We first took a look at LastPass in 2016, not long after it was acquired by the much larger SaaS company, LogMeIn. Since then, LastPass has had a bit of a revival, of sorts, working through notable security issues that thankfully never impacted its users.
At the time, we gave LastPass a solid 9 out of 10, downgrading it mostly for its user interface. Two years on, however, the password manager market is even more crowded than it’s ever been, and LastPass has had a few upgrades to match.
If you’re in the market for a password manager or wondering whether a service like LastPass can add more security to your life in a hacker-friendly internet, we’ve got a few insights to offer below.
Combining a host of great features with a handful of additional security tools, LastPass has overcome some of its past issues to become a password manager easily worth the already low price.
LastPass overview and features
LastPass is one of the lowest-cost password managers on the market. While it has a very functional free option, it also offers its services for a paltry $2 per month (billed at $24 per year). By comparison, competing manager Dashlane costs $40 per year, while 1Password costs $36 per year.
The service can easily be used with most devices, but you’ll find its best use to use it either in mobile app form or as a plugin for your web browser. Note, however, that since most web browsers already have built-in password managers, you might need to turn off the one your browser uses by default. There likely won’t be any kind of conflict, but redundant password saving and autofill requests can get annoying. We’ll show you how to do that later on.
LastPass has a large number of features in place, all designed with some type of security angle in mind. In all, LastPass has the following features and options:
- Locally-stored master password
- Two-step verification (2FA)
- AES 256-bit encryption
- PBKDF2 SHA-256 and salted hashes
- Password autofill
- Password editing
- Password generator
- Password strength auditing
- Store and autofill web forms (financial information, addresses, and other types of common web forms)
- Accessible via any browser, browser plugin, or mobile apps
- Secure note taking
- Secure password and note sharing
- SMS account recovery
- Weak or duplicate password alerts
- Automatic duplicate password removal
- Merging with browser-saved passwords
- Restrict login to specified countries
- Digital legacy sharing
- Password or site searching
That’s a lot of marks to hit for any service. But when it comes to password managers, the necessary security and functionality measures are absolutely essential to making the program work for consumers or businesses. LastPass probably has more features and advanced settings than most consumers will actually use, but that’s not a bad thing.
Even more features are available, some of which are locked out if you’re using the free service. Additionally, some unique options exist for those signing up for the company’s family or business options. Get a full side-by-side comparison here.
Signing up to LastPass
LastPass wins a big thumbs up on the sign-up process. Almost no hassle is involved, and LastPass is very clear about what you get. You don’t need to sign up with a credit card or any other payment information to try it out, however. LastPass offers a very feature-rich free version, which you can download right to your browser from the home page. Indeed, for Windows and Mac, your only option is a browser plugin as LastPass does not offer an app for desktop or laptop-based operating systems.
From there, you’ll add the plugin to your web browser and go through the account creation process. That includes setting up your new master password:
And you’re done! The next step to getting started with LastPass is actually using the program, which is where you’ll either come to love it or hate it, depending on what you’re looking to get out of a password manager.
To give you an idea of what most users will experience, we’ve reviewed some of the more prominent features just below.
LastPass features review
As shown earlier, LastPass has a large number of features. Most users, however, are likely to restrict their activities to the most basic functions related to password management. That usually includes saving passwords, autofilling passwords into sites, and changing passwords when necessary. LastPass has a lot to offer on this angle, although some issues might give you pause or reason to consider other password management tools.
Once you’re set up with a LastPass account, you can start adding in passwords. You can do this manually or in bulk. For the manual process, one simple method is to just go to the websites you normally use and log in with your credentials. During that process, LastPass will prompt you to save the password to its vault after a successful login attempt.
As expected, adding passwords is quite easy. Just clicking Add will add the password, username, and website to your password vault. The next time you try to log in to that site, LastPass will automatically fill in those credentials for you. If for some reason LastPass doesn’t autofill, you might see a notification on the plugin icon in the form of a number. Clicking the icon and opening up the plugin menu will show some notifications under Show matching sites:
From there, you can choose the site you’re trying to access. This likely happens because LastPass will save a password for a very specific login page. Meanwhile, some websites have various login pages, depending on where or how you’re trying to log in. LastPass won’t attempt to generically autofill on any address it finds for the site. Instead, it only autofills the specific web page visited when you first saved your password.
Outside of that, you can add passwords manually from your LastPass Vault. You can access the vault either through the plugin (Open My Vault) or by logging in from the website. From there, you’ll add new sites with the associated usernames and passwords by clicking on the plus symbol button on the bottom right of the screen.
Unless you’re giving an exact URL for the login page, you probably won’t get an autofill using this method, but you will be able to add in the username and password from the drop-down menu LastPass gives in the username/password boxes.
Bulk adding passwords
If you already have a lot of saved passwords from your browser, you can add them in bulk. The process to do this is a bit tedious, however, and far from obvious. In fact, I had to do a web search just to figure out how to bulk add passwords from Google Chrome.
