Is LastPass safe? Here's what you need to know

Password managers like LastPass offer to maximize your online security while also making logging into your accounts more convenient. The idea is simple — secure your vault with a single master password and generate complex random passwords for all of your other accounts. As one of the most popular password managers out there, however, is LastPass safe from attacks and should you use it?

In this article, let’s explore how password managers like LastPass work, whether they’re secure, and what it might take for an attacker to get their hands on your online credentials.

Is LastPass safe?

All password managers, including LastPass, generate random and complex passwords and store your credentials in a vault. The idea is to cut down on password reuse. If you use the same username and password across all of your online accounts, an attacker could easily gain access through a single data breach. And with so many security exploits coming to light these days, it’s important to silo your credentials with as little overlap as possible.

Besides password generation, LastPass also offers a host of additional convenience features like cloud backup, smartphone apps, password sharing, and auto-fill. But all of that means little if the vault itself gets compromised, so how secure is the service?

Like any credible password manager, LastPass uses zero-knowledge encryption to keep your passwords safe. The key difference between regular and zero-knowledge encryption is that with the latter, only you have access to the decryption key. LastPass doesn’t ever upload your master password to the cloud either — only a backup of your encrypted vault.

In other words, even if LastPass’ servers were to get hacked, the hacker won’t be able to access your vault’s contents without your master password. This is in contrast to most other online services, including cloud storage services, where a remote security breach could result in hackers gaining access to your files.

That said, LastPass has recently found itself embroiled in controversy over multiple confirmed hacks and breaches. Very few password managers have reported as many successful attacks to date. Luckily, the aforementioned zero-knowledge security model has prevented attackers from accessing passwords.

Related: What is two-factor authentication and why should you use it?

How does LastPass store your passwords?

LastPass saves your usernames and passwords in an encrypted database, which is also commonly referred to as a vault. According to the company’s security disclosure, vaults are secured using 256-bit AES encryption. The key used to decrypt a vault is based on the account’s master password.

See also: What is encryption?

Even with an extremely powerful computer, a hacker would need several years, bordering on centuries, to crack a single AES-256 key. While that could change in the future, AES encryption is used to secure everything from military secrets to bank accounts.

Needless to say, it’s extremely unlikely that an attacker will brute force their way into your LastPass vault.

Does LastPass have access to your master password?

No, LastPass does not have access to your master password. And since the company doesn’t store your master password, no employee or malicious actor can decrypt the contents of your vault either.

When you sign up for an account, the app generates an encrypted vault locally on your device. The vault is then uploaded to LastPass’ servers in this encrypted state, where it’s stored as a backup. Each time you log into your account on a new device, the app fetches this backup and asks you to input your master password to unlock it.

It’s extremely important that you use a secure master password. Moreover, you should never use your LastPass master password anywhere else. Doing so dramatically increases the chances of an attacker gaining access to your password from elsewhere. From there, they can simply use it to unlock your LastPass vault.

Can LastPass be hacked?

LastPass is a frequent target of hackers and malicious attackers. Moreover, the company has a poor track record of warding off such attacks. While user passwords haven’t been compromised to date, the frequency of successful breaches is not a good sign for a security-focused company.

The first time LastPass suffered a breach was in 2011 when attackers transferred a small amount of encrypted data from the company’s servers. At the time, the company’s CEO said that users with strong master passwords protecting their vault didn’t have anything to worry about.

The company has been the subject of controversy nearly every other year since then. Between vulnerabilities found in browser extensions and other infrastructure hacks, LastPass has reported a total of eight security incidents. The latest one, reported in August 2022, notified users of a third-party gaining unauthorized access to a developer account and other portions of LastPass’ internal systems. A few months later, the company revealed that the attackers had managed to copy customer billing data as well as encrypted vault data.

The company’s latest stance is that the attacker was able to copy users’ full names, billing addresses, phone numbers, previous IP addresses, and partial credit card numbers. The leaked data also contained a list of unencrypted site names, but not the corresponding usernames or passwords. While many people will consider this leak harmless, the data could potentially be used to send phishing emails to victims and trick them into revealing their master password.

In conclusion, LastPass has never been compromised in the traditional sense — user passwords remain encrypted and safe on the platform. However, if you care about all-round security, you should definitely look for an alternative. And regardless of which password manager you choose, always enable two-factor authentication for an additional layer of security.

See also: 5 best free LastPass alternatives and how to transfer