It’s hard to remember all of the passwords you use to secure your online accounts – especially if you create strong passwords. Password managers offer a solution by securing your passwords, and LastPass is one of the leading apps out there. But is LastPass secure? Is it a good idea to store your passwords with them?
There are great ways to make memorable and secure passwords, but how can you remember them all? Password managers like LastPass come to the rescue. These encrypted password vaults don’t just free you from scribbling passwords on your notebook (which you should never do), they also:
LastPass stores a lot of sensitive passwords in one place, and they say you shouldn’t put all your eggs in one basket. Let's have a look at how LastPass works and what security measures it uses.
To create a LastPass account, you’ll have to create a strong master password. It has to be at least 12 digits long and needs to include upper case letters, numbers, and symbols. This password is encrypted when you create it, so if you lose it or forget it, LastPass will not be able to recover it for you. This also means that if any data leaks do happen, your master password won’t be in that database.
LastPass also uses PBKDF2-SHA256 to hash your master password, which significantly slows down brute-force attacks. Normally, if a hacker tries to break into your account with a database of leaked passwords, he can guess billions of passwords a second. With PBKDF2-SHA256 hashing, he can only guess a few thousand per second.
It also offers multi-factor authentication, meaning that you will need to complete an extra verification step to log into your account. This can be a code sent via a text message, a code generated from an app or even your fingerprint. Multi-factor authentication makes it even more difficult for someone to hack your account as they will also need access to your phone.
Like any security-focused service, LastPass offers strong end-to-end encryption. This means that your information is encrypted before it leaves your device, in transit, and at rest. LastPass uses industry-standard TLS encryption to transfer your data between your device and their servers, protecting you from man-in-the-middle attacks. And it uses AES encryption with a 256-bit key for your data stored on their servers, the same encryption standard used by banks, the military and NordVPN.
The company also has a zero-knowledge policy, meaning that all information stored on LastPass’ servers is totally encrypted. No one else, not even LastPass employees, can see it.
To ensure the security of your stored passwords, LastPass also conducts regular audits and penetration tests, releases transparent incident reports, and offers a bug bounty program.
In 2015 LastPass was bought by LogMeIn for $110 million. Some loyal customers have expressed their concerns about new LastPass owners, however, there’s no evidence that the company has previously used users’ data in any malicious ways. This Boston based company currently manages a number of cybersecurity products, including a remote access and administration software and an online meetings and collaboration software.
LastPass encrypts information client side and has a zero-knowledge policy, so if anyone does hack into LastPass servers, they will only see encrypted information. The only way for anyone to access your sensitive data is to find out your master password, which can be done in many ways. For example, someone could hack into your device, you can forget to log out of your account when using a public computer or they can get it from data leaks, especially if you used the same password on other accounts.
In fact, LastPass discovered some malicious activity on their servers in 2015, finding that users’ “email addresses, password reminders, server per-user salts, and authentication hashes were compromised.” However, no encrypted data was taken, and there’s no evidence that users’ accounts were accessed. The company was transparent about the issue, immediately contacting their users and prompting them to change their master passwords. You can read more about the Lastpass security breach and new security measures LastPass implemented after this incident in their blog post.
Nothing is 100% secure, but LastPass has taken extensive measures to ensure your information is secure. They are fairly transparent and have responded to security issues quickly. Nevertheless, you are also responsible for keeping your data secure and should take the following precautionary measures:
For more tips on how to stay safe online, subscribe to our monthly newsletter below.