By: Marvasol, Inc.
LastPass is a product from the US-based software company LogMeIn Inc. The habit of using capital letters in the middle of the name makes the lineage even more obvious.
The product gets its name from the fact that the Master Password is supposed to be the last password that the user needs to remember once he/she starts using the service.
LastPass has been on the password manager scene for a long time now. The service has a lot of loyal users, and that should signify that the service provider must be doing some things right.
This review will try to find out all the things that LastPass has been doing right, and we will also try to figure out if there is room for some more improvement in the service.
Since it is a password manager, we will have a keen eye for the methods that the service provider employs to keep the user’s data safe on the manager.
Along with security, several other areas will also undergo detailed analysis, among them security monitoring, the emergency measures, and the sharing of data.
There will be some direct comparisons with the other password managers as well.
The review will end with the reader having a lot of knowledge about LastPass as well as password managers in general.
Most of us know LastPass as a web-based product that also offers mobile applications.
However, the downloads section of LastPass may give you a bit of a surprise when you see the download options for Windows, MacOS, and Linux as well.
But don’t get carried away yet. Once you download these so-called desktop applications and install them on your PC, you will realize that it is nothing but a browser link for the web-based application.
We must admit that we felt a little cheated after finding out what the desktop applications from LastPass really are. But there turned out to be a silver lining in all of this.
Once you download and install the desktop application, it automatically detects the passwords that are stored on your device in an insecure way. The application then offers to save all these insecurely stored passwords in the vault for the user.
Other than the desktop applications, there was nothing out of order in the downloads section. The manager can be downloaded as a mobile application from both Google Play and the App Store.
The browser extensions are for Chrome, Firefox, Internet Explorer, Safari, and Edge web browsers. These extensions make it a bit easier for the user to access the password manager.
Other than a dedicated desktop client, there is not much that the user will miss. The absence of local desktop clients also makes synchronization a lot easier across the service.
The service provider made sure that there are ample ways available for the user to access the password manager even in the absence of a dedicated client.
Since the service is mostly cloud-based, there are no concerns when it comes to platform support for the service.
Mainstream password managers store a lot more than just passwords these days. LastPass is, without a doubt, a giant in the password manager scene, and you can expect a big yet well-organized vault from it.
LastPass allows the storage of 50 MB data for the free users and up to 1 GB for the premium users. Keeping in mind the nature and form of data that gets stored in these applications, 1 GB is more than enough by any margin.
The user won’t feel the need for additional storage space on the service even after saving thousands of passwords on it.
The vault is divided into various categories in the web app. At first glance, it will seem as if there are five categories in which the user can store information, but a little investigation shows that there is more to the vault than what appears at the beginning.
There are a lot of categories which are not displayed on the home screen until there is some content inside the category. On top of all these categories, the user also gets to create a custom category in the manager.
Let us discuss the important ones among these categories and try to find how they make life easier for the user.
What category could be more critical than Passwords in a password manager? There are multiple ways to save a password in this category.
The first is to add the credentials manually in the application. This method is fine if there are only a few passwords, but we don't recommend it for a large number of them.
If you are switching from some other password manager to LastPass, then you can try importing the passwords from the other password managers using a .csv file. There is a guide about this subject in the help section of the service.
You can also import passwords from a custom .csv file if you happen to have a file with all your passwords and the other details. However, we hope that you don’t have such a file, as it is not a very bright idea to store such sensitive information in such an insecure way.
The last and easiest method is to let the manager do the job for you. Whenever you log in to a website, it will prompt you to save the credentials in the manager if they are not stored already.
All it takes is just a click to save the password in the manager.
Once you have all the passwords saved, there are a lot of options for customizing the tab. The manager automatically sorts the passwords according to the category of the website and allows you to modify that as well.
We feel that the service providers should have done a better job naming this category. It saves not just the address but the whole profile of a person.
And what makes it so important is the fact that these details can directly be auto-filled in various forms on the internet. It helps while signing up for a new service and reduces the time consumption significantly.
You can store more than one profile in this category even though you may never need it to be auto-filled anywhere.
You can eliminate the need to reach out for your card and enter in all the details and credentials while making an online payment.
Use LastPass as a digital wallet instead. It will require you to enter in the card details just once in your LastPass account and be done with the need to enter the same details for every transaction.
Once you have saved your card details, the next time you need to make an online payment, just click on the autofill icon of LastPass and choose the card which you want to use to make payment.
Some might argue that most online stores offer the option to save cards and addresses, so why go with LastPass?
We acknowledge that online stores do offer the storage of card and profile information for faster transactions, but not all of them can be trusted.
