Until a few years ago, it was unusual to learn about law enforcement agencies demanding information from technology firms that specialize in providing services such as secure digital storage and password vaults. The most prominent case in this regard involved an iPhone 5C used by a gunman in the December 2015 terrorist attack in San Bernardino; FBI agents and prosecutors ordered Apple to unlock the device, but the company argued that it could not be compelled to provide such assistance on the basis that it would create privacy issues for all iPhone users.
The FBI eventually withdrew the request because agents allegedly retained the services of hackers to break into the device. Since then, numerous law enforcement and prosecutorial demands seeking access to digital information have been presented to tech companies, but the first one involving a major password manager was reported in April 2019.
In late January, a search warrant filed by the United States Drug Enforcement Administration to cloud computing giant LogMeIn, owner of LastPass, demanded the company to turn over username and password credentials of a suspect who allegedly trafficked controlled substances online.
According to a report published by Forbes magazine, DEA agents found out about the existence of a LastPass account after seizing a mobile device from the suspect; they were also able to bypass encryption on a hard drive, where they also found evidence of a LastPass password manager app as well as a browser extension.
As can be expected, the agents were not able to access the LastPass vault because they did not know the master password, which was at the heart of their search warrant.
While the aforementioned search warrant is certainly alarming for individuals concerned about online privacy and security, they should be happy to know that neither LogMeIn nor LastPass furnished the requested passwords; the only information provided was limited to IP addresses, the date when the suspect became a customer, and the last time he used the LastPass service.
The LogMeIn legal team presented valid arguments as to why they could not comply with the terms of the search warrant, particularly with regard to passwords, but there are also technical issues worth mentioning, and they will be discussed later in this LastPass review.
As to whether you should still consider this to be the best password manager in 2020, you will need to evaluate some of the features and functionality of the LastPass service as such. For the time being, however, knowing that LogMeIn attorneys were not intimidated by the DEA search warrant certainly scores points in favor of LastPass.
Even with the IP address information provided by LogMeIn, DEA agents may discover that the suspect was using the best VPN service, thus rendering this information useless.
What Exactly is LastPass and Why Do You Need It?
According to a LastPass research published in 2017, corporate users these days can be expected to manage more than 190 online accounts.
A medium-sized business with 250 employees will experience password usage in excess of 47,000 instances. With such statistics, it is not surprising to learn that more than 80 percent of business data breaches are caused by password issues.
As we become a society that is increasingly reliant on digital services, the number of online accounts that require username/password credentials multiplies. You may remember how a few years ago many websites encouraged you to open new accounts with the login credentials you use for Facebook, Twitter, Gmail, and other major online services; thankfully, this practice has been largely abandoned these days, but only quite a few security incidents illustrated just how unsafe it was. For this reason, the OpenID authentication protocol, which aimed to promote single credential login access across multiple websites, had to redevelop its approach.
In 2017, the Pew Research Center for Internet and Technology conducted longitudinal surveys to determine how Americans perceive password safety and management. Turns out that more than 80 percent choose to memorize them while less than 50 percent opt for the more sensible option of writing them down.
Even if you only manage a handful of online accounts, these two methods are not only unsafe but can also become problematic. About a quarter of those surveyed stored their username and password credentials in hardware devices, particularly laptops and smartphones, thus making them even more vulnerable to potential security issues such as lost and stolen devices.
As of 2017, less than 15 percent of American users used sensible solutions such as the LastPass password manager, and this is a concern for information security researchers. You can browse the internet with the best VPN or even set up an installation for the best home security system, but these measures will stop keeping you safe if their respective passwords become compromised.
LastPass is a password manager developed to increase online safety on a personal and enterprise-level; it does so by providing users with an interface to generate, store and manage their passwords in a secure and efficient manner. Since passwords are the first line of defense in terms of preventing unauthorized use of your online accounts, this is a service that can prove to be useful to just about everyone using personal computing devices. No LastPass review would be complete without a list of advantages and disadvantages, so here they are:
- The free version fits the needs of many users.
- The premium version is very affordable, particularly for business users.
- One master password is all that you need to remember.
- Since coming on the market in 2008, this service has managed to build a strong reputation among users and the information security community.
- Once you start using the service as it is meant to be used, which means letting the automated login process work its magic, you will realize its main benefit, especially if you manage many online accounts.
- If you have chosen to use and reuse the same username and password combination across multiple accounts, LastPass will cure you of this dangerous practice.
- Generating complex passwords is difficult enough; memorizing them is even harder. LastPass automates both of these processes while observing security at all times.
- The friendly user interface makes it easy to understand how the service works.
- In terms of security, this service makes use of Password-Based Key Derivation Function 2, AES-256 bit encryption and salted hashes to keep your credentials safe. Several rounds of PBKDF2 and SHA-256 are applied by LastPass engineers at the server level.
- Two-factor authentication and the use of hardware tokens are supported.
- In the past, the Chrome OS extension has been reported to crash from time to time. Please note that this only applies to Chrome OS and not to the Google Chrome browser.
- You still need to set a master password. Should you resort to using a weak password in this regard, you may compromise the rest of your online accounts.
- The learning curve and getting used to the password manager may seem difficult for some users.
Getting started with the service is easy; the first step is understanding how it works. When you visit the LastPass.com website, you will have a choice to install it as a browser extension and an application, or for mobile devices, as a mobile app.
Most users start off with the browser extension since this is a simple way to become familiar with the service, but you can always install the iOS, Android or Windows Phone app later.
With regard to the Windows Phone operating system, please keep in mind that Microsoft has pretty much stopped providing support for the Windows phone OS, but LastPass will continue supporting the app itself.
