LastPass review: Still the leading password manager, despite security history
"'Don't put all your eggs in one basket' is all wrong. I tell you 'put all your eggs in one basket, and then watch that basket,'" said industrialist Andrew Carnegie in 1885. When it comes to privacy tools, he's usually dead wrong. In the case of password managers, however, Carnegie is usually more dead than wrong. To wit, I've been using LastPass so long I don't know when I started using LastPass and, for now, I've got no reason to change that.
It's not that I'm brand-loyal. I've test driven other password managers, and with a growing stack of encryption lit at my office-away-from-office, I'm itching to get further under their hoods. LastPass, however, has so far outlasted them all. Through no effort of my own (save for software updates) it's remained my most low-maintenance, die-hard privacy vehicle.
While it's true you'll find a higher tier of technical security among certain premium services and software, you'll also find they often come at the cost of usability -- the most important factor, I'd argue, in establishing long-term privacy by habit.
Given how overrun the security app field is by malware in sheep's clothing, I can't believe I'm recommending a free privacy service (one that's not even open source), particularly after everything I've said about never trusting free virtual private networks.
But here we are. And if you're going to trust a free password manager, this is the one I recommend. For now.
A free version that's almost as good as premium
LastPass offers a free tier that will let you store all of your passwords and sync them across your phone, tablet and laptop. At $36 a year, the Premium version of LastPass is a solid deal, sweetened by support for YubiKey hardware keys as a second factor and 1GB of encrypted file storage. A $48 annual subscription will get you the Families plan -- that's six individual accounts, shared folders and a dashboard that goes beyond your own security analytics and lets you manage the family accounts.
Cheaper options are out there -- Bitwarden's first-tier premium version starts at $10 -- but LastPass is on par with most of its peers in price. Competitors Keeper and 1Password, for instance, cost $30 and $36 respectively for their first-tier premium subscriptions.
Loaded with easy-to-use features
If you're new to password managers, here's how it works: You sign up for an account and create a master password. You then use that master password to log into your password manager instead of entering your login information into every different site. That's how LastPass works too, but it's hard to find any piece of privacy freeware that has quite as many features as LastPass.
Overall security is also bolstered by LastPass' username and password generator -- making it easier to create stronger passwords every time, rather than being tempted to re-use others. This feature is at its best when combined with LastPass' automatic prompts: Not only does LastPass detect data entry fields and invite you to save a new password in your Vault (instead of directly into your browser, something you should never do) but it encourages you to generate a unique one with a single click.
LastPass' multifactor authentication, a practice we recommend for any app holding sensitive data, is also great for bolstering secure logins. One caveat worth knowing: the second factor gates whether LastPass' servers will hand the encrypted vault to a client; it doesn't change how that vault is encrypted, so a strong master password is still what protects the data if the vault itself is ever copied. If you're willing to buy the premium version, LastPass will also cross-reference your information against databases of logins known to be compromised via its Dark Web Monitoring option, alerting you if your email address has been flagged. Even if you don't spring for the upgrade, though, the free version still has a dashboard full of graphics illustrating your overall security. For instance, a visual gauge analyzes your collection of passwords and displays the percentage which are considered too weak.
One of the tricky things about browser extensions for privacy management tools is that free versions tend to offer incomplete services, so you've got to supplement your protection with other companies' conflicting extensions, which often leads to overall privacy failure.
That's why the smooth functionality of LastPass' browser extensions can't be overstated. They've gotten along with nearly every other extension I've used. The same can be said of its mobile apps. Even as app store permission schemas have changed over the years, I've never run into major conflicts between LastPass and other apps. That amiability extends to platforms, too. I've yet to find an operating system or device that can't run LastPass. I've recommended it to journalists, lawyers, activists, family -- you name it -- not just because of its compatibility, but because I've found it intuitive and user-friendly in its setup.
I can create folders for groups of sites -- carefully partitioned areas are designed to hold your credentials and banking information -- and I can import and export blocks of passwords. If I went Premium, I could even share folders and items, grab some secure note-taking space on the cloud, and set up an emergency contact to access my account if I can't.
Usability and design are about more than how smart a program looks, though. The hardest security flaw to fix is the human one. While security bugs often follow attempts to make software more convenient, it's better to make a privacy tool behaviorally appealing even if it is slightly less secure. A password manager that's easy to use is one that gets used, and it's infinitely better to have people using imperfect security than none at all.
