
LastPass Review 2025 — Is It Still Worth Using After the Breach?

Updated June 2026 · 14 min read · KeyVaultUSA Editorial Team

Overall rating: 3.0 out of 5

  • Security: 2/5
  • Features: 4/5
  • Usability: 4/5
  • Value: 3/5
  • Trust: 2/5

⚠️ Context Required
Strong features, but the 2022 breach and trust concerns make alternatives a better choice for most new users in 2025.
⚠️ Important: Read the Breach Section First

LastPass suffered a major security incident in 2022 in which encrypted customer vaults were stolen. This review covers both the features and the post-breach security context honestly. If you're a new user choosing a password manager in 2025, we recommend reading our LastPass alternatives guide alongside this review.

LastPass Overview

LastPass was founded in 2008 and was, for most of the 2010s, the world's most popular password manager. Acquired by LogMeIn in 2015 and later spun off as an independent company (LastPass US Holdings) in 2022, it popularized the freemium password manager model and introduced millions of users to the concept. In its prime, LastPass had an excellent feature set, a polished browser extension, and broad platform support.

That legacy is now overshadowed by the 2022 security incident — the most significant breach of a password manager in the industry's history. This review evaluates LastPass fairly, covering both its genuine strengths and its post-breach trustworthiness.

The 2022 Breach — What Actually Happened

Understanding the LastPass breach is essential context for any honest 2025 review. Here is what happened:

Timeline

  • August 2022: Attackers breach LastPass's development environment and steal source code and technical information.
  • November 2022: Using credentials from the first breach, attackers access a cloud storage system containing customer vault backups.
  • December 2022: LastPass discloses that encrypted customer vaults were exfiltrated — every LastPass customer's password vault, encrypted but stolen.
  • 2023: In a separate incident, a LastPass senior engineer's home computer is compromised via vulnerable third-party software, exposing additional credentials and a corporate laptop.

What Was Stolen

The attackers obtained encrypted vault blobs for all LastPass customers. Each blob contains:

  • Usernames and passwords (encrypted with AES-256)
  • Secure notes (encrypted)
  • Website URLs — stored unencrypted (a significant design flaw: attackers now know which sites each user has credentials for)
  • IP addresses and some billing information (unencrypted)

The Risk Assessment

Your risk depends on your master password strength and your account's PBKDF2 iteration count. LastPass historically set very low default iteration counts — some accounts had as few as 1 iteration (security researchers found accounts dating from 2012–2018 with 1 or 5,000 iterations). The current recommended minimum is 600,000. An account with 1–5,000 iterations is dramatically more vulnerable to brute force than one with 600,000+. Many users never changed this setting.

For users with strong, unique master passwords (15+ truly random characters) and high iteration counts: practical risk is very low. For users with weaker master passwords or low iteration counts: genuine risk of vault decryption by well-resourced attackers. Security researchers linked several cryptocurrency thefts to LastPass breach victims shortly after the disclosure.
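The relationship described above between master-password entropy and PBKDF2 iteration count, worked through as an added example (not code from LastPass or from the original review). It assumes PBKDF2-HMAC-SHA256 and a constructed attacker rate of 1e10 rounds per second; that rate and the two password profiles are illustrative assumptions, not measurements.

```python
import hashlib
import math
import time

# Iteration counts named in the review: legacy accounts and the current minimum.
ITERATION_COUNTS = (1, 5_000, 600_000)
# ASSUMPTION (constructed, not a benchmark): PBKDF2 rounds per second available
# to an offline attacker working on a stolen vault.
ASSUMED_ROUNDS_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password_bits(length, alphabet_size):
    """Entropy in bits of a password drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_years(entropy_bits, iterations, rate=ASSUMED_ROUNDS_PER_SECOND):
    """Expected search time: half the keyspace, `iterations` rounds per guess."""
    return 2 ** (entropy_bits - 1) * iterations / rate / SECONDS_PER_YEAR


def risk_table(profiles):
    """Expected years for each (label, entropy_bits) profile and iteration count."""
    return {label: {n: expected_years(bits, n) for n in ITERATION_COUNTS}
            for label, bits in profiles}


def measured_cost_ratio(low=5_000, high=600_000):
    """Time real PBKDF2-HMAC-SHA256 derivations; return per-guess cost high/low."""
    def per_call(iterations, repeats):
        start = time.perf_counter()
        for _ in range(repeats):
            # Constructed password and salt; only the timing matters here.
            hashlib.pbkdf2_hmac("sha256", b"constructed-sample", b"salt", iterations)
        return (time.perf_counter() - start) / repeats
    return per_call(high, 1) / per_call(low, high // low)


if __name__ == "__main__":
    profiles = [("8 random lowercase letters", random_password_bits(8, 26)),
                ("15 random printable ASCII", random_password_bits(15, 94))]
    for label, row in risk_table(profiles).items():
        for n, years in row.items():
            print(f"{label:27s} iterations={n:>7,}  ~{years:.3g} years")
    print(f"measured per-guess cost, 600,000 vs 5,000: x{measured_cost_ratio():.0f}")
```

Human-chosen master passwords carry far less entropy than these uniform-random profiles, which is why the iteration count matters most for them.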

LastPass's Response

LastPass's breach disclosure communication was criticized by security professionals for being incomplete, slow to acknowledge the full scope, and initially minimizing the severity. The company has since upgraded its security infrastructure, increased default PBKDF2 iterations, and made organizational changes. Whether this is sufficient to restore trust is ultimately a subjective judgment — and reasonable people disagree.

Current Security Architecture (2025)

Post-breach, LastPass has made documented improvements:

  • Default PBKDF2 iterations raised to 600,000 for new accounts and forced upgrades for existing accounts
  • Infrastructure separation and architectural hardening
  • New CISO and increased security team headcount
  • SOC 2 Type 2 certification completed (2023)

What hasn't changed: LastPass remains a closed-source application. Unlike Bitwarden, you cannot independently audit the code to verify the security architecture is implemented correctly. The trust must come from audits and the company's word — which, given the breach history, is a harder case to make than for competitors without breach records.

Features

LastPass has a genuinely strong feature set — this is where the product shines:

Password Management Fundamentals

  • Browser extension: Available for Chrome, Firefox, Safari, Edge, Opera. Autofill accuracy is high — one of the smoothest autofill experiences in the category.
  • Mobile apps: iOS and Android apps with biometric unlock (Face ID, fingerprint), autofill integration with system keyboard (iOS), and Accessibility Service (Android).
  • Vault organization: Folders, favorites, and tags for organizing large vault collections.
  • Password generator: Built-in generator with length, character type, and pronounceability settings.

Security Features

  • Security Dashboard: Equivalent to competitors' vault health reports — shows weak, reused, old, and compromised passwords with a score.
  • Dark web monitoring: Monitors email addresses against known breach databases (powered by Have I Been Pwned data). Included in Premium.
  • Emergency Access: Designate a trusted person who can request access to your vault after a delay period. Available in Premium.
  • Secure sharing: Share specific credentials with other LastPass users without revealing the password.

Premium-Only Features

  • Advanced 2FA (YubiKey, fingerprint, smart card)
  • 1 GB encrypted file storage
  • Priority customer support
  • LastPass Authenticator (TOTP) — generates 2FA codes in the app

Usability & Interface

This is where LastPass genuinely excels. The browser extension is polished, autofill detection is accurate, and the vault web interface is clean and navigable. New users can set up LastPass and be saving passwords within 5 minutes — the onboarding is among the best in the category. The mobile apps are well-designed, responsive, and the biometric unlock works reliably.

Form filling (address forms, checkout pages) is not as strong as dedicated form-filling managers like RoboForm, but it covers the basics. The interface has improved significantly over the past two years with a visual redesign.

Pricing

| Plan | Price | Devices | Key Features |
|---|---|---|---|
| Free | $0 | 1 type only | Unlimited passwords, autofill, but desktop OR mobile — not both |
| Premium | $3.00/month | Unlimited | All devices, dark web monitoring, emergency access, 1GB storage, TOTP |
| Families | $4.00/month | 6 users, unlimited | Premium for 6 family members, shared folders |
| Teams | $4.00/user/mo | Unlimited | Admin console, user management, team sharing |

Value comparison: At $3.00/month for Premium, LastPass is priced the same as 1Password ($2.99/month) and more than Bitwarden ($0.83/month Premium, or free). Given the breach history, the value proposition is weaker than competitors at the same or lower price.

Pros & Cons

✅ Pros

  • Excellent autofill accuracy across browsers
  • Polished, user-friendly interface
  • Strong feature set (dark web monitoring, emergency access, secure sharing)
  • Good mobile apps with biometric unlock
  • Wide browser support (all major browsers)
  • Families plan offers good value for 6 users
  • LastPass Authenticator integrates 2FA management

❌ Cons

  • 2022 breach — encrypted vaults were stolen
  • Poor breach disclosure communication — trust damage
  • Closed source — security cannot be independently verified
  • Free tier restricted to one device type since 2021
  • Priced the same as better alternatives (1Password)
  • Stored website URLs unencrypted — a design flaw exposed in the breach
  • History of security incidents (multiple, not just 2022)

LastPass vs Alternatives

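| Manager | Price/mo | Open Source | Breach History | Free Tier | Overall |
|---|---|---|---|---|---|
| LastPass | $3.00 | | Yes — 2022 | 1 device type | 3.0/5 |
| Bitwarden | Free/$0.83 | ✓ Full | None | Unlimited | 4.8/5 |
| 1Password | $2.99 | | None | Trial only | 4.7/5 |
| Keeper | $2.92 | | None | Limited | 4.5/5 |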

Verdict — Should You Use LastPass in 2025?

Don't Start with LastPass If You're New

If you're choosing a password manager for the first time in 2025, there is no compelling reason to choose LastPass over Bitwarden or 1Password. Bitwarden is free, open source, unlimited, and has never had a breach. 1Password has a 17-year breach-free record and stronger dual-key encryption. At the same or lower price, both are objectively better choices for new users.

Should Existing LastPass Users Stay?

This is more nuanced. If you've been using LastPass with a strong master password (truly random, 15+ characters, never reused) and have updated your PBKDF2 iterations to 600,000, your current vault risk is manageable. The question becomes: do you trust the company going forward? LastPass has made documented security improvements. If you're satisfied with their post-breach response and don't want to spend time migrating, staying is a defensible choice.

However, given that migration takes 15 minutes and Bitwarden is objectively better and free, most security professionals would recommend switching. We agree: see our LastPass alternatives guide and our migration walkthrough.

Our Rating: 3.0/5

The features deserve 4/5. The trust score earns 2/5. The average reflects a product that is functionally good but has a security incident history that is difficult to overlook when equivalent alternatives without that history are available at the same price or less.