The avenues to make online purchases are increasing exponentially, and it won’t be a smart move to save your sensitive data on all such sites.
With LastPass, you don’t even need to go through the process of saving your card information on each site, which would require you to type it in at least once per site.
Keystroke loggers will also not be one of your concerns, since you are not typing in the important details: the manager fills them in for you.
If installed on your device, a keystroke logger records every key you press while using the device, and it is then not a very tough task for an attacker to work out your passwords and other important details.
You can make use of both ‘Addresses’ and ‘Payment Cards’ to make faster online transactions. The sections also make it a lot easier to use different combinations of cards, addresses and profiles when making transactions.
LastPass offers the user the option to store a lot of other details, sorted by category. Even though the user may not need to refer to these details very often, their importance cannot be underestimated.
You also get the option to add your custom-made category on top of the ones already present in the application.
Some of the categories already present on the client are driver’s license, passport, Wi-Fi password, software license, database, etc. Now we can start explaining the importance of all of these categories individually, but we guess we should boil it all down in a sentence for you.
You can save ANY information in the LastPass vault and access it anytime if you have access to the internet.
The sheer number of categories already available in the application helps the user sort all the data effectively while securing it. But we feel that a lot more flair could have been added to the sorting feature.
Many password managers allow color coding of the various categories alongside the usual sorting methods to make the process a lot more intuitive for the user. Dashlane is one such password manager, with exceptional sorting and categorization techniques implemented in it.
How often has a past mistake come back to haunt you?
Using weak and easy-to-guess passwords, or the same password for every website, are mistakes most of us have committed at some point. Some people still follow bad password practices without realizing the risk they carry.
The Security Challenge feature of LastPass allows the user to undo all such past and present mistakes and strengthen the security across all his/her accounts.
The manager scans all the passwords for the last time they were changed, if they are repeated for different accounts, if they are compromised or not, if the website is compromised or not, etc.
The current state and strength of the user’s password is also assessed in the Security Challenge.
Once the user goes for the challenge, the manager asks for the Master Password one more time. Then the manager displays the result in a suitable time depending upon how many passwords are saved in the manager.
The maximum possible score is 100, in which ten is for the use of Two-Factor authentication. We will discuss Two-Factor authentication on LastPass in the later sections of the review.
Along with the security score, the manager also displays the user’s standing among all LastPass users and a score for the user’s Master Password as well.
Depending upon the anomalies found in the security standards for various passwords for the user’s accounts, the manager then suggests the possible remedies.
All the compromised passwords are given the top priority. These are then followed by weak, reused, and old passwords.
Some of these passwords can be changed directly from the manager using ‘Auto-Change.’ Once you click the ‘Auto-Change’ button, the manager will automatically log in to the account, replace the password with a strong one, and save the new password for the user.
It is a convenient and fast method to make the changes, but this feature is not available for all the websites. For these websites, you will need to manually login into your account and then change the password.
LastPass can still be used to generate strong passwords and save them simultaneously on the manager.
There is no need to worry if you ever need to know one of the old passwords that you changed using LastPass. You can view all the old passwords for an account through the ‘history’ icon on the password entry.
The manager provides a window with detailed stats about the passwords. The user can separately assess the different sections and get a better idea of the shortcomings in his/her password practices.
Once all the inadequacies are addressed, there will be an improvement in the Security Score on subsequent testing.
The user should try to reach for a score in the green region. The absence of Two-Factor authentication is not cited as an issue, but it is essential to get a security score above 90 as it counts for 10 points.
The stats window shows the strength of individual passwords as well. The service provider suggests that the user should at least try to have a score above 50 for all the passwords individually, else they are classified as weak.
The ‘Sharing Center’ in LastPass makes it easy for the user to share passwords and other items stored in the vault with other people, such as family members or team members in the office.
You can also get access to the content which others have shared with you on LastPass.
To share an item, all you need to do is go to the ‘Shared with others’ tab of the Sharing Center, click on the ‘Share item’ icon, and fill in the requisite details. There is also an option to share the password directly from the website using the browser extension.
The recipient also needs to have a LastPass account in order to access the shared items.
You also get to decide the extent of access that the recipient gets by choosing if you want to let him/her see the password or not. There is an option to revoke access to the shared items whenever you want.
However, one downside of this sharing feature is that the recipient may be able to see and store the password using some advanced techniques. Therefore, it is important to make wise decisions when it comes to sharing passwords with other people.
There is a ‘Shared with Me’ folder in the Sharing Center where you can accept the items that other people have shared with you. There is an option to reject the invitation if you deem it irrelevant.