Come back with a warrant
Back in 2015, LastPass was the darling of password managers and LogMeIn was a freshly hated company after announcing it would be charging for its remote desktop software. So when LogMeIn announced plans to buy LastPass for $110 million that year, the internet sounded a death knell. LastPass didn't die, though. And, unlike LogMeIn, it didn't suddenly stop offering its freeware. Fast forward to August 2020 when the ink dried on the $4.3 billion purchase of LogMeIn by private equity firm Francisco Partners and Evergreen Coast Capital, the affiliate of vulture mega-hedge Elliott Management. LastPass still touts a growing user base in the millions.
Yes, this means LastPass is a US-based company and your data is therefore stored in a Five Eyes jurisdiction -- a mass surveillance and intelligence-sharing agreement between countries including the US, UK, Australia and Canada. And yes, both the LastPass and LogMeIn terms of service openly say they'll comply with requests from government agencies for access to your information. Unlike with virtual private networks, however, a Five Eyes jurisdiction on a password manager isn't an immediate dealbreaker for me.
With managers like LastPass, your information gets encrypted client-side -- meaning locally, on your computer, with a key derived from a master password the company never receives. The biggest threat to your privacy, then, isn't necessarily that your password manager will be served with a subpoena and a gag order. In theory, the most the company could hand over is an encrypted vault it can't read, plus whatever account details it keeps in the clear.
Case in point, LogMeIn told Forbes in 2019 that LastPass gets fewer than 10 such requests a year. For a privacy company that hit a 25-million user milestone in September 2020, that's a ridiculously small number of requests. A more important criterion is what the company does with those requests.
When LastPass got slapped with a legal order from the US Drug Enforcement Administration in 2019, demanding it hand over information including a person's passwords and home address, the company basically shrugged. It couldn't give the feds what its own encryption kept it from having.
As I've said of VPNs, surviving a privacy trial by subpoena fire is one of the surest ways a privacy tool can earn my trust. And while being forced to hand over documents to government entities is a liability for any privacy-oriented company, a company that hands over a cache of unreadable data while its parent company loudly decries federal anti-encryption policies is one that gets my nod.
Regardless, third-party audits would be helpful here. In at least two of its security white papers, LastPass claims to have them. Currently, though, LastPass has only a bare-bones organizational audit for 2018-2019 publicly available, along with a list of companies it works with. But those aren't the droids we're looking for.
In a security audit for a password manager, you want to see source code auditing, cryptographic analysis and white box penetration tests -- not only for LastPass' mobile apps and desktop client, but for its backend technology. Why isn't LastPass leading here?
With the trust of 25 million people at stake, LastPass has a responsibility to supply the public with more independent, third-party cybersecurity audits like those conducted for peers RememBear, NordPass and Bitwarden. And while LogMeIn keeps a collection of audits for several of its properties, the company says its additional cloud security audit for LastPass is only available if you sign a non-disclosure agreement.
To make sure I wasn't missing anything, I asked LastPass for the goods.
"Security is fundamental to what we do and we strive for transparency with our users. We agree that having these security audits and penetration tests are important when evaluating our service, but due to the sensitive nature of these reports, we cannot make them available without an NDA," a company spokesperson told me in an email.
Under the hood: Data collection and encryption
The source code is private and the audits are missing, but we know LastPass collects some of your data. That includes basic contact information and billing addresses, as you'd expect, but it also includes your unique device identifier number, your operating system, the IP address you connect from, your location information and what apps you're using LastPass to store passwords for. LogMeIn has repeatedly said it doesn't collect user browsing history.
Of all the types of attacks a password manager has to ward off, it generally needs to be strongest against brute force attacks -- those in which someone who has obtained a copy of your encrypted vault simply tries master password after master password until one unlocks it. The encryption itself isn't what gets broken; the master password is what gets guessed.
LastPass encrypts your information with AES-256 -- that's the baseline standard for encryption that you should expect from any privacy product. It also employs something called PBKDF2 -- it's how your master password gets turned into the key that unlocks that encryption. PBKDF2 runs the password through a hash function many thousands of times, together with a salt unique to your account, so every single guess an attacker makes costs that much work and precomputed tables are useless.
