LastPass

LastPass is no longer the champion of free password managers due to device restrictions, but it remains great for secure password sharing and has feature-packed paid subscription tiers.

Introduction

LastPass was the first password manager to gain mass appeal, and although its free tier is more restricted than it once was, it’s still an excellent choice if you primarily store passwords for use on the web.

Paying subscribers receive a great range of features, including one of the best secure password sharing features around.

Pricing

A LastPass Premium account costs £31.20 per year, while a Families subscription gets you six accounts, plus admin tools that can help you reset any family member’s lost master password for £40.80 a year.

LastPass was once famous for having a free tier that was virtually indistinguishable from its paid offerings. That’s no longer the case; but free users still get unlimited password storage, accessed from as many devices as they like. But all of those devices have to be of the same type. Essentially, that means free account holders have to choose between accessing LassPass via browser extensions on a computer, or via one of its mobile apps on a smartphone or tablet.

Free users are also limited in that they only have one-to-one (rather than one-to-many) password sharing. There’s also no emergency access, password security assessment service or dark web breach monitoring.

Paying users get 1GB of encrypted attachment or secure file storage, where free users do not. Paying customers also get extra multi-factor authentication options, including FIDO (Fast IDentity Online) security keys, fingerprint scanners and smart card readers, as well as the push notifications to phone, TOTP (Time-Based One Time Password) authenticator and printable code grid that all users can use as their second factor when signing into LastPass.

Features

• Superb for password sharing
• Wide range of recovery options
• Lacks a desktop app

LastPass is genuinely great at sharing, allowing every password to be shared with at least one other LastPass user, and more if you have a paid account. Although LastPass never knows your master password, the service has an unusually wide range of recovery options in case you forget it.

A recovery one-time password is automatically created by every LastPass app or extension. Other options include mobile account recovery, user-generated One-Time Passwords, SMS account recovery, and master password reversion to the previous password within 30 days of a password change, with the caveat that all new vault entries since the change will be deleted.

LastPass lacks a desktop app at a time when most of its rivals have embraced cross-platform, standalone clients to make it easier to fill and store passwords in places other than the browser. It’s a relatively minor inconvenience – all you have to do is open your web vault in your browser and copy passwords from there. Nevertheless, it falls short of the smooth experience of using dedicated apps such as those provided by Bitwarden or KeePass.

As well as storing passwords and payment cards, LastPass can also hold and fill a range of other information, including bank details, identity documents, software licenses and addresses. This has recently been upgraded with a smarter form fill capture to record new data as you add it.

The Vault interface hides some of these data types when you’re creating an entry, hiding useful content behind extra pull-downs. Similarly hidden is the ability to create separate “identities”, which can be used to replicate 1Password’s famous Travel mode, as only passwords associated with your currently selected identity will be available in your active vault and therefore subject to inspection by security officials. The feature also allows you to keep home and work passwords well separated from each other.

Its default security behaviour is clearly aimed at users who value convenience over security or only use a personal, secure desktop device that no-one else has access to. Once logged in, the LastPass browser has no default logout period set for either inactivity or browser restart, while the LastPass Vault’s default log-out period is two weeks.

This is frustratingly insecure, but at least you can change it via LastPass’s highly configurable range of logout options in both the Vault and the browser extension. There are some very handy options, including requiring a master password on attempt to access specific identities in the Vault, or on a range of other behaviour, including in-browser autofilling. If you use 2FA, specific devices can be set to trusted, requiring multifactor re-authentication only every 30 days.

LastPass supports passwordless logins including biometric unlock on both browsers and mobile devices and a master password unlock via prompt from the LastPass mobile app. While LastPass’s enterprise subscriptions now offer an integrated TOTP authenticator in the password manager itself (as opposed to a separate LastPass Authenticator app), this hasn’t yet rolled out to personal users.

Latest deals