What is LastPass and why should you use it?
LastPass is, in my opinion, one of the best password managers available on the market at the moment. With both a free and paid version, there is a version for both personal and enterprise use. LastPass provides a means of storing passwords securely for all of your online accounts in one solution. These passwords are protected by one long and secure master password, which is the only password you have to remember. With the number of online services I use regularly, I find LastPass to be a huge time saver on a day-to-day basis.
LastPast Main Features
LastPass has been recognised as one of the most secure password managers available. With end-to-end encryption using 256-bit AES encryption, which is the same standard of encryption used by the military, meaning your data is practically uncrackable. Transport Layer Security (TLS) is enforced to prevent in-transit attacks. This means that data is encrypted as it travels across a network which prevents an attacker seeing the information you are sending.
LastPass is very privacy cantered and gives its best effort towards privacy to generate trust among users. An example of this is their zero knowledge policy, which means LastPass doesn’t track, access or sell any data stored in a user’s LastPass account. Essentially, no one, including LastPass, can access a user’s encrypted data remotely.
The following image is taken from LastPass’s website and shows their encryption process in use. All information is both encrypted and decrypted at the device level. This security feature means that even LastPass can access your passwords of login information and protects users if LastPass servers get hacked.
LastPass also have a bug bounty program running in the community. This program encourages hackers to find bugs in the LastPass software and pays them if they do, further protecting the platform’s security framework.
In my opinion, LastPass is one of the most secure password managers on the market at the moment. “Hold on a minute, wasn’t LastPass hacked in the past??” Yes, if you are in the information security field you likely know that LastPass was hacked in 2015 which was the only security incident in their 10-year history. Hackers got away with encrypted versions of some users master passwords, which at the time LastPass stored on their servers. However, since all passwords are salted and encrypted with military grade encryption (AES 256) no user data was at risk. LastPass stated at the time that only users with weak, easy to guess Master Passwords were at risk due to their password being possibly guessed. Now that LastPass doesn’t store user passwords in any format, encrypted or otherwise, the risk of a hack exposing user’s passwords is non-existent.
Why is Two-Factor Authentication (2FA) a good idea? 2FA makes phishing attempts, malware and social engineering attacks redundant when attempting to hack your account. If an attacker does get your master password, 2FA will prevent him from getting access to your account. 2FA means that you need your phone as well as your master password in order to login to your account, providing an extra layer of security. Implementing 2FA is an excellent idea for any password manager that stores all your passwords, credit card info, addresses etc.
LastPass also incorporated numerous 2FA security options such as sending emails to users asking them to verify any logins on new devices. If someone discovers your master password and attempts to login to your account on a new device which has never been used to login to your LastPass account before, these security emails will prevent access to the attackers.
There are many third-party Multi-Factor Authentication (MFA) options supported my LastPass for extra security. LastPass also makes use of One-Time Passwords (OTPs) which are unique, one-use passwords which grant access to your LastPass account. These passwords can be used when logging into your accounts in potentially unsecure locations, such as when using a public computer or someone else’s device. These passwords will be saved in your list of one use passwords that can be used to access your account.
In my opinion, the LastPass MFA app is the most convenient and easy to use solution and other MFA’s should take a leaf out of their book. When using other MFA options such as Google Authenticator or Microsoft Authenticator, after you enter your master password and press sign-in they require that you open the app, get a 6 digit code and enter it in online. While this is secure, it’s not exactly convenient when you have to enter a different 6 digit code every time you want to sign-in. The LastPass MFA is much more user friendly. You simply have to open the app and press “Allow Sign-in” at which point you will sign-in to your account.
Now if you are new to password managers, you may be thinking, “what happens if I forget my master password?!” Not to worry, LastPass has configured numerous methods to get you back into your account.
The first and probably the handiest method for regaining access is the mobile account recovery option. You can easily confirm your identity using either Touch ID or Face ID on the mobile app login screen, and then set a new Master Password, hopefully one that you’ll remember!
A master password hint can be set when creating your account to help remind you of your master password. If you have trouble remembering the password, you can have your hint sent to the email you sent up the account with.
