• LastPass confirmed a supply chain breach via Klue, where stolen OAuth tokens let attackers access its Salesforce environment
• Customer names, contact details, and CRM data were exposed, but master passwords were not; phishing risk remains high
• Threat actor Icarus claimed responsibility; other firms including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity also impacted

Password manager LastPass confirmed that it lost sensitive customer data in a supply chain attack that struck a third party.

As LastPass explained in a newly released incident report, unnamed threat actors first targeted Klue, a third-party market intelligence platform that integrates with its Salesforce and Gong systems. After obtaining its OAuth tokens, the attackers were able to access LastPass’ Salesforce environment and exfiltrate sensitive data stored there.

“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass said.

Compromising names and emails

"We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”

“The threat actor then used these credentials to access LastPass customer data within our Salesforce environment.”

Further in the report, the password manager said the attackers most likely accessed customer names, phone numbers, email addresses, postal addresses, support case information, and sales/CRM-related data.

Passwords, including the master password, were most likely not exposed. However, criminals can use the data they obtained to launch phishing attacks, through which they might trick the victims into sharing those secrets, as well.

LastPass is now urging customers to remain vigilant and be careful with incoming messages, particularly those claiming to come from the company.

According to BleepingComputer, the Klue supply chain attack was claimed by a threat actor called Icarus, which apparently used compromised legacy credentials for an integration service to breach the intelligence platform.

Besides LastPass, a number of other organizations are affected as well, the publication further reported, including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. LastPass has now disabled employee access to Klue.

Via BleepingComputer

• LastPass warns of phishing campaign targeting credentials
• Attackers trick victims with fake support conversations
• Malicious links mimic LastPass login pages

Popular password manager LastPass is warning customers about an ongoing phishing campaign, aimed at obtaining their login credentials.

What makes this campaign unique is that victims are positioned as silent observers to an ongoing attack - being made to believe they’re in a unique position to stop the attack, but only if they act fast.

In a blog post outlining the campaign, LastPass noted the scam was dsigned to, "to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails."

LastPass infrastructure intact

In a “classic” phishing attack, the threat actors would impersonate LastPass, reach out to the targets, and claim their account needs “securing”. In the same email, they would offer a link where they can do that, but the link is malicious and relays the login credentials to the attackers.

In this new campaign, things are a little different. The victim is forwarded an email chain showing a conversation between LastPass customer support and alleged attackers. In the fake conversation, the attacker impersonates the victim and requests either 2FA removed, or a reset to the password, and the customer support complies by sharing a link.

For the trick to work, the victim needs to believe they have the advantage, and that they can forestall the attack by resetting the password via the provided link themselves. But the link leads to a malicious landing page designed to look like the LastPass login site.

In the warning, LastPass says that its infrastructure is intact and that the emails are not coming from the company’s email domain. Instead, the attackers are betting on victims not paying attention to the email address from which the messages are coming.

LastPass also said that the company will never ask its customers for their master password, and that they should never disclose it to anyone, anyway. The company is now working to have the malicious landing pages removed, as soon as possible. Victims who receive the phishing email are urged to reach out to LastPass.

• Vulnerabilities have been discovered in several password managers
• Researchers created theoretical attacks that could steal credentials
• Remediation efforts are underway, with multiple vulnerabilities already patched

27 vulnerabilities across four popular password managers have been discovered by researchers which could allow an attacker to access a victim's password vault to alter and steal credentials

The research from experts at ETH Zurich and the Università della Svizzera italiana (USI) in Switzerland included vulnerabilities in Bitwarden, which was found to be susceptible to 12 attacks, LastPass to seven, Dashlane to six, and 1Password was found to be vulnerable to only two attacks.

In total, these popular password managers cover over 60 million users and almost 125,000 businesses, with the attacks discovered by the researchers focusing on vulnerabilities across four categories - key escrow, vault encryption, sharing, and backwards compatibility.

Key escrow flaws

The key escrow flaws focus on vulnerabilities in account recovery features. The researchers outlined that copies of user’s encryption keys are often stored to assist with account recovery should the user be unable to access their account using their master password.

However, in some cases the keys can be accessed without authentication allowing a hacker to manipulate the recovery process to access the keys and, in turn, a user’s vault. For attacks in this category, Bitwarden was found to be susceptible to three and LastPass to one.

Vault encryption flaws

The second category, vault encryption flaws, focuses on how stored credentials and their associated URL within a user’s vault are encrypted. In several cases, the researchers found that the vault was not encrypted as a single block, but rather each individual item was encrypted separately.

