Is LastPass secure? A password manager review

LastPass is a generally secure password manager. However, with over 33 million registered users, it is a big target for hackers. You may have seen security reports stretching back to 2011 about LastPass’ data breaches. Still, the company was always transparent, informing customers about leaked data and controlling the damage until recently.

Following a significant data breach in August 2022, LastPass was hit by another cyberattack on December 22, 2022, when criminals accessed the password vaults of millions of users. These attacks were followed by another series of cyberattacks that drew the attention of cybersecurity experts and raised customers’ suspicions about the security of the LastPass system itself. You would think cyberattacks just happen sometimes, but LastPass executives avoided reporting the leaked data and withheld complete information, causing even more distrust among users.

LastPass is a leading password management tool, offering 256-bit AES encryption, promoting zero-knowledge policy, and providing an extra data protection layer with multi-factor authentication (MFA) options. It is designed to store, organize, and autofill passwords on your devices and browsers.

Once you install the LastPass app, you are asked to create a complex and unique master password, your key to your private information vault, which LastPass encrypts using AES-256 bit encryption. As soon as your LastPass account is set up, enter your login credentials for your online accounts to the system. The password manager automatically fills the login fields during subsequent visits.

What’s more, LastPass generates passwords for new online accounts, stores sensitive notes, offers cross-platform synchronization, and lets you securely share passwords with others.

Let’s look at how to create secure master passwords and LastPass’ data encryption more closely.

To create a LastPass account, you must create a strong master password. It must be at least 12 digits long and include uppercase letters, numbers, and symbols. Once you create the password, LastPass uses encryption mechanisms to protect it, making it hard for hackers to access.

LastPass uses PBKDF2-SHA256 to hash your master password, significantly slowing down brute force attacks. With PBKDF2-SHA256 hashing, a hacker running a brute force attack can only try to guess a few thousand instead of billions of user passwords per second.

LastPass also offers multi-factor authentication, meaning you must complete an extra verification step to log in to your account. It can be a text message or biometric authentication, meaning an intruder needs your phone to hack your account.

Like any security-focused service, LastPass offers strong end-to-end encryption. The password manager uses industry-standard TLS encryption to transfer your data between your device and its servers, protecting your data from man-in-the-middle attacks. LastPass uses AES encryption with a 256-bit key for your data stored on its servers, the same encryption standard used by banks, the military, and NordVPN.

The company also has a zero-knowledge policy, meaning that all information stored on LastPass’ servers is encrypted. No one else, not even LastPass employees, can see it.

To ensure the security of your stored passwords, LastPass also conducts regular audits and penetration tests, releases incident reports, and offers a bug bounty program.

The latest series of cybercrimes against LastPass has left cybersecurity experts and LastPass users who have entrusted their passwords to the company unpleasantly surprised. Here’s a brief timeline of the recent data breaches and events that have caused both financial and reputational damage to LastPass:

• August 8, 2022. A hacker compromised a LastPass developer’s corporate computer, managed to gain access to a development environment, and stole source code, some technical documentation, and confidential company information.
• August 12, 2022. A threat actor used the information obtained during the first breach and carried out an even more damaging attack. LastPass CEO Karim Toubba announced that the intruder was inside the development environment for four days but has no evidence of them gaining access to sensitive user data or password vaults. However, the hacker managed to alter the source code. LastPass assured users that the situation was under control and the intruder was no longer causing damage.
• October 26, 2022. LastPass announced that the same hacker was inside their systems for almost three months, performing reconnaissance, enumeration, and exfiltration activities. Security experts didn’t detect any intrusions after October 26, 2022.
• November 30, 2022. For the first time during this series of data breaches, LastPass announced that customer data was compromised by a threat actor using the information obtained in the August 2022 intrusion.
• December 22, 2022. Toubba reported that third parties managed to access customer vault data and stole encrypted passwords, usernames, billing and contact information, and customer IP addresses.
• January 23, 2023. Attackers managed to obtain encrypted backups and an encryption key for LastPass.
• March 1, 2023. After six months of chaos, Toubba released a statement accepting the criticism and frustration from LastPass customers. He confirmed that LastPass never stored master passwords, and hackers didn’t obtain them during the breach. Toubba assured its customers that the LastPass security team has not yet detected any stolen information on the underground market.

In 2015, LogMeIn bought LastPass for $110 million. Some loyal customers have expressed concerns about the new LastPass owners because of their backstory when hackers attempted to exploit stolen credentials to gain unauthorized access to systems using remote access tools. This Boston-based company manages several cybersecurity products, including remote access, administration, online meetings, and collaboration software.

With constant innovations in cybersecurity, password managers have some fierce contenders. An alternative to LastPass is NordPass. It combines powerful encryption with the XChaCha20 algorithm and a strict zero-logs policy, packing a powerful punch. NordPass is regularly audited and verified by third-party auditors.

NordPass has both a free and Premium version. The Premium version starts from as low as $3 per month. Both versions let you sync your passwords across all your devices, but a paid subscription allows you to access your passwords on up to five other active devices and includes Breach Scanner, which informs you if your data has been involved in any data breaches.