LastPass

By Kim Key, Senior Writer, Security

4.0 Excellent

The Bottom Line

LastPass is an easy-to-use password manager that offers well-designed apps for every device you own and even keeps tabs on dark web activity for free.

Pros & Cons

Pros

    • Easy-to-use apps and browser extensions
    • 30-day trials for higher tiers
    • Free, continuous dark web monitoring
    • Supports smartwatches

Cons

    • Limited free tier
    • Complicated passwordless login and MFA setup

LastPass Specs

Actionable Password Strength Report
Digital Legacy
Fill Web Forms
Import From Browsers
Multiple Form-Filling Identities
Product Category: Password Managers
Product Price Type: Direct
Secure Password Sharing
Two-Factor Authentication

LastPass has been in the password management business for a long time, and the company is best known for its easy-to-use apps for everything from your laptop to your smartwatch. Its reputation is well-deserved, as LastPass offers intuitive apps with smooth auto-filling, plus free data breach monitoring at all service levels. Following recent security upgrades—including the addition of dedicated monitoring teams and the full encryption of URL data stored in vaults—we've raised its rating by half a point since our previous review. LastPass is easy to recommend, though Proton Pass remains our Editors' Choice winner for free password management, while NordPass is another top pick thanks to its affordable yet full-featured premium personal and business plans.

How Much Does LastPass Cost?

LastPass offers three different plans for consumers: Free, Premium, and Families. The Free edition is limited to one account on either a computer (a browser running on a desktop or laptop) or mobile devices (includes phones, smartwatches, and tablets). With the free tier, you can share credentials one-on-one and monitor your accounts for dark web activity, but storage is limited to 50MB, and it doesn't include emergency access features.

While LastPass's free plan has limits, you can try the Premium plan for free for up to 30 days. After that, a LastPass Premium subscription costs $36 per year. In addition to the free version's features, you gain access to your vault across all of your devices, one-to-many password sharing, passkey storage, advanced multi-factor options (biometric and YubiKey support), access to the LastPass Authenticator smartwatch app for watchOS or Wear OS, emergency access, priority tech support, and 1GB of encrypted file storage.

The top tier for non-business accounts is LastPass Family ($48 annually). LastPass Family subscribers get six LastPass Premium licenses, unlimited shared folders, authentication via hardware security keys, and access to the LastPass family dashboard.

Unlike other password managers, the personal versions of LastPass do not include an option to generate authentication codes within your LastPass vault. That feature is only for LastPass's business plans, which I cover later in the review.

Getting Started With LastPass

LastPass is available as Android and iOS apps, plus extensions for Chrome, Edge, Firefox, Opera, and Safari. It also offers universal installer apps for Linux, macOS, and Windows that automatically install extensions across all your devices' browsers. As mentioned above, you can access LastPass via the watchOS and Wear OS apps.

To sign up for LastPass, visit the website, enter an email address, and create a strong master password. Only you know your master password, so if you forget it, LastPass cannot help you access your vault.

Once you're in your vault, it's time to tick off items on a to-do list, which is LastPass's version of a tutorial for new customers. If you've never used a password manager before, I recommend using the list to get familiar with the app's functions and practice generating and auto-filling passwords on websites. If you've used a password manager before, you'll want to upload the existing login list that you exported from your old password manager or browser extension to your LastPass vault.

To import your existing passwords, open the web vault in a browser window, and click on Advanced Options at the bottom left of the screen, then click Import. LastPass can import from several competing products, including 1Password, Bitwarden, Dashlane, KeePass, and RoboForm. If your old password manager is not on the list, you can upload your credentials as a CSV file. LastPass also imports passwords from Chrome, Edge, Firefox, Internet Explorer, Opera, and Safari. If you've been saving your passwords in physical notebooks or in a spreadsheet on your computer, LastPass offers instructions for transferring these credentials, too.

I like that LastPass's on-screen instructions guide customers through the setup process in a way that is instructive without being too simplistic. For example, after you've imported a list of passwords, an on-screen prompt offers a good idea: Visit your security dashboard to see if you uploaded any breached, reused, or weak passwords. I'll dig into the password audit system later in the review, but first, we need to look at how LastPass treats customer data.

Data Privacy

Before I review and test a password manager, I ask company representatives about its privacy and security practices. For insight into LastPass's privacy policies, read the company's answers (edited for length) to my questions below.

Has your company ever had a security breach?

Yes.