Sure, if you're the type of person at whom the US government would throw its full computing capacity and an absurd amount of man-hours (so, if you're Edward Snowden) then LastPass may not be your best bet.
But the rest of us -- barring some bizarre, inside-job exploit of LastPass' One Time Password account recovery feature -- can feel confident we aren't worth someone grinding through 100,100 PBKDF2 iterations for every single guess at our master password. That math only works in your favor, though, if the master password isn't on the first page of any attacker's wordlist.
The rap sheet
The mark of a good privacy tool isn't a clean rap sheet. It's how the company responds to incidents and vulnerabilities. Is it transparent and timely in telling the public? How bad were users hit? Does it respond quickly with repairs, and incorporate what it's learned into long-term improvements?
In LastPass' case, the company has created an environment that encourages bug-hunters and security researchers. Despite its lengthy list of discovered vulnerabilities, it's so far only had two significant user data breaches (only one was malicious and resulted in actual user data loss). It generally responds quickly to vulnerabilities, and rolls out updates along with its tidy log of release notes. Still, it's had more issues than many of its competitors, and the trail stretches all the way back to 2011.
The 2015 breach saw the most publicity, and is the only breach noted on LastPass' official site. The same year, though, Asana Security Head Sean Cassidy discovered a phishing vulnerability created by a CSRF bug. A research paper also emerged detailing another CSRF bug and how LastPass' Safari bookmarklet option was found vulnerable if users were tricked into clicking certain parts of an attacker's site.
The hits kept coming in 2016: Two vulnerabilities were found. One was discovered by security researcher Mathias Karlsson, and the other by Google Project Zero bug assassin Tavis Ormandy, the latter prompting LastPass to urge users to update their browsers.
Ormandy wasn't done with LastPass, though. In 2017, he found another browser extension leak which LastPass fixed. His work foreshadowed that of University of York researchers in 2019 who found a vulnerability that would allow malicious copycat apps to exploit LastPass' autofill feature. By 2019, Ormandy was coming back for another helping, discovering a third browser extension vulnerability -- which LastPass resolved -- that would expose login credentials you entered on a previously visited site.
Heavy is the head
Without seeing the audits, it's hard to pinpoint exactly why LastPass has accumulated such a long list of found bugs compared to its competitors. That length could speak to the popularity and ongoing evolution of a complex piece of software, or be held as evidence of slipshod development and recurring problems.
When I reached out to the company about it, LastPass said it welcomes bug-hunters and rightly cautions users against choosing any vendor that hasn't publicly disclosed a bug or incident.
"LastPass is the leading password manager, for both consumers and businesses -- there is no other password manager on the market that is more widely used. As such we're more likely to catch the attention of security researchers," a company spokesperson said in an email.
"LastPass can offer a stronger, more secure product in part because of the important work the research community does. We continue to incentivize their contributions through our third-party bug bounty program," the spokesperson added. "We are confident LastPass is stronger for the attention."
LastPass is right about being stronger for the attention. Every time Ormandy came at it, steel sharpened steel and overall security was hardened. And it's got a point about popularity. If I were a bug-hunting security researcher with ambition and ethics (or I just needed a couple hundred bucks), my impulse would be to go after popular privacy tools with proprietary software in jurisdictions under domestic mass surveillance. LastPass would, by all metrics, make for excellent target practice.
The company's points would be stronger, however, if there weren't a signal in the noise here. A closer analysis of the rap sheet reveals that this is no scatter plot of random bugs, but a map of LastPass' battles to cover some of the same Achilles' heels afflicting nearly all password managers. When any password manager uses a browser extension to autofill your username and password fields, for example, the extension has to decide, from nothing more than the page's URL, which saved credentials belong there. Any looseness in that decision hands them to the wrong site.
Those risks were magnified in LastPass' case by a URL visibility issue and its historically insecure API -- meaning a potentially malicious website could pose as a legitimate one and "talk" to LastPass, convincing it to hand over your logins for the legitimate site. Using only a desktop client would mitigate most of that risk. But password managers only work when people use them regularly -- and no one uses desktop clients as frequently as mobile apps and browser extensions.
Besides, wouldn't LastPass be stronger for the attention?