LastPass Premium review
The password manager LastPass is without doubt one of the most popular online password management solutions. A core reason for that is that it is available as a free version that offers functionality that some competing password managers don't offer in this form.
The free version of LastPass supports all the features that you would come to expect from a password manager; this includes browser extensions for all popular browsers, an online database of account information that gets synchronized across browsers if you want, automatic form filling, one-click login to websites, mobile application support, and the ability to store secure notes in your vault, which can be an excellent way of storing important documents and data in the cloud.
The vault can be accessed from any web browser, even if an extension or plugin is not installed. This is great if you often work on public computer systems.
LastPass is compatible with major browsers and there are app versions available for mobile devices to use it on these as well. The service does not restrict free users in terms of the number of passwords that they can store or the number of devices they may install the password manager on.
A universal installer is available on the LastPass website that you can download and run to install the password manager in all web browsers running on your system at once. Well, not in all, but the major browsers are all supported: Internet Explorer, Microsoft Edge, Firefox, Chrome, Safari and Opera. You can select the browsers that you want it installed in as well, or download individual extensions if you prefer that.
LastPass offers a universal installer which you can download from the official project website to install the extension in all supported browsers at once. There are two exceptions though: LastPass for Microsoft Edge is only available on the Microsoft Store and the standalone Mac version of LastPass is only available on the App Store.
If you do not have an account yet, you need to create one during installation, which is a seamless operation that should not take longer than a minute to complete. The password that you set up for the account is the master password. You should make sure that it is very secure, meaning that it needs to be unique, as long as possible, and made up of letters, numbers, and special characters.
Also, it is a good idea to set up two-factor authentication to improve security further.
LastPass' master password rules are not what I'd call rules that ensure that users pick secure passwords. The master password needs to be 12 characters or longer, include at least one number, one uppercase letter and one lowercase letter, and can't be your email.
Considering that the master password grants access to your entire password and notes storage, it is better if you make it longer and add special characters to it as well.
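To see why these rules alone do not guarantee a strong master password, the following added example (not LastPass code) encodes the rules as stated above and then applies a few stricter heuristics. The word list, the 16-character threshold and the sample passwords are assumptions constructed for illustration.

```python
import re

# Tiny constructed word list (assumption); a real check would use a large
# dictionary of common and breached passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "dragon"}


def meets_stated_rules(password: str, email: str) -> bool:
    """The minimum master password rules as described in the review."""
    return (
        len(password) >= 12
        and any(c.isdigit() for c in password)
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and password.lower() != email.lower()
    )


def weakness_flags(password: str, min_length: int = 16) -> list:
    """Heuristic warnings that the stated rules do not cover."""
    flags = []
    if len(password) < min_length:
        flags.append("short")
    if not any(not c.isalnum() for c in password):
        flags.append("no-special-character")
    # Strip trailing digits and symbols, then see whether a common word remains.
    stem = re.sub(r"[\W\d_]+$", "", password).lower()
    if stem in COMMON_WORDS:
        flags.append("common-word-plus-suffix")
    # Runs of three or more ascending digits, such as 123 or 2345.
    runs = re.findall(r"\d{3,}", password)
    if any(all(int(b) - int(a) == 1 for a, b in zip(r, r[1:])) for r in runs):
        flags.append("sequential-digits")
    return flags


if __name__ == "__main__":
    for pw in ("Password1234", "tram-Velvet-19-oboe-Crater!"):
        print(pw, meets_stated_rules(pw, "user@example.com"), weakness_flags(pw))
```

Both sample passwords satisfy the stated rules; only the first one collects every warning.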
What I like is the option to scan the browsers for stored items, which means that you can basically import all of the passwords and login-related information into the password manager. That's great if you have been using a browser's built-in password manager.
Note that LastPass used to prompt for the import of passwords stored by the browser it was installed in but that this is no longer the case in new versions. You can still import passwords but it is no longer part of the installation.
It is also necessary to install LastPass in any browser that you use to import passwords stored by that browser. It is not possible to import Chrome passwords using LastPass for Firefox and vice versa.
LastPass supports imports from a good two dozen password managers as well as imports of passwords from generic CSV files. Supported password managers include Dashlane, 1Password, KeePass, RoboForm, and Sticky Password.
If the import does not work automatically, open the LastPass Vault in your browser and select More Options > Advanced > Import to start the process.
You can check out this support guide on running imports after installation of LastPass.
LastPass displays explanations on using the password manager on first run and displays "getting started" instructions.
The password manager picks up new logins automatically and displays prompts to add them to its database. You may also add logins manually or use the import options if you prefer that.
There used to be an edit option but it is not available anymore. You can edit passwords in the Vault at any time though.
It is probably a good idea to use the built-in password generator when you create new accounts. Just select LastPass > Generate Secure Password to generate a new unique password.
You can change the rules for the password right in the prompt. It is possible to change the character length, add special characters to it, and set the minimum number of digits there as well.
The password rules are not as sophisticated as those provided by KeePass but they cover the most important parameters.
Once you have installed LastPass in your web browsers you will notice the new icon that is placed in the main toolbar of the browser.
A click on the icon provides you with options to open your vault on the LastPass website to manage all of your passwords, access recently used sites, generate secure passwords, or manage other data right from the menu.
Login-related information for the site you are on is displayed directly in the menu. Here you see if auto-login is configured and get options to copy your username, password or saved URL, which may be useful if you need to enter the data into another program or prefer to paste it manually instead of relying on LastPass' automatic filling of login fields (or if that does not work properly).
LastPass attempts to fill login information automatically when you visit a matching site and it may even log you in automatically on some.
While you can run some operations directly from the menu, it is the Vault that provides you with access to most options.
You manage sites, secure notes, and form fills in the Vault. LastPass sorts logins into folders automatically. If you sign up for Reddit or Facebook, the login is moved to the Social folder. You can create custom folders and move passwords to them if you prefer to use a different structure for your logins.
Sites can be added manually in the Vault. You need to fill out the core information (site URL, username, password, and name), and may add other information here as well, such as notes or the folder you want the login information saved to.
Advanced Settings provide you with options to enable auto-login, disable auto-fill, and to enable the password reprompt requirement.
When you open an existing password, you get the "auto change password" option which, when activated, triggers LastPass' one-click change option for stored passwords.
The service tries to change the stored password automatically on the site and will load the site in a new tab to perform the operation. The procedure works on many sites, especially those that do not use custom login prompts.
The operation may fail, however; if that is the case, you need to change the password manually instead.
The listing of passwords uses big icons by default. While that is great visually, it means that you don't see a lot of passwords on a single page without scrolling. You may want to switch to compact mode in the interface to display more logins on a single page.
LastPass displays options to launch, edit, share, or delete account information when you hover over a site in the listing. The actions menu lists clone as another option when you use checkmarks to select one or multiple sites.
The sidebar menu lists the main entry points: sites, secure notes, form fills, sharing center, security challenge, emergency access, account settings, and more options.
Sites, Secure Notes, and Form Fills work pretty much identically. You get a listing of data that is stored already, may add new sets of data to the account, and edit or delete existing entries.
Notes support plain text and attachments. You could use them to save important documents, bank statements, transactions, or important files using LastPass.
Emergency Access is only available for premium customers. It is designed to give trusted contacts access to the vault after a wait period.
Say you have an accident and have to stay in bed or in hospital for a period of time or, God forbid, you die. Without Emergency Access or written access instructions, no one is able to access the LastPass Vault.
With the feature enabled, trusted contacts may access it by requesting it at any time after the initial setup. The wait period is designed to give you options to decline the request if trusted contacts try to access the vault even though that is not wanted.
You can set the wait time between "immediately" and 30 days, and contacts that you invite need to install LastPass and create their own account using the email address you specify.
LastPass supports password sharing, which works similarly but for individual passwords. To share a password, select it in the vault, activate the sharing option, and enter the recipient's email address. The recipient needs to have a LastPass account or create one for it to work, though.
LastPass supports form filling to fill out web forms automatically. LastPass supports multiple data sets that you can store and select between when it comes to filling forms on the web.
Each set supports personal, address, contact, credit card, bank account, and custom fields, and you may fill them out in the Vault to get started.
The password manager adds little icons to fields to fill them out automatically using saved data.
The Security Challenge scans the entire password database and computes an overall score. It highlights weak, reused, old, and even compromised passwords to you so that you may react immediately and modify those to protect the accounts.
The challenge redirects you to the LastPass website and requires that you enter the account master password to get started.
The service displays password strength ratings for each password in the account and may even change passwords automatically to speed things up.
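The kind of audit described above can be sketched as follows. This is an added example, not LastPass' implementation: the vault entries are constructed, and the thresholds (12 characters, three character classes, 365 days) and the scoring formula are assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Constructed vault entries: (site, password, date the password was last changed).
VAULT = [
    ("mail.example", "Tr1cky-Harbor-92-lime", date(2018, 2, 1)),
    ("shop.example", "sunshine1", date(2018, 1, 15)),
    ("forum.example", "sunshine1", date(2014, 6, 30)),
    ("bank.example", "v9#Lq2!xPz7@rTm4", date(2013, 2, 10)),
]


def audit(vault, today, max_age_days=365, min_length=12):
    """Return {site: sorted findings} covering weak, reused and old passwords."""
    findings = defaultdict(set)
    by_digest = defaultdict(list)
    for site, password, changed in vault:
        # In-memory grouping key only; an unsalted digest is not a storage format.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(site)
        classes = sum([
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ])
        if len(password) < min_length or classes < 3:
            findings[site].add("weak")
        if (today - changed).days > max_age_days:
            findings[site].add("old")
    for sites in by_digest.values():
        if len(sites) > 1:  # same password stored for more than one site
            for site in sites:
                findings[site].add("reused")
    return {site: sorted(tags) for site, tags in findings.items()}


def score(vault, report):
    """Percentage of entries without any finding (assumed scoring formula)."""
    return round(100 * (len(vault) - len(report)) / len(vault))


if __name__ == "__main__":
    report = audit(VAULT, today=date(2018, 6, 1))
    print(report, score(VAULT, report))
```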
LastPass offers lots of options to improve the password manager's usability and security. I'd like to mention some of them which I consider to be important for the majority of users:
- Hotkeys are available in the preferences. You can for instance open the password generator with Alt-G or configure a hotkey to log off.
- You can configure the password manager to warn you if you are filling out insecure forms under Advanced in the options.
- You can limit logins to your LastPass account to select countries, and prevent logins from the Tor network.
- An automatic log off can be configured so that you are automatically logged off after a set period of time (from 5 minutes to 2 weeks).
- LastPass supports Google Authenticator and YubiKey for two-factor authentication. This improves security by requiring you to enter a second code that is generated in real time during login to your vault.
- You can attach files to your secure notes, which is great for adding documents, scanned passports and the like to the vault so that you can access them wherever you are (provided you have Internet and your LastPass login at hand).
- Since it is cloud based, all data syncs across all browsers that support LastPass.
- You can make use of one-time passwords to access your vault, which is excellent if you need to log in on a public computer or a computer that you do not have full control over.
- LastPass can check all of your passwords to assess their security so that you know exactly where to change passwords to improve login security.
- Disable the sending of anonymous error reports under LastPass Vault > Settings > Advanced Settings > Privacy.
- Options to define equivalent domains so that passwords for a site like google.com work on other company sites such as youtube.com automatically.
How is LastPass generating revenue you may ask, and one of the answers is premium accounts (another is Enterprise). LastPass Premium is available for $24 a year, and if you subscribe, you get the following additional features on top of all the features that the regular version of LastPass offers:
- Mobile device support. You get access to LastPass on Android, iPhone, Windows Phone, BlackBerry and other mobile devices.
- YubiKey support to enable multi-factor authentication.
- LastPass Sesame for multi-factor authentication using a USB flash drive.
- IE Anywhere to use LastPass without installing a plugin in the browser.
- No advertisement.
- 1 Gigabyte of online storage for data.
- Password sharing.
- Emergency access.
- Email and phone priority support.
Upgrading your account to premium makes sense if you often use mobile devices and want direct access to your LastPass vault on those devices, or if you want to use another feature that is only available for premium users.
Back when I was using LastPass as my main password manager I subscribed to premium just to give the company something back for their awesome product. I switched to KeePass in the meantime as I prefer local storage over cloud-based storage.
What is not so good?
LastPass was involved in two security incidents in the past. The first happened in 2011 and LastPass was unable to determine at that time whether an attacker managed to breach the network of the service.
I switched to the local password manager KeePass as a consequence and never looked back.
The company revealed in 2015 that it "detected and blocked suspicious activity on the company network" and confirmed that "account email addresses, password reminders, server per user salts and authentication hashes" were compromised.
Functionality-wise, LastPass has some issues as well. The tool to change passwords automatically for the user can do so one site at a time only which may take a considerable amount of time. Dashlane, another password manager that offers the functionality, may change multiple passwords at a time which speeds up the process significantly.
Recent versions of LastPass added new functionality to the core password manager.
- LastPass warns you now when you are using duplicate or weak passwords.
- Option to change passwords automatically for select sites and services.
- Unlimited device synchronization for free users.
- Removal of Emergency Access and Unlimited Sharing from Free version.
LastPass is not just a password manager. What sets it apart is the functionality that the developers have built around it. You get much needed extra security in the form of multi-factor authentication, options to store documents securely in your vault, and protection against attacks coming from countries that you never went to, if you want.