
LastPass has been a go-to password manager for years, but recent security breaches have some users looking over their shoulders. In this review, we’ll dig into the good, the bad, and the “yikes” moments, while also pointing you toward some solid alternatives that won’t make you sweat.
LastPass is easy to use, packed with handy features, and competitively priced — but with so many password managers out there, does it still deserve a spot on your device? We’ll take a closer look at its pros, cons, and whether it can still hold its own against similarly priced competitors.
On the security front, LastPass checks a lot of boxes: military-grade encryption, a strict “zero-knowledge” policy, two-factor authentication, biometric logins, and regular third-party audits. But past breaches, including the notorious 2015 incident and more recent hacks, have left a few red flags waving.
We’ll explore those breaches in detail, break down LastPass’s history, and give you the full picture — so you can decide if it’s worth sticking with or if it’s time to jump to a safer alternative.
Heads up: After the latest vault-data breach, many users are understandably reconsidering LastPass. For anyone seeking peace of mind, we’ve also included a list of the best secure password managers to explore.
Website | Lastpass.com |
Platforms | Windows, macOS, Android, iOS |
Browser extensions | Chrome, Firefox, Opera, Safari, and Edge |
Free version | Yes |
Encryption | AES 256-bit |
Support | |
Price | From $3.00/month |
Curious how LastPass really performs? In this review, we’ll dig into its strengths, flaws, and everything in between to help you decide if it’s the right fit.
Let’s start with LastPass’s main strengths and weaknesses:
+ Pros
- 1GB encrypted file storage (with paid plans only)
- 2FA support
- 14-day trial with business and 30-day trial with family packages
- Automatic sync across all your devices
- Built-in, step-by-step guide for new users
- Cross-platform support
- Data is encrypted in transit and at rest
- GDPR compliance
- Individual and multi-user accounts
- Stores and encrypts passwords locally
- There’s a free plan (without cross-device capabilities, though)
- Third-party audits of internal processes conducted
– Cons
- Contacting customer support could be easier
- Collects user data and can be compelled to share some of it
- Slow customer support
- Premium plans are pretty pricey
- The company is based and stores data in the USA
- The free plan is rather limited
LastPass features summary
LastPass packs a lot into both its free and paid plans. To make sense of what’s available, we’ve broken down the core tools for free users first, then the extras you get if you upgrade.
LastPass core features (available for free users)
If you’re planning to make use of LastPass’s free plan, you’ll have access to a somewhat limited set of features. Nevertheless, you’ll still have the ability to:
- Access your vault with LastPass Authenticator
- Automatically sync passwords across all your devices
- Store passwords, secure notes, addresses, credit card info, and bank accounts
- Save and fill passwords
- Security Challenge tool
- Securely share your data with those you trust
- Secure your account with two-factor authentication (2FA)
- Seek customer support from self-service options
- Utilize a strong password generator
- Use a secure password vault
- Login without password
Premium features: What you get if you upgrade
LastPass Free nails the basics. Step up to a paid plan, though, and you’ll unlock features that make a real difference for professionals, families, and teams. Here’s what’s included:
- 1GB encrypted file storage – Store sensitive documents securely within your vault.
- Emergency access – Designate trusted contacts who can access your vault if something happens to you.
- Advanced MFA options – Beyond basic 2FA, premium plans support additional multifactor methods for stronger security.
- LastPass Authenticator integration – Smooth, app-based login approvals for extra convenience.
- Password sharing with multiple users – Share login details securely with family or colleagues.
- Security reports and dark web monitoring – Get insights into weak or compromised credentials and alerts if your details appear in breaches.
- Priority tech support – Faster help compared to free users, including more direct contact options.
- Cross-platform app access – Full support for Windows desktop apps, plus premium-level syncing across mobile and browser extensions.
Solo users will appreciate “Premium”’s extra safety nets like emergency access, while families and businesses get the real win with its sharing and monitoring tools.

Company background: Getting to know LastPass
Launched in August 2008 in Boston (Massachusetts, the US), LastPass has been providing password identity management solutions ever since.
In October 2015, the company was acquired by GoTo (formerly LogMeIn Inc.), one of the leading software as a service (SaaS) companies in the world.
Founded almost two decades ago in Budapest (Hungary), GoTo is now a private company with headquarters in the USA. It was previously listed on the NASDAQ stock exchange with annual revenue of over $1 billion.
So, if you are concerned about trusting your data to a small company with not much revenue and just a couple of employees, that shouldn’t be a concern with GoTo.
Then, in December 2019, the then-named LogMeIn officially announced that it was being acquired by US private equity firms. This is an excerpt from their press release:
“LogMeIn, Inc., a leading provider of cloud-based connectivity, today announced that it has entered into a definitive agreement (or the “Agreement”) to be acquired in a transaction led by affiliates of Francisco Partners, a leading technology-focused global private equity firm, and including Evergreen Coast Capital Corporation (“Evergreen”), the private equity affiliate of Elliott Management Corporation (“Elliott”), for $86.05 per share in cash. The all-cash transaction values LogMeIn at an aggregate equity valuation of approximately $4.3 billion.”
This deal was closed in August 2020, and only time will tell whether it is good that LogMeIn has been acquired by US venture capital firms. Nevertheless, this matches up with the trend we've been seeing of privacy services selling out to various entities:
- Private Internet Access was acquired by Kape Technologies
- Startpage accepted a large investment from System1 (an ad-tech company)
- ExpressVPN was acquired by Kape
In a further development, on December 14, 2021, GoTo announced that LastPass would be made into a separate cloud security company and invest even more into its flagship product – yes, it’s the password manager we’ve been talking about.
None of this is surprising as concerns about data protection have been on the rise, as well as identity theft and fraud, and other alarming cybersecurity statistics. People are spending more money on these services, hence the growth.
However, let’s go back to the LastPass review.
LastPass terms of service: Rules, rights, and responsibilities
Since LastPass was purchased by GoTo, the applicable Terms of Service (TOS) is the GoTo document. It is general in that it covers all the many services they offer. It is also pretty dense legalese. Here’s what we got out of it (but we're no lawyers).
The TOS seems pretty standard. There is one point that some people may be leery of. The company states that:
“If necessary and in accordance with applicable law, we will cooperate with local, state, federal and international government authorities with respect to the Services.”
Since the company is based in the USA, which is a Five Eyes surveillance country, this means that your data may be accessible to various US agencies, in accordance with US laws. Since your data is encrypted and LogMeIn doesn’t have the ability to decrypt it, there isn’t much they can hand over.
This isn't anything out of the ordinary, however, as it also affects secure email services. For instance, in our ProtonMail review, we discussed how this company was forced to comply with lawful data requests from a Swiss court.
That said, LastPass is not open-source software, unlike Bitwarden, for example. Therefore, you need to take the company’s word for it that they can’t read your sensitive data and there's nothing shady going on with backdoors or exploits.
LastPass privacy policy: How LastPass handles your data
The LastPass (GoTo) Privacy Policy is separated into three corresponding sections: “GoTo U.S. Privacy Policy”, “GoTo International Privacy Policy”, and “Supplemental California Consumer Privacy Act Disclosures”, where the last one acts as an addition to the “GoTo U.S. Privacy Policy”.
Among other things, it states that the company collects various types of personal information from its users and goes into detail about this data collection, usage, and sharing – if the lack of data privacy is one of your pet peeves, you should surely check this section.
Some of the data collected by GoTo could include:
- The type of your device
- The operating system (OS) and its version
- A unique device identifier (UDID)
- The internet protocol (IP) address you connect from
- Your location information
- Your language settings
- Other diagnostic data collected by the software
They use this data to run their services and may share it with third parties or as required by law. If this data gathering is of concern, we suggest you visit our Privacy Tools page to learn how to better secure your data. Additionally, our guides on secure browsers and the best VPN services are also useful in this case.

LastPass audits: Insights into safety and data protection
It’s no secret that LastPass and other GoTo products and services have been subjected to several types of third-party audits. On the contrary, the company has been boastfully listing them among its top features.
The series of LastPass audits were conducted between September 2020 and August 2021 by Tevora Business Solutions.
This audit, titled, “SOC 3® – Reporting on System and Organization Controls” was designed to determine whether the company’s internal controls meet specified Trust Service Principles (TSP) as defined by the American Institute of Certified Public Accountants (AICPA).
The report is meant to show that the security, availability, processing integrity, confidentiality, and privacy controls at LogMeIn meet those principles. The results of the audit were that, in the opinion of the auditors, the controls within LogMeIn’s Identity and Access Management System:
“…were effective throughout the period September 1, 2020, to August 31, 2021, to provide reasonable assurance that LogMeIn’s service commitments and system requirements were achieved based on the trust services criteria relevant to security, availability, and confidentiality…”
This is important information, as it tells us that a third-party auditor feels that LogMeIn (now GoTo) has good internal procedures. However, it is important to realize that this is a very different type of audit than the type conducted for products like Bitwarden.
The Bitwarden audit, conducted by security firm Cure53, involved white box penetration testing, source code auditing, and a cryptographic analysis of Bitwarden’s code and security against attacks. This type of security audit is the gold standard, as Cure53 has also audited VPN services, such as ExpressVPN.
Ideally, a company should conduct regular audits against both internal and external threats. Realistically, however, any audit is better than nothing, although it would be good to see the bar raised in this area.
LastPass apps: Desktop, mobile, and browser tools
LastPass offers a wide variety of apps (clients) and browser extensions for you to use. These include:
- Desktop apps for Windows, Mac OS, and Linux
- Mobile apps for Android and iOS (iPhones and iPads)
- Browser extensions for Chrome, Firefox, Safari, Internet Explorer, Opera, Microsoft Edge, and Chromium browsers (including Brave)

Putting LastPass free plan to the test
True to the subheading, we gave LastPass’s free plan a spin for this review — it’s likely enough for most users. Let’s kick things off by checking out the installation and testing the browser extension on Brave.
Installing the LastPass extension and setting up an account
You can install LastPass like any other browser extension, through the web store. Once you have the LastPass extension installed, clicking it opens a window like the one below, where you can start creating your account.

Click the “Create an account” link at the bottom of the window and LastPass will guide you through the signup process. To complete the account creation process, you’ll be asked to enter a valid email address.
LastPass will send a confirmation message to that address and as soon as you verify it – you’re ready to go.
Adding login credentials to LastPass
One of the finest features of LastPass is the step-by-step walkthrough aimed at new users.
You’ll encounter it right after you get LastPass set up. It’ll offer to help you store your first set of login credentials, and also allows you to log in through a third-party account.
It takes just a moment, and by the time you are done, you'll be ready to enter passwords yourself.
With the LastPass extension installed and active, you can log into sites normally. If the site credentials are not already stored in LastPass, a box similar to the one below will pop up and allow you to add the site's credentials to the vault with just one click.

And what if you are switching from a different password manager, and aren’t excited about the idea of manually reentering all the passwords you have stored in another product?
Fortunately, LastPass can import data from many other password managers. However, the process can be a bit complicated. So, if you are considering switching to LastPass from another password manager, you can visit this page and see what’s involved in your particular case.
Working with your passwords
Once you add some login credentials, your LastPass vault should look something like this:

When you hover the mouse over one of these items, LastPass will display your options for that item. This makes for a clean and simple-to-understand view of your vault’s contents.
While LastPass is primarily used for passwords, it can handle far more than just login credentials. It also supports these types of data:
- Passwords
- Personal notes
- Addresses
- Payment cards
- Bank accounts
- Wi-Fi passwords
The entry into the vault for each type is structured to have fields for all the relevant data. For instance, here is what the “Add bank account” form looks like.

Now, let's see how to modify the data you've stored in the vault.
Editing personal data
LastPass stores an encrypted copy of the vault on each of your devices, in addition to the copy that is stored on their servers. This allows you to view your vault whether you’re online or not. However, when you’re offline, you can only view the local copy of the vault – you can't edit it.
If you want to edit the data in your vault (and are online), you can simply click “Open My Vault” in the LastPass extension. This will open your vault in a new tab of your browser.
LastPass password manager in action: A hands-on look
LastPass tries to make using your stored passwords as simple as it gets. Once you get to the login page of a site that LastPass knows, it will insert itself into the relevant fields, just like this:

Clicking the awkwardly circled icon in the image above will make LastPass display a box with the credentials it has for the page involved. Tap on the icon to tell LastPass to enter that data into the fields it knows it has data for.
Can you see the tiny number in the bottom-right corner of the LastPass icon? It indicates the number of entries LastPass has for this page. If a number greater than one appears here, LastPass will display a list of all the relevant logins so you can choose from them.
How to generate strong passwords with LastPass
With a secure password manager to remember things for you, you can start creating those long, complex, impossible-to-remember passwords everyone’s been talking about.
LastPass comes with a superb password generator that can come up with those hard-to-crack passwords for everything you want. To utilize it, click on the extension and select the “Generate Secure Password” option.
The password generator should look like this:

While it will create strong passwords by default, we suggest you change the password length to 16 characters at least – for more security of course.
Boosting your LastPass security
Even the free version of LastPass gives you a couple of handy tools to keep your sensitive data safer.
First up is multi-factor authentication (MFA). LastPass supports a wide range of hardware and software authenticators — you can see all your options right here.
Then there’s the Security Challenge, which scans your vault for weak, reused, or outdated passwords and flags any email addresses linked to hacked websites. It’s a quick and easy way to tighten up your security, and you can access it via the “Account Options” menu in the browser extension.
Sharing passwords with others (and other data)
LastPass allows you to securely share data with the people you trust. However, the free edition supports sharing with one other person only. The LastPass “Sharing Center” is the place where you can manage all your shared items and here you can find out how it works.
Additional LastPass features: What’s beyond the basics
We’ve covered the free features, but if you want more, here’s a quick look at the extra perks paid plans bring.
Emergency access
Emergency Access lets you designate a trusted person to access your LastPass vault in case of an emergency. You can set a waiting period, so your account isn’t opened immediately, giving you control while ensuring your important data is accessible when truly needed. It’s a practical way to protect your digital life and your family.
LastPass for applications
LastApp is a Windows desktop tool that can automatically log you into your apps using credentials stored in your vault. It’s especially useful if you regularly switch between multiple desktop applications, saving time and reducing the hassle of repeated manual logins.
1 GB of encrypted file storage
Upgrading to a paid plan expands your vault’s secure storage from 50 MB to 1 GB. This gives you plenty of room to store sensitive files, from important PDFs to personal documents, all protected with strong encryption and accessible across your devices.
Family manager dashboard
The Family Manager Dashboard is the central hub for the LastPass Families plan, which supports up to six users. From here, you can add or remove family members, manage shared folders, and keep track of everyone’s accounts. Each member still has their own private vault, so personal data remains secure while family logins stay organized.
Team features
LastPass Teams provides tools for managing up to 50 users. Admins can enforce security policies, manage shared folders, and monitor user activity, while team members can safely share credentials and collaborate without compromising security. It’s a streamlined solution for small businesses or group projects.
Enterprise features
For larger organizations, LastPass Enterprise offers comprehensive management and security tools. Admins can control user access, enforce advanced security policies, integrate with corporate directories, monitor SaaS usage, and implement Single Sign-On and adaptive MFA. It’s designed to protect both company data and employee accounts at scale.
You can check the complete breakdown here.
LastPass support: Is it helpful or a hassle?

LastPass offers a range of support options, but getting direct help can sometimes feel like a bit of a treasure hunt. Most issues can be solved through their comprehensive Support Center, packed with guides, FAQs, and troubleshooting steps — perfect if you like figuring things out on your own.
There’s also a community forum, where users and staff chime in with tips and solutions, and a 24/7 automated chatbot that handles common questions. For real-time updates, LastPass maintains a support account on X (@LastPassHelp).
If you’re a paid subscriber (Premium, Families, Teams, or Business), you get access to faster, more personalized support. This includes submitting web-based support tickets, requesting callback phone support, or using the account recovery form if you’re locked out.
For business and enterprise users, LastPass provides dedicated support lines and account managers via the Admin Console. Interested in a business plan? You can reach the sales team directly at +1-833-854-6520.
That said, many users report that live support can be tricky to reach, and response times aren’t always lightning fast. While we’ve personally had no major issues, it’s worth keeping in mind that navigating the support system can sometimes require patience.
LastPass security (Still trustworthy after several hacks?)
Although LastPass encrypts your data on your device using 256-bit AES encryption with PBKDF2 SHA-256 and salted hashes, it still managed to get hacked.
History of hacks and vulnerabilities
In June 2015, LastPass admitted that hackers were able to steal account email addresses, password reminders, server per-user salts, and authentication hashes. The company found no evidence that vault data (including form-fill profiles, secure notes, site usernames, and passwords) were taken. The company took immediate steps to improve its security after this.
According to this HackRead story, LastPass was also hacked at least twice in 2016. In both cases, the attackers were white hat hackers who reported the issues to LastPass.
In 2017, Darknet.org.uk reported that the LastPass Firefox and Chrome extensions had both been made to leak all your LastPass passphrases simply by browsing a malicious website. Reportedly, the problem could also allow a malicious site to run commands on the user’s computer. Once again, the LastPass engineers took action to solve this problem.
In August 2022, cybercriminals managed to hack their way into the company's systems for four days before they were found and removed. According to LastPass's most recent security notice (which was delayed for two weeks), some of its source code and technical information were taken, but the culprit couldn’t access customer data or encrypted password vaults, which is of some comfort.
Much like many times before, LastPass’s security team took critical steps to enhance their existing source code and deploy enhanced security controls, extra endpoint security included.
Different ways to view LastPass security
While seeing hacks and leaks is never pleasant, there are a few ways to look at this.
- The critical approach. Go after LastPass for the number of problems that have turned up and perhaps move to a different password manager.
- The philosophical approach. With so many users and so much notoriety, LastPass is likely attacked more than other password managers. At the same time, there are probably more white hat hackers and other “good guys” looking for problems with LastPass than there are for less popular products.
- The optimistic approach. You could also see this as a positive. Realistically, any moderately complex piece of software has bugs and vulnerabilities. People are finding and fixing the problems in LastPass. Over time, that makes the product safer and more secure (at least in theory).
Now, we’ll leave it up to you to decide how you want to respond to the number of hacks and leaks that have been discovered in the LastPass code.
LastPass privacy: What you should know
As we discussed when looking through their Privacy Policy, LastPass does collect some personal information and may share it with partners and law enforcement. They collect more information than I would like, but at least the data you store in the vault is safe – or is it?
This 2017 post on Hackernoon.com suggests that some of your private data may be exposed by LastPass. The author showed that the URLs of the sites you store in LastPass are not encrypted. If they were, there would be no way for LastPass to be able to display the logos of the sites in the LastPass Vault.
Instead of encrypting the URLs like the rest of the data, LastPass simply stores them as hexadecimal strings that can easily be decoded. Even worse, sometimes URLs contain sensitive information.
For example, there are ways to embed login credentials in a URL. In scenarios like this, you could be sending private information to LastPass in an unencrypted form – but most websites should NOT be doing this.
This is potentially a big privacy problem, but only under the right circumstances. It appears that the only way someone can exploit this problem is if they have access to your vault data. That would mean either hacking into your computer or getting access to your data on the LogMeIn servers.
And as we saw earlier, the third-party auditor says that LogMeIn has systems in place to prevent unauthorized access to your data. So once again it comes down to whether you feel this situation is an unacceptable risk in your particular circumstances.
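The hex-encoded URL issue described above can be checked against your own data. The following is an added example, not code from LastPass or from the original article: it decodes hex-encoded URL fields and flags any that carry credentials or secret-looking parameters. The record layout and the `url_hex` field name are hypothetical, and the sample records are constructed.

```python
"""Audit hex-encoded URL fields for secrets that the encoding does not protect."""
from urllib.parse import urlsplit, parse_qsl

# Query parameter names that commonly carry secrets (illustrative, not exhaustive).
SENSITIVE_PARAMS = {"token", "access_token", "api_key", "apikey", "key",
                    "password", "passwd", "pwd", "secret", "session", "sid", "auth"}

# Constructed sample records. "url_hex" is a hypothetical field name; the
# "enc_password" values stand in for properly encrypted fields and are never read.
SAMPLE_RECORDS = [
    {"id": 1, "url_hex": b"https://mail.example.com/login".hex(), "enc_password": "<ciphertext>"},
    {"id": 2, "url_hex": b"https://alice:hunter2@intranet.example.com/".hex(), "enc_password": "<ciphertext>"},
    {"id": 3, "url_hex": b"https://app.example.org/reset?token=8f3a9c&lang=en".hex(), "enc_password": "<ciphertext>"},
    {"id": 4, "url_hex": b"http://router.example.net/admin".hex(), "enc_password": "<ciphertext>"},
    {"id": 5, "url_hex": "zz-not-hex", "enc_password": "<ciphertext>"},
]


def decode_url(url_hex):
    """Hex is an encoding, not encryption: no key is needed to read it back.

    Returns the URL text, or None if the field is not valid hex or not UTF-8.
    """
    try:
        return bytes.fromhex(url_hex).decode("utf-8")
    except ValueError:  # also covers UnicodeDecodeError
        return None


def audit_url(url):
    """Return a list of reasons this URL should not sit outside the encrypted part of a vault."""
    findings = []
    parts = urlsplit(url)
    if parts.password is not None:
        findings.append("credentials embedded in userinfo")
    elif parts.username:
        findings.append("username embedded in userinfo")
    for name, value in parse_qsl(parts.query):
        if name.lower() in SENSITIVE_PARAMS and value:
            findings.append(f"secret-looking query parameter '{name}'")
    if parts.scheme == "http":
        findings.append("plain HTTP URL")
    return findings


def safe_display(url):
    """Scheme, host and path only, so the report does not repeat the secret."""
    parts = urlsplit(url)
    prefix = f"{parts.scheme}://" if parts.scheme else ""
    return f"{prefix}{parts.hostname or ''}{parts.path}"


def audit_vault(records):
    """Return (record id, redacted URL, findings) for every record worth fixing."""
    report = []
    for rec in records:
        url = decode_url(rec.get("url_hex", ""))
        if url is None:
            report.append((rec["id"], "<undecodable>", ["field is not hex-encoded UTF-8"]))
            continue
        try:
            findings, shown = audit_url(url), safe_display(url)
        except ValueError:  # urlsplit rejects some malformed hosts
            findings, shown = ["malformed URL"], "<malformed>"
        if findings:
            report.append((rec["id"], shown, findings))
    return report


if __name__ == "__main__":
    for rec_id, shown, findings in audit_vault(SAMPLE_RECORDS):
        print(f"record {rec_id}: {shown} -> {'; '.join(findings)}")
```

Entries flagged this way are best re-saved with a clean login URL, keeping the credential itself in the encrypted password field.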
LastPass prices and subscription plans
What LastPass will cost you depends on your needs. For most users, the Free plan should suffice. However, as you can see in the image below, the Premium and Families plans offer some sweet additional benefits for paid users.
Let’s take a closer look at what LastPass costs and what you get with each plan:
LastPass plans | Price (billed annually) | Core features |
Premium | $3.00/month | All core features plus 1 GB file storage, dark web monitoring, and Emergency Access |
Families | $4.00/month | All “Premium” features, plus 6 vaults, shared folders, Family Manager, and family-wide emergency access |
Teams | $4.25/user/month | “Premium” features plus Admin Console, shared folders, security dashboard, up to 25 policies, and group management tools |
Business | $7.00/user/month | “Teams” features plus unlimited users, 100+ policies, advanced reporting, directory integration, and SSO for 3 apps |
Business Max | $9.00/user/month | “Business” features plus SaaS monitoring, unlimited SSO, advanced MFA, and passwordless login. |
While some password managers focus on individual users and small groups, LastPass also has a comprehensive tier of business-focused plans, with features to fit many types of organizations.
LastPass alternatives worth considering
Looking for a password manager that might suit you better than LastPass? Here are some top contenders.
Bitwarden is perfect for individuals or small teams who want serious security without breaking the bank. Its free plan covers unlimited passwords and devices, while premium and family plans add two-step login options, vault health reports, and even self-hosting. Being open-source and regularly audited, it’s a trustworthy, breach-free option.
Meanwhile, 1Password blends strong security with ease of use, making it great for families or business teams. Features like Watchtower for weak passwords, Travel Mode for border-crossing privacy, and passkey support stand out. Shared vaults and admin controls make family and team management simple, with plans starting at $2.99/month.
NordPass, from the team behind NordVPN, offers modern encryption and a zero-knowledge architecture. Premium tools include email masking, password health reports, and a dark web scanner. You can even bundle it with NordVPN for extra security. It’s simple, secure, and has never been hacked.
Last but not least, Dashlane focuses on user-friendly security with extras like a built-in VPN, dark web monitoring, and passwordless login via passkeys. Its premium and family plans cater to individuals and teams alike, providing convenience alongside strong protection.
LastPass review conclusion
So, is LastPass worth checking out?
If you’re searching for a simple, beginner-friendly solution that will keep you from forgetting your passwords then the answer is “yes”. If you need a family-friendly password manager or something that will fit your business team or even an entire enterprise – it’s still a strong “yes”.
On the other hand, if you feel strongly about security and privacy, you might want to consider some other solutions (such as Bitwarden) first. While LastPass is still one of the most user-friendly and feature-rich password managers around, any breaking news about data breaches might make you lose sleep – although your sensitive data is probably safe and sound.
To find additional alternatives to LastPass and learn a bit about password managers in general, check out our main guide.
Here are other password manager reviews you may want to check out as well:
- Bitwarden Review
- KeePass Review
- NordPass Review
- Dashlane Review
- 1Password Review
- Best Password Managers
Yes, it was hacked multiple times before with the latest cyber attack striking LastPass a couple of days ago. Fortunately, no user data was compromised due to the attack. However, back in 2015, LastPass suffered its most severe security breach which compromised users' email addresses, authentication hashes, password reminders, and other personal information.
Despite the infamous 2015 data breach, LastPass is still considered one of the most secure password managers around – plus, it’s simple to use. It utilizes military-grade 256-bit AES encryption with PBKDF2 SHA-256 and salted hashes to make sure all passwords are stored safely.
Whether you’re making use of a 14-day or a 30-day free trial of LastPass plans, after it comes to an end your account will simply be converted to its standard free version. This means you won’t be able to use any premium features anymore. Nevertheless, you won’t lose any of your data.