If so, when? Please provide dates.

2015 (GoTo was breached), 2022.

What was exposed in the breach?

2015 - Before being acquired by LogMeIn, Inc. (now known as GoTo), GoTo experienced an incident in 2015 where a hard drive was stolen from one of their data centers. This drive did not include users’ vaults but did include unencrypted data related to their accounts. LastPass was a product under the company GoTo in 2015; therefore, LastPass, the company, didn’t experience a security breach in 2015.

2022 - LastPass disclosed that a threat actor had gained access to a cloud storage environment used for backups and exfiltrated both encrypted and unencrypted customer data.

What unencrypted information does the password manager store in customer vaults?

Encryption and decryption are ONLY performed on the end-user’s device. LastPass does not have access to or store the master password which derives the encryption key used to encrypt/decrypt customer data. This is aligned to our Zero-knowledge principles.

LastPass customer vault data is encrypted using AES-256 on a per-user basis (meaning every user’s encryption keys are unique). Encrypted fields within the vault include usernames, passwords, website names, notes, payment cards, addresses, bank accounts, item and folder names, secure notes, etc.

As of June 2024, all newly created and any customer modified URLs stored within the primary URL field have been encrypted in all customer vaults. As of September 2025, LastPass completed the initiative to encrypt URL and URL related fields, marking another important step forward in strengthening vault security. In this phase, LastPass expanded encryption to include URL-adjacent fields used by autofill—such as URL rules, equivalent domains, and never-URL lists, removing another meaningful set of metadata from plaintext. With this completed, LastPass has delivered on our commitment to encrypt URL-related data and will continue advancing security through transparency, ongoing investment, and steady architectural improvements.

What is the company's policy regarding selling or sharing customer data with third parties?

At LastPass, we always strive to limit the types and categories of data that is collected from, and processed on behalf of, our users to include only data which is necessary to achieve the purpose(s) for which it was collected - in other words, we have measures and policies in place designed to ensure that we only collect and process data that we believe is necessary to provide our users with a world-class service.

LastPass does not sell end user data to third parties – including any vault data. Under some US state data protection laws, our use of third-party cookies for advertising purposes may constitute a “sale”. We specifically inform visitors of the use of those technologies and the specific cookies that may be deployed within our cookie banner, and, depending on the visitor’s location, cookies are only deployed after a visitor opts in to their use. Furthermore, we afford individuals the ability to manage their privacy rights by opting out of the sale or sharing of their personal data through the cookie banner, the Cookie Preferences link present at the bottom of our webpage, or submitting a request through our Individual Rights Management Portal.

How does your company respond to requests for customer information from governments and law enforcement?

LastPass will not disclose customer information to governments or law enforcement unless presented with a valid warrant, subpoena, court order, or equivalent legal process. Each request is considered on a case-by-case basis, and LastPass is committed to responsibly balancing our legal and regulatory obligations with the commitments to promote public safety and user privacy, which may include attempting to narrow requests that it deems excessively broad, request further clarification if the nature of the investigation is ambiguous, or contest the request for other reasons.

Further, due to our zero-knowledge security model, we do not possess, and cannot obtain, the master password needed to be able to decrypt any encrypted customer vault data. Therefore, we cannot provide such information in response to a government request.

The LastPass spokesperson told me that the company invested in significant security enhancements, including new management, modernized cloud-based systems and tools, a dedicated Trust and Security team, and a new team that handles threat intelligence, mitigation, and escalation, known as TIME. The spokesperson said that the final group's role is to analyze and mitigate threats targeting LastPass customers.

I appreciate the thorough answers, and I'm happy to see that LastPass has taken significant steps to improve its product security. I'm also encouraged by the investment in modernization and security teams after the data breaches. Overall, LastPass’s answers indicate steps in the right direction, security-wise, and match the company's privacy policy. Always review the privacy policies of all apps to learn how companies collect, sell, or store your data.

Authentication and Security

Premium and Families account holders may be able to forgo entering a master password every time they log in by setting up a passwordless entry method, such as a code from the LastPass authenticator app, biometrics from Windows Hello, or a FIDO2-certified hardware security key. Head over to your account settings menu to enable passwordless logins. LastPass will ask for your phone number to verify your identity via SMS. I chose not to provide a phone number for this evaluation and opted to use a Yubico Security Key C NFC as my primary login method. I was able to attach my security key to the account, but I needed to add another authentication factor to complete the setup. I attempted to use Apple Passwords and Google Authenticator for this step, but LastPass did not acknowledge these commonly used apps. Instead, I was prompted to download another app, the LastPass Authenticator, to complete this task. It shouldn't be necessary to download an additional app from the company and keep it on my phone to keep logging into my account without a password, so I can't recommend this login method.