With the sharing feature of LastPass, you can improve productivity while staying safe if the recipients are reliable enough.
There is an option to allow other people access to your account in case of emergencies. The feature might prove to be beneficial in crunch situations.
You can choose some trustworthy people and allow them to retrieve data from your vault if you get locked out of your account for some reason.
The other person needs to have an active LastPass premium account so that you can add him/her as one of your emergency contacts.
You can set the time period after which the access to the vault will be granted after initiating the request. During this period LastPass will try to reach you and notify you about the emergency access request.
You can intervene during this period and prevent the manager from allowing the person to look inside your vault.
However, since there are ways to regain access to one’s account even if the Master Password gets lost, we don’t see much benefit of the Emergency Access on the client.
The user should try to rely on other methods to regain access to his/her account instead of allowing others to access the contents of the account.
Security is going to be a huge concern on a password manager as it can be used to undermine the security on the rest of the user’s accounts.
The security model of most password managers may seem alike, as they all make use of a Master Password and claim AES 256-bit encryption for the vault, which is the most robust encryption available.
Well, things are just not as simple as they appear to be. There is more to the security of a password manager than just the encryption and the Master Password.
Let us try to understand the architecture behind the security mechanism of LastPass in elementary terms.
It all starts when the user tries to log in to the LastPass account using the username and the Master Password. The client locally generates two things from them: a hash and a decryption key.
The hash is analogous to an obfuscated version of the Master Password. The service uses PBKDF2-SHA256 to make a salted hash.
By salted hash, you should understand that it becomes even harder for an attacker to recover the Master Password from the hash: the salt means that precomputed tables cannot be reused against it, and the PBKDF2 rounds multiply the work needed for every guess.
When the password hash reaches the server and is accepted, the contents of the vault, stored in encrypted form, are sent to the device. LastPass uses AES 256-bit encryption to secure the contents of the vault.
Once this encrypted data reaches the device, the key generated using the Master Password is used to decipher the contents of the vault.
The user should know that the key never leaves the device, which prevents anyone else from obtaining the key and leaking the contents of the vault.
The advantage of storing the data in an encrypted form in the LastPass servers is that even if someone gets access to the server, it will still take him/her billions of years to make out the contents under the encryption layer.
The security mechanism employed by LastPass is as robust as it can get, and then they have a few more security features on top of it.
Two-Factor authentication is the first thing that comes to mind when additional security features on a password manager are discussed.
We will discuss Two-Factor authentication in the upcoming sections.
LastPass is SOC 2 Type 2 compliant, which should help the user trust the service. SOC 2 is a set of criteria for handling customer data, based on rigorous auditing standards.
The bug bounty program of LastPass can also be counted as one of the security features as it helps make the security even more robust on the manager.
The security measures undertaken by LastPass seem reliable and capable enough to trust the service with the passwords and other important data.
Almost all password managers use the Master Password as the only means for the user to access the account. That makes the system tough to breach, as there is theoretically only one point of access.
But this also makes for a single point of failure. Everything relies on the Master Password, and if the hacker somehow gets hold of it, the implications can be disastrous.
Two-Factor authentication helps combat this issue by creating the requirement of another key which will be needed along with the Master Password to login into the user account.
It adds another layer of security to the system and makes it tougher to breach the system. There are various options available on LastPass when it comes to choosing the authenticator for this feature.
LastPass has an authenticator of its own, which can also be used when enabling Two-Factor authentication.
Other options include popular authentication services such as Google Authenticator, Microsoft Authenticator, YubiKey, RSA SecurID, etc. The user can choose between hardware and software-based authenticators.
It is very easy to set up Two-Factor authentication on LastPass. The guide to enabling Two-Factor authentication for the service is available on the support page of the manager.
There is also an option to add a device in the ‘Trusted Devices’ list. It will eliminate the need to use Two-Factor authentication on that device for 30 days.
With this feature, the user can make sure that there is a need for Two-Factor authentication every time there is a login from an unknown device.
We all know how important it is to follow sound password strategies. It starts with the rule of not using the same password for all the accounts as a breach in just one of them can soon affect all your accounts.
The next most important rule is to stay away from the frequently used and easily guessable passwords and use strong passwords to secure the account.
However, it is not an easy task to come up with a strong password every time especially if the user has a lot of accounts.
This is where password generators come in handy. LastPass also provides a password generator which the user can employ to generate as many strong and unique passwords as he/she wants.
The generator can be easily accessed from the browser extension also. There are various parameters which the user can change to generate the password of his/her preference.
You get to choose between numbers, symbols, uppercase characters, and lowercase characters. On top of this, you can control the length of the password also.
