passwords free users can save. Others, like Dashlane and Keeper, are only free if you use them on a single device. MyKi’s and Bitwarden’s free versions, however, do not impose limitations related to cross-device syncing or total passwords.

 

LastPass Premium costs $36 per year. In addition to all the free version’s features, you gain one-to-many sharing, advanced multifactor options (such as YubiKey support), Emergency Access features (password inheritance), dark web monitoring, priority tech support, the LastPass for Applications app, and 1GB encrypted file storage. Previously, Emergency Access tools were available for free users, so this is a step back. I tested LastPass using a Premium account.

 

The top tier for noncorporate accounts is LastPass Family, which costs $48 per year. LastPass Family subscribers get six LastPass Premium licenses, unlimited shared folders, and access to the LastPass family dashboard.

LastPass’s pricing for its Premium and Family versions is consistent with equivalent versions of competing software. For instance, Keeper Password Manager and Digital Vault’s Personal and Family tiers cost $34.99 and $74.99 per year respectively. Sticky Password Premium is $29.99, while 1Password costs $35.88 per year. Dashlane Premium costs $59.99 per year. Bitwarden’s Premium and Family versions are significantly cheaper at only $10 and $12 per year.


Getting Started With LastPass

To sign up for LastPass, you need to enter an email address and create a strong master password. LastPass has tightened up its master password requirements since the time of our last review. Your master password must now be at least 12 characters, include a number, have both uppercase and lowercase letters, and must not be your email address. Read our tips on how to remember a strong master password for additional help. Amusingly, LastPass does not prevent you from using the example password on the account-creation page. You should also enable two-factor authentication as soon as you create your account.

After you create your account, LastPass offers to install its browser extension, which is how you log in to the service. If you choose to skip this setup, you can always use the LastPass Universal Windows, macOS, or Linux installers to add the LastPass extension to the browsers on those platforms. LastPass offers browser extensions for Chrome, Firefox, Edge, Safari, and Opera.

 

Once you log in, LastPass walks you through saving a password for Google, Facebook, PayPal, or Netflix. Pop-up notifications explain that you first log in as usual and then click the Add button when LastPass offers to save it. LastPass also takes you on a quick tour of the Web Vault. Keeper Password Manager & Digital Vault offers a similar onboarding process.

During installation, LastPass used to offer to import passwords from your browsers and turn off password capture in the browsers. This feature is still available; it just doesn’t happen as part of the installation. LastPass also used to offer a one-time password each time you’d install it on a new device. In the event you forgot your master password, you could reset it using the one-time password, much as Keeper uses your security answer for a master password reset. Here again, you can dig in and create one-time passwords, but it’s not part of the installation flow.

LastPass can import from 31 competing products, but some are defunct (McAfee Safekey is now True Key) and others are simply obscure (such as Clipperz, Figaro’s Password manager, and Revelation Password Manager) The import list remains wildly out of date and is missing five out of PCMag’s nine best-rated password managers (excluding LastPass itself).

 


Multi-Factor Security

It doesn’t matter how complex your master password is if a thief gets ahold of it. LastPass does require email verification the first time you log in from a new device, which is good. But you can seriously enhance your security by using the available multi-factor authentication options. To set up multi-factor authentication, head to Account Settings > Multifactor Options tab in the Web Vault.

The available multi-factor authentication options depend on your subscription tier. Free users can use an authenticator app. Setting up an authenticator app just requires snapping a QR code using the app of your choice. Each time you log in you’ll need to supply a time-based one-time password (TOTP) generated by the app (essentially a six-digit code that typically changes every 30 seconds) in addition to your master password.

LastPass offers authentication through its LastPass Authenticator app too, which lets you accept or reject a login attempt via a push notification, without the need to enter the six-digit code. LastPass recently announced it is consolidating the enterprise-focused LastPass MFA app into the LastPass Authenticator app and integrating the former’s password-less authentication capability.

LastPass’s authentication methods support SMS codes and voice calls codes. Don’t have a smartphone? You can print a wallet-sized authentication grid. For authentication, LastPass requests characters found at specific grid coordinat

Premium users can use hardware keys (such as a YubiKey) or biometric options as a second authentication option. Note that LastPass does not support the more modern Universal Two-Factor (U2F) FIDO 2 standard, instead of relying on a TOTP-based method. In essence, when you tap a Yubikey to log in, the key supplies a string of numbers for authentication. 1Password, Dashlane, Zoho Vault, and many more password managers support the U2F authentication method.

