LastPass is arguably the world’s most popular password manager. Given its high public profile due to a plethora of rave revues, its smart looking and easy to use browser integration, and the fact that it allows users to sync passwords and sensitive information across devices and platforms, this is quite understandable. A recent successful hack of LastPass’ servers, however, shows some weaknesses in how LastPass handles password security, and the closed source nature of the software does not sit well with us. Nevertheless, for ordinary tech-shy users, LastPass remains an excellent password manager.
LastPass is a freemium product with a free version and a Premium version (in addition to LastPass Enterprise, which is designed for team use.) Until recently you needed to pay for LastPass Premium to sync across mobile devices, but this has recently changed. You can now sync across an unlimited number of either mobile devices (such as Android and iOS smartphones) or desktop devices (Windows, OSX, Linux.)
To sync from desktop computers to mobile devices requires the LastPass Premium plan, which costs a very reasonable $12 per year. LastPass Premium users also enjoy support for two (or more) factor authentication (2FA) through a variety of devices such as the YubiKey, biometric authentication (e.g. laptop fingerprint scanners), Sesame (LastPass’ own USB thumb drive), and have access to priority support.
Premium users also get the LastPass for Applications (LastApp) program for Windows (see later).
There is a 14-day free trial available, and Premium subscribers can also take advantage of a 30-day refund. LastPass for Applications is available for trial users to test out. To activate the free trial sign-in to LastPass from the mobile app if you already have a desktop free account (and presumably vice-versa.)
Features of LastPass include:
Auto-generation of secure passwords
Auto form-field completion
Import existing passwords from your browser
Ability to share website login details securely with another person
Shared Folder to manage and access joint accounts with family or friends
Secure Notes to store private information securely (great for storing security information about non-web services)
Multifactor authentication (including various biometric options)
Real time credit card monitoring to prevent unauthorized use (US customers only)
LastPass Sentry (monitors the PwnedList database of 24 million publicly leaked usernames and passwords for details belonging to LastPass users)
Bookmarklets – for situations when you cannot use the LastPass browser plugin (such as older versions of iOS)
One time passwords (generates secure passwords for websites that can be only used once). This is great if you plan to login to services from computers you do not trust, and if you are going away on holiday (for example), you can generate a bunch of them in advance.
We have to say that this is an impressive and very comprehensive list of features!
Aesthetics, usability and customer support
The LastPass website is great looking and is designed to be easy to navigate, making managing your account and finding relevant information a doddle. LastPass itself works as a browser plugin and not as a stand-alone program (as KeePass does), and, therefore, integrates with the browser (see below for more details).
Well produced video tutorials give an overview of LastPass’ features, and are great for getting new users up and running. Further support is available through an extensive FAQ and a Forum board. Although no direct support options are available, forum queries appear to be answered promptly.
Security and Privacy
LastPass is a cloud-based service that encrypts users’ passwords locally with strong AES-256 encryption, and then stores them online (transfer is via secure SSL connection.) Passwords stored online are then strengthened using a random salt and 100,000 rounds of PBKDF2-SHA256.
Because encryption/decryption is performed in your browser, and only you have the master password and decryption key (these do not leave your computer), LastPass technically uses end-to-end encryption. However…
LastPass does allow password recovery. It achieves this by making a password hash out your master password + username (salted many times), which is sent to the LastPass servers. To recover this master password, it must be combined with your username (email address) and password.
In June this year (2015) LastPass was successfully hacked. Although no master passwords were stolen (as LastPass does not store these), ‘account email addresses, password reminders, server per user salts, and authentication hashes,’ were taken.
In theory this information could allow the hackers to quite easily guess users’ master passwords (especially if easy-to-guess password reminders were used), although this would have to be done on a case by case basis (and would, therefore, be very slow). We should also note that if required by law, LastPass could potentially also hand over this kind of information to the authorities, who could similarly use it to discover users’ master password.
Perhaps even more worrying is that this is not the first time LastPass has been hacked and information stolen! These incidents point not only to the weakness introduced by allowing password recovery but of storing such information on a centralized database that can be hacked in the first place.
A further concern with LastPass is that it is closed source, so we simply have to trust the company that its software does what it says it does.
