June 20, 2024


Sapiens Digital

LastPass – Review 2020 – PCMag Asia


Keeping track of dozens or hundreds of strong, unique passwords just isn’t possible without a password manager. Fortunately, you can get the necessary help without breaking the bank. The free edition of LastPass has plenty of features, more than some of its for-pay competitors, and it syncs across all your Windows, macOS, Android, and iOS devices without any limits on the number of entries you can create. The Premium and Family versions of LastPass add some worthwhile sharing and authentication settings, but many users will be better off sticking with the free offering. LastPass is an Editors’ Choice password manager.

LastPass Free vs. Premium vs. Family

LastPass offers three different plans for consumers: Free, Premium, and Family. The Free edition includes all of the standard password manager capabilities, plus a few features that other services restrict to paid accounts. With LastPass’s free version you get a cross-platform password vault (with no limits on the number of passwords you can create), auto-filling capabilities, a password generator, one-to-one sharing capabilities, secure notes, LastPass’s Security Challenge check, and support for multifactor authentication.

Other free password managers have stringent limitations. Some, like RoboForm and Enpass, put a limit on the number of passwords free users can save. Others, like Dashlane and Keeper, are only free if you use them on a single device. MyKi’s and Bitwarden’s free versions, however, do not impose limitations related to cross-device syncing or total passwords.

LastPass Premium costs $36 per year. In addition to all the free version’s features, you gain one-to-many sharing, advanced multifactor options (such as YubiKey support), Emergency Access features (password inheritance), priority tech support, the LastPass for Applications app, and 1GB encrypted file storage. Previously, Emergency Access tools were available for free users, so this is a step back. We tested LastPass using a Premium account.

The top tier for noncorporate accounts is LastPass Family, which costs $48 per year. LastPass Family subscribers get six LastPass Premium licenses, unlimited shared folders, and access to the LastPass family dashboard.

LastPass’s pricing for its Premium and Family versions is consistent with equivalent versions of competing software. For instance, Keeper Password Manager and Digital Vault’s Personal and Family tiers cost $29.99 and $59.99 per year respectively. Sticky Password Premium is $29.99, while 1Password costs $35.88 per year. Dashlane premium costs $59.99 per year. Bitwarden’s Premium and Family versions are significantly cheaper at only $10 and $12 per year.

Getting Started With LastPass

To sign up for LastPass, you need to enter an email address and create a strong master password. LastPass has tightened up its master password requirements since the time of our last review, which we appreciate. Your master password must now be at least 12 characters, include a number, have both uppercase and lowercase letters, and must not be your email address. Read our tips on how to remember a strong master password for additional help. Amusingly, LastPass does not prevent you from using the example password on that account-creation page. You should also enable two-factor authentication as soon as you create your account, as we discuss in the next section.

After you create your account, LastPass offers to install its browser extension, which is how you log in to the service. If you choose to skip this setup, you can always use the LastPass Universal Windows, macOS, or Linux installers to add the LastPass extension to the browsers on those platforms. LastPass offers browser extensions for Chrome, Firefox, Edge, Safari, and Opera.

Once you log in, LastPass walks you through saving a password for Google, Facebook, PayPal, or Netflix. Pop-up notifications explain that you first log in as usual and then click the Add button when LastPass offers to save it. LastPass also takes you on a quick tour of the Web Vault. Keeper Password Manager & Digital Vault offers a similar onboarding process.

During installation, LastPass used to offer to import passwords from your browsers and turn off password capture in the browsers. This feature is still available; it just doesn’t happen as part of the installation. LastPass also used to offer a one-time password each time you’d install it on a new device. In the event you forgot your master password, you could reset it using the one-time password, much as Keeper uses your security answer for a master password reset. Here again, you can dig in and create one-time passwords, but it’s not part of the installation flow.

LastPass can import from 31 competing products, but some are defunct (McAfee Safekey is now True Key) and others are simply obscure (such as Clipperz, Figaro’s Password Manager, and Revelation Password Manager). The import list remains wildly out of date and is missing five out of PCMag’s nine best-rated password managers (excluding LastPass itself).

Multifactor Security

It doesn’t matter how complex your master password is if a thief gets ahold of it. LastPass does require email verification the first time you log in from a new device, which is good. But you can seriously enhance your security by using the available multifactor authentication options. To set up multifactor authentication, head to Account Settings > Multifactor Options tab in the Web Vault.

The available two-factor authentication options depend on your subscription tier. Free users can use an authenticator app such as Duo, Google Authenticator, or Microsoft Authenticator. Setting up an authenticator app just requires snapping a QR code using the app of your choice. Each time you log in you’ll need to supply a time-based one-time password (TOTP) generated by the app (essentially a six-digit code that typically changes every 30 seconds) in addition to your master password.

LastPass offers authentication through its LastPass Authenticator app too, which lets you accept or reject a login attempt via a push notification, without needing to enter the six-digit code. It also lists Toopher (this was acquired by Salesforce and is no longer available) and Transakt (the Android variant was last updated in the fall of 2019). As with the import list, LastPass needs to remove options that are not usable.

Don’t have a smartphone? You can print a wallet-sized authentication grid. For authentication, LastPass requests characters found at specific grid coordinates. Talk about low-tech!

Premium users can use hardware keys (such as a YubiKey) or biometric options as a second authentication option. Note that LastPass does not support the more modern Universal Two-Factor (U2F) FIDO 2 standard, instead relying on a TOTP-based method. In essence, when you tap a YubiKey to log in, the key supplies a string of numbers for authentication. 1Password supports the U2F authentication method. Previously, LastPass allowed you to turn a regular USB stick into a second factor for authentication via Sesame, but that feature is gone. The methods described above are more intuitive in any case.

Dashlane, Myki, and Keeper include built-in time-based one-time password (TOTP) generators and effectively replace the need for a third-party authenticator app for logins to other online accounts. LastPass does not have this capability.

Two-factor authentication can get tedious after a while, so LastPass lets you define specific devices as trusted. When you log in from a trusted device, all you need is the master password. Trust expires every 30 days, and you can delete a lost device from the trusted list. For even more control, you can ban logins from any device that’s not already on the trusted list.

LastPass Web Vault and Browser Extension

LastPass does offer desktop apps for Windows (via the Microsoft Store) and macOS, but you can manage all of your passwords and personal data on the web. LastPass’s Web Vault uses a red, gray, and white color scheme and a straightforward layout. The interface isn’t as elegant as others, but it works fine and we did not encounter any performance issues in testing.

At the top of the interface, there’s a search bar for sifting through all your saved data. A right-hand drop-down menu lets you access your Account Settings and other help resources. In the Account Settings section, you can define equivalent domains such as youtube.com, google.com, and gmail.com. A password for one is good for all. LastPass comes with dozens of these defined, but we doubt any user edits or adds to the list. The same is true of the list of URL rules, which let you define whether a given URL requires exact Host Matching and Port Matching. Once again, we doubt any user touches this feature. Hiding these features would help streamline the product.

LastPass Web Vault

You navigate the experience via a left-rail menu that includes All Items, Passwords, Notes, Addresses, Payment Cards, and Bank Accounts sections. Secure notes just store and sync sensitive information, optionally with an attachment. Addresses are similar to what previous editions called Form Fills. Payment cards and bank accounts are self-explanatory. If you add one of LastPass’s newer item types such as driver’s licenses, passports, or social security numbers, those categories show up in this menu, too. We discuss these item types in more detail in the form-filling section. You add entries and folders via the red plus button at the bottom of the page. The left-hand menu also includes the Security Challenge, Sharing Center, Emergency Access, and Account Settings sections.

The middle of the screen is reserved for viewing and editing your stored details. You can view entries in a list or grid view; sort entries and folders alphabetically or by recently used; and switch to a slightly magnified view.

Hovering over a password entry reveals three icons, for editing, sharing, and deleting. We discuss sharing options in a later section. Right-clicking on the item allows you to clone it, copy the username or password, launch the associated site, or move it to a new folder. LastPass supports dragging and dropping items into folders. When you edit an item, you can change its displayed name, add a note, or add it to your favorites. Advanced options let you require reentering the master password for the item, autofill it without waiting, and keep the entry but disable autofill entirely.

LastPass Browser Extension

Although LastPass does offer the ability to organize items into custom folders, it does not support the creation of separate vaults (such as for personal and work passwords), something 1Password does. Like 1Password and Enpass though, LastPass does support nested folder options (the other two services offer the same capability with tags).

We tested the LastPass extension on Firefox. From the extension, you can view recently used passwords, view all items, and generate new secure passwords. The Add Item and Account Options items redirect you to the Web Vault. For specific password entries, you can launch the associated website directly, copy the username or password, and edit them. Annoyingly, there is a persistent ad to the left of the extension menu prompting you to upgrade to LastPass premium.

Password Capture and Replay

When you log in to a secure site, LastPass offers to save your credentials. You can just click Add and continue, or click the pencil icon to edit the entry. You can assign the captured login to a new or existing folder, or tell LastPass you never want to save a password for the site. As with 1U Password Manager, you can’t enter a friendly name directly in the pop-up window, but you can take care of that in the main interface. In testing, LastPass captured logins from both one- and two-page logins without issue.

LastPass Password Replay

LastPass no longer immediately fills in your credentials when you revisit a site by default, but you can enable the auto-login option on a per-account basis. Enpass and KeePass are other examples of password managers that require you to manually trigger filling credentials. If you’ve stored more than one set for a site, LastPass adds a small number to the icon it puts inside the username and password fields.

Security Challenge

Getting all your passwords safely stored with LastPass is a good first step, but it’s not enough. Now you need to fix the weak ones and the ones you’ve recycled for use on multiple websites. That’s where the Security Challenge comes in.

Click the Security Challenge icon, reenter your master password, and get ready to see how good (or bad) your passwords are. As part of the analysis, LastPass sifts out the email addresses found among your passwords and offers to check them against known breaches. Naturally, if you find that one of these addresses is associated with a breach, you should change all associated passwords immediately.

At the top of the resulting report, you get an overall percentage score, your standing within the LastPass community, and a score for your master password. The overall score is mostly based on whether your passwords are strong and unique, but it includes other factors as well. For example, you lose 10 percentage points if you haven’t enabled multifactor authentication.

LastPass Security Challenge

Follow the prompts to fix four types of problems: compromised passwords, weak passwords, reused passwords, and old passwords. Note that LastPass measures age starting from the first time it encountered the password.

You can scroll down for a full list of all your passwords, along with a password strength rating for each, the time you last changed it, and a button to help you update the password. LastPass no longer builds in an Auto-Change button for offending passwords. Keeper doesn’t attempt to fully automate password changes either, because doing so would compromise the company’s zero-knowledge policy.

Password Generator

When you sign up for a new account or change your password for an existing account, LastPass offers to generate a secure password. By default, the password generator creates 12-character passwords, the same default as Keeper and Dashlane. LastPass defaults to using all four character sets (upper case letters, lower case letters, numbers, and symbols), which we like. You can select the Easy to Say (omits numbers and symbols) or Easy to Read (avoids ambiguous characters like capital O and digit 0) options, but we recommend you create the strongest possible password by using all four character sets.

LastPass Password Generator

Default settings for password generation vary wildly between programs. At the low end, Ascendo DataVault Password Manager defaults to a password of just eight alphabetic characters. At the other end, Myki’s default settings give you huge 30-character passwords. In between, Password Boss and KeePass create 20-character passwords by default. Since the program remembers it for you, your password might as well be long. We recommend cranking the length up to at least 20 characters and including symbols.
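To put numbers on those defaults, here is an added example (not LastPass's generator and not from the original review) that builds passwords from the four character sets and estimates their strength in bits. The symbol set (Python's `string.punctuation`) and the exact list of ambiguous characters are assumptions; the review only names capital O and digit 0.

```python
import math
import secrets
import string

# Assumption: characters treated as ambiguous in "Easy to Read" mode.
AMBIGUOUS = set("O0Il1|")

# Assumption: string.punctuation stands in for the product's symbol set.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
ALL_FOUR = ("upper", "lower", "digits", "symbols")
EASY_TO_SAY = ("upper", "lower")  # omits numbers and symbols


def build_classes(use=ALL_FOUR, easy_to_read=False):
    """Return the selected character classes, minus ambiguous characters if asked."""
    selected = []
    for name in use:
        chars = CLASSES[name]
        if easy_to_read:
            chars = "".join(c for c in chars if c not in AMBIGUOUS)
        selected.append(chars)
    return selected


def generate(length=20, use=ALL_FOUR, easy_to_read=False):
    """Draw from the OS CSPRNG; retry until every selected class appears.

    Rejection sampling keeps the result uniform over all passwords that
    satisfy the policy, unlike forcing one character per class into
    fixed positions.
    """
    classes = build_classes(use, easy_to_read)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    pool = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def entropy_bits(length, use=ALL_FOUR, easy_to_read=False):
    """Upper-bound estimate: length * log2(pool size)."""
    pool_size = len("".join(build_classes(use, easy_to_read)))
    return length * math.log2(pool_size)


def compare_defaults():
    """Strength of the default settings the review lists, in bits."""
    return {
        "8 alphabetic": entropy_bits(8, EASY_TO_SAY),
        "12, four sets": entropy_bits(12),
        "20, four sets": entropy_bits(20),
        "30, four sets": entropy_bits(30),
    }


if __name__ == "__main__":
    for label, bits in compare_defaults().items():
        print(f"{label:>14}: {bits:6.1f} bits")
    print("sample:", generate(20))
```

Each added character from the full pool contributes about 6.5 bits, so moving from 12 to 20 characters adds more strength than any change of character set.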

When you change your password, LastPass offers to update the associated entry. This works whether or not you accept the aid of the password generator.

Emergency Access

It’s not the most cheerful thought, but what happens to your passwords if you keel over unexpectedly? How will your heirs access your bank account or let your social media circle know what happened? The Emergency Access feature lets you define one or more contacts who can access your passwords in the event of your untimely demise. This feature is not available to free users.

Emergency Access in LastPass works similarly to Dashlane’s and Keeper’s equivalent features. You enter your recipient’s email address and define a waiting period. Recipients must install LastPass, if they haven’t already, and accept your connection request. Now if something happens to you, the recipient simply requests access to your account. Dashlane does let you pass along just a subset of your saved credentials—for example, you might define a coworker as the recipient of your work-specific passwords. That’s not an option in LastPass. Zoho Vault distinguishes work passwords from personal ones; the administrator can unilaterally take over work passwords for an ex-employee.

Here’s where the waiting period comes in. Suppose your trusted recipient decides to jump the gun and get your passwords before you’ve kicked the bucket. The initial request for access triggers a notification, and you can deny the access request at any time during the waiting period. In a real emergency, your recipient automatically gets access after that time elapses.

Clicking Emergency Access lets you view two pages, People I Trust (your password heirs) and People Who Trust Me (those who’ve made you their emergency access contact). On the People I Trust page you can delete anyone from the list, or change the waiting period. On the People Who Trust Me page, you can bow out of the emergency access role.

Password Sharing

We advise against sharing your passwords promiscuously, but some situations merit sharing. You and your partner may use a joint bank account, for example. If you must share credentials, you should do so safely.

Sharing passwords with other users is a common feature among password managers, though it’s found more in commercial products than free ones. 1U Password Manager limits sharing to its mobile app. Users of the free LogMeOnce can share just five passwords. Free LastPass users can only set up one-to-one sharing, but that’s hardly as restrictive as with the free versions listed above.

LastPass Password Sharing

Premium subscribers can share one item with several other users, and those who pay for a Family account can share an unlimited number of folders. Shared folders used to be a feature of LastPass Premium, but not anymore.

Sharing a password is easy. Just select an item in the vault, click the sharing icon, and enter the recipient’s email address. Recipients who already use LastPass will see a notification that a new share has arrived; others will get an email message explaining how to create an account and accept the share. The recipient can use the shared item to log in. As with LogMeOnce, you choose whether to make the password visible.

Other products take sharing even further. With Keeper, you control whether the recipient can edit the login or share it with others; you can even make the recipient the owner. Dashlane lets you make the recipient a co-owner.

The Sharing Center within the Web Vault lets you easily manage your shared items. As with emergency access, you can relinquish access to credentials that others have shared with you, or cut off others with whom you’ve shared passwords.

Filling Web Forms

When you’ve got a product that can automatically fill in login credentials, it’s just a short step to making it fill personal data into web forms. Other free password managers with this feature include LogMeOnce, Enpass, and Norton Password Manager.

You can store multiple Addresses, Payment Cards, and Bank Accounts in LastPass, each with a variety of personal and contact information. RoboForm Everywhere lets you create multiple instances of any form-fill field, while Dashlane stores the various components of personal data (phone numbers, emails, and so on) separately.

LastPass Addresses

LastPass can store many other types of personal data, too, including driver’s licenses, passports, insurance policies, and Social Security numbers. However, these options are a bit hidden in the interface (go to All Items, hit the Add button in the bottom-right, and click the More Items drop-down menu) and some of the categories are obscure.

To fill a form on the web using LastPass, click the icon LastPass adds to one of the fields on the page and select a profile. LastPass fills every field for which you have saved data. You can right-click any field, click LastPass in the context menu, and select an item to autofill.

In testing, we found the autofill handling to be inconsistent. LastPass didn’t offer to fill every type of saved data—for example, driver’s license and passport information didn’t appear, though address, bank card, and social security number did. In addition, many of the item types store duplicate data. For example, a driver’s license entry includes full snail-mail address info, also found in the Address type.

Secure Notes and Online Storage

Secure notes are just another way to store information in your LastPass account that doesn’t fit into any of the other categories. The notes only support unformatted text. 1Password allows you to use markdown formatting for notes with some of its apps and we’d like to see this added.

Only Premium LastPass subscribers get online storage, but total space is limited to 1GB (free users get 50MB). You can’t upgrade this storage. To store an attachment with LastPass, you must attach it to an item.

Keeper’s Family Plan includes 10GB of storage space by comparison. Kaspersky Password Manager does not place restrictions on attachment storage and includes a scanning feature that helps you find and organize attachments.

LastPass for Mobile

We tested LastPass on a Google Pixel 3 running Android 10 and had no issues logging in to our test account. LastPass does a great job of keeping the user experience the same across different platforms. Both the Android and iOS editions have all of LastPass’s features, including password generator, emergency access, sharing center, and security challenges sections. LastPass’s iOS app does organize elements a bit differently; you navigate the experience via four icons across the bottom: Sites, Browser, Security, and Settings. Android and iOS’s built-in auto-filling capabilities have vastly improved over the years and LastPass relies on the built-in options for filling credentials on sites and apps.

LastPass Mobile App

In addition to app-based authentication options, you can configure LastPass to authenticate using your device’s biometric login options. LastPass supports both face- and fingerprint-based authentication methods on both Android and iOS devices. YubiKey authentication requires a YubiKey model that supports authentication via NFC (Near Field Communication) or your phone’s connection type (such as USB-C or Lightning port).

LastPass Free Steals the Show

LastPass’s free version packs more features than almost any other free password manager. Secure sharing, an actionable password strength report, and no limitations on the number of entries you can create are uncommon offerings. LastPass’s free edition also lets you sync your data across an unlimited number of devices. LastPass Premium and Family plans add notable sharing and authentication features, but many users may not find those reasons compelling enough to start paying. One trend we’ve noticed is that some features continue to move to more-expensive tiers. For instance, Emergency Access features are no longer available in the free version and folder sharing has moved to the Family Plan.

Still, LastPass earns an Editors’ Choice award, based on the merits of its free version and a premium tier that includes features consistent with other top password managers. Keeper Password Manager & Digital Vault, Dashlane, and MyKi are our other Editors’ Choices for password managers. All those services have extensive features and are easy to use.

LastPass Specs

Import From Browsers: Yes
Two-Factor Authentication: Yes
Fill Web Forms: Yes
Multiple Form-Filling Identities: Yes
Actionable Password Strength Report: Yes
Application Passwords: Yes
Digital Legacy: Yes
Secure Password Sharing: Yes
