LastPass Preview

Simple password management

By Kim Key

The Bottom Line

Following a major security breach in which users' encrypted vault data was stolen, LastPass needs to make changes to regain public trust.

Pros

  • Supports passwordless vault login
  • Comprehensive password strength report
  • Offers dark web monitoring tools
  • Secure password inheritance

Cons

  • Stores unencrypted URLs in user vaults
  • Limited free plan
  • Few import options
  • Does not support U2F

LastPass Specs

Import From Browsers
Two-Factor Authentication
Fill Web Forms
Multiple Form-Filling Identities
Actionable Password Strength Report
Digital Legacy
Product Category Password Managers
Secure Password Sharing
Product Price Type Direct

Editors' Note: Previously, LastPass had been a four-star Editors’ Choice product. In late 2022, the company announced that a data breach exposed users' encrypted vault data and other unencrypted personal data. Additional details about the breach and the aftermath came to light in February 2023.

Because LastPass initially failed to inform its users of the breach and to adequately protect them, we removed the score and Editors' Choice designation from this review. PCMag is currently reviewing its recommendations of password managers and retesting them.

At this time, we recommend open-source Editors' Choice winner Bitwarden for anyone looking to switch to a new password manager.


Keeping track of dozens or hundreds of strong and unique passwords isn't possible without a password manager. Using a password manager is difficult without trusting the company behind the product. At PCMag, we expect password management companies to secure users' credentials and inform customers when their vaults may be at risk. In 2022, LastPass failed to immediately inform users after a malicious third party stole data related to their encrypted vaults. The breach and security incident also revealed that LastPass stores unencrypted URLs in user vaults, a practice that can potentially expose users' credentials.

As of now, we no longer recommend LastPass because we cannot trust the company to alert users promptly about future security incidents. This review, however, outlines the pricing, features, and notes from our hands-on tests with LastPass.


How Much Does LastPass Cost?

LastPass offers three different plans for consumers: Free, Premium, and Family.

The Free edition includes standard password manager capabilities such as auto-filling, a password generator, secure notes, a password strength report, and support for multi-factor authentication. LastPass' free tier limits credential sharing to one-on-one, restricts vault syncing to a single device, and does not offer advanced multi-factor authentication options.

Other free password managers, such as Enpass, limit the number of passwords free users can save. Then there's Dashlane and Keeper, which are free if you use them on a single device. Bitwarden’s free version does not impose limitations related to cross-device syncing or total passwords.

LastPass Premium costs $36 per year. In addition to all the free version’s features, you gain one-to-many password sharing, advanced multi-factor options (such as YubiKey support), Emergency Access features (password inheritance), dark web monitoring, priority tech support, the LastPass for Applications app, and 1GB encrypted file storage.

The top tier for non-corporate accounts is LastPass Family, which costs $48 per year. LastPass Family subscribers get six LastPass Premium licenses, unlimited shared folders, and access to the LastPass family dashboard.

LastPass’ pricing for its Premium and Family versions is slightly more expensive than equivalent versions of competing software. For example, Keeper Password Manager and Digital Vault’s Personal and Family tiers cost less than LastPass at $34.99 and $74.99 per year. Bitwarden’s Premium and Family versions are significantly cheaper than LastPass at only $10 and $12 per year.


Getting Started With LastPass

To sign up for LastPass, enter an email address and create a strong master password. Only you know the master password, so if you forget it, LastPass cannot help you access your vault.

After you create your account, LastPass offers to install its browser extension, which is how you log in to the service. If you choose to skip this setup, you can always use the LastPass Universal Windows, macOS, or Linux installers to add the LastPass extension to the browsers on those platforms. LastPass offers Chrome, Firefox, Edge, Safari, and Opera browser extensions.

Once you log in, LastPass walks you through saving a password for Google, Facebook, PayPal, or Netflix. Pop-up notifications explain that you first log in as usual and then click the Add button when LastPass offers to save it. LastPass also takes you on a quick tour of the Web Vault.

During installation, LastPass used to offer to import passwords from your browsers and turn off password capture in the browsers. This feature is still available; it just doesn't happen as part of the installation.

LastPass can import from six competing products: 1Password, Bitwarden, Dashlane, KeePass, Keeper, and Roboform. That's not many compared to Keeper, which can import from nearly 20 competitors. LastPass can also import passwords stored in Chrome, Edge, Firefox, Internet Explorer, Opera, and Safari.


Multi-Factor Security

It doesn't matter how complex your master password is if a thief gets it. LastPass requires email verification the first time you log in from a new device, which is good. But you can seriously enhance your security using the available multi-factor authentication options. To set up multi-factor authentication, head to Account Settings > Multifactor Options tab in the Web Vault.

The available multi-factor authentication options depend on your subscription tier. Free users can use an authenticator app. Setting up an authenticator app requires snapping a QR code using the app of your choice. Each time you log in, you'll need to supply a time-based one-time password (TOTP) generated by the app (essentially a six-digit code that typically changes every 30 seconds) in addition to your master password.

LastPass also offers authentication through its LastPass Authenticator app, which lets you accept or reject a login attempt via a push notification without entering the six-digit code. LastPass recently announced it is consolidating the enterprise-focused LastPass MFA app into the LastPass Authenticator app and integrating the former's passwordless authentication capability.

Don't have a smartphone? You can print a wallet-sized authentication grid. Talk about low-tech!

Premium users can use hardware keys (such as a YubiKey) or biometric options as a second authentication option. LastPass does not support the more modern Universal 2nd Factor (U2F) FIDO 2 standard, instead relying on an OTP-based method. When you tap a YubiKey to log in, the key supplies a string of numbers for authentication. 1Password, Dashlane, Zoho Vault, and many more password managers support the U2F authentication method.

Multi-factor authentication can get tedious after a while, so LastPass lets you define specific devices as trusted. When you log in from a trusted device, you only need the master password. Trust expires every 30 days, and you can delete a lost device from the trusted list. For even more control, you can ban logins from any device not already on the trusted list.


LastPass Web Vault and Browser Extension

LastPass offers desktop apps for Windows (via the Microsoft Store) and macOS, but you can manage all your passwords and personal data on the web. LastPass’ Web Vault uses a red, gray, and white color scheme and a straightforward layout.

At the top of the interface, there’s a search bar for sifting through all your saved data. A right-hand drop-down menu lets you access your Account Settings and other helpful resources. In the Account Settings section, you can define equivalent domains such as youtube.com, google.com, and gmail.com. A password for one is suitable for all.

LastPass Web Vault
(Credit: LastPass)

You navigate the experience via a left-rail menu that includes All Items, Passwords, Notes, Addresses, Payment Cards, and Bank Accounts sections. Secure notes store and sync sensitive information, optionally with an attachment. Addresses are similar to what previous editions called Form Fills. Payment cards and bank accounts are self-explanatory. If you add one of LastPass’ item types, such as driver's licenses, passports, or Social Security Numbers, those categories also appear in this menu. We discuss these item types in more detail in the form-filling section. You add entries and folders via the red plus button at the bottom of the page. The left-hand menu includes the Security Challenge, Sharing Center, Emergency Access, and Account Settings sections.

The middle of the screen is reserved for viewing and editing your stored details. You can view entries in a list or grid view, sort entries and folders alphabetically or by recently used, and switch to a slightly magnified view.

Hovering over a password entry reveals three icons for editing, sharing, and deleting. We will discuss sharing options in a later section. Right-clicking on the item allows you to clone it, copy the username or password, launch the associated site, or move it to a new folder. LastPass supports dragging and dropping items into folders. When you edit an item, you can change its displayed name, add a note, or add it to your favorites. Advanced options let you require reentering the master password for the item, autofill it without waiting, and keep the entry but disable autofill entirely.

LastPass Browser Extension
(Credit: LastPass)

Although LastPass does offer the ability to organize items into custom folders, it does not support the creation of separate vaults (such as for personal and work passwords), something 1Password does.

One oddity spotted in the LastPass vault following news of the data breach: unencrypted URLs related to credential entries. When your password manager captures usernames and passwords around the web, it also stores the URL of each site in the vault. Bafflingly, LastPass does not encrypt these URL text strings, though they could contain username or password information. This choice seems like another security incident waiting to happen, so we recommend LastPass change its policy on storing unencrypted URLs.
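To see whether your own stored URLs carry this kind of information, you can audit a vault export. The following is an added example, not part of the original review and not a LastPass tool. The two-column `name,url` CSV, the sample rows, and the list of sensitive parameter names are all constructed assumptions.

```python
import csv
import io
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Assumed list of parameter names that commonly carry secrets; extend as needed.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "access_token",
                    "api_key", "apikey", "secret", "session", "sid", "auth"}

# Constructed sample export: one entry per line, name and stored URL.
SAMPLE_EXPORT = """name,url
Intranet,https://alice:hunter2@intranet.example/login
Reports,https://reports.example/view?id=7&token=abc123
OAuth app,https://app.example/cb#access_token=xyz&state=1
Bank,https://bank.example/signin
"""


def audit_url(url: str) -> list:
    """List where a stored URL exposes credentials, without echoing the values."""
    findings = []
    parts = urlsplit(url)
    if parts.username:
        findings.append("username in userinfo")
    if parts.password:
        findings.append("password in userinfo")
    for source, raw in (("query", parts.query), ("fragment", parts.fragment)):
        for name, value in parse_qsl(raw):
            if value and name.lower() in SENSITIVE_PARAMS:
                findings.append(f"{source} parameter '{name}'")
    return findings


def redact_url(url: str) -> str:
    """Keep only scheme, host, port and path: enough to match a site on autofill."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, "", ""))


def audit_vault(csv_text: str) -> list:
    """Return (entry name, findings, redacted URL) for every risky entry."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_url(row["url"])
        if findings:
            report.append((row["name"], findings, redact_url(row["url"])))
    return report


if __name__ == "__main__":
    for name, findings, safe in audit_vault(SAMPLE_EXPORT):
        print(f"{name}: {', '.join(findings)} -> store instead: {safe}")
```

Entries flagged this way are worth editing down to the redacted form and, where the exposed value is a live password or token, rotating at the site itself.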

We tested the LastPass extension on Chrome. You can view recently used passwords from the extension, view all items, and generate new secure passwords. The Add Item and Account Options items redirect you to the Web Vault. You can launch the associated website directly for specific password entries, copy the username or password, and edit them.


Password Capture and Replay

When you log in to a secure site, LastPass offers to save your credentials. You can click Add to continue or the pencil icon to edit the entry. You can assign the captured login to a new or existing folder or tell LastPass you never want to save a password for the site. You can't enter a friendly name directly in the pop-up window, but you can take care of that in the main interface.

LastPass Password Replay
(Credit: LastPass)

In testing, LastPass captured logins from both one- and two-page logins without issue. LastPass does not fill in your credentials when you revisit a site by default, but you can enable the auto-login option on a per-account basis.


Security Dashboard

Getting all your passwords safely stored with LastPass is an excellent first step, but it's not enough. Now you need to fix the weak ones and the ones you've recycled for use on multiple websites. That's where LastPass' Security Dashboard comes in.

Click the Security Dashboard menu item to get started. On the main screen, you see a security score LastPass calculates based on the strength of your passwords and whether you have multi-factor authentication enabled.

LastPass Security Dashboard
(Credit: LastPass)

Click on the View button to see a list of all the passwords in your vault. LastPass rates the strength of each password, then identifies any potential risks (old, reused, or weak), and adds a Change Password button for any offending items. The button does not automate the password change. Instead, it takes you to the login's associated website.

Another feature is LastPass' Dark Web Monitoring for Premium and Family account holders. After enabling this protection, a list of all your associated account emails appears in the section. You can choose which ones to monitor and will receive an email notification if any are compromised.


Password Generator

When you sign up for a new account or change your password for an existing account, LastPass offers to generate a secure password. We recommend making your password at least 20 characters long and including symbols.

LastPass Password Generator
(Credit: LastPass)

By default, the LastPass password generator creates 12 characters, fewer than competitors such as Keeper and Dashlane, which default to 20-character passwords using all character types (letters, numbers, and symbols).

When you change your password, LastPass offers to update the associated entry. This works whether or not you accept the aid of the password generator.


Emergency Access

What happens to your passwords when you die? How will your heirs access your bank account or tell your social media circle what happened? The Emergency Access feature lets you define one or more contacts who can access your passwords in the event of your untimely demise. This feature is not available to free users.

Emergency Access in LastPass works similarly to Dashlane’s and Keeper’s equivalent features. You enter your recipient's email address and define a waiting period. Recipients must install LastPass and accept your connection request. Now, if something happens to you, the recipient simply requests access to your account. Dashlane lets you pass along just a subset of your saved credentials—for example, you might define a coworker as the recipient of your work-specific passwords. That's not an option in LastPass. Zoho Vault distinguishes work passwords from personal ones; the administrator can unilaterally take over work passwords for an ex-employee.

Here's where the waiting period comes in. Suppose your trusted recipient decides to jump the gun and get your passwords before you've kicked the bucket. The initial request for access triggers a notification, and you can deny the access request at any time during the waiting period. In a real emergency, your recipient automatically gets access after that time elapses.

Clicking Emergency Access lets you view two pages, People I Trust (your password heirs) and People Who Trust Me (those who've made you their emergency access contact). You can delete anyone from the list or change the waiting period on the People I Trust page. You can bow out of the emergency access role on the People Who Trust Me page.


Password Sharing

You shouldn't share your passwords promiscuously, but some situations merit sharing. You and your partner may use a joint bank account, for example. If you must share credentials, you should do so safely.

LastPass Password Sharing
(Credit: LastPass)

Free LastPass users can only set up one-to-one sharing, but Premium and Family subscribers can share one item with several other users. Those who pay for a Family account can share an unlimited number of folders.

Sharing a password is easy. Select an item in the vault, click the sharing icon, and enter the recipient's email address. Recipients who already use LastPass will receive a notification that a new share has arrived; others will get an email explaining how to create an account and accept the share. The recipient can use the shared item to log in. The person sharing the password can manage the recipient's access to the credential via the Sharing Center in the web vault. There, you can control whether the recipient can view the password while they have access to it. You can also relinquish access to credentials others have shared with you or cut off others with whom you've shared passwords.


Filling Web Forms

You can store multiple Addresses, Payment Cards, and Bank Accounts in LastPass, each with various personal and contact information. RoboForm lets you create multiple instances of any form-fill field, while Dashlane stores the various components of personal data (phone numbers, emails, and so on) separately.

LastPass Addresses
(Credit: LastPass)

LastPass can store many other types of personal data, too, including driver's licenses, passports, insurance policies, and your Social Security Number.


Secure Notes and Online Storage

Secure notes are another way to store information in your LastPass account that doesn’t fit into any other categories.

Only Premium LastPass subscribers get online storage, but the total space is limited to 1GB. You can’t upgrade this storage. To store an attachment with LastPass, you must attach it to an item. By comparison, Keeper’s Family Plan includes 10GB of storage space.


LastPass for Mobile

We tested LastPass on an iOS device and had no issues logging in to the test account. LastPass does well at keeping the user experience the same across different platforms. Android and iOS editions have all of LastPass’ features, including a password generator, emergency access, sharing center, and security challenges sections.

LastPass Mobile App
(Credit: LastPass)

In addition to app-based authentication options, you can configure LastPass to authenticate using your device's biometric login options. LastPass supports face- and fingerprint-based authentication methods on Android and iOS devices. YubiKey authentication requires a YubiKey model that supports authentication via NFC (Near Field Communication) or your phone’s connection type (such as USB-C or Lightning port).

In previous tests, filling in site forms on mobile devices using LastPass was a bit clunky, but the experience has improved. On iOS devices, LastPass replaces Apple's Keychain functionality, so you can use the credentials stored in your vault to fill, create, and save logins around the web without having to open the LastPass app. Users running Android 11 or newer get a similar autofill experience.


LastPass for Business

LastPass makes it easy for administrators to see who is following password policies on the job and who is not. For example, the administrative dashboard shows the company’s enrollment rate with the password manager, user activity, and average password security score.

LastPass for Business Admin dashboard
(Credit: LastPass)

LastPass’ reporting dashboard is the most comprehensive real-time breakdown of employee interaction with the password software we’ve seen from a password management company. Only Dashlane comes close with its reporting dashboard for administrators, but it doesn’t hold the wealth of information about employee password habits LastPass offers.

Each employee has access to a vault where they keep their work-related credentials. From the Users page, the administrator can see all the employees invited to use the password manager, when employees last used the software, whether employees enabled multi-factor authentication (MFA) for their account, password security scores, and other options.

As with competitors Dashlane and Zoho Vault, LastPass supports single sign-on (SSO). SSO reduces the number of passwords employees must memorize to get into their work accounts. Admins add applications such as SSO, MFA, and password-less apps from the Applications section of the Admin console.

LastPass commits to helping administrators encourage MFA. Admins can enforce many types of MFA for linked SSO applications, including app push, phone calls, one-time-passcodes, SMS, or YubiKey.

The app also has federation integrations with ADFS, Azure AD, Google Workspace, and Okta, meaning employees access LastPass using their existing corporate credentials in their current workspaces. Eliminating the need to remember another password could make a password manager more attractive to employees.

LastPass Business also includes a free Families account for every employee to encourage vigilant password practices at home. The LastPass Families data is separate from the Business data. LastPass has a zero-knowledge security model, so only the users know their passwords. If an employee leaves the company, their Families account unlinks from the Business account. Like Dashlane's Business tier, the former employee can buy a Families plan or let the account become a Free account.


LastPass Lost Our Trust

The company's poor public response to the data breach and subsequent security incident and its practice of storing unencrypted URLs in vaults are the primary reasons why LastPass is losing our trust and why the product has lost our Editors' Choice designation. Transparent answers for customers about when their data was accessed may help repair the company's standing with the public. We intend to continue holding the company accountable for keeping users informed and keeping their data safe.

We recommend switching to an open-source password manager because the software is collaborative, so security problems are often discovered and fixed quickly. Our Editors' Choice winner for open-source password management is Bitwarden. Keeper Password Manager & Digital Vault and Zoho Vault are also Editors' Choice winners in the password management category because they have innovative features and are easy to use.


About Kim Key

Security Analyst

As a PCMag security analyst, I report on security solutions such as password managers and parental control software, as well as privacy tools such as VPNs. Each week I send out the SecurityWatch newsletter filled with online security news and tips for keeping you and your family safe on the internet. 

Before joining PCMag, I wrote about tech and video games for CNN, Fanbyte, Mashable, The New York Times, and TechRadar. I also worked at CNN International, where I did field producing and reporting on sports that are popular with worldwide audiences. Yes, I know the rules of cricket.