 

Dashlane, Myki, and Keeper include built-in time-based one-time password (TOTPs) generators and effectively replace the need for a third-party authenticator app for logins to other online accounts. LastPass recently added this capability, too. 

Two-factor authentication can get tedious after a while, so LastPass lets you define specific devices as trusted. When you log in from a trusted device, all you need is the master password. Trust expires every 30 days, and you can delete a lost device from the trusted list. For even more control, you can ban logins from any device that’s not already on the trusted list.


LastPass Web Vault and Browser Extension

LastPass offers desktop apps for Windows (via the Microsoft Store) and macOS, but you can manage all your passwords and personal data on the web. LastPass’s Web Vault uses a red, gray, and white color scheme and a straightforward layout.

 

At the top of the interface, there’s a search bar for sifting through all your saved data. A right-hand drop-down menu lets you access your Account Settings and other helpful resources. In the Account Settings section, you can define equivalent domains such as youtube.com, google.com, and gmail.com. A password for one is good for all.

LastPass Web Vault

You navigate the experience via a left-rail menu that includes All Items, Passwords, Notes, Addresses, Payment Cards, and Bank Accounts sections. Secure notes just store and sync sensitive information, optionally with an attachment. Addresses are similar to what previous editions called Form Fills. Payment cards and bank accounts are self-explanatory. If you add one of LastPass’ item types such as driver’s licenses, passports, or social security numbers, those categories show up in this menu, too. We discuss these item types in more detail in the form-filling section. You add entries and folders via the red plus button at the bottom of the page. The left-hand menu also includes the Security Challenge, Sharing Center, Emergency Access, and Account Settings sections.

The middle of the screen is reserved for viewing and editing your stored details. You can view entries in a list or grid view; sort entries and folders alphabetically or by recently used, and switch to a slightly magnified view.

Hovering over a password entry reveals three icons, for editing, sharing, and deleting. We discuss sharing options in a later section. Right-clicking on the item allows you to clone it, copy the username or password, launch the associated site, or move it to a new folder. LastPass supports dragging and dropping items into folders. When you edit an item, you can change its displayed name, add a note, or add it to your favorites. Advanced options let you require reentering the master password for the item, autofill it without waiting, and keep the entry but disable autofill entirely.

LastPass Browser Extension

Although LastPass does offer the ability to organize items into custom folders, it does not support the creation of separate vaults (such as for personal and work passwords), something 1Password does. Like 1Password and Enpass though, LastPass does support nested folders (the other two services offer the same capability with tags).

 

We tested the LastPass extension on Firefox. From the extension, you can view recently used passwords, view all items, and generate new secure passwords. The Add Item and Account Options items redirect you to the Web Vault. For specific password entries, you can launch the associated website directly, copy the username or password, and edit them.


Password Capture and Replay

When you log in to a secure site, LastPass offers to save your credentials. You can click Add and continue or click the pencil icon to edit the entry. You can assign the captured login to a new or existing folder or tell LastPass you never want to save a password for the site. As with 1U Password Manager, you can’t enter a friendly name directly in the pop-up window, but you can take care of that in the main interface. In testing. LastPass captured logins from both one-and two-page logins without issue.

LastPass Password Replay

LastPass no longer immediately fills in your credentials when you revisit a site by default, but you can enable the auto-login option on a per-account basis. Enpass and KeePass are other examples of password managers that require you to manually trigger filling credentials. If you’ve stored more than one set for a site, LastPass adds a small number to the icon it puts inside the username and password fields.

 


Security Dashboard

Getting all your passwords safely stored with LastPass is a good first step, but it’s not enough. Now you need to fix the weak ones and the ones you’ve recycled for use on multiple websites. That’s where LastPass’s Security Dashboard comes in.

Click the Security Dashboard menu item to get started. On the main screen, you see a security score LastPass calculates based on the strength of your passwords and whether you have multi-factor authentication enabled.

LastPass Security Dashboard

Click on the View passwords link to see a list of all the passwords in your vault. LastPass rates the strength of each one, identifies any potential risks (old, reused, or weak), and adds a Change Password button for any offending items. The button does not automate the password change. Rather, it takes you to the login’s associated website. If LastPass identifies many of your passwords as needing to be changed, don’t panic. Just try to update a few at a time.