Once you get a password you like, you can copy it from the generator window or click on the ‘Fill Password’ button to fill it directly into the website.
To make the feature better, LastPass could have gone with the option of suggesting passwords as well. In this feature, the managers automatically suggest a strong password to the user whenever needed.
Since we are discussing the password generator of LastPass, it is worth mentioning the username generator from the service as well. It is available neither in the web application nor in the browser extension.
You need to access it separately on the web. We found it very useful and intuitive. It seems to work on the same algorithm as the password generator of LastPass.
So it might not be a terrible idea to tweak the settings of the password generator and use it as a username generator.
We discussed all the cool features available on LastPass which are supposed to make life easier for the user.
But when not appropriately implemented, these features start to repel the user from the product. Something similar happened to us when we used LastPass for some time.
Let us first discuss the autosave feature of LastPass. Ideally, it is supposed to save the credentials and the passwords when the user signs in to a service.
But this was not always the case with LastPass. The manager was not able to detect the credentials every time, and we had to add the details to the manager manually.
The browser extension should be used more effectively to counter such anomalies. If there were an option in the browser extension to save content related to the site currently in the display, it would have been easier for us to manually fill in the details in the manager.
If we talk about the auto-fill feature of the service, there were again some issues. Even if we used LastPass to auto-fill the details for signing up on a website, it was unable to provide the login details on the login window.
It got even more annoying when we realized that we had used the password generator of the service, as we now needed to open the vault and then enter the password into the respective field.
There were also many times when we felt the service was not snappy enough and the autofill and autosave icons did not pop up quickly enough.
The specific case that annoyed us most was when we tried to log in to our SoundCloud account. We had used the form autofill of LastPass while creating the account, yet it never showed the autofill icon for the password on the login page.
The manager had absolutely no problem logging in to the service when we did it directly from the vault. But each time we tried getting in through the login page, we got nothing from the password manager.
It may sound like we are critiquing the service a bit too much, but these minor issues do more harm than good to the service. The service provider should focus some attention on the subject and make autofill and autosave more efficient.
Since LastPass lacks a dedicated client, it lacks customization options as well. There is nothing much that the user can do to modify the application according to his/her preferences.
There is just a web application for the manager which does not leave much room for the user to make any changes in the client.
However, there are some options available to make a few changes in the user’s account itself. When you click on the ‘Account Settings’ option on the side panel of the application, it will serve you with a bunch of settings options for the account.
The options are presented on a pop-up screen. It is divided into various categories which serve the user with various settings for the account.
The first category is ‘General,’ and it helps the user with the option to change the Master Password, change the language, change time zone, etc. It also contains the option to set up an SMS recovery phone number to deal with the emergencies.
The next section is ‘Multifactor Options,’ and it displays a full range of multifactor options available on the manager. You can set up as well as make changes in the options available.
The next two sections are ‘Trusted Devices’ and ‘Mobile Devices’ respectively. The first one is to add any device in the list so that it won’t ask for multifactor authentication in the future. And the second one lets you decide what smartphones and tablets get access to your LastPass account.
‘Never URLs’ is to add any specific website on which you don’t want the manager to work. ‘Equivalent Domains’ can be used to mark websites on which you have the same login credentials.
Apart from these settings options, there are a few more options that are scattered across the manager and have already been mentioned in the previous sections.
Even though all the options presented seem useful, there is no denying the fact that a dedicated client would have made things a lot better.
You should now have a clear idea as to why this is such a popular password manager. LastPass is filled with features that draw the user towards the service.
But there are also some things about the manager that don’t make us feel excited about the service. Let us first recall all the good parts though.
The storage space, as well as the storage options on the service, are excellent. They present so many categories to the user that the need to create a new section in the vault is hardly ever felt.
It is easy to save passwords as well as other items on the client. The Security Challenge feature on the client is an exciting way to keep all of the user’s accounts safe.
The scoring system acts as a big motivator and helps the user strengthen the security of his/her account.
We have no issues with the security measures used for the service. The strong encryption of the vault, together with the salted hashing of the Master Password, leaves the stored content practically impossible to decrypt without the Master Password.
The inclusion of Two-Factor authentication makes the user’s account even more secure. The password generator also aids the process by generating not-easy-to-guess passwords.
However, the absence of a dedicated desktop client for the service seemed to be the biggest roadblock in the manager becoming more accomplished.
It limits the password manager only to online usage and makes it tough to use along with locally stored desktop applications.
LastPass does its job very well as a password manager, and we do recommend this service if the user has no desire for a desktop client and offline usage.