The third method is the Recovery One-Time Password
The fourth method is SMS recovery, something which I’m sure everyone is familiar with. The process is simple. If you set up your account with this option enabled, LastPass will be able to send you a numeric code which can be used to reset the master password.
The fifth and final method provided by LastPass is recovering your account using your previous master password. You can recover your account using your old master password is the password change was made within the last 30 days. There is a catch however, your account will be restored to how it was when you changed passwords, so there may be some recent data lost.
The number and variety of methods provided by LastPass for account recovery make it far more user-friendly than other password managers, which often block you from your data if you forget your master password. LastPass have done their best to ensure this doesn’t happen with your account.
Maximum Password Strength
LastPass provides a number of features to ensure that each of your passwords are super secure. When creating a new account for a site, you can choose to have LastPass create a random username and password which will then be stored in your LastPass account. The password generator come with a variety of options to make your password as secure as possible. The minimum password length supported is 1 character and the maximum is 50. You also have the option of choosing between using uppercase letters, lowercase letters, numbers and symbols. You can even specify whether you want the password to be easy to say or read. With over 80% of hacking-related breaches due to weak or stolen passwords, this is a feature which I can appreciate. LastPass also offer some tips which should be followed when creating a password to make it uncrackable.
LastPass also offers a username generator with which users can generate secure usernames. You may be wondering why a secure username is important, like many people do. Many people use the same online username across multiple platforms and websites. If a hacker gets hold of your username, they can use it to launch password brute forcing attacks. This is when an attacker attempts to log into your account hundreds or thousands of times using your username and a variety of passwords with the hopes of guessing your password. If the attacker doesn’t know your username, this attack is rendered useless.
LastPass backs up all users’ accounts so that user’s information can be used from any device once they sign in. This information is also synced across all devices for easy access to passwords no matter where you are. The LastPass mobile app can be downloaded for both Android and IOS and offers fingerprint support. This allows for easy access to the app instead of having to enter your long master password each time, something which is very convenient.
It is important to note that LastPass is not just a password manager. LastPass also provides the ability for users to store credit card information, Wi-Fi passwords and notes in their secure vaults.
When using the browser extension which is available for chrome, Firefox and safari, users can enable the auto form filling option. When a user is filling out a form to purchase something on Amazon for example and is logged into the browser extension of LastPass, this feature will automatically fill in their credit card details stored in their LastPass account. Users can also use this feature to automatically fill in their usernames and passwords when signing into various accounts, allowing you to login with just one click. You can also autofill addresses, credit card information and more.
I personally find this feature very handy. As a security researcher myself, I would be wary of storing my credit card information on any password manager, but LastPass has my vote of confidence! I found it very time saving to simply choose the credit card I want to pay with from a list of options and have it automatically fill in, rather than go looking for my card and input the details. The same can be said for Wi-Fi passwords!
Plans and Pricing
Plans for Personal Use
There are a number of pricing plans available for LastPass. There are two categories of plans: Single Users & Families and Business Plans.
Within Single Users & Families there are three plans available: Free, Premium and Families. Personally, I feel that the free plan offers so many features that there is no real need to upgrade if you are using LastPass just for yourself. The Family plan may be worth the money if there are numerous people going to be using the account.
The free plan includes the following features:
- Secure password vault
- Access on all devices
- Save & auto-fill passwords
- Password generator
- One-to-one sharing
- Security dashboard
- Secure notes
- Security challenge
- Multi-factor authentication
- LastPass Authenticator
- Advanced multi-factor options
This is more than enough for the average user and in my opinion is more than many other password managers are currently offering for free. With the number of features on offer for free, I see no real reason to upgrade your account unless you are going for the family option.
The Premium plan includes all features listed above with the following additional ones:
- One-to-many sharing
- This option allows for the sharing of one single item (a password or one-time password) with multiple people so that everyone has convenient access. This is useful in the case of a family Netflix account for example.
- Dark web monitoring
- This option is a useful addition to the premium plan for those worried about their data being stolen or accounts breached. LastPass will monitor the Dark Web for any information matching the email address associated with your account and will notify you of a potential breach if it finds any. This can be very useful as when a data breach occurs users information (typically usernames and passwords) are often sold on Dark Web market places and forums.
