It’s hard to remember all of the passwords you use to secure your online accounts – especially if you create strong passwords. Password managers offer a solution by securing your passwords, and LastPass is one of the leading apps out there. But how does LastPass work? Is LastPass secure? And is it a good idea to store your passwords with them?
Emily Green
Mar 04, 2021 · 4 min read
There are great ways to make memorable and secure passwords, but how can you remember them all? This is where password managers like LastPass come to the rescue. These encrypted password vaults not only save you from scribbling passwords in a notebook (which you should never do), they also:
LastPass stores a lot of sensitive passwords in one place, and they say you shouldn’t put all your eggs in one basket. Let's have a look at how LastPass works and what security measures it uses.
To create a LastPass account, you’ll have to create a strong master password. It has to be at least 12 characters long and needs to include upper case letters, numbers, and symbols. LastPass never stores this password itself, only a hash derived from it (see below), so if you lose it or forget it, LastPass will not be able to recover it for you. This also means that if a data leak does happen, your master password won’t be in the leaked database.
LastPass also uses PBKDF2-SHA256 to hash your master password, which significantly slows down brute-force attacks. Normally, if an attacker tries to break into your account using a database of leaked passwords, they can test billions of guesses a second. With PBKDF2-SHA256 hashing, every guess has to go through many rounds of hashing, so they can test only a few thousand per second.
It also offers multi-factor authentication, meaning that you will need to complete an extra verification step to log into your account. This can be a code sent via text message, a code generated by an authenticator app, or even your fingerprint. Multi-factor authentication makes it even more difficult for someone to break into your account, as they will also need access to your phone.
Like any security-focused service, LastPass offers strong end-to-end encryption. This means that your information is encrypted before it leaves your device, in transit, and at rest. LastPass uses industry-standard TLS encryption to transfer your data between your device and their servers, protecting you from man-in-the-middle attacks. And it uses AES encryption with a 256-bit key for your data stored on their servers, the same encryption standard used by banks, the military and NordVPN.
The company also has a zero-knowledge policy, meaning that all information stored on LastPass’ servers is encrypted before it ever leaves your device. No one else, not even LastPass employees, can read it.
To ensure the security of your stored passwords, LastPass also conducts regular audits and penetration tests, releases transparent incident reports, and offers a bug bounty program.
In 2015 LastPass was bought by LogMeIn for $110 million. Some loyal customers have expressed concerns about the new LastPass owners; however, there’s no evidence that the company has ever used users’ data in any malicious way. This Boston-based company currently manages a number of cybersecurity products, including remote access and administration software and online meeting and collaboration software.
LastPass encrypts information client side and has a zero-knowledge policy, so if anyone does break into LastPass servers, they will only see encrypted information. The only way for anyone to access your sensitive data is to find out your master password, which can happen in many ways. For example, someone could compromise your device, you could forget to log out of your account when using a public computer, or they could get it from a data leak, especially if you reused the same password on other accounts.
In fact, LastPass discovered some malicious activity on their servers in 2015, finding that users’ “email addresses, password reminders, server per-user salts, and authentication hashes were compromised.” However, no encrypted vault data was taken, and there’s no evidence that users’ accounts were accessed. The company was transparent about the issue, immediately contacting their users and prompting them to change their master passwords. You can read more about the LastPass security breach and the new security measures LastPass implemented after this incident in their blog post.
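As an added illustration (this is not LastPass’ own code; the iteration count, the use of the e-mail address as salt and the exact authentication-hash construction are assumptions of a simplified model), the Python below shows the client-side PBKDF2-SHA256 hashing described earlier and why a leaked record of per-user salt plus authentication hash, as in the 2015 incident, still forces an attacker through a full key derivation for every master-password guess:

```python
import hashlib
import hmac
import os
import time

# Constructed parameter: an illustrative iteration count, not the real LastPass setting.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client side: stretch the master password with PBKDF2-SHA256.
    Assumption of this model: the lower-cased account e-mail serves as the salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def make_auth_hash(vault_key: bytes, server_salt: bytes) -> bytes:
    """What the client sends at login. The vault key itself never leaves the device;
    the server keeps only this hash and the per-user salt used to make it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, server_salt, 1, dklen=32)


def enroll(master_password: str, email: str) -> dict:
    """Server-side record created at sign-up (the only data the server ever holds)."""
    server_salt = os.urandom(16)
    key = derive_vault_key(master_password, email)
    return {"email": email, "server_salt": server_salt,
            "auth_hash": make_auth_hash(key, server_salt)}


def server_login(stored: dict, candidate_auth_hash: bytes) -> bool:
    """Constant-time comparison of the submitted hash against the stored one."""
    return hmac.compare_digest(stored["auth_hash"], candidate_auth_hash)


def offline_guess(stored: dict, guesses: list) -> "str | None":
    """Cost model for someone holding a leaked record: each candidate password
    requires a full PBKDF2 derivation before it can be compared. Returns the
    matching password if it is in the guess list, else None."""
    for guess in guesses:
        candidate = make_auth_hash(derive_vault_key(guess, stored["email"]), stored["server_salt"])
        if hmac.compare_digest(candidate, stored["auth_hash"]):
            return guess
    return None


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Benchmark how many derivations one CPU core manages per second at a given
    iteration count; higher counts mean fewer guesses per second."""
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", b"constructed-salt", iterations, dklen=32)
    return samples / (time.perf_counter() - start)
```

Calling `guesses_per_second(1)` and `guesses_per_second(ITERATIONS)` side by side shows the slowdown the iteration count buys, which is the whole point of the hashing scheme described above.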
Nothing is 100% secure, but LastPass has taken extensive measures to ensure your information is secure. They are fairly transparent and have responded to security issues quickly. Nevertheless, you are also responsible for keeping your data secure and should take the following precautionary measures:
With constant innovation in cybersecurity, LastPass has some fierce contenders among newer password managers like NordPass, so it's always a good idea to explore your options. From the cybersecurity experts behind NordVPN, NordPass combines encryption based on the XChaCha20 algorithm with a strict zero-logs policy. NordPass is regularly audited and verified by third-party auditors, and even features a built-in password health tool.
NordPass has a free and premium version, which starts from as low as $3 per month. Both versions let you sync your passwords across all of your devices, but a paid subscription allows you to access your passwords on up to 5 other active devices, and includes a Breach Scanner, which informs you if you’ve been involved in any data breaches. With that in mind, we're sure you'll do your own research to find the best password manager for you.
You can get NordPass for free and start syncing your passwords straight away.