To bulk add, follow these steps:
- First, install the LastPass binary file. To find that, click on browser plugin symbol and then More Options > About LastPass. You’ll find the binary file link there. After you download the binary file, reset your web browser.
- After you have the binary file installed, run the executable file. The executable file is not the best place to do the bulk import. While you can import more than just browser passwords there (such as wifi SSIDs and passwords), it’s a lousy interface.
- You’ll need to sift through which passwords you want to add in, and then use the shift or CTRL keys to select multiple items. Otherwise, you’ll have to click on them one by one.
Troublingly, however, LastPass says it will delete those password files from your computer after importing them using the binary file executable. That’s not really preferable to me, but if you’re determined to go all-in with LastPass, it’s certainly a more secure option.
The other method of import is to go to your LastPass browser plugin, and then go to More Options > Advanced > Import, then choose your web browser. This option automatically selects the whole set of account passwords for you, so you can more easily deselect passwords you don’t want to be imported. It also won’t delete the passwords from your system (phew!).
That said, LastPass does have an export feature in case you want to move any saved passwords from LastPass to another service.
Aside from the somewhat tedious import process, LastPass seems to have one of the key elements—adding passwords—down well.
In most cases, as long as you have a password saved to your LastPass vault, it will attempt to autofill that password for you. As stated, there are occasions when it won’t autofill, but you’ll rarely run into that problem.
You’ll know LastPass is working on a website when you see three dots in a grey box on the right side of the username or password box:
LastPass will automatically insert what it believes is the correct password for the site. If you see a number in subscript next to the ellipses (“…”), this will indicate you have more than one username or password for the site in question. If you do have multiple accounts for a site, you can click on the ellipses and choose which username/password combo to use.
Here’s where things get interesting. Let’s say you’re signing up to a new website. LastPass won’t have the ellipses symbol next to the username section, but it will have it next to the password box. Why? Because you can use LastPass to create website passwords for you. To do that, click on the ellipses symbol, then Log in as and Generate password. Then, click on the red Generate and fill button.
LastPass will automatically insert its auto-generated password into the password section. However, you can change the security level of the password LastPass generates, and quite frankly, you probably should. By default, LastPass is set to generate a password that’s 12 characters long and does not include symbols. This type of password is OK, but not overly strong.
To change the settings, before you hit Generate and fill, select More options.
LastPass provides a good number of options here, such as adjusting your password length, making it easy to read or say, and, importantly, including symbols in the password. Using the password generator, you can create passwords of up to 100 characters long with a mixture of lower and uppercase letters, symbols, and numbers. And given you won’t need to remember the password yourself (you are using a password manager for that purpose, after all), there’s almost no reason not to make your password ridiculously difficult to crack.
LastPass should create a strong password with the generator, but it’s good that you can choose to change the strength. Not all password generators have that option. Beyond that, loading passwords from the vault is an easy enough affair, and switching between passwords when multiple accounts exist is simple as well.
And while letting LastPass create your passwords for you during account sign-ups is good and all, it won’t work on all websites. During testing, I found StackExchange won’t integrate with LastPass’ generator. It will work on most sites, though.
LastPass is a good place to test the strength of your current passwords. The Security Challenge feature (available only from the Vault) is a great way to do that. It’s also a good tool for those who are bulk adding their passwords from a browser-based password manager, as built-in managers don’t commonly do anything beyond just for storing and autofilling your passwords and user IDs.
All you need to do is click on Security Challenge from the left side of the Vault menu. Then, click on Show My Score:
Be forewarned: LastPass is going to be brutally honest about your password strength levels. That includes the strength of your master password:
Looks like I have some work to do! Thankfully, LastPass is more about helping you improve your password security than shaming you for being bad at it. The tools to improve your passwords are right there in the program:
If you want to update your passwords, LastPass can help. Click on either Change Weak Passwords or Change Used Passwords, and then select the site(s) you want to update. LastPass will then walk you through the process of updating your password for that site, which will include logging in from the LastPass interface and going through the password change procedures for that website.
The service runs a script that performs this task for you, so there’s nothing you need to do. Once it’s complete, it’ll let you know your password was changed. And of course, in case you’re curious as to what the new password is, you can check in your Vault.
This can be a somewhat long process, but you can change your passwords in bulk by checking the box next to multiple password and user ID entries for the various sites you’re transferring to LastPass. However, if you’re going to do a lot of sites at once, you might as well walk away from your computer for a while. The script is pretty much going to eat up all of your processing power and it’s likely going to take a while. Especially if you’re like me and have over 200 different website accounts (don’t judge me).
Passwords are one thing, but LastPass is also designed to autofill most common forms you’ll come across on the web. In all, LastPass can autofill forms for personal information, financial information (credit card numbers, bank account information, etc.), and contact info. You can also add unique forms that are not built into the program, although that’s more of a higher-level feature most consumers won’t use.
The real question is whether you’re willing to hand over this kind of information to LastPass. If you already have that info saved in your web browser, giving it over to LastPass isn’t going to increase your security risk by much more. The only risk is in someone breaking into LastPass, which thus far hasn’t happened on their end since the company has never had a data breach. According to LastPass, they’ve “implemented AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to ensure complete security in the cloud.”