 

Another feature is LastPass’s Dark Web Monitoring for Premium and Family account holders, powered by Enzoic (read LastPass’ full explanation of what information Enzoic uses to generate this report). After enabling this protection, a list of all your associated account emails appears in the section. You can choose which ones to monitor and will receive an email notification if any are compromised. Dashlane and Keeper offer similar password audit and dark web monitoring tools.


Password Generator

When you sign up for a new account or change your password for an existing account, LastPass offers to generate a secure password. By default, the password generator creates 12-character passwords, the same default as Keeper and Dashlane. LastPass defaults to using all four character sets (upper case letters, lower case letters, numbers, and symbols), which is good. LastPass can generate passwords that are Easy to Say (omits numbers and symbols) or Easy to Read (avoids ambiguous characters like capital O and digit 0), but you should avoid using these unless strictly necessary. The strongest possible passwords use all four character sets, without the limitations imposed by these options.

LastPass Password Generator

Default settings for password generation vary wildly between programs. At the low end, Ascendo DataVault Password Manager defaults to a password of just eight alphabetic characters. At the other end, Myki’s default settings give you huge 30-character passwords. In between, Password Boss and KeePass create 20-character passwords by default. Since the program remembers it for you, your password might as well be long. We recommend cranking the length up to at least 20 characters and including symbols.

 

When you change your password, LastPass offers to update the associated entry. This works whether or not you accept the aid of the password generator.


Emergency Access

It’s not the most cheerful thought, but what happens to your passwords when you die? How will your heirs access your bank account or let your social media circle know what happened? The Emergency Access feature lets you define one or more contacts who can access your passwords in the event of your untimely demise. This feature is not available to free users.

Emergency Access in LastPass works similarly to Dashlane’s and Keeper’s equivalent features. You enter your recipient’s email address and define a waiting period. Recipients must install LastPass, if they haven’t already, and accept your connection request. Now if something happens to you, the recipient simply requests access to your account. Dashlane lets you pass along just a subset of your saved credentials—for example, you might define a coworker as the recipient of your work-specific passwords. That’s not an option in LastPass. Zoho Vault distinguishes work passwords from personal ones; the administrator can unilaterally take over work passwords for an ex-employee.

 

Here’s where the waiting period comes in. Suppose your trusted recipient decides to jump the gun and get your passwords before you’ve kicked the bucket. The initial request for access triggers a notification, and you can deny the access request at any time during the waiting period. In a real emergency, your recipient automatically gets access after that time elapses.

Clicking Emergency Access lets you view two pages, People I Trust (your password heirs) and People Who Trust Me (those who’ve made you their emergency access contact). On the People I Trust page you can delete anyone from the list or change the waiting period. On the People Who Trust Me page, you can bow out of the emergency access role.


Password Sharing

You shouldn’t share your passwords promiscuously, but some situations merit sharing. You and your partner may use a joint bank account, for example. If you must share credentials, you should do so safely.

 

Sharing passwords with other users is a common feature among password managers, though it’s found more in commercial products than free ones. 1U Password Manager limits sharing to its mobile app. Users of the free LogMeOnce can share just five passwords. Free LastPass users can only set up one-to-one sharing, but that’s hardly as restrictive as with the free versions listed above.

LastPass Password Sharing

Premium subscribers can share one item with several other users, and those who pay for a Family account can share an unlimited number of folders. Shared folders used to be a feature of LastPass Premium, but not anymore.

 

Sharing a password is easy. Just select an item in the vault, click the sharing icon, and enter the recipient’s email address. Recipients who already use LastPass will see a notification that a new share has arrived; others will get an email message explaining how to create an account and accept the share. The recipient can use the shared item to log in. As with LogMeOnce, you choose whether to make the password visible.

The Sharing Center within the Web Vault lets you easily manage your shared items. As with emergency access, you can relinquish access to credentials others have shared with you, or you can cut off others with whom you’ve shared passwords.


Filling Web Forms

You can store multiple Addresses, Payment Cards, and Bank Accounts in LastPass, each with a variety of personal and contact information. RoboForm Everywhere lets you create multiple instances of any form-fill field, while Dashlane stores the various components of personal data (phone numbers, emails, and so on) separately.

LastPass Addresses

LastPass can store many other types of personal data, too, including driver’s licenses, passports, insurance policies, and your Social Security Number. However, these options are a bit hidden in the interface (go to All Items, hit the Add button in the bottom-right, and click the More Items drop-down menu) and some of the categories are obscure.

