PrivacyFocus

LastPass

Once-dominant password manager whose reputation has been significantly damaged by multiple serious security breaches.

Scores

Overall: 68
Security: 55 (Average)
Usability: 80 (Good)
Features: 82 (Good)
Cross-platform: 83 (Good)
Value: 62 (Average)

Feature Checklist

  • Password generator
  • Autofill
  • Secure sharing
  • Emergency access
  • Breach monitoring
  • Two-factor auth
  • Biometric
  • Encrypted notes
  • File storage
Encryption: AES-256-CBC with PBKDF2-SHA256
Open Source: No
Local Vault: Cloud-based
Pricing: Free plan limited to one device type (mobile or desktop, not both). Premium at $3/month billed annually. Family plan at $4/month for up to 6 users. Business plans from $4/user/month.
Platforms: Windows, macOS, Linux, iOS, Android, Web
Browser Extensions: Chrome, Firefox, Safari, Edge, Opera

Strengths

  • Mature product with a wide feature set built over many years
  • Emergency access allows trusted contacts to request vault access
  • Password sharing and family management features are well-developed
  • Supports a wide range of two-factor authentication methods

Weaknesses

  • Suffered a catastrophic data breach in 2022 exposing encrypted vault data
  • History of multiple security incidents dating back several years
  • Free plan now restricted to a single device type — desktop or mobile, not both
  • Slow to increase PBKDF2 iteration counts, leaving older accounts vulnerable
  • Trust has been severely eroded — many security professionals now recommend against it

Overview

LastPass was once the most popular password manager in the world, known for pioneering the freemium model in the credential management space. Founded in 2008 and now based in Boston, it built a massive user base by offering a capable free tier and straightforward browser integration. However, a series of security incidents — culminating in a devastating breach in 2022 — has fundamentally damaged its reputation. Whilst LastPass continues to operate and has made security improvements since, the trust deficit is significant, and many security professionals now actively recommend migrating to alternatives.

Security

LastPass uses AES-256-CBC encryption with PBKDF2-SHA256 key derivation. In August 2022, attackers gained access to LastPass's development environment and subsequently obtained copies of customer vault data — including encrypted password vaults, unencrypted URLs, and other metadata. Whilst the encrypted vault data theoretically remains protected by users' master passwords, the exposure of unencrypted URLs and metadata was a serious privacy breach. Furthermore, LastPass was criticised for having historically low PBKDF2 iteration counts (as low as 5,000 for some older accounts, compared to the OWASP-recommended minimum of 600,000), meaning that weaker master passwords could potentially be brute-forced from the stolen vault data. LastPass has since increased the default iteration count and made other security improvements, but the damage to trust was done.
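To make the iteration-count point concrete, here is an added example (not LastPass's code and not part of this review) that derives a vault key with PBKDF2-HMAC-SHA256 using Python's hashlib, rates an account's iteration count against the 600,000 OWASP minimum quoted above, and times a derivation at the legacy 5,000 setting versus that minimum. The function names, the sample passphrase and the constructed salt are assumptions made for the example.

```python
import hashlib
import os
import time

# Figures from the review text: some older LastPass accounts used as few as
# 5,000 PBKDF2 iterations; OWASP recommends at least 600,000 for PBKDF2-HMAC-SHA256.
LEGACY_ITERATIONS = 5_000
OWASP_MIN_ITERATIONS = 600_000
KEY_LEN = 32  # 256-bit key, the size an AES-256-CBC vault key needs


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256. Same password, salt and
    iteration count always give the same key, so each offline guess against a
    stolen vault costs exactly `iterations` HMAC rounds and nothing more."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def assess_iterations(iterations: int) -> dict:
    """Rate an account's iteration count against the OWASP minimum.
    `guess_cost_factor` says how many times cheaper each guess is at this setting
    than at the minimum (1.0 = at or above the minimum; 120.0 = 120x cheaper)."""
    if iterations < 1:
        raise ValueError("PBKDF2 iteration count must be at least 1")
    meets = iterations >= OWASP_MIN_ITERATIONS
    return {
        "iterations": iterations,
        "meets_owasp_minimum": meets,
        "guess_cost_factor": 1.0 if meets else OWASP_MIN_ITERATIONS / iterations,
    }


def time_derivation(iterations: int, samples: int = 3) -> float:
    """Wall-clock seconds for one derivation at a given iteration count."""
    salt = os.urandom(16)  # constructed salt; a real vault stores its salt with the blob
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("correct horse battery staple", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    for n in (LEGACY_ITERATIONS, OWASP_MIN_ITERATIONS):
        report = assess_iterations(n)
        print(f"{n:>8} iterations: {time_derivation(n):.4f}s per guess, "
              f"meets OWASP minimum: {report['meets_owasp_minimum']}, "
              f"guess cost factor: {report['guess_cost_factor']:.0f}x")
```

Running it shows the same per-guess cost ratio an attacker holding a stolen vault would enjoy: at 5,000 iterations every master-password guess is 120 times cheaper than at the OWASP minimum, which is why raising the setting on an old account matters.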

Features

Setting aside the security concerns, LastPass offers a comprehensive feature set. The password vault supports all standard entry types — logins, secure notes, addresses, payment cards, and identities. Emergency access allows you to designate trusted contacts who can request access to your vault after a configurable waiting period. The security dashboard analyses vault contents and flags weak, reused, and compromised credentials. Password sharing is straightforward, and family plans support up to six users with shared folders. The autofill engine is mature and handles most login forms reliably. Two-factor authentication options include authenticator apps, YubiKey, and biometric methods.

Verdict

It is difficult to recommend LastPass in good conscience given its security history. The 2022 breach was not an isolated incident — it followed earlier breaches in 2015 and other security issues over the years, suggesting systemic problems with the company's security culture. The feature set is solid, and the user experience is adequate, but these qualities are meaningless if the fundamental trust in a password manager's security has been compromised. If you are currently using LastPass, the most prudent course of action is to migrate to a more trustworthy alternative — Bitwarden, 1Password, or Proton Pass are all superior choices. If you choose to remain, ensure your master password is long and unique, enable multi-factor authentication, and increase your PBKDF2 iteration count to the maximum available.