Additionally, other information about the contents of the vault was left unencrypted. LastPass was found to be susceptible to five attacks of this type, Bitwarden to four, and Dashlane to one.

In attacks exploiting this vulnerability, an attacker could theoretically leak information from each credential ‘field’ within the vault to identify its contents. An attacker could also swap items within a field to leak information, or present the URL associated with the credentials in such a way that the password and username could be leaked.

Sharing flaws

Many password managers allow users to share stored credentials and other information as a matter of convenience, such as being able to quickly share the Wi-Fi password with guests.

The researchers found very little user authentication took place when items were shared, allowing several attack vectors that could reveal shared items or enable further attacks. For attacks in this category, Bitwarden was found to be vulnerable to two, with LastPass and Dashlane susceptible to just one.

In one example, an attacker could create an ‘organization’ and add random users using their public key. The password manager would then synchronize the users with the fake organization, making the users appear to belong to the organization. In some cases, the attacker could then add incriminating items to the user’s vault, or the attacker could gain access to all of the stored items within a shared folder.

Backwards compatibility flaws

In order to maintain compatibility between versions, many password managers offer legacy support that enables backwards compatibility with older encryption methods.

This is convenient for organizations and users who need to access credentials encrypted using older methods, but presents several opportunities for attackers to downgrade the encryption used by the client to the older, and therefore weaker, cryptographic algorithms. For attacks in this category, Dashlane was susceptible to four, and Bitwarden to three.

Vulnerabilities addressed and patches released

Ahead of the research being released, the researchers contacted all of the affected password manager providers as part of a 90-day disclosure process. The researchers noted that there is no evidence any of the vulnerabilities have been exploited in the wild, and all of the effected password manager providers have all begun remediation efforts, with several vulnerabilities already patched.

While 1Password was only vulnerable to two attacks, the company responded to the researchers stating that the vulnerabilities are part of architectural limitations, with the vulnerabilities already documented in 1Password’s Security Design Whitepaper.

Speaking to The Hacker News, Jacob DePriest, Chief Information Security Officer and Chief Information Officer at 1Password, said "We are committed to continually strengthening our security architecture and evaluating it against advanced threat models, including malicious-server scenarios like those described in the research, and evolving it over time to maintain the protections our users rely on."

"For example, 1Password uses Secure Remote Password (SRP) to authenticate users without transmitting encryption keys to our servers, helping mitigate entire classes of server-side attacks," DePriest said. "More recently, we introduced a new capability for enterprise-managed credentials, which from the start are created and secured to withstand sophisticated threats."

Bitwarden stated in a blog post that, "All issues identified in the report have been addressed by the Bitwarden team," and thanked the researchers for uncovering the vulnerabilities.

Both Dashlane and LastPass also thanked the researchers, and detailed their own findings of the vulnerabilities and mitigations.

• LastPass CEO Karim Toubba believes the company can still be trusted
• 2022 data breach seriously eroded customer trust
• Four years and millions of dollars later, can that trust be restored?

LastPass CEO Karim Toubba says that it might finally be time for customers to let bygones be bygones and trust the company once again.

Before its infamous 2022 breach, LastPass was one of the best password managers around, touting cost effective pricing and impressive security features.

However, a number of security lapses and a string of bad luck turned the LastPass brand into a lesson in consumer trust - so what has it done to earn back that trust?

The LastPass Lesson

Speaking to ZDNet, Toubba reinforced the same message he told TechRadar three years ago, “We made a multi-year, multi-million-dollar investment, and we went beyond what would normally be expected of a standard security program.”

The changes LastPass have made include limiting employees to highly secure company-provided devices with strict controls over the apps that can be downloaded and run by each employee. The company also moved to encrypt more of its stored data, including the same types of information that was stolen in the breach of ‘22, such as billing addresses and email addresses.

Authentication has also played a serious role in shoring up the company against a repeat incident. YubiKeys are now central to preventing unauthorized access to hardware, which would have stopped the attacker from using the credentials obtained from a senior DevOps engineer’s personal computer to access an internal vault holding keys to the customer data backups that were stolen.

“I would say the new and improved LastPass, if you will, is one that puts security at the very heart of what we do for the consumer," Toubba added.

The case could even be made that LastPass is more secure because of the breach. The company has learned from its failings and used the 2022 incident as “a forcing function to drive a lot of changes,” as Toubba put it, to address the failures that led to the breach.

