LastPass is an excellent password manager. It stores your personal information and login credentials in its encrypted password vault. The tool offers many features – an easy-to-use interface, robust encryption, two-factor authentication, password sharing, digital legacy, etc. LastPass aims to improve the user’s online security and make logging into several accounts more convenient. However, the tool raises several security concerns because of recent breaches. This brings us to the question: “Is LastPass safe?” Let’s find out!
In this article, we will extensively review the LastPass tool (its features, pros, and cons) to help you determine whether it’s secure enough to use.
Overview of LastPass Features – Quick List
LastPass offers a comprehensive suite of features to meet all your password management needs. It allows you to keep all your sensitive data, including usernames and passwords, secure and protected. Here’s a quick list of what you can expect from its privacy and security offerings.
Impressive list, isn’t it? To give you a better understanding of each feature’s benefits, we’ve taken the time to review them individually. Keep scrolling to discover what makes each of LastPass’s security tools so valuable.
What is LastPass?
LastPass is a popular password manager tool that stores your passwords in an encrypted vault and auto-fills them whenever you visit a website or an app. Using the tool, you can store your login credentials, build shopping profiles, generate strong passwords, etc. You only need to remember your LastPass master password, and it will do the rest of the work for you. The software comes with a mix of free and premium features.
LastPass offers extensions for many popular browsers like Chrome, Firefox, Opera, etc. Also, it has handy mobile apps for both iOS and Android devices.
Is LastPass Safe?
LastPass is generally considered a secure option for managing passwords. However, its large user base of over 33 million subscribers makes it an attractive target for criminal hackers. You might have read security reports of data breaches regarding LastPass that date back to 2011. Yet, the company has always been forthcoming about informing users if there were any data leaks. They were also quick to mitigate the impact of such incidents until recently.
In August 2022, LastPass suffered a significant data breach, followed by another attack on December 22, 2022. During these cyber-attacks, criminals gained access to millions of LastPass users’ password vaults. These incidents and subsequent attacks on LastPass raised concerns among cybersecurity experts and made users question the system’s overall security.
It’s normal for cyber-attacks to happen at times. But instead of promptly reporting this leaked data, LastPass executives chose to withhold information. This caused users to distrust the company even more.
How Does the LastPass Platform Work?
LastPass is a top-tier password manager with advanced security features, like strong end-to-end encryption and a strict zero-knowledge policy. It also offers extra protection with options for multi-factor authentication (MFA). LastPass can be your go-to for storing, organizing, and automatically filling in passwords across your browsers and devices.
When setting up LastPass, you must create a unique and complex master password. This serves as the key that unlocks your private vault of information. LastPass never stores this master password in the clear; it is used to derive the 256-bit AES key that protects your vault. After setting up your LastPass account, simply input the login details for your various online accounts into the system. From there, LastPass will automatically fill in those login fields whenever you revisit those sites.
What’s more? LastPass can also generate secure passwords for new accounts, store sensitive notes, sync across different platforms, and even securely share your passwords with trusted contacts.
Now, let’s dive deeper into how you can create strong master passwords and better understand LastPass’ data encryption methods.
Master Password
Creating a powerful master password is essential to sign up for LastPass. A reliable master password should be at least 12 characters and include a mix of symbols, numbers, and uppercase letters. Once you’ve set this password, LastPass will use key-derivation methods to safeguard it and make it difficult for criminal hackers to crack.
The company uses PBKDF2-SHA256 hashing to protect your master password. This method slows down brute-force attacks significantly: because every guess must repeat the hash many thousands of times, an attacker can only test thousands of master-password guesses each second rather than billions.
LastPass also provides MFA options, which require you to complete one or more additional verification steps to access your account. This could involve receiving a text message or using biometric authentication. Regardless, MFA makes it harder for intruders to gain unauthorized access to your account unless they also have physical access to your phone.
Encryption
When it comes to security, LastPass has you covered with top-notch encryption. Your data is shielded during transmission (as it moves between your smart device and the company’s servers) using TLS encryption, safeguarding it from potential threats like man-in-the-middle attacks. Plus, LastPass uses AES 256-bit encryption to protect your stored data, a standard trusted by security-focused institutions like the military, banks, and top VPN providers like ExtremeVPN.
What’s more? LastPass operates under a strict zero-knowledge policy, ensuring that all data stored on its servers remains encrypted and protected. No one, including LastPass employees, can access your data.
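To make the PBKDF2 and zero-knowledge points concrete, here is an added example (not LastPass’s own code) of how such a design fits together: the master password is stretched with PBKDF2-SHA256 into a vault key that never leaves the device, one further round produces the only value sent to the server for login, and the server keeps just a salted hash of that value. The iteration counts, the use of the account email as the salt, and the class and function names are assumptions for illustration; guesses_per_second shows why a stolen encrypted vault can only be guessed at thousands of passwords per second rather than billions.

```python
import hashlib
import hmac
import secrets

# Illustrative client-side work factor (an assumption, not LastPass's setting).
ITERATIONS = 600_000
KEY_LEN = 32  # 256 bits: the size of an AES-256 key


def derive_vault_key(master_password: str, email: str,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into the key that would encrypt the vault."""
    # The normalised email is the salt, so the same password on two accounts
    # gives two different keys. This key never leaves the device.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations, dklen=KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra PBKDF2 round yields the only value the client sends to log in."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=KEY_LEN)


class ZeroKnowledgeServer:
    """Keeps a salted hash of each login hash; never the password or vault key."""

    SERVER_ITERATIONS = 100_000

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def _stretch(self, login_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", login_hash, salt,
                                   self.SERVER_ITERATIONS, dklen=KEY_LEN)

    def register(self, email: str, login_hash: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._records[email] = (salt, self._stretch(login_hash, salt))

    def authenticate(self, email: str, login_hash: bytes) -> bool:
        record = self._records.get(email)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison avoids leaking where a mismatch occurs.
        return hmac.compare_digest(self._stretch(login_hash, salt), stored)

    def holds(self, secret: bytes) -> bool:
        """True if the secret sits verbatim anywhere in server-side storage."""
        return any(secret in rec for rec in self._records.values())


def guesses_per_second(hmac_sha256_per_second: float, iterations: int) -> float:
    """Offline guess rate against a stolen vault: one HMAC per iteration per guess."""
    return hmac_sha256_per_second / iterations
```

With a billion HMAC-SHA256 operations per second, 600,000 iterations leave an attacker under 2,000 master-password guesses per second, which is the slowdown the text describes.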
Additional Security Measures
LastPass goes the extra mile to ensure all stored passwords remain safe and fortified. The company takes proactive measures such as conducting regular audits and penetration tests and publishing incident reports for transparency. It even offers a bug bounty program to incentivize discovering and resolving potential security vulnerabilities.
Recent LastPass Security Breaches: What You Need to Know
The recent string of cyberattacks targeting LastPass has rattled both cybersecurity experts and the many users relying on the service to safeguard their passwords. These events have caused some damage to LastPass’s finances and reputation as a company. If you want to review these incidents, here’s a breakdown of the key occurrences that have rocked LastPass in recent months.
August 8, 2022
On this day, a hacker breached one LastPass developer’s corporate computer and gained access to a development environment, the first major data breach in recent years. The hacker stole source code, technical documents, and sensitive company data.
August 12, 2022
Only four days after the first attack, a threat actor launched a more severe attack using the information collected from the earlier breach. The current CEO of LastPass, Karim Toubba, confirmed that while the intruder tampered with source code within that period, there was no proof of them accessing any password vaults or user data. LastPass reassured users that everything was under their control, with the intruder no longer posing a threat.
October 26, 2022
The company disclosed that the same intruder remained undetected within their systems for nearly three months, engaging in enumeration, reconnaissance, and data exfiltration activities. Cybersecurity experts did not detect any further intrusions after this date.
November 30, 2022
LastPass acknowledged, for the first time, that customer data had been compromised in this year’s series of breaches. The compromise stemmed from data obtained during the August 2022 intrusion.
December 22, 2022
CEO Toubba confirmed reports of third parties accessing customers’ vaults. He admitted that the hackers stole IP addresses, usernames, encrypted passwords, contact details, and users’ billing information.
January 23, 2023
Five months after the initial breach, attackers successfully obtained encrypted user backups and a LastPass encryption key.
March 1, 2023
CEO Toubba finally issued a statement acknowledging the frustration and criticism expressed by LastPass users. He emphasized that LastPass never stored its users’ master passwords at any point, so hackers couldn’t have obtained them during that breach. Toubba also reassured customers that LastPass’s security team had yet to identify any stolen data circulating on the dark web.
Who is LastPass’s Proprietor, and are they Trustworthy?
LastPass was acquired by GoTo (formerly LogMeIn Inc.) in 2015 for a whopping $110 million. However, some longtime users have raised concerns about this ownership. Their concerns are not far-fetched, because the company has a history of hackers attempting to misuse stolen customer details to gain access to systems through its remote access software.
GoTo is a Boston-based organization responsible for managing various cybersecurity products. These include collaboration, online meetings, administration, and remote access software.
LastPass Review: Pros and Cons
Like any service or product, LastPass has benefits and drawbacks as a password management tool. We have summarized things we love about LastPass and things it lacks compared to its alternatives.
What we like about LastPass (Pros)
- Has a free version
- Offers multi-factor authentication
- Intuitive and easy to use
- Supports many browsers and platforms
- Offers offline access to your password vault
- Excellent autofill
- 30-day free trial
What we didn’t like (Cons)
- No live chat
- Doesn’t have a desktop app
- Android app includes trackers
- Logs occasionally
- Free users can’t submit tickets or complaints
- No cross-device support in the free tier
- Recent data breaches warrant security concerns
LastPass Features – The Detailed List
Here’s a detailed list of LastPass’s most notable features.
2FA, MFA, and LastPass Authenticator
LastPass uses 2FA and MFA to make your information even more secure. 2FA ensures better security by requiring extra steps before anyone, including you, can access your LastPass vault, where your important usernames and passwords reside. You have several options for your second factor, including LastPass’s Authenticator app. Others include:
- Smartphone apps like Microsoft Authenticator, Google Authenticator, or Symantec VIP
- Software-based services such as LastPass Sesame or LastPass Grid
- Hardware tokens like RSA SecurID or YubiKey
If you decide to use LastPass Authenticator, you can download the app for free from the Apple Store, Google Play Store, or Windows Store.
MFA takes your security even more seriously by allowing you to combine multiple authentication factors. This way, you can protect your LastPass login credentials and those for other online services. You can freely choose which online accounts require MFA, which devices to trust, etc.
On the other hand, LastPass MFA is a separate app aimed at business users for managing permissions and security levels. It also offers decent customization options. The B2B-oriented service is available with the Identity, Teams, MFA, and Enterprise plans.
However, Premium users also have access to advanced MFA. To manage your LastPass MFA and 2FA settings, simply go to the Multifactor Options section from your online dashboard.
One-time Passwords (OTPs)
When accessing your web vault from a device that isn’t your own, there’s always a risk of falling into a trap. You never know if the device might be infected with a keylogger or some software designed to capture your keystrokes. LastPass offers a handy solution with its one-time passcode feature. An OTP lets you log in to your account without revealing your master password.
You can quickly generate these OTPs after successfully logging in to LastPass. It’s worth noting that you can only use each passcode once, as it expires immediately afterward. This makes it impossible for anyone to reuse it to access your account. You can also print these codes or store them by other means for future use or emergency recovery.
Credit Monitoring
You can use LastPass’s free credit monitoring alert feature if you’re US-based. This feature lets you receive real-time protection by alerting you to any sudden changes in your credit report. By enabling credit monitoring, you can effectively monitor your credit report and protect yourself from identity theft.
Follow these four simple steps to enable it:
- Log in to your LastPass account.
- From the left side menu, click on More Options.
- Click on Advanced, and then select Credit Monitoring.
- Choose Enable Credit Monitoring.
Once you complete these steps, you’ll be prompted to create a new Form Fill Profile or choose an existing one.
If you want to enable the feature on an existing profile, locate your profile on the left side and click on Enable Credit Monitoring. Alternatively, you can edit your form-fill settings and enable credit monitoring afterward.
Password Vault
LastPass stores your passwords in a secure online vault. It is accessible from your desktop, web browser, or mobile device. Because the vault is encrypted, your usernames and passwords are well shielded from online snoops.
One thing to love about LastPass is its offline accessibility. You can still access your online storage or vault even when you’re not connected to the internet. Just ensure that you’ve logged into your vault at least once with an internet connection. This allows your device to cache a local version of your encrypted data, ensuring you can access it even while offline.
Country Restriction
LastPass automatically limits access to the country you were in when you first set up your account. However, if you frequently travel or need access from multiple locations, you may add additional countries to your allowed list.
You can do this in 8 simple steps:
- Open your LastPass Vault.
- From the left bar, click on Account Settings.
- Go to the General tab and then click on Show Advanced Settings.
- Check the box labeled “Only allow login from selected countries.”
- Select the countries you want to add to your access list.
- Click Update to save your changes.
- If prompted, enter your Master Password.
- Click Confirm to finalize the changes.
There you go. You’re now free from the restriction to access LastPass only from one country. You should know that if you use a VPN, you can bypass country restrictions by changing your virtual location. ExtremeVPN is your go-to option for bypassing geo-restrictions easily.
Password Generator
Another specific standout feature of LastPass we love is the password generator. It simplifies the process of creating strong passwords for websites and applications you often visit.
So, what exactly does a password generator do? It takes the hassle out of creating passwords by generating them for you. With LastPass’s password generator, you can say goodbye to weak passwords like “123456789” or “qwerty” that fail to protect online privacy and security. Rather, it ensures you receive unique passwords with a mix of numbers, symbols, uppercase, and lowercase letters.
What’s impressive about this password generator is that it lets you control how strong or meaningful you want your password to be. For context, you can add or skip symbols and numbers, choose your ideal password length, or opt for one that’s easy to read.
We always recommend using longer passwords with more diverse characters to strengthen your security. After all, with LastPass, you don’t need to commit your passwords to memory. While we always advocate for using long and complex passwords, having the ability to customize them to your liking is a significant advantage.
Since LastPass has faced several security challenges in recent years, you should think carefully before using its password generator. One of the best alternatives to the LastPass password generator is ExtremeVPN’s Password Generator Tool, which helps you create unique, strong passwords without compromising your security.
Security Challenge
One of the best parts of using a password manager is storing all your passwords in one vault. While it’s convenient, it also raises security concerns. How do you know if your passwords are strong enough? That’s where LastPass’s security challenge comes in handy.
The LastPass security challenge is a straightforward tool that analyzes the strength of your passwords. It scans through all your stored passwords and rates their complexity. If you’re using weak or reused passwords across multiple accounts, you’ll instantly see low-security scores highlighted in red.
The beauty of this tool is that it not only evaluates each of your account passwords but also assesses the strength of your master password. This means you can strengthen the passwords you use across several accounts and also change your master password to something more complex and powerful.
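The password generator options described above (length, optional symbols and digits, an easy-to-read mode) and the Security Challenge’s weak-and-reused checks can be shown together in one added example. This is illustrative code written for this review, not LastPass’s implementation; the symbol set, the 60-bit weakness threshold and the sample vault are constructed assumptions.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
AMBIGUOUS = set("0O1lI|")  # dropped in "easy to read" mode
WEAK_BITS = 60  # entropy below this is rated weak (an assumed threshold)

SAMPLE_VAULT = {  # constructed sample vault, not real credentials
    "shop.example": "123456789",
    "mail.example": "Tr0ub4dor&3",
    "bank.example": "Tr0ub4dor&3",
    "forum.example": "correct-horse-battery-staple",
}

def generate_password(length: int = 20, use_symbols: bool = True,
                      use_digits: bool = True, easy_to_read: bool = False) -> str:
    """Build a password from the chosen classes, guaranteeing each one appears."""
    classes = [string.ascii_lowercase, string.ascii_uppercase]
    if use_digits:
        classes.append(string.digits)
    if use_symbols:
        classes.append(SYMBOLS)
    if easy_to_read:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    if length < len(classes):
        raise ValueError("length too short to include every selected class")
    # One pick per class guarantees the mix; the rest come from the pooled alphabet.
    chars = [secrets.choice(cls) for cls in classes]
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def entropy_bits(password: str) -> float:
    """Estimate strength in bits from length and the character classes present."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), len(SYMBOLS))]
    pool = sum(size for present, size in classes if any(present(c) for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit_vault(vault: dict[str, str]) -> dict[str, list[str]]:
    """Flag weak and reused entries, the checks the Security Challenge performs."""
    sites_by_password: dict[str, list[str]] = {}
    for site, pw in vault.items():
        sites_by_password.setdefault(pw, []).append(site)
    report = {}
    for site, pw in vault.items():
        issues = []
        if entropy_bits(pw) < WEAK_BITS:
            issues.append("weak")
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")
        report[site] = issues
    return report
```

Running audit_vault(SAMPLE_VAULT) flags "123456789" as weak and the password shared by the mail and bank entries as reused, the two conditions the text says the Security Challenge highlights in red.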
Conclusion
We have covered LastPass in depth and agree that the password manager has had its share of security issues. The platform uses strong encryption and several protective features to safeguard your passwords. However, the many LastPass reviews, complaints, and concerns that followed the recent data breaches make the doubts about LastPass’s security hard to ignore.
It’s human to start doubting its ability to keep your data safe. You should explore other LastPass alternatives to prioritize protecting your credentials online.
If you continue using LastPass, remember to remain cautious, keep your passwords updated, and make the most of LastPass’s security tools. You can also use a robust VPN like ExtremeVPN to hide your IP address and encrypt your internet traffic to secure yourself further online.