
Is LastPass secure enough? A password manager review

March 20, 2019 · 4 min read


It’s hard to remember all of the passwords you use to secure your online accounts – especially if you create strong passwords. Password managers offer a solution by securing your passwords, and LastPass is one of the leading apps out there. But is LastPass secure? Is it a good idea to store your passwords with them?

Is LastPass safe?

There are great ways to make memorable and secure passwords, but how can you remember them all? Password managers like LastPass come to the rescue. These encrypted password vaults don’t just free you from scribbling passwords on your notebook (which you should never do), they also:

  • Store your payment details and shipping addresses;
  • Offer browser extensions that automatically fill in your passwords;
  • Can generate strong randomized passwords every time you log into an account that holds sensitive information, like your bank;
  • Notify you if you’ve used the same password for multiple accounts;
  • Store other digital records like your WiFi passwords, insurance numbers, and memberships.

LastPass stores a lot of sensitive passwords in one place, and they say you shouldn’t put all your eggs in one basket. Let's have a look at how LastPass works and what security measures it uses.

Master Password

To create a LastPass account, you’ll have to create a strong master password. It has to be at least 12 characters long and needs to include upper-case letters, numbers, and symbols. This password is protected with a one-way hash rather than stored in the clear, so if you lose it or forget it, LastPass will not be able to recover it for you. This also means that if a data leak does happen, your master password won’t be in that database.

LastPass also uses PBKDF2-SHA256 to hash your master password, which significantly slows down brute-force attacks. Normally, if a hacker tries to break into your account by running through a database of leaked passwords, they can test billions of guesses a second. With PBKDF2-SHA256 hashing, they can only test a few thousand per second.

It also offers multi-factor authentication, meaning that you will need to complete an extra verification step to log into your account. This can be a code sent via a text message, a code generated from an app or even your fingerprint. Multi-factor authentication makes it even more difficult for someone to hack your account as they will also need access to your phone.

Encryption

Like any security-focused service, LastPass offers strong end-to-end encryption. This means that your information is encrypted before it leaves your device, in transit, and at rest. LastPass uses industry-standard TLS encryption to transfer your data between your device and its servers, protecting you from man-in-the-middle attacks. For the data stored on its servers, it uses AES encryption with a 256-bit key, the same encryption standard used by banks, the military and NordVPN.

The company also has a zero-knowledge policy, meaning that all information stored on LastPass’ servers is totally encrypted. No one else, not even LastPass employees, can see it.

Extra security measures

To ensure the security of your stored passwords, LastPass also conducts regular audits and penetration tests, releases transparent incident reports, and offers a bug bounty program.

Who owns LastPass and can you trust them?

In 2015 LastPass was bought by LogMeIn for $110 million. Some loyal customers have expressed their concerns about the new LastPass owners; however, there’s no evidence that the company has previously used users’ data in any malicious way. This Boston-based company currently manages a number of cybersecurity products, including remote access and administration software and online meetings and collaboration software.

Can LastPass be hacked?

LastPass encrypts information client-side and has a zero-knowledge policy, so if anyone does hack into LastPass servers, they will only see encrypted information. The only way for anyone to access your sensitive data is to find out your master password, and that can happen in many ways: someone could compromise your device, you could forget to log out of your account on a public computer, or the password could turn up in a data leak, especially if you reused it on other accounts.


In fact, LastPass discovered some malicious activity on their servers in 2015, finding that users’ “email addresses, password reminders, server per-user salts, and authentication hashes were compromised.” However, no encrypted vault data was taken, and there’s no evidence that users’ accounts were accessed. The company was transparent about the issue, immediately contacting their users and prompting them to change their master passwords. You can read more about the LastPass security breach and the new security measures LastPass implemented after this incident in their blog post.
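To make concrete why PBKDF2 stretching (described under Master Password) matters when exactly the items named in the 2015 incident leak (per-user server salts and authentication hashes), here is an added, simplified model written for this article; it is not LastPass's own code or documented scheme. The iteration count, the email-as-salt choice and the HMAC-based authentication hash are assumptions of the example; the point it shows is that anyone holding a leaked salt and auth hash must still redo the full PBKDF2 work for every password guess.

```python
import hashlib
import hmac
import time

# Illustrative model only: the iteration count and the auth-hash construction
# are assumptions for this example, not LastPass's documented scheme.
CLIENT_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client-side PBKDF2-SHA256 stretching of the master password.
    The lower-cased email is the salt, so two users who pick the same
    password still get different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def make_auth_hash(vault_key: bytes, server_salt: bytes) -> bytes:
    """What the server stores for login checks: a keyed hash of the derived
    key under a per-user server salt. The vault key itself is never stored."""
    return hmac.new(server_salt, vault_key, hashlib.sha256).digest()


def verify_login(candidate: str, email: str, server_salt: bytes,
                 stored_auth_hash: bytes, iterations: int = CLIENT_ITERATIONS) -> bool:
    """Every check, whether a real login or an offline guess, must redo PBKDF2."""
    key = derive_vault_key(candidate, email, iterations)
    return hmac.compare_digest(make_auth_hash(key, server_salt), stored_auth_hash)


def guesses_per_second(email: str, server_salt: bytes, stored_auth_hash: bytes,
                       candidates: list, iterations: int) -> float:
    """Offline guessing rate for someone holding only a leaked salt + auth hash."""
    start = time.perf_counter()
    for c in candidates:
        verify_login(c, email, server_salt, stored_auth_hash, iterations)
    elapsed = time.perf_counter() - start
    return len(candidates) / elapsed if elapsed > 0 else float("inf")


if __name__ == "__main__":
    # Constructed sample data for the demo.
    email, server_salt = "alice@example.com", b"constructed-per-user-salt"
    stored = make_auth_hash(derive_vault_key("Tr0ub4dor&3 correct horse", email), server_salt)
    wordlist = ["password", "123456", "letmein", "qwerty", "Tr0ub4dor&3 correct horse"]
    print("match:", verify_login(wordlist[-1], email, server_salt, stored))
    for n in (1, 1_000, CLIENT_ITERATIONS):
        rate = guesses_per_second(email, server_salt, stored, wordlist, n)
        print(f"{n:>7} iterations: {rate:,.0f} guesses/s")
```

Running the demo shows the guessing rate dropping by orders of magnitude as the iteration count rises, which is the "billions per second versus a few thousand" effect the article describes.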

Nothing is 100% secure, but LastPass has taken extensive measures to ensure your information is secure. They are fairly transparent and have responded to security issues quickly. Nevertheless, you are also responsible for keeping your data secure and should take the following precautionary measures:

  • Create a strong password that is not used on any other accounts;
  • If you use the LastPass browser extension, don't stay signed in all the time. If you give your device to someone or it gets stolen and hacked, all of your passwords will be accessible;
  • Remember that your data is only as safe as your device. Update your software, use an antivirus, and protect yourself from hackers with a VPN.

For more tips on how to stay safe online, subscribe to our monthly newsletter below.


Emily Green, verified author

Emily Green is a content writer who loves to investigate the latest Internet privacy and security news. She thrives on looking for solutions to problems and sharing her knowledge with NordVPN readers and customers.