If lightning were to strike twice, would LastPass make the same recovery it has made over the past four years? Likely no, which is exactly why there is so much investment in making LastPass secure as possible.

• LastPass phishing campaign tricks victims out of their master passwords
• Fake maintenance email warns users to backup their vaults urgently
• "No one at LastPass will ever ask you for your master password"

LastPass has issued a warning about a new phishing campaign looking to trick users into handing over their master passwords and with that, potentially all of their passwords, 2FA codes, payment details and more.

A fake email warning of "scheduled maintenance" encourages users to backup their password manager vaults within 24 hours, only to steal their credentials.

This false sense of urgency is one of the most common ways to trip victims up into sharing credentials, rushing them past some basic checks that would highlight the dodgy activity.

LastPass users warned of January 2026 phishing campaign

"Please be advised that LastPass is NOT asking customers to backup their vaults in the next 24 hours," the company stressed. "Please remember that no one at LastPass will ever ask for your master password."

A genuine-looking email template covers all the essentials – a supposed commitment to security, instructions on how to perform the backup and contact methods for further questions.

However, there are some quick actions users can take before they fall victim. For example, sender addresses for the campaign include support@sr22vegas[.]com, support@lastpass[.]server8, support@lastpass[.]server7 and support@lastpass[.]server3.

LastPass promises to be working with third-party partners to take down the domains it's identified, and it encouraging users to report suspicious emails to abuse@lastpass.com.

• LastPass vaults stolen in the 2022 breach are still being cracked, enabling crypto theft years later
• TRM Labs reports ~$35M stolen, with funds laundered via mixing services
• MetaMask’s earlier findings suggest the true losses may approach $100M, as seed phrases remain prime targets

The data breach incident at LastPass, which happened more than three years ago, is still enabling cryptocurrency theft. In fact, cybercriminals managed to steal approximately $35 million to date by cracking stolen LastPass vaults, researchers said.

In August 2022, LastPass (which was considered one of the best password managers around at the time) suffered a data breach that allowed the attackers to get away with people’s password vaults.

These are essentially encrypted folders where users store their passwords and other secrets, guarded by a master password. Without it, though, it’s impossible to decrypt the folder and access its contents.

Stealing seed phrases

That doesn’t mean that the attackers can’t try and brute-force their way in, using specialized hardware and software. If the master password is relatively weak (a simple combination, for example), they might be able to crack it: "Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password," LastPass warned at the time of the breach.

Blockchain analysis firm TRM Labs has now published a new report, saying cybercriminals were successful at breaking into many of these vaults that contained seed phrases - strings of 12 or 24 words that allow users to load a cryptocurrency wallet into a new account, and access all of the funds found inside.

"The linkage in the report is not based on direct attribution to individual LastPass accounts, but on correlating downstream on-chain activity with the known impact pattern of the 2022 breach," TRM told BleepingComputer. "That created a scenario in which wallet drains would occur well after the original breach, rather than immediately, and in distinct waves."

TRM Labs also said that crooks stole all kinds of cryptocurrencies, converted them into bitcoin, and then tried to hide their tracks by using mixing services (essentially crypto laundering tools). The researchers concluded that more than $28 million was stolen and laundered this way in late 2024 and early 2025, with an extra $7 million being linked to attacks in September 2025.

It’s also worth mentioning that a separate report, published by wallet makers MetaMask in September 2023, also said the crooks stole $35 million this way, which could mean that the actual figure is now closer to $100 million.

TRM says most of the funds were cashed out using Russian exchanges.

Via BleepingComputer

• The ICO has fined LastPass £1.2 million ($1.6 million)
• Over 1.6 million users had data exposed in a data breach
• The exposed data included names, emails, phone numbers, and URLs

The UK Information Commissioners Office has fined password manager provider LastPass £1.2 million ($1.6 million) for a 2022 data breach that affected 1.6 million users.

According to the ICO, LastPass “failed to implement sufficiently robust technical and security measures,” that resulted in two separate data breach incidents.

Since the data breach, researchers have linked a string of six figure cryptocurrency heists to said LastPass breach.

Businesses take note

The breach began with an attacker obtaining encrypted company credentials after compromising a company laptop which had access to the LastPass development environment

The attacker then gained access to the LastPass backup database by compromising a senior employee’s laptop with a keylogger, and stealing a trusted device authentication cookie.

With access to both the employee’s personal and business accounts, the hacker then stole an Amazon Web Service (AWS) access key and decryption key.