The browser extension will work on:
- Google Chrome
- Apple Safari
- Microsoft Edge
- Mozilla Firefox
Users of less mainstream browsers such as Vivaldi for Windows and Pale Moon for Linux should still be able to install the extension since the service will automatically detect them as Chrome or Firefox derivatives.
Synchronizing LastPass across devices can be accomplished by means of visiting the LastPass.com website and accessing your account. The service is intuitive and welcoming to newcomers; you do not have to worry about messing things up because the workflow will prevent you from skipping steps or creating weak passwords, particularly your master password.
Main LastPass Features
The following list includes features found in the free and premium versions:
- Automatic generation of complex passwords.
- Automated completion of login forms.
- Biometric login integration with fingerprint scanners.
- Multiple security policies.
- Individual and group dashboard complete with reports.
- Digital wallet for electronic documents.
- Mobile app PIN unlocking.
- Emergency access.
- Seamless synchronization across devices.
Security and Encryption
As mentioned at the beginning of this review, there is a technical reason why LastPass attorneys could not fulfill the DEA search warrant looking for a suspect’s passwords, and it has to do with the security and encryption protocols followed by the company. Everything starts with your master password, which is always yours and is never sent over to the company servers.
When you create this password, a hash and decryption key are generated locally; the hash makes it over to the server, and it is verified locally by the decryption key that opens your digital vault, which is protected with 256-bit AES encryption, and this is why DEA agents could not get into the account since they could not get the suspect to cough up the master password.
When it comes to operating the LastPass service, the company considers all parties who are not account holders to be potential attackers, and that includes DEA agents with search warrants.
When your passwords are stored in the LastPass servers, they are salted with PBKDF2-SHA256 rounds; let’s say your Gmail account password is something easy like “ilovecomplexpasswords;” instead of this text string, what is stored would look something like this:
As you can imagine, the characters above will be of no use to DEA agents unless they have the password hash and decryption key generated by a master password. Decrypting such a hash without the right keys would take longer than what humanity has left on this planet even with a supercomputer making thousands of guesses per second. To sum things up, your LastPass data can only be used with your master password because of the strong security measures applied by the service.
Related Read: How to Choose a Strong Password
In terms of customer service reviews verified by Consumer Affairs, LastPass seems to be hit-and-miss, but it should be noted that many complaints are made by users who forgot their master password or who lost the mobile device they used to access their vault.
Most of the billing and technical support is conducted via phone and email. As can be imagined, enterprise users with premium accounts get a superior level of customer support.
As of May 2019, premium individual subscriptions started at $3 per month when paid for an entire year. A better deal is the family plan, which can accommodate up to six users for just $4 per month. There are two subscription levels for business users: Teams and Enterprise. The former costs $4 per user per month, and it is ideal for teams comprised of at least five users but no more than 50.
The Enterprise plan is for at least five users; it starts at $6 per month depending on the level of advanced features and support desired, including API access for companies that wish to develop their own password security solutions.
Short Installation Guide
Once the LastPass browser extension or mobile app is installed, the next step is crucial: creating your master password. This could be your last password created, so you want to make it strong and memorable. One recommendation is to think in mnemonic terms, like the following phrase:
A Small Balloon Flies Over All Alibis Three Times for Three Dollars
If you can remember the above, the password could be:
You will need to remember that the first letter of each word is capitalized and that the “Three Times” should be entered as a number, followed by the dollar amount complete with the currency symbol. Please do not use this exact example.
After setting up your master password, you will be taken to your vault, which will start looking for websites that you visit and prompt you to save them along with the username and password credentials. You can also do this manually if you prefer.
You will probably want to use the built-in password generator to create stronger credentials, and you may also want to enable auto-fill. The mobile app installation process is similar, but it will detect if your smartphone is equipped with a fingerprint scanner.
Q: Can I Trust This Company and Its Service?
A: In 2019, LastPass was selected as the best identity management product by Cyber Defense Magazine. Consumer Reports has given this service high marks, and PC Magazine has previously given it five stars. Even former National Security Agency officials have praised the service for its approach to keeping digital information safe in the cloud.
Q: Has LastPass Ever Been Hacked?
A: While there have been security issues discovered by developers as well as by information security researchers, the truth is that the LastPass service has never been hacked as such. In 2011, engineers detected internet traffic anomalies that suggested a server breach in progress, but they were able to isolate the seemingly compromised devices within their data centers.
A 2015 incident was contained thanks to the strength of PBKDF2 SHA-256 encryption. In 2016, engineers were notified by information security researchers about a potential flaw in the browser extension version of the LastPass Password Manager, and the matter was solved without incident. Similar situations were reported in 2017, but they were patched immediately and without incident because they were detected by information security researchers.
What users should know is that the company enjoys great reputation among the information security community; this gives them an edge in the sense that engineers are routinely notified about any potential issues before malicious third parties can exploit them.
Q: Is There a Free Version of LastPass?
A: Most of the LastPass review writeups you find online are based on the free version. The LastPass service business team has an interesting approach to growth and expansion: by offering a model whereby nearly all features can be enjoyed for free, the company is promoting awareness about the strong need for digital security in the 21st century. The advanced premium features are reasonably affordable and offer many benefits such as emergency access and sharing of services among trusted individuals such as relatives and business associates.
Q: Is LastPass Compatible With YubiKey?
A: As one of the most respected hardware tokens in the market, YubiKey works with many online services, and this includes the LastPass password manager. You will have to upgrade from the free version to a premium, family or enterprise account before you can start using the two-factor authentication functionality of YubiKey.
LastPass is not the only password manager in the market, but it has become the most popular in terms of marketing, ease of use and positive reputation.
here are open source alternatives that keep everything localized so that you do not have to worry about personal information being stored in the cloud, but such solutions generally require a higher level of technical know-how. You really cannot go wrong with LastPass as long as you set a strong master password and take the time to learn the service.