Started as a standalone password manager, LastPass has grown into an Internet-based multi-platform password manager and vault serving over 10 million users worldwide. Although it has been marred by over half a dozen security breaches in the last half-decade, the security team at LastPass has managed to keep the data of their users pretty much untouchable.
This password manager/vault is bundled with features that their competitors certainly lack. Apart from password management and vault, LastPass has the option to store notes, addresses, bank account details, and digital wallet details on top of a few more exciting things. The ease of access from anywhere on the planet from a trusted or authenticated device is what caught our eye. The centralization of access that a free user gets is not something that most of their rivals offer in their free versions.
Universal access – Synchronization across devices
This is a feature that many of their competitors do not choose to offer for free. LastPass is an Internet-based password vault that decided to do away with the need for a desktop client when they acquired Xmarks, a web-browser extension that enabled password synchronization between browsers.
Synchronization across devices removes the need for storing passwords on a particular device. You get the mobility and portability of a password vault which you can carry with your tools and LastPass login credentials. Carry your credentials with you on the move. Log in to your LastPass account from anywhere around the world and access your stored credentials, notes, and other data you may store. Before 2016, this was not possible for free users. LogMeIn, the parent company of LastPass, announced the availability of this feature for free users, which was previously exclusive to paid members.
Import and Export passwords
Right after installing the LastPass desktop client and logging in, the option to import passwords from other browsers and managers appears in the installation wizard window. You can import passwords from various web-browsers, from over two dozen other password managers of all kinds, and from CSV documents, among others.
The option to import passwords from browsers can also be accessed at a later point by exporting passwords from browsers onto a CSV document and then importing them from the web panel, under Advanced Settings.
If you are shifting to a different password manager for some reason, you can export the user credentials in CSV format. To do that, log in to your web panel and head over to the collapsible sidebar on the left side. Click on the three dots with more options written right next to them. A long list of options will appear in a vertical menu. Click on export and a dialogue box will appear. Save the document in a secure location on your desktop/laptop.
Multiple Master password recovery options
In the unfortunate case that you forget or lose your master key, LastPass has a few options to recover it.
Send a Password Hint
When you set up the Master Password for the first time, LastPass prompts you to set up a hint, which can be used to remember your password or offer a clue to the location of the password if you stored it somewhere secure.
Navigate to the forgot password page. Enter your registered email and click on the big red send hint button. LastPass will send the hint via SMS to the phone number you provided for your account.
If you haven’t already, you can set up a hint by heading over to the account settings that are located in the sidebar on the left. Under the General tab, scroll down to the SMS recovery section. Add your phone number including the country code and complete the OTP verification process. Note: Only provide a phone number you plan to keep for a long time.
Account recovery using a one-time password
The one-time password is used to reset your Master Password in case you either misplaced it or cannot remember it. SMS recovery enables users to enter their email address on the recovery page and receive the OTP. However, if you do not have that enabled but the security email is in place, then an email with recovery instructions will be sent to the email address designated for the purpose. The email contains a link which will direct you to a page where the new master password can be set.
Revert to an old password
If you remember your older master password but not the current one, you can use it to log in to the vault. However, there is a catch to this. The old master password will take you to the version of your vault with the data present in the vault at the moment before the Master Password was changed. Note – If your Master Password was changed in the last 30 days, this option will not work.
To be fair, an additional layer of security is something that no one would complain about. Worrying about someone finding out your master password can take a back seat. The one-tap authentication provides password verification through SMS, automated push notification or a 6-digit generated passcode. As soon as you try to log in from any of your devices with the right user credentials, an authentication verification process starts rolling, using one of the above methods set by the user.
To enable the push-notification based verification, you will need to install the LastPass authenticator app on your smartphone.
URL rules and Equivalent Domains
Some websites may not support the autofill option in their login forms in a compatible manner. Adding entries to the Never URLs tab of the Account settings creates exceptions for which LastPass is then turned off. URL rules can also be set up to reduce the number of login credentials for similar users.
LastPass Desktop Application (collection of browser extensions)
There is no desktop application like we had in RememBear or 1Password. The LastPass universal installer provides a collection of extensions for major web browsers like Chrome, Firefox, Safari, and Opera. Standalone extensions can be installed as well if you want one for a particular web browser. However, before we forget, the universal installer also has the option to install an extension for the browser of your choice (from the above list).
The web and extension main panel have a collapsible sidebar on the left side.
The minimalist-inspired user interface of the extension is friendly and has a search functionality which is effortless and swift. The search feature does pretty well, using the character combination method to find the stored items. The only downside we could see was that the notes attached to the items were not indexed for search. This could be a nice little added touch although we do understand that elongated notes could hinder the accuracy and efficiency of the search results.
Moving downward, you can see the Open My Vault option which takes you to the web-panel of LastPass if you want to manage your credentials. The panel is identical to the web-panel used after logging in via their official URL.
Next, there is the All Items option which contains Passwords, Addresses, Notes, Payment Cards, and Bank details. The option to edit any of the credentials is right next to each of them. When you click on the edit button, a new tab opens with the edit dialogue box. This can come in handy in those cases where a large number of credentials are involved.
Adding a new item requires just a few clicks. The Add item option can be used to add all sorts of credentials that are offered by LastPass, ranging from a driver’s license to database information. Managing passwords is a lot of work with the added burden of creating new secure passwords for login credentials for new authentications. The secure password generator is here to lessen that burden.
The generated passwords can be up to 99 characters long with the option to include numbers, lower and uppercase, etc. What we missed in the LastPass password generator was the word/phrase password option. You can access most of the settings (except the authentication and security) from the Account Options. Recent Used shows the list of recently accessed/modified credentials. As soon as you click on the Accounts option from the extensions control tab, it takes a good 5-6 seconds for the settings pop up to appear. On some occasions, it failed to pop up and the tab froze and we had to refresh the browser tab.
The application is available for both Android and iOS. You can get the download link by entering your email ID on their download page if you don’t like going through official app stores.
The mobile app has all the features that are present on the web-panel like search, the ability to add new items and modify the existing items except for an inbuilt web-browser. The web browser, called InBrowser, is in beta phase. It has tab-based surfing functionality, which can be disabled for a generic single window experience from the settings.
The look and feel are similar to that of Google Chrome. You get the option to save credentials to a particular URL by visiting the website and using the save site option from the three dots vertical button on the right top corner of the browser’s standard bar. You can request the desktop version of a webpage if the mobile version seems inadequate for any reason.
Website forms can also be filled from the vertical button option. The Fill Forms option lists all the web-based credentials you stored. The developers of LastPass have made promises about tightening the security of their in-app browser. Every time you minimize or exit the app or browser, it prompts for clearing the browser history. However, this can be disabled depending on your preferences. The chances of any unsolicited intrusions into the app are low. The presence of timer, idle, inactivity and screen-off based locks keeps the chances of any intrusion at a minimum in case your phone is lying around somewhere unlocked.
The authentication of the app is strong enough to keep third party intrusion at bay. The fingerprint login, for which credentials are taken from the phone’s default fingerprint authentication information, is a bonus. There is no need to enter the master password. Open the app and authenticate your identity with your fingerprint. Note – Fingerprint scan based authentication requires your phone to have a fingerprint scanner. Check with your smartphone manufacturer if you are unsure.
Is LastPass Safe and Secure?
Security is of the utmost importance to the users. In the past, LastPass has been the victim of several security incidents. However, they have remedied the problems each time. The data is stored using 256-bit AES encryption, which means that hackers and data thieves will have a very hard time breaking the encryption without the encryption key. Other password managers like 1Password and RememBear also rely on this grade of encryption. Password security is increased with the Password-Based Key Derivation Function 2 (PBKDF2). PBKDF2, combined with the SHA-256 hash function (a hash, not an encryption algorithm), processes the master password and creates the login hash.
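The derivation described above, as an added example that is not LastPass's own code: a Python sketch of a PBKDF2-SHA-256 chain that stretches the master password into a 256-bit key and then derives a separate login hash from it. The email-as-salt choice, the iteration count, the sample account and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed work factor for this example; the page does not state one.
ITERATIONS = 100_000


def derive_vault_key(email: str, master_password: str,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key (usable as an AES-256 key).

    Assumption: the normalised account email acts as the salt.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more PBKDF2 round over the key gives the value sent at login.

    The server can check this hash without ever holding the vault key itself.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def server_verify(stored_hash: bytes, presented_hash: bytes) -> bool:
    """Constant-time comparison, so timing does not leak matching bytes."""
    return hmac.compare_digest(stored_hash, presented_hash)


if __name__ == "__main__":
    # Constructed sample account, not real data.
    key = derive_vault_key("alice@example.com", "correct horse battery staple")
    login = derive_login_hash(key, "correct horse battery staple")
    guess = derive_login_hash(
        derive_vault_key("alice@example.com", "password123"), "password123")
    print("vault key  :", key.hex())
    print("login hash :", login.hex())
    print("right password accepted:", server_verify(login, login))
    print("wrong password accepted:", server_verify(login, guess))
```

Because the key never leaves the client in this sketch, the cost of guessing a master password from a stolen login hash is set by the iteration count, which is why that number matters more than the hash function's name.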
Re-Prompt is a much-needed feature that many password managers choose to overlook.
Asking to re-enter passwords for specific actions when accessing passwords, notes, etc. is beneficial in the cases where the web-panel is left unattended for a minute or two by the user.
However, if the user is in a hurry and would prefer uninterrupted access to their data, then they can disable it for the next 24 hours from the re-prompt window as it appears asking to confirm the identity. When we tested it, there was a delay and lag in the re-prompt popup of the web panel. Also, it failed to appear in numerous locations and sometimes it took a good 8-10 seconds to appear on our 50 Mbps fiber Internet connection.
Multi-Factor Authentication is where LastPass really upped their security level above all their competitors. The multifactor authentication adds an extra layer of security that requires the authenticating user to verify their identity with a second login step. Generally, it requires push notification approval or a one-time password on your smartphone device or a USB-based key (premium feature), amongst other ways of authentication that LastPass has to offer.
The free version offers 8 different kinds of authenticators including LastPass’s authenticator, Google authenticator, etc.
You can add trusted devices that will not require multifactor authentication. This is valid for 30 days after which you need to add the trusted device again.
The level of user-friendliness is above average if not excellent. The lower score can be attributed to the large number of features that LastPass has to offer. Full points for the extensions, which are fairly easy to use. All the features are there with a complementing search option.
Vault tour on the web-panel could have some more content added to help the user get acquainted with all the key features and settings. A short vault tour followed by an option to “explore further” would be a nice touch. To sum it up, LastPass scores decently on the user-friendliness with room for improvement in future updates. They can take inspiration from RememBear, which is a promising new kid on the block.
The knowledge base section of their official website has an extensive amount of information regarding operations, troubleshooting, and features. Further queries can be escalated to the support team.
Free users have to wait up to 72 hours for a response from the support team. We cannot blame them as they have a large user base and giving priority to premium customers is what keeps them afloat in this competitive market. Once you raise a ticket from their support section, a confirmation email with the ticket id is sent to your email address as they receive your message. The support section for logged in users has an extensive section for communication with the support staff. The ticket expires in 4 days if you fail to reply to their message.
Their Twitter support account @LastPassHelp is pretty active in providing support and ticket escalation to the support staff.
Perks of the Premium Account
Additional Multi Factoring
There are 4 additional multi-factoring options on top of the 8 you get in the free version. These additional options include USB-key Yubico authentication, as well as fingerprint sensors and card readers.
With emergency access, you can choose to give a trusted person access to your vault in cases of emergency when you are unable to access it. There is an access delay that is set by the user. Access delay works in the following manner:
- USER A adds a TRUSTED B to the trusted list
- USER A sets a delay of 2 hours for access
- TRUSTED B tries to access the vault. He/she has to wait 2 hours before the vault can be accessed. The moment TRUSTED B tries to access the vault, an email is sent to notify USER A.
USER A can decline access within 2 hours for any reason if he wishes. Failure to do so will give TRUSTED B access to the vault as designated and intended by USER A.
Note – If your premium plan expires and there is an emergency contact in place, it will continue to work. However, no users/contacts can be added.
In premium plans, you get the ability to share user credential items and even folders with others over email, granting them access. A similar feature is free in TunnelBear’s password manager, RememBear, where a self-destructing link is created for sharing credentials.
Users who are always on the move and frequently have to deal with untrusted Internet connections would prefer to use this feature instead. With IE Anywhere, you can carry your credentials on your USB drive. You will need to install LastPass’s IE Anywhere extension on the USB drive and access your vault items from it. There is no need to install browser extensions or access the web-panel. Note – The USB-based vault can carry a maximum of 5000 items, and the performance starts to degrade after 2,500 items as stated in their support manual.
- Feature-rich for free users
- Augmented Security
- Easy to use browser extension
- Support response is slower than that of their competitors
- History of security breaches
Industry leader LastPass has ticked all the right boxes in terms of features for their free users, which has certainly helped them gain popularity on the market and spread the good word. Despite their bug-bounty and regular security audits, they have been at the receiving end of security compromises. Better bug-bounty programs should help their case, to begin with. Expanding the size of the security staff may or may not be the best path forward.