 

In testing, we found the autofill handling to be inconsistent. LastPass didn’t offer to fill every type of saved data—for example, driver’s license and passport information didn’t appear, though address, bank card, and social security number did. In addition, many of the item types store duplicate data. For example, a driver’s license entry includes full snail-mail address info, also found in the Address type.


Secure Notes and Online Storage

Secure notes are just another way to store information in your LastPass account, that doesn’t fit into any of the other categories. The notes only support unformatted text. 1Password allows you to use markdown formatting for notes with some of its apps and we’d like to see this added.

Only Premium LastPass subscribers get online storage, but the total space is limited to 1GB (free users get 50MB). You can’t upgrade this storage. To store an attachment with LastPass, you must attach it to an item

 

Keeper’s Family Plan includes 10GB of storage space by comparison. Kaspersky Password Manager does not place restrictions on attachment storage and includes a scanning feature that helps you find and organize attachments.


LastPass for Mobile

We tested LastPass on an Android 11 device and had no issues logging in to the test account. LastPass does well at keeping the user experience the same across different platforms. Both the Android and iOS editions have all LastPass’s features, including password generator, emergency access, sharing center, and security challenges sections. LastPass’s iOS app does organize elements a bit differently; you navigate the experience via four icons across the bottom: Sites, Browser, Security, and Settings. Android and iOS’s built-in auto-filling capabilities have vastly improved over the years and LastPass relies on the built-in options for filling credentials on sites and apps.

LastPass Mobile App

In addition to app-based authentication options, you can configure LastPass to authenticate using your device’s biometric login options. LastPass supports both face- and fingerprint-based authentication methods on both Android and iOS devices. Yubikey authentication requires a Yubikey model that supports authentication via NFC (Near Field Communication) or your phone’s connection type (such as USB-C or Lightning port).

 


LastPass for Business

LastPass makes it easy for administrators to see who is following password policies on the job and who is not. For example, the adminstrative dashboard shows the company’s enrollment rate with the password manager, user activity, and average password security score for the company.

LastPass for Business Admin dashboard

LastPass’ reporting dashboard is the most comprehensive real-time breakdown of employee interaction with the password software we’ve seen from a password management company. Only Dashlane comes close with its reporting dashboard for administrators, but it doesn’t hold the wealth of information about the company LastPass offers.

 

Each employee has access to a vault where they keep their work-related credentials. From the Users page, the administrator can see all the employees invited to use the password manager, when employees last used the software, whether employees enabled multi-factor authentication (MFA) for their account, password security scores, and other options.

As with competitors Dashlane and Zoho Vault, LastPass supports single sign-on (SSO). SSO reduces the number of passwords an employee must memorize to get into their work accounts. Admins add applications such as SSO, MFA, and password-less apps from the Applications section of the Admin console.

LastPass commits to helping administrators encourage MFA. Admins have the option to enforce many types of MFA for linked SSO applications, including app push, phone call, one-time-passcodes, SMS, or YubiKey. Again, we haven’t seen this kind of commitment to security from any other password management company we’ve reviewed so far.

The app also has federation integrations with ADFS, Azure AD, Google Workspace, and Okta, meaning employees access LastPass using their existing corporate credentials in their current workspaces. Eliminating the need to remember another password could make a password manager more attractive to employees.

 

LastPass Business also includes a free Families account for every employee, to encourage vigilant password practices at home. The LastPass Families data is separate from the Business data. LastPass has a zero-knowledge security model, so only the users know their passwords. If an employee leaves the company, their Families account unlinks from the Business account. The former employee can either buy a Families plan or let the account become a Free account.


Pay for LastPass Premium, Look Elsewhere for Free

LastPass Premium packs more features than most other password managers. Secure sharing, a slick Security Dashboard, dark web monitoring, and multi-factor authentication are among its top offerings. It remains intuitive to use even with all these capabilities.

However, LastPass continues to make its free version less and less useful. Aside from losing Emergency Access features, free users face seemingly arbitrary device-syncing restrictions. This change is detrimental enough that we no longer include LastPass in our roundup of the best free password managers.

 

Still, LastPass earns an Editors’ Choice award overall, because its premium tier includes features consistent with other top password managers. Keeper Password Manager & Digital VaultDashlane, and MyKi are our other Editors’ Choice winners for password managers. All those services have extensive sets of features and are easy to use.

 

plugins premium WordPress