You should still use multi-factor authentication to secure your vault, though. That way, anyone who guesses or steals your master password won't be able to get to your credentials without you or your device present. Each time you log in, you'll need to supply a time-based one-time password (TOTP) generated by the app (essentially a six-digit code that typically changes every 30 seconds) in addition to your master password. You can designate your phone or desktop computer as a Trusted Device in the Account Settings menu, which keeps you from needing to authenticate your identity on those devices for 30 days.

Unfortunately, LastPass's MFA setup isn't super user-friendly, either. First, head over to Account Settings > Multi-Factor Options in the Web Vault. The available authentication methods depend on your subscription tier. Free subscribers can use Duo Security, Google Authenticator, Microsoft Authenticator, older YubiKeys that support Yubico OTP, or the aforementioned LastPass Authenticator app. Families plan subscribers can use a newer hardware security key as an MFA method.

Choose your authentication method, tap Edit, then choose "yes" to enable it. Next, connect your app to your LastPass account by scanning a QR code. Choose "bar code" within the Edit menu to access the QR code. Choose "private key" to manually enter a token in your authenticator app. Other password managers offer streamlined, straightforward MFA enrollment systems, so this is an area where LastPass could improve.

Security Dashboard

The LastPass Security Dashboard calculates a score based on the strength of your passwords and whether you have multi-factor authentication enabled. Click on the View button to see a list of all the passwords in your vault. LastPass rates each password's strength and identifies potential risks. The password audit tool identified reused and missing passwords in my vault and recommended changing those credentials. However, LastPass did not flag short (under 10 characters) or easily guessable passwords, which isn't great.

Data Breach Monitoring

While Keeper offers data breach monitoring as a paid add-on and NordPass limits it to paid subscribers, LastPass offers it at all service levels. Free customers can monitor up to 10 email addresses, while paid subscribers can monitor 200 email addresses. You can turn data breach monitoring on or off at any time from the Security Center window.

Hands On With LastPass

I tested LastPass using the web vault, iOS app, and Chrome browser extension. The LastPass web vault was easy to navigate, and you can change the default view to display website icons or a list of your credentials.

Credential Capture and Replay

Replaying passwords stored in the LastPass vault worked as expected. I also didn't have any trouble creating new credentials and saving them in my LastPass vault. I was able to save passkeys in my LastPass vault with just a click, too. Remember that passkeys are device-specific, so if you save a passkey for an account using the browser extension or web vault, you'll need to create a different passkey for that website when you try to sign in using your phone.

If you have problems while autofilling your logins or saving new ones, go to Autofill Settings in the Advanced Options section of the web vault to see whether the domain you're on is on your "Never" save list. If you're unable to autofill your logins using the mobile app, scroll down to the Mobile Apps section of this review to learn how to turn on autofilling for your device.

Password Generator

All LastPass password generators create 16-character-long credentials by default. I recommend changing the settings to create long, strong passwords of at least 20 characters.

Password Sharing

Free LastPass customers can set up one-to-one sharing, but Premium and Family subscribers can share one item with several others. Those who pay for a Family account can share an unlimited number of folders. To share a password, click the sharing icon and enter the recipient's email address. Recipients who already use LastPass will receive a notification that a new share has arrived; others will get an email explaining how to create an account and accept the share. The recipient can use the shared item to log in. The person sharing the password can manage the recipient's access to the credential via the Sharing Center in the web vault. You can manage whether the recipient can view the password while they have access to it, and also relinquish access to credentials others have shared with you, or cut off others with whom you've shared passwords.

Form Filling and Storage

You can store multiple addresses, bank account details, and payment card numbers in your vault, along with personal and contact information. I was able to use LastPass to fill in web form data on a few websites, and was impressed by the warning that appears when you opt to fill in forms using data from your LastPass vault. LastPass reminds you that you are sharing sensitive data with a third party, which may be enough to make you stop, reflect, and consider whether you are being phished or otherwise scammed.

