[Updated with Google Pixel 4 facial-recognition support and expanded features for LastPass Pocket. This review was originally published Dec. 18, 2017.]
LastPass is the biggest name in password management. There's some strong competition out there, but it's still easy to see how LastPass stays on top. The service strikes an excellent balance of providing many features without overwhelming the user with options, and the software is intuitive and fast across numerous supported platforms.
At $36 per year, a price that was introduced in early 2019, LastPass Premium is approaching the high end on pricing. (In 2016, LastPass Premium was just $12 per year.)
Many users will find that they can get by with LastPass' free tier, which, remarkably, supports syncing across all of a user's devices. However, people willing to pay $60 per year may want to check out Dashlane, which matches LastPass on features and adds a few unique ones of its own.
Costs and What's Covered
LastPass offers the most feature-rich free service of any password manager we tested. The big difference is that you can sync your passwords and data across all your devices for nothing. That's a feature you'll have to pay for with every other freemium password manager.
LastPass free users also get unlimited passwords, a password generator, secure note storage, one-to-one sharing and a "challenge" to test their own security situations. For many users, LastPass Free will be enough.
LastPass Premium costs $36 a year for a single user, or $48 a year for a family plan that supports up to six users. Premium brings with it 1GB of encrypted file storage, credential storage for desktop applications, priority tech support, advanced two-factor authentication options (including hardware keys), emergency access and one-to-many sharing.
The Family plan adds a management dashboard and unlimited shared folders to the rest of the Premium features.
LastPass supports Windows Vista and above, Mac OS X 10.7 Lion and up, Chrome OS and the most common distributions of Linux. Supported browsers include Microsoft Internet Explorer, Microsoft Edge, Mozilla Firefox, Apple Safari, Google Chrome, Opera and Maxthon.
On mobile devices, LastPass is available for iOS 5.1 and above, Android 2.3 and up, and Windows Phone 7.1 and beyond. You can download old versions of LastPass for BlackBerry, Symbian and webOS.
For users who would rather not have their passwords flung across the internet, even in encrypted form, LastPass Pocket for Windows and Linux lets you use LastPass locally or even carry the entire program on a USB drive.
For this review, we used LastPass on a laptop running Windows 10 and macOS 10.12 Sierra, an iPad Pro 12.9, a Samsung Galaxy S8+, and a Google Pixel. Google Chrome was our primary browser across all platforms, but we also tested with Safari on macOS and iOS.
There are a few different ways to set up LastPass on the desktop. If you stick to a single browser, then simply installing the LastPass extension in that browser will be sufficient.
But if you switch up your browsers occasionally, then it would be faster to download the universal binary from the LastPass website. This will simultaneously install the extension across all supported browsers on your system.
The two exceptions to this rule are the Microsoft Edge LastPass browser extension, which can be found only in the Microsoft Store, and the LastPass for Mac standalone application, which you can download from the App Store.
Regardless of which option you select, your first task is going to be selecting a master password. This password isn't stored by LastPass, so it is the one password you will still need to remember.
However, in the event that you do forget your master password, LastPass gives you a few options to reset it and keep your account. You have the option to create a password reminder or to ask LastPass to save a phone number to which the service can send an account-recovery SMS.
Finally, there is a one-time recovery password for any browser on which you have previously used LastPass; triggering account-recovery mode will give you a recovery password you can use to reset your master password.
The mobile apps for Android, iOS and Windows Phone are all available in their respective app stores. After installing each for the first time, you will be prompted to log in using your master password. But after that initial login, you can switch to either a PIN or a biometric login, such as your face or your fingerprint, to save time in the future.
If you were using either the built-in password management in one of your browsers or a competing password manager, you'll want to import your existing information into LastPass.
The service can pull data from dozens of browsers and services as well as CSV files, so regardless of what you were using previously, you should be able to bring that data over. The service will even attempt to categorize your passwords from some services, saving you a tremendous amount of time.
LastPass on the Desktop
For most people, using LastPass on the desktop is going to mean using the browser extension or the website interface. But LastPass Pocket does provide a somewhat primitive stand-alone desktop application for Windows or Linux.
Mac users also have the option of installing stand-alone LastPass desktop software, but I would advise against it. The design of the application is sparse and more confusing to navigate than what you'll find on the web option. The lone advantage of the Mac stand-alone application is Touch ID fingerprint-login support for MacBook Pros, but it's not worth the trade-off.
The web interface features a familiar-feeling modern design. A left-hand column breaks out all of the major sections, and relevant content displays on the right as either a grid or a list. This is true whether you use the LastPass browser extension or directly log in to the LastPass website with your master password; either way, the interfaces are identical, with only the URLs differing.
By default, you view all of the data in your vault at once. If you know what you are looking for, the prominent search bar at the top of the screen is going to be your fastest option to find it. However, there is an abundance of filtering tools if you aren't quite sure what you need.
When possible, each set of login credentials picks up the logo for the site with which it is associated, which helps when you're scrolling through your long list of passwords.
Other sections, such as credit-card numbers, rely on color coding that you select. This is helpful, but it's a step down from the best of these implementations, such as Dashlane's, which displays a reasonable copy of the card itself.
The red button in the lower-right corner of the screen lets you add a new item to any section of the LastPass interface, regardless of where you are on the site. If you hover your cursor over this button, a secondary button will appear to give you the option of creating a new folder.