The attacker used the previously acquired keys to extract the contents of the backup database filled with personal information.

LastPass operated using the zero knowledge encryption format, so no stored passwords have ever been confirmed to have been decrypted. The attacker did however exfiltrate customer names, emails, phone numbers, and stored website URLs.

John Edwards, UK Information Commissioner, said, “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.

“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks”.

A LastPass spokesperson said, “We have been cooperating with the UK ICO since we first reported this incident to them back in 2022. While we are disappointed with the outcome, we are pleased to see that the ICO’s decision has recognized many of the efforts we have already taken to further strengthen our platform and enhance our data security measures. Our focus remains on delivering the best possible service to the 100,000 businesses and millions of individual consumers who continue to rely on LastPass.”

• Phishing emails claim victims are dead to steal LastPass master passwords
• Fake site lastpassrecovery[.]com mimics LastPass to harvest credentials and passkeys
• CryptoChameleon group behind attack; targets include crypto wallets and passwordless logins

Scammers are trying to get LastPass user master passwords with a devious phishing email scheme concerning their deaths.

The password manager has an inheritance feature - so if a person proves the account owner is deceased, and that they are the closest relative (or otherwise deemed to be granted access to the account), LastPass can comply and hand it over.

However in phishing emails, victims are told that someone has uploaded a death certificate confirming they have passed away, and that unless they act fast it will grant them access to their Vault (an encrypted password storage database, essentially).

CryptoChameleon

“Acting fast” means clicking on a link, and logging into the LastPass account. However, those that rush to do it will not notice that the website they are logging in to is not LastPass, but rather - lastpassrecovery[.]com - a fraudulent landing page propped up only to harvest gullible people’s login credentials.

The threat actor behind this morbid campaign is called CryptoChameleon - they are a known hacking collective specializing in crypto theft.

In the past, the group has been seen targeting Binance wallets, Kraken, Gemini, and other platforms, using fake Okta, Gmail, iCloud, and Outlook sign-in landing pages, as well as passkeys.

Passkeys are a passwordless method of authentication that uses public-key cryptography to verify the person’s identity without storing or typing a password. It is generally considered a lot safer than a password, and many of the world’s biggest tech companies have pushed to replace them entirely.

Obviously, the best way to defend against the attack is to think before you click, and be skeptical of any email messages demanding urgent action.

Via BleepingComputer

• Atomic Stealer malware installs silently via fake GitHub Pages targeting Mac users
• Attackers create multiple GitHub accounts to bypass platform takedowns repeatedly
• Users copying commands from unverified websites risk serious system compromise

Cybersecurity researchers are warning Apple Mac users about a campaign using fraudulent GitHub repositories to spread malware and infostealers.

Research from LastPass Threat Intelligence, Mitigation, and Escalation (TIME) analysts found attackers are impersonating well-known companies to convince people to download fake Mac software.

Two fraudulent GitHub pages pretending to offer LastPass for Mac were first spotted on September 16 2025 under the username “modhopmduck476.”

How the attack chain works

While these particular pages have been taken down, the incident suggests a broader pattern that continues to evolve.

The fake GitHub pages included links labeled “Install LastPass on MacBook,” which redirected to hxxps://ahoastock825[.]github[.]io/.github/lastpass.

From there, users were sent to macprograms-pro[.]com/mac-git-2-download.html and told to paste a command into their Mac’s terminal.

That command used a CURL request to fetch a base64-encoded URL that decoded to bonoud[.]com/get3/install.sh.

The script then delivered an “Update” payload that installed Atomic Stealer (AMOS malware) into the Temp directory.

Atomic Stealer, which has been active since April 2023, is a known infostealer used by financially motivated cybercrime groups.

Investigators have linked this campaign to many other fake repositories impersonating companies ranging from financial institutions to productivity apps.

The list of targeted names includes 1Password, Robinhood, Citibank, Docker, Shopify, Basecamp, and numerous others.

Attackers appear to create multiple GitHub usernames to bypass takedowns, using Search Engine Optimization to push their malicious links higher on search results in Google and Bing.

This technique increases the chances that Mac users searching for legitimate downloads will encounter the fraudulent pages first.

LastPass states it is “actively monitoring this campaign” while working on takedowns and sharing indicators of compromise to help others detect threats.

The attackers’ use of GitHub Pages reveals both the convenience and the risks of community platforms.

Fraudulent repositories can be set up quickly, and while GitHub can remove them, attackers often return under new aliases.

This