Secure notes are a way to store data in your LastPass account that doesn’t fit into any other categories, such as text notes and file attachments. Premium LastPass subscribers get 1 GB of online storage; free customers are limited to 50 MB. Other password managers have beefed up file storage options in an effort to become "everything managers". For example, Proton Pass Plus subscribers can store up to 10 GB in vaults, and that storage increases to 500 GB with a Proton Unlimited subscription.

Emergency Access

The Emergency Access feature lets you designate one or more contacts who can access your passwords in the event of your untimely demise. This feature is only for paid accounts.

Emergency Access in LastPass works similarly to the equivalent features in Dashlane, Keeper, and Proton Pass. You enter your recipient's email address and define a waiting period. Recipients must install LastPass and accept your connection request. Now, if something happens to you, the recipient simply requests access to your account.

Here's where the waiting period comes in. Suppose your trusted recipient decides to jump the gun and get your passwords before you've kicked the bucket. The initial request for access triggers a notification, and you can deny it at any time during the waiting period. In a real emergency, your recipient automatically gets access after that time elapses.

Clicking Emergency Access lets you view two pages, People I Trust (your password heirs) and People Who Trust Me (those who've made you their emergency access contact). You can delete anyone from the list or change the waiting period on the People I Trust page. You can bow out of the emergency access role on the People Who Trust Me page.

Mobile Apps

The Android and iOS editions include all of LastPass’s web features, including a password generator, emergency access, a security dashboard, and a sharing center. The mobile app includes another "to-do list" tutorial, but you can dismiss or mute it with a single tap. You may need to designate LastPass as your primary password manager within your device's settings menu to get auto-filling to work. To do this on Android, go to Settings > Privacy. If you have an Apple device, go to Settings > General > Autofill and Passwords. These menu paths will differ depending on whether you're using older or newer versions of the operating system. Overall, I didn't have any problems capturing new passwords or replaying old ones using the LastPass app for iOS.

The Security section of the app provides access to a unique password hygiene tool: a Password Challenge, which scans your vault for reused or weak passwords. As mentioned, I keep a few insecure credentials in my test vault, but the challenge tool did not flag the passwords.

Business Plans

LastPass for Business has three service tiers, each priced per employee: Teams costs $51 annually, Business costs $84 annually, and Business Max costs $108 annually. A Teams account is best for small teams or lean startups, and includes employee management via the admin console, shared folders, TOTP passcode generation, and limited security policies.

Small businesses with several employees or medium-sized businesses may want to upgrade to a LastPass Business account, which includes free Families accounts for employees, Group management tools, SSO integration for up to three apps, an SSO portal for employees, and additional customizable security policies.

A Business Max account includes tools for blocking and tracking employees' access to apps and software using work accounts, advanced MFA options, unlimited SSO integrations, organization-wide SaaS protection and visibility, and passwordless authentication across all endpoints.

LastPass makes it easy for administrators to see who is following password policies on the job and who is not. For example, the admin dashboard shows the company’s enrollment rate with the password manager, employee activity, and average password security score.

Employees receive a vault to store their work-related credentials. An administrator can see all employees invited to use the password manager, when each employee last used the software, whether each employee enabled multi-factor authentication (MFA) for their account, password security scores, and other options.

Admins can integrate SSO, MFA, and passwordless apps from the Applications section of the Admin console. The app also supports federation with ADFS, Azure AD, Google Workspace, and Okta, so employees can access LastPass using their existing corporate credentials in their current workspaces. Eliminating the need to remember another password could make password manager adoption more attractive to employees.

As mentioned above, LastPass's business plans include a free Families account for every employee to encourage vigilant password practices at home. The LastPass Families plan data is separate from the Business data. LastPass has a zero-knowledge security model, so only the employees know their passwords. If an employee leaves the company, their Families account unlinks from the Business account. The former employee can buy a Families plan or let the account become a Free account.

Customer Support

Free account holders can troubleshoot their tech issues via the LastPass self-service website. From there, you can fill out a form to be contacted by a support agent. LastPass also has a chatbot on its support website. Business, Family, and Premium personal account customers can request phone support from a LastPass support agent. Business and Business Max accounts can get an account customer success manager.

Is Deleting Your LastPass Account Easy?

Deleting the account I created to test LastPass apps was uncomplicated. In a web browser, I navigated to the Account page and chose the Delete option. After clicking through several pop-ups to confirm I really wanted to delete the account and its associated vaults, I was able to do so.

Final Thoughts

LastPass is an easy-to-use password manager that offers well-designed apps for every device you own and even keeps tabs on dark web activity for free.
