Reviews for LastPass Password Manager
LastPass Password Manager by LastPass
Review by Firefox user 15238324
Rated 3 out of 5
by Firefox user 15238324, 5 years ago
UPDATE. DO NOT USE YUBIKEY FOR TWO FACTOR AUTHENTICATION - UNFORTUNATELY LASTPASS DOES NOT USE FIDO2 AS THE AUTHENTICATION MECHANISM AND INSTEAD USES THE YUBIKEY PSEUDORANDOM KEY GENERATOR THAT BECAUSE OF POOR IMPLEMENTATION BY LASTPASS MEANS IT REMAINS SUSCEPTIBLE TO ATTACK AND LEAVES YOUR ENTIRE VAULT OPEN TO THIEVES. THIS IS A KNOWN SECURITY ISSUE AND IRONICALLY ONLY APPLIES TO PAYING CUSTOMERS. SINCE LASTPASS HAVE BEEN INFORMED OF THIS ISSUE, NO ATTEMPT TO RESOLVE THE PROBLEM HAS BEEN MADE. THIS TOGETHER WITH A LACK OF TRANSPARENCY IN THEIR ISSUE MANAGEMENT RATES THIS AS 3 STARS AT BEST. The remainder of the review relates to usability and is based on LastPass's own publicity which given some of their representations at the time of this review regarding Yubikey being false, should be taken with that fact in mind.
LastPass is probably one of the more intuitive password managers on the market at the time of writing with integration into the widest number of websites and available on the widest number of platforms of all the consumer focussed password / identity management solutions. Security applications have for the most part been devoid of interfaces that make it simple for the end-user to use, or for the most part even understand, so in many ways LastPass's user interface is the main reason for its awards and subsequent user base.
Functionally the range of features that come with LastPass are impressive, if a little daunting for someone who has not seen its evolution as a piece of software and it can feel as though if you used all the features and functionality it contains – it can be used to keep secure notes and has multiple templates for recording other types of sensitive data besides passwords for websites – then you would be relying on a basket that would be holding a lot of heavy eggs. Templates include SSNs, WiFi Passwords, Bank accounts, payment cards, Insurance Details etc. and has the functionality for creating your own templates (I created one for storing GPG Keys and another phone IMEIs among other things), that it really can feel that you could be left very exposed to identity theft if an exploitable security hole went unpatched.
There is, as with all password managers, an issue that is core to single password information vaults. Your LastPass password may be the last password you'll ever need but it's also the only password you must never ever forget. Or divulge. And it needs to be good enough that it's not easily guessable. For all these reasons I believe it's critical that some form of two factor authentication is used in addition to a strong password. The second authenticator can be hardware, e.g. software like Google Authenticator, a pseudo-random number generator app which creates a new 6 digit authorisation code every 30 seconds. (LastPass offer their own app for generating these numbers). It's why we all should have at least two front door keys (and not keep one under the flowerpot!)
However the Achilles heel that all Vault based security apps struggle with: To ensure that only you can access your data also means that there is no means of opening the vault if you forget your LastPass password, or lose the only source of authenticating you as the authorised user. LastPass have attempted to resolve this problem with a form of escrow that grants user nominated individuals access to the Vault in the event that the primary user is unable to input their password. I understand it is there primarily to help the family in circumstances where they need to take over management of the user's affairs, but the solution has a "tacked on" feel to it.
LastPass has made a strong commitment to ensuring their offering is secure which can be found on their website. Of all the password managers on the market I have found it to be the best and rate it highly, recommending it frequently. That said there are parts of the functionality which novice users and those who aren't IT literate do find frustrating to use. I do think perseverance in learning is rewarded - there is a substantial set of FAQs, active user forums, instructional videos, user support and guides which can be easily accessed. Overall a very useful and powerful extension which provides a huge amount of tools to make your online life far more secure.