Skip to main content

Using LastPass? You need to switch urgently, says security firm

It’s a good idea to use one of the best password managers to keep your logins safe, but now a security company is warning that one of the most popular password managers in the world is not safe to use.

The extraordinary claim comes from Intego, a firm that specializes in Mac security. Intego made its assertion based on a series of security breaches LastPass has suffered in recent months, the way LastPass has responded to those incidents, and the underlying technology LastPass uses to protect customer accounts.

A dark mystery hand typing on a laptop computer at night.
Andrew Brookes/Getty Images

In its report, Intego outlined the LastPass saga, from its initial disclosure of a breach in August 2022 up to an investigation by rival password manager 1Password in December. That timeline paints a picture of a password manager with questionable practices and technology, Intego states.

In August 2022, LastPass notified users that its development environment had been accessed by an unauthorized third party but that no customer data was taken. Then, LastPass issued a new statement in November stating that hackers had taken “certain elements of … customers’ information.”

Finally, in December, LastPass admitted the data accessed by the hackers was used to trick a company employee into handing over keys to some customer credentials, which were then used to access and decrypt customer data.

Questionable practices

Man using a Macbook Pro at a desk.
Ash Edmonds/Unsplash

However, Intego maintains that third-party analyses of the breach suggest a more troubling scenario. According to security researcher Wladimir Palant, for example, LastPass’s statements were “full of omissions, half-truths, and outright lies.” One of Palant’s allegations is that LastPass’ implementation of a password-strengthening algorithm is not considered strong enough based on industry standards, making users’ vaults far too easy to hack into.

Rival password manager 1Password has added its opinion into the mix, claiming that it would cost a hacker $100 or less to crack the master passwords protecting many LastPass vaults, such is the weakness of LastPass’ hashing methods.

All of that has led Intego to state that, “given what we now know about LastPass — both how the company operates and its technology — we do not recommend using LastPass as a password manager.”

How to keep your passwords safe

password manager lifestyle image

It’s a remarkable statement to make given LastPass’ popularity. LastPass itself claims it has over 33 million users — if the claims about its lax security are correct, that’s a huge number of people whose accounts, passwords and credit card data are all now potentially vulnerable.

Right now, Intego advises LastPass users to immediately begin migrating their accounts to another password manager. Once that’s complete, the company recommends users update all of the passwords that had been stored in LastPass with fresh replacements.

It goes to show that not even the most popular services are immune to hacking attacks and security breaches. Whether you use a password manager or not, you can protect yourself by using strong, unique passwords that are not used on multiple sites. That way, one breach won’t lead to all your other accounts being compromised.

Editors' Recommendations

Alex Blake
In ancient times, people like Alex would have been shunned for their nerdy ways and strange opinions on cheese. Today, he…
Use this trick to make your online accounts super secure
A group of people sitting at a desk looking at 1Password displayed on a screen.

We do just about everything online today, and in the digital age, having good passwords for your accounts isn’t sufficient anymore — and if you’re still using the same login credentials for multiple accounts, then it’s definitely time to upgrade your security setup. An easy way to do that is with a password manager that makes it simple to create and organize secure access codes for all of your accounts, but even that might not be enough to guard your sensitive personal and financial information from prying eyes. Instead, we recommend 1Password, a unique account manager that does more than just organize your logins. It also takes online security to a whole new level by letting you keep all of your accounts completely separate.

Your typical password manager can generate and organize unique credentials for your accounts (sort of like a digital key ring), but 1Password takes things a step further. With 1Password, you get not only a unique, strong passcode for every account, but the app also generates a unique email address as well. When signing up for a new account somewhere or updating some you already have, you simply create a new 1Password-generated email string and password, set up two-factor authentication, and use this new “sock” email and passcode to register. Your real information is kept private, and access codes are securely backed up in your 1Password account, for which you have a master password — the only one you need to remember.

Read more
Best LastPass alternatives for 2021
A digital security lock.

Whether you're security-conscious or have a terrible memory, using a free password manager is a great way to free up brain space and secure your most important information. Unfortunately, LastPass -- one of the best password managers -- has taken steps to sharply limit the features of free accounts, including only being able to use the free version on your PC or mobile devices (no longer both), and users will have three chances to determine which version to keep going forward. Understandably, many free account users are now searching for the best LastPass alternatives. Here are our favorites.
Best LastPass alternatives

Best premium alternative: Dashlane
Best iOS alternative: Apple iCloud Keychain
Best freemium alternative: Bitwarden
Best single-device alternative: NordPass
Best Android alternative: Google Password Manager

Read more
LastPass is scaling back its free tier. Find out if you need to pay

LastPass currently offers a free tier that lets a single user access its password manager service on all their mobile devices and computers. But that’s about to change.

Starting March 16, the company will limit its free tier to only one device type, either mobile or computer. So if you select to keep the free tier for mobile, you’ll be asked to pay a fee to continue using the service on computers, and vice versa.

Read more