LastPass Review
LastPass was the default password manager recommendation for most of the 2010s. Two significant security incidents in 2022 and 2023 changed that calculus. This review covers where things stand now: what was actually stolen, what LastPass changed, and whether those changes are enough to justify choosing it over alternatives like Bitwarden, 1Password, or NordPass.
Fast buyer snapshot
Best for
Existing users who already changed their master password and are comfortable staying. Teams already in the LastPass Business ecosystem.
Skip if
You are evaluating from scratch in 2026. The breach history means you start with a trust deficit that competitors don't carry.
LastPass vs 1Password
See the detailed head-to-head if you're deciding between these two.
The security incidents: what actually happened
In August 2022, attackers accessed LastPass developer systems and stole source code and internal technical information. In November and December 2022, they used that access to breach a third-party cloud storage provider and extract encrypted customer vault data — along with unencrypted metadata including website URLs associated with stored credentials.
The vault contents were encrypted with AES-256 under a key derived from each user's master password. However, the extracted metadata (which sites you have passwords for) was not encrypted and is now in attacker hands. Accounts with weak or reused master passwords are at higher risk of offline brute-force attacks against the stolen vaults. A follow-on breach in 2023 exposed employee credentials that led to additional customer data exposure.
LastPass's response included infrastructure changes, mandatory MFA enforcement, and increased PBKDF2 iteration counts. But the encrypted vault data already extracted cannot be un-extracted.
Current security model
- Encryption: AES-256 with zero-knowledge architecture — LastPass cannot see your passwords.
- Key derivation: PBKDF2-SHA256 at 600,000 iterations (raised after incidents; most existing accounts were at much lower counts before).
- MFA support: TOTP apps, hardware keys (YubiKey/FIDO2), and biometric options.
- Dark web monitoring: Included in paid plans.
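To make the iteration-count point above concrete, here is an added illustration (not LastPass code) of a PBKDF2-SHA256 vault-key derivation and the cost factor an offline guessing campaign faces when the count rises. The e-mail-as-salt choice, the sample credentials and the 5,000 legacy count are assumptions for the sketch; only the 600,000 figure comes from the review.

```python
"""PBKDF2 cost model for a LastPass-style vault key (added illustration).

A stolen encrypted vault can only be opened by deriving the key from the
master password. Every guess costs the attacker the same PBKDF2 work the
legitimate client performs at unlock, so raising the iteration count
multiplies the attacker's bill by the same factor. It does nothing for
vaults that were copied while still protected by a low legacy count.
"""
import hashlib
import time

# Constructed example values; not taken from any real account.
EXAMPLE_EMAIL = "user@example.com"
EXAMPLE_MASTER_PASSWORD = "correct horse battery staple"

NEW_ITERATIONS = 600_000    # current default cited in the review
LEGACY_ITERATIONS = 5_000   # assumption: a low pre-2022 count for comparison


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit AES key with PBKDF2-HMAC-SHA256.

    Using the lower-cased account e-mail as salt is an assumption of this
    sketch; it makes the key unique per account without a stored random salt.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one derivation at this count, averaged over samples."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key(EXAMPLE_MASTER_PASSWORD, EXAMPLE_EMAIL, iterations)
    return (time.perf_counter() - start) / samples


def cost_multiplier(old_iterations: int, new_iterations: int) -> float:
    """Factor by which per-guess cost grows when the count is raised."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    for iters in (LEGACY_ITERATIONS, NEW_ITERATIONS):
        print(f"{iters:>8} iterations: {seconds_per_guess(iters) * 1000:.1f} ms per guess")
    factor = cost_multiplier(LEGACY_ITERATIONS, NEW_ITERATIONS)
    print(f"Raising {LEGACY_ITERATIONS} -> {NEW_ITERATIONS} multiplies attacker cost by {factor:.0f}x")
```

The measured times are per single-threaded Python derivation; a determined attacker with GPUs runs far faster, which is why the multiplier, not the absolute millisecond figure, is the meaningful number.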
Free tier (major restriction since 2021)
LastPass restricted its free tier in March 2021 so it works on only one device type — either mobile devices or computers, not both. This was a significant usability reduction that most competitors (especially Bitwarden) have not matched. If you want free password management across phone and laptop, Bitwarden is the better default.
Who it's best for
- Existing satisfied users: If you already changed your master password after the 2022 events and have been using LastPass without issues, the switching cost may outweigh the benefits of moving.
- Teams in LastPass Business: The enterprise tier has mature SSO integrations (SAML, SCIM provisioning) that are genuinely useful for IT teams with existing investments in the platform.
Trade-offs to consider
- The breach history means your metadata (which sites you stored passwords for) is already in attacker hands, regardless of vault password strength.
- Free tier single-device restriction makes it less useful than Bitwarden's free tier for anyone with more than one device type.
- Bitwarden and 1Password match or exceed LastPass's feature set without the trust deficit.
- NordPass offers a cleaner modern alternative at similar price points.