I found it odd that this button doesn't operate contextually. For instance, it could instead automatically assume you are going to add a payment card if you are in the Payment Cards section of the interface. But perhaps this apparent oversight is a deliberate choice to make sure users can always add any new item without having to return to the home screen.
The Security Challenge in LastPass reviews your existing passwords, provides you with an overall score and warns you about passwords that are insecure. This can apply to a variety of types of passwords, including duplicate, compromised, weak and old passwords.
LastPass offers an option similar to Dashlane's Password Changer, which will change your passwords on multiple online accounts with a single click. This is a handy option to have in the event of a massive data breach.
The feature is considerably more scaled back on LastPass, with only about 80 compatible sites as opposed to more than 500 on Dashlane, but it is sure to expand in the future. For sites not covered by the password changer, you simply need to go to the site and change the password using the standard LastPass Password Generator.
The Sharing Center is where you identify passwords that you want to share with other LastPass users, who need to have LastPass accounts of their own. When sharing a password, you can choose whether the recipient is able to actually view the password or must simply use the login blind.
LastPass Family users are able to share passwords with other registered family members via shared folders. You simply create the folder; specify, for each user, if they have administrator, read-only or no access to the folder's contents; and then return to the main passwords screen and drop the relevant passwords into that folder. Any changes made to shared passwords are synced up to the accounts that they have been shared with.
Emergency Access lets you designate friends or family members with whom you would like to share access to your vault if you should be incapacitated for any reason. You select the individuals along with an amount of time that each would have to wait to receive access to your account, which can vary from no wait to a full month. If you do not deny the request before the allotted time is up, then that person gets joint access to your account.
LastPass Family subscribers get one additional section, in which the family manager invites each new member to the family. The rest of the family functionality is handled within the previously covered sharing section.
LastPass Mobile Apps
The mobile apps on both Android and iOS share most of the features and design of the desktop browser interface. But you do lose a few features, among them the ability to change multiple passwords at once.
The iOS app breaks slightly from the navigation used by the desktop-browser interface and Android app; it adds a second navigation bar at the bottom of the screen to move among your vault, the built-in LastPass browser, Security and Settings.
You can log in with Face ID on an iPhone X, and with Touch ID on any iPhone that supports it.
The iOS app also moves the button for adding new items to your vault to the top right from the bottom right. It also supports iOS 12's automatic form-filling feature.
The Android app, on the other hand, mirrors the design of the browser interface almost identically, which makes for an easy transition from desktop to mobile. Users of Android 8 Oreo and Android 9 Pie can take full advantage of form- and password-filling functions. Fingerprint recognition is supported on all phones that have it, and LastPass also supports the Google Pixel 4's facial recognition.
Like many newer password managers, LastPass stores your data on its own servers in the cloud as well as on your device. This makes syncing among various devices easy and convenient, but it does create a greater risk that the data could be compromised.
Fortunately, LastPass secures your data with 256-bit AES encryption and salted hashes. Your data is encrypted and decrypted on your device, so the data stored with LastPass is in a readable state only on your device(s).
Two-factor authentication is available to both free and premium users of LastPass. The free options include software tools such as LastPass Authenticator, Duo Security Authentication, Google Authenticator, Transakt Authentication and Grid Multifactor Authentication.
Premium subscribers gain hardware two-factor options like Fingerprint Authentication (via Windows Biometric Framework), YubiKey Multifactor Authentication and Sesame Multifactor Authentication.
YubiKey NFC-based authentication is supported on iOS as well as Android. LastPass added support for the YubiKey 5 series of security keys in September 2018, and support for the iPhone-friendly YubiKey 5Ci in August 2019.
Notably, LastPass is one of only two password managers I tested that claim compliance with Service Organization Controls (SOC) 2. (The other was Keeper.) SOC 2 was developed by the American Institute of Certified Public Accountants and assesses whether a company that stores customer information in the cloud meets five trust service principles: security, availability, processing integrity, confidentiality and privacy.
This is a make-or-break issue for some businesses and governmental agencies using cloud services. But if you're a personal or family user, just rest assured that this means the company thoroughly documents its security policies and procedures and has to undergo audits.
Another convenient and rather rare option offered by LastPass is LastPass Portable, which lets you install a portable Chrome or Firefox browser with the LastPass extension on a USB drive. That lets you use the service on a public or shared computer that doesn't allow for the installation of the LastPass browser extension.
Perhaps even better is LastPass Pocket, which puts a stand-alone Windows or Linux LastPass application, complete with its own credentials vault, on a USB stick. More recently, this was extended to create a stand-alone desktop application for those two platforms.
Pocket will sync with your locally cached LastPass browser extension when plugged into your PC, but it can also be run straight from the USB drive. This procedure may be a bit clunky, but it lets you sync your passwords among your various computers (if not mobile devices) without putting your data online.
LastPass continues to lead the pack in password management, thanks to its robust free version and relatively inexpensive premium upgrade. The app hits all of the major use cases for a password manager; the core functionality works flawlessly, and extras such as form filling, secure file storage and the security auditing are all among the best in class.
Strong cross-platform and two-factor authentication support further help sell the app as the best recommendation for most users. For those seeking a bit extra — and willing to pay quite a bit extra — we can recommend Dashlane.