- Emergency access
- Using this feature, you can give emergency access to trusted family and friends in the event of an emergency or crisis. You can specify Emergency Access contacts who can request access to your account and securely receive the passwords and notes without knowing your master password.
- Priority tech support
- Useful if you have a problem that needs urgent solving, this option places LastPass Premium member’s queries to the top of the que so that your problems are solved faster.
- LastPass for applications
- This is an application which can be installed on your desktop which can be used to store and access the contents of your LastPass Vault. Once installed, you have the option to add sites, secure notes, form fills and applications. Essentially this allows you to store passwords for applications you have installed on your desktop. You can launch the applications from the content tray, which will use your username and password to automatically sign-in, allowing for faster launch times and transitions between apps.
- 1GB encrypted file storage
- This secure storage feature allows you to keep safe copies of critical documents such as passports and membership cards, which can be very useful when booking holidays or purchasing online, rather than looking around the house for your passport or membership number, it’s all securely stored in LastPass!
The premium plan is designed for one user and is priced at €2.82 a month or €33.84 a year. All plans are billed annually, which means there is a bit of an upfront cost involved if you want to upgrade. Personally I would prefer a monthly payment option as it offers more flexibility to LastPass users, but it is not an option in this case. Although the premium plan offers more features, some of which are useful, I don’t believe it is worth €33.84 when the free plan offers so much value.
The final plan is the Families plan and includes all the features listed above, as well as the following:
- Unlimited shared folders
- LastPass offers users the means for creating folders in which to store passwords for specific accounts. If you have numerous Google accounts for example, you can create a folder called Google and store all your account passwords there. This feature allows you to share these folders with as many people as necessary, providing access to all in the family. This is a handy feature as you could create a folder for all your family accounts which you can share and keep separate to your personal accounts.
- 6 Premium licenses
- This feature is worth the money if you want to upgrade your account at all. If you have two or more people who are willing to pay to upgrade, using this option will work out cheaper for each person rather than paying individually for a premium account. You can use this option to invite people to the family using their email addresses, at which point they will be given a premium account. You can easily remove their access too.
- Family manager dashboard
- Each family member has their own personal vault plus the ability to create shared folders across the family.
The Family plan is priced at €3.76 a month or €45.12 a year. It is designed for up to six users. The family plan is worth upgrading to if you have two or more people who are willing to pay to upgrade their account. The ability to have your own personal premium vault makes this worthwhile as it is cheaper to have a few people pay for the six family licences rather than pay for individual premium licences, especially considering that the family plan includes everything in the premium plan with the three extra features listed above.
Plans for Business Use
There are also plans for business which offer the following features:
- Instantly add and remove team members.
- Safely share passwords with others.
- Give each employee their own vault for safeguarding passwords.
- Store digital records: Wi-Fi logins, software licenses, employee IDs, and more.
- Set security controls and restrictions based on your team’s needs.
These features are common among all business plans and these features do seem like they would offer a lot of security features to an organisations arsenal. There are numerous different business plans available for business of all sizes. The plans are called MFA, Teams, Enterprise and Identity.
The MFA plan is the cheapest of the lot starting at €2.90 per month per user while the Identity plan is the most expensive starting at €7.50 per user per month. These plans charge per user and as you can imagine, the cost will definitely add up making LastPass for business infeasible for small businesses. For business who can afford it however, it provides much more control when it comes to enforcing password policies, implementing single sign-on across the network as well as gathering analytics.
After using LastPass myself for a week, I don’t think I will ever go back to remembering passwords for various different accounts. I have numerous accounts for Amazon, YouTube, Google and other services and I try to adhere to good security practices by using different passwords for each of them. I must admit, it was getting increasingly difficult to remember all of them.
With LastPass, this problem is gone and I intend on making use of the password generator in the future to generate super secure passwords which I don’t have to remember. I have all my accounts saved in LastPass and now the only password I have to remember is the Master Password, what a relief! On top of this, I have saved my address and credit card information which is automatically filled in each time I make a purchase.
I can honestly say LastPass is a huge timesaver and they have done a great job making it as user friendly as possible. With a sleek design, easy to navigate menus and secure encryption algorithms, it is my opinion that LastPass is the best password manager on the market at the moment.