However, if you have a weak LastPass account password and don’t set up two-factor authentication to gain access, you might be in trouble. LastPass can ultimately protect your passwords, but only insofar as you’ve made access to your password vault difficult.
For something as commonplace as name and address information, there should be no real qualms here. LastPass works just the same as with your passwords when it autofills forms.
Other features: shared folders, secure notes, advanced settings
If you really do need to get more out of your password manager, LastPass does have some good additional options. A paid account comes with 1GB of storage space, making it a decent location to store and share a limited number important of files.
You can use the Sharing Center to share files with other accounts, but this is a feature only available as part of the Family plan. Anyone can use Secure Notes, however, which can be used to hold secure information you can’t really remember yourself (such as wifi passwords). What’s more, you can share your notes with others, although they will need a LastPass account to accept the share.
Beyond that, there’s a wealth of little ways you can manipulate LastPass in the advanced settings, available only from the Vault. For example, you can better secure your account using two-factor authentication. LastPass integrates with all of the following multifactor authenticators:
- LastPass Authenticator
- Google Authenticator
- Fingerprint / Smart Card
- Salesforce Authenticator
You can also make other interesting security adjustments, like disallow logins from Tor networks, set other devices running LastPass to log off automatically when you log in to a new device, and even let LastPass know when some URLs have the same login information (a good way to autofill websites with multiple login pages).
Should you use LastPass?
LastPass is a strong contender if you’re looking to have a more secure password management option than your built-in browser manager. That said, it might be worth exploring some of the other options out there before making a decision.
Nevertheless, LastPass has an almost ludicrous amount to offer. The password tools are strong and secure. And while the bulk import for other passwords is can be a bit annoying, it doesn’t take more than a few minutes when done correctly, and you’ll likely only have to do it once.
The primary reason we marked LastPass down in our previous review was because of its lousy user interface. The company has since upgraded it with a rather attractive, modern aesthetic, which you may not even use that often if you’re using LastPass for its primary functions. The company even gives you the option to revert back to the boring 3.0 interface if you so choose.
Additionally, LastPass is also available as a mobile application, which unlocks a few additional benefits. With the mobile app version, you can also save and autofill passwords for your all of your mobile apps. And since the passwords are stored securely in the cloud, you’ll have access to all of your website passwords through the mobile app version as well.
LastPass is a fairly powerful and thankfully modern security tool. Given it’s also one of the cheapest options among its competitors, with even the free option providing more than enough features for the average user, LastPass is password manager worth giving a shot.
LastPass and password managers
Password managers are a growing trend, and LastPass is one among many services now offering password protection and storage. These programs are designed to help consumers better organize their growing number of passwords, as well as help secure those passwords in a manner befitting the internet age.
The broad questions regarding both LastPass and password managers, in general, are going to be, “do I need this?” and “does it work as intended?” While we took a more detailed look into LastPass above, we can more easily address the overall need for password managers from a broader perspective.
Most internet users already employ a password manager; they just might not realize it. If you’re an Apple user, the company utilizes its own password manager for your Apple devices in the form of Keychain. If you’ve saved passwords to Keychain (you probably have), you can log into your accounts across your devices quickly and easily. Keychain was actually a project Apple initially conceived of in the 90s and began to fully flesh out and utilize in its desktop, laptop, and mobile operating systems in the early 2000s.
If you’re a Microsoft or Android user, you’ve probably still dipped your hands into the password manager waters as well. Most web browsers now come with built-in password management systems, notably Chrome and Firefox. For Android users, password management is connected to your Google account, so you’re likely already able to access your saved passwords on your Android mobile devices and Chrome browser seamlessly.
Yes, you need a password manager
Do you need a password manager? Unequivocally, yes. In a 2016 poll, Intel Security found people have, on average, 27 different password-protected accounts. The survey also found that most people not only don’t use dedicated password managers (probably not the case if you count built-in browser managers) but that 37 percent of surveyed adults forget at least one password per week.
I’ll easily admit to being one of those 37 percent, even with my password managers in place. But forgetting passwords is less of a concern than the security risk associated with having so many accounts in the first place. Unfortunately, most people utilize the same, or a small number of passwords across all of their accounts. This is fundamentally dangerous, given just how many of us are losing our passwords in data breaches these days. And if a hacker gets a hold of that one password you’ve been using for the past 5 years for all of your accounts, he’ll have access to all of your accounts. I probably don’t need to explain why that’s a problem.
So password managers like LastPass and its many competitors exist to not only reduce the number of passwords you need to remember but also to help you mix it up a bit on the variety and strength of those passwords. As long as you don’t have to remember 27+ passwords by yourself, you can easily have a different password for everything. And since writing down all of your passwords on sticky notes is a bad idea (just ask the Hawaii emergency alert worker who took a fall for that gaff following the accidental missile strike warning), you need a password manager for your security and to make your life easier.