According to LastPass, it does not share personal information ‘anyone except to comply with the law, develop our products, or protect our rights.’ Personal information is not stored on LastPass’ ‘servers unless required for the on-going operation of one of our services. (For example: If you choose to store login history, we keep login history, if you choose not to, we don’t).’
We find the number of permissions required by the Android app (basically just about everything) rather worrying. LastPass does, however, do a pretty good job of explaining why it needs these.
Assuming that you trust LastPass (although as open source fans we prefer to trust nobody), passwords stored with the services are probably pretty secure, but we would rather not use LastPass to highly sensitive information such as bank details. We would also recommend taking advantage of the one of the various multi-factor authentication methods available to protect against any further hacking incidents.
Once you have signed-up for an account and installed the browser plugin (available for Firefox, Chrome, Internet Explorer, Opera, and Safari, with Windows 10 Edge support on the way) operation is very straightforward.
By default LastPass will import past passwords saved by your browser, and then turn off the browser’s integrated password saving features so that all passwords are managed by LastPass.
We like the fact that login can be performed using a screen (web based keyboard). This is great if you are concerned about the presence of keyboard loggers
You can setup and manage passwords through the online Vault
Password forms display a star to the right, with a small number indicating how many logins LastPass has stored for that website. If you enter a new username or password, LastPass’ excellent password capture feature will offer to remember these for you in future (or you can set this to automatic)
By clicking on the star you can choose alternative logins, ask LastPass to generate a secure new password, or fill in a form (works just like the Password features)
Alternatively, the more traditional LastPass browser button gives you quick access to the service’s main functions
LastPass for Applications (Windows only)
Windows users can also install an app that allows you control your account from the desktop.
This most useful feature is that this gives you direct access to your LastPass Vault and Secure Notes, allowing you to past passwords and other information directly into stand-alone programs.
Using LastPass Mobile (Android version tested)
The LastPass mobile app provides access to your passwords on the go, although to sync with your desktop account you will need to purchase a Premium account. The smart looking and intuitive app provides access to the full range of LastPass’s impressive feature list, and comes with a layout that will put users of the desktop website instantly at ease.
By default, links are opened within the LastPass app’s built-in browser. As long as you use this built-in browser to navigate the web, LastPass will happily do an excellent job of filling in passwords and form for you, creating new passwords, etc. One thing we really like is support for using the fingerprint scanner on Samsung Galaxy devices (that have a one) to easily unlock the app (this worked well on our test phone.)
The LastPass web browser, while perfectly serviceable, is nowhere near as good as the likes of Firefox or Chrome (for example it does not permit you to install security-enhancing plugins). It is fortunate, then, that LastPass integrates well with other browsers such as Chrome, Dolphin (with the Dolphin Browser extension), and the stock Android Internet browser.
This is where the funky fingerprint unlike function really shines!
LastPass did not want to play game with our Firefox browser on Android, but this may because the version we run is heavily tricked out.
Due to a DRM screen lock in Android, we are afraid that we cannot display screenshots of the app itself in action.
Cost of LastPass Premium is very reasonable
Comprehensive feature list
Easy to setup and use
Imports saved passwords from browser
Great browser integration
Good mobile apps
Multifactor authentication support (including impressive biometric authentication support)
We weren’t so sure about
Security and encryption are pretty good, but password recovery and centralized storage of data introduces weaknesses
LastPass servers got hacked… twice!!! (Ok, so as far as we know nothing vital was stolen, but this does alarm us)
It is not difficult to see why LastPass is so popular. It does not cost much, and offers a very slick and easy way to remember passwords and other sensitive information. We do have concerns about the way in which LastPass secures users’ data, but in fairness these are probably theoretical rather than practical worries. The recent hacking incident is also worrying, but as the hackers failed (we think) to obtain users’ master passwords, it at the same time demonstrates that LastPass’ security measures are indeed fairly robust.
The main problem with LastPass (and indeed all commercial password managers) is that its open source rival KeePass is so good. Although not as pretty, and bit more fiddly to setup, KeePass can do pretty much everything that LastPass can (except for biometric support), while also being a great deal more secure.
Nevertheless, for ordinary users happy to trust LastPass with their passwords, and who want minimal setup effort, LastPass is a very complete, intuitive, and professional password manager.