LastPass is one of the biggest third-party password managers out there and it used to hold that position for a good reason. The free LastPass plan supported multiple types of devices, the paid plan was a worthwhile upgrade for $12 per year, and it was decently straightforward and easy to use. Even when the company suffered from numerous security incidents, its responses seemed to warrant the benefit of the doubt.
But over time, features got cut from the free plan and the price of the paid plan went up. Rival password managers also started pushing more innovative features. And then came the major breach in 2022, in which customers’ vault data was stolen and turned out to be only partly encrypted. Oof.
A long while back, I started an account with LastPass to maintain the passwords for a loved one and even after last year’s hack, I didn’t leave immediately. (Change is hard for this person). But after some gentle, prolonged coaxing, I got the green light to switch them to another password manager at last, and I’m so glad to finally move on to greener pastures. LastPass’s problems are just too numerous to stick it out…including when you’re actually in the process of leaving.
If you’re still with LastPass and have been wondering whether you should jump, here’s what tipped me over the edge and why I don’t plan on ever returning.
If you’re looking to pick up a password manager, you should check out PCWorld’s roundup of the best ones available today.
The 2022 security breaches
LastPass’s disclosures about its 2022 security breaches were like watching a train wreck in slow motion. First came the initial announcement in August, which said that no customer data was affected, only a developer environment. Three months later came an update that customer data had been accessed. Nearly a month after that, the company revealed that customer information and backups of password vaults had been stolen. Not only that, but some fields in those vaults, including website URLs, were stored unencrypted; only fields such as usernames, passwords, and secure notes were encrypted.
As mentioned above, LastPass was no stranger to security incidents before this breach, but none was as shocking as this one. Customers of online password managers generally trust that their service is safeguarded well enough that their data, even if encrypted, can’t be accessed by unauthorized parties. Hearing after a breach that part of the vault data was unencrypted was blindsiding.
And perhaps there’s good reason from an engineering perspective for why some details, like URLs, how often you use an entry, when you last updated an entry, etc., would not be encrypted. Even so, those plaintext fields are not harmless: a list of URLs tells an attacker which banks, email providers, and exchanges you hold accounts with, which is exactly the targeting information a phishing campaign wants, and the encrypted fields are protected only as well as the master password and iteration count behind them. But that brings us to the second way LastPass skewered my trust in them, which is…
Bad communication
So, obviously, I don’t know what it takes to run a business where you’re not only safeguarding really sensitive info, but you’re actively dealing with threats to that info on a regular basis.
But good communication is pretty basic—immediacy and full transparency go a long way. A healthy dose of preemptive notifications works wonders, too. The way LastPass breaks its news to customers could use a lot of improvement on all three fronts.
Let’s take a recent example. In mid-July, I logged in to make a last check of the account I was abandoning, only to see a message that my password iterations had been raised to 600,000.
A higher iteration count is a good thing, and here’s why. LastPass derives the key that encrypts your vault from your master password with PBKDF2-SHA256, and each iteration is work that an attacker holding a stolen copy of your vault has to repeat for every guess at your master password, so the cost of cracking scales linearly with the count. OWASP currently recommends 600,000 iterations for PBKDF2-HMAC-SHA256, which is probably why LastPass chose to boost customers universally to that level. Two caveats: iterations only multiply the cost of each guess, so a short or reused master password stays crackable regardless of the setting, and raising the count now does nothing for the vault copies stolen in 2022, which remain encrypted under whatever count each account had when they were taken.
But this happened in July 2023. That is, six months after the disclosure in December about everyone’s vault data being stolen. A half year passed in which people who did not check that setting back in December (like I did) and increased it (like I also did) were left with much lower iterations (like mine was before I fiddled with it).
It says a lot that my first thought was, “What kind of security issue did they have this time to prompt this?” Also, that my second one was, “Why is this happening now?”
The email explaining this change came several hours after I made a quick online search to figure out just what the heck was going on. Then another copy came in the next day. The contents did not explain the timing nor the motivating reason behind the increase.
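To make the iteration count concrete, here is an added example in Python; it is not LastPass’s code or anything from the article. PBKDF2-HMAC-SHA256 is the construction LastPass uses, but the salt, the 5,000-round comparison value, and the keyspace figure are assumptions chosen for illustration, not numbers from the article.

```python
import hashlib
import time

# Added example (not LastPass's code): how the PBKDF2 iteration count changes
# the cost of guessing a master password against a stolen vault.


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key from a master password with PBKDF2-HMAC-SHA256.

    This is the construction LastPass uses for the vault key; the salt value and
    how the key is applied afterwards are assumptions for this example.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def attack_cost_multiplier(new_iterations: int, old_iterations: int) -> float:
    """Factor by which each guess gets more expensive when the count is raised.

    PBKDF2 cost is linear in the iteration count, so this is a plain ratio.
    """
    if old_iterations <= 0 or new_iterations <= 0:
        raise ValueError("iteration counts must be positive")
    return new_iterations / old_iterations


def measure_guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Time PBKDF2 on this CPU and return the guess rate it implies.

    A cracking rig with GPUs runs PBKDF2-SHA256 orders of magnitude faster than
    one Python process, so treat the result as a ceiling on your own safety,
    not a floor on the attacker's effort.
    """
    salt = b"constructed-salt-for-timing"  # constructed, not a real LastPass salt
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    elapsed = time.perf_counter() - start
    return samples / elapsed


def years_to_exhaust(keyspace: float, guesses_per_second: float) -> float:
    """Years needed to try every password in a keyspace at a given rate."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def compare_iteration_counts(old_iterations: int, new_iterations: int, keyspace: float) -> dict:
    """Report what raising the iteration count buys against one attacker."""
    old_rate = measure_guesses_per_second(old_iterations)
    new_rate = measure_guesses_per_second(new_iterations)
    return {
        "multiplier": attack_cost_multiplier(new_iterations, old_iterations),
        "old_years": years_to_exhaust(keyspace, old_rate),
        "new_years": years_to_exhaust(keyspace, new_rate),
    }


if __name__ == "__main__":
    # Constructed comparison: 5,000 rounds vs the 600,000 LastPass moved to.
    # 26**10 is the keyspace of a 10-character all-lowercase master password.
    report = compare_iteration_counts(5_000, 600_000, 26 ** 10)
    print(f"each guess costs {report['multiplier']:.0f}x more at 600,000 rounds")
    print(
        f"exhausting 26^10 on this CPU: {report['old_years']:.1f} years at 5,000 rounds, "
        f"{report['new_years']:.1f} years at 600,000 rounds"
    )
```

The point to take from running it is the shape of the numbers, not the absolute values: the multiplier is exactly the ratio of the two counts, and the years-to-exhaust figure for a short lowercase password stays small even at 600,000 rounds, which is why the iteration setting is no substitute for a long master password.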
The web interface is disappointing
Once upon a time, LastPass’s web interface was reasonably decent. Maybe not the slickest, but it felt modern enough.
Nowadays, it feels much more bare-bones compared to rival password managers. Small changes over time have degraded the web interface, too. My biggest beef is that it relies heavily on persistent cookies to maintain settings. Incognito browsing means that your layout will never remain saved; it always reverts the view to LastPass’s default.
Banner messages appear repeatedly, too. Perhaps this is petty of me, but when a permanent banner message appeared for the browser extension, that was when I finally reached my limit. LastPass has the logs of what devices I’ve used and my consistent, unrelenting use of the web interface for years and years. Being nagged persistently is not going to make me change that habit.
Exporting your vault is a nightmare
This section was filled with far saltier language until I remembered you all (and my editor) would be reading it. Roll up your sleeves, because we’re getting into the dirty details with this one.
You’d think that perhaps, if you were leaving a service, the business would be incentivized to make the process as easy as possible—thereby increasing the chances you might return someday. LastPass tries for this, but it doesn’t do it consistently. And lucky me, I got caught up in whatever development hole that allows for sloppy password exports.
Generally, when you switch password managers, you’ll export your vault data to a CSV or XML file. They’re basic file formats that can be easily read across different programs (in theory, anyway). LastPass only exports to CSV for this purpose, and the defining characteristic of the comma-separated values format is that (as you’d expect from the name) commas separate the data fields. A field that itself contains a comma, a double quote, or a line break is supposed to be wrapped in double quotes, with any inner quotes doubled; an exporter that skips that quoting produces a row with too many fields, and whatever program imports the file pushes the extra values into the wrong columns or onto a new entry.
Note: A CSV (or XML) export is plaintext, so anyone who can open the file can read every password in it. Save it to an encrypted folder or disk image while you transition between LastPass and the new password manager, avoid opening it in a spreadsheet app that may leave autosaved copies behind, and securely delete it once you’ve verified the import, since an ordinary delete only unlinks the file.
I want to be clear—I’m the kind of person that if something goes wonky, I like to understand why. And when my export came out a mess, with a bunch of entries containing orphaned data, I tried to make sense of what I was seeing.
At first, I thought the root cause was commas in the text fields. That perhaps they were causing entries to be split up and read as different entries (with data ending in the wrong fields, to boot). But that didn’t explain why some entries with no commas at all got split up. Or why other entries were just plain missing.
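To see what correct quoting looks like, and to catch a bad export before you import it, here is an added example in Python; it is not code from the article or from LastPass. The column layout (url, username, password, totp, extra, name, grouping, fav) and the sample rows are constructed for the example, and the malformed third row is built deliberately to reproduce the split-entry symptom.

```python
import csv
import io

# Added example, not LastPass code: parse a CSV password export the way an
# importer does, and flag rows whose field count is wrong before trusting it.

# Column order of a LastPass CSV export as assumed for this example.
EXPECTED_COLUMNS = ["url", "username", "password", "totp", "extra", "name", "grouping", "fav"]

# Constructed sample export (no real credentials). The second entry keeps a
# comma and a line break inside its notes field by wrapping the field in
# double quotes, as RFC 4180 requires. The third entry is deliberately
# malformed: its notes field contains an unquoted comma, so a parser sees
# nine fields instead of eight and the tail of the entry lands in the wrong
# columns, the "orphaned data" symptom described above.
SAMPLE_EXPORT = (
    "url,username,password,totp,extra,name,grouping,fav\n"
    "https://example.com,alice,hunter2,,,Example,Shopping,0\n"
    'https://bank.example,alice,S3cret!,,"Security questions: mother, maiden\n'
    'PIN hint: none",Bank,Finance,1\n'
    "https://forum.example,alice,pw3,,notes with, an unquoted comma,Forum,Social,0\n"
)


def parse_export(text):
    """Return (entries, bad_rows) for a CSV export.

    entries: list of dicts keyed by column name, one per well-formed row.
    bad_rows: list of (physical_line_number, raw_fields) for rows whose field
    count does not match the header; these are the ones to fix by hand.
    """
    reader = csv.reader(io.StringIO(text, newline=""))
    header = next(reader)
    if header != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected header: {header}")
    entries, bad_rows = [], []
    for row in reader:
        if len(row) != len(header):
            # reader.line_num counts physical lines, so a multi-line quoted
            # field does not throw the numbering off.
            bad_rows.append((reader.line_num, row))
            continue
        entries.append(dict(zip(header, row)))
    return entries, bad_rows


def missing_entries(expected_names, entries):
    """Names you know are in the vault that did not make it into the export."""
    exported = {e["name"] for e in entries}
    return set(expected_names) - exported


def write_export(entries):
    """Re-serialize entries with correct quoting, for a clean re-import."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(EXPECTED_COLUMNS)
    for e in entries:
        writer.writerow([e[col] for col in EXPECTED_COLUMNS])
    return out.getvalue()


if __name__ == "__main__":
    entries, bad_rows = parse_export(SAMPLE_EXPORT)
    print(f"{len(entries)} clean entries, {len(bad_rows)} malformed rows")
    for line_no, fields in bad_rows:
        print(f"  line {line_no}: {len(fields)} fields -> {fields}")
    print("missing:", missing_entries({"Example", "Bank", "Forum"}, entries))
```

Run against a real export, the field-count check catches the rows an importer would silently mangle, and the name comparison (fed with a list of entry names you noted from the vault beforehand) catches entries the export dropped entirely; neither check proves the passwords inside a well-formed row are right, so the manual cross-check is still the last word.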
I still had no clear answers by the time I finished manually cross-checking every single entry against the originals in LastPass, a necessary evil because the data was untrustworthy, but importing and cleaning up the mess was still faster than creating all the entries from scratch in the new password manager.
Trying different browsers and methods of export (i.e., initiated through the web interface vs the browser extension) didn’t clear up the confusion. Turns out the web interface does not export all entries (Firefox) or straight up returns a blank CSV file (Chrome), but both Firefox’s web interface export and the Chrome browser extension had the same issues with data integrity. Meanwhile, when I tried exporting on a test account, the data fields for each entry came out perfect (even if some were still missing in the web export).
As best as I can tell, either the age of the account influences how the data is stored and parsed on the servers, or the use of certain special characters in non-password text fields triggers some kind of bug in the export script. Either way, you can’t trust you’re actually getting all your passwords out intact. Hours into the tedious process of salvaging my import, I seriously considered abandoning the process in favor of password resets for every service, and letting the new password manager capture them. I mean, I was going to have to do that anyway as a final precaution given the LastPass security breaches, right?
Never again.
Author: Alaina Yee, Senior Editor
Alaina Yee is PCWorld’s resident bargain hunter—when she’s not covering software, PC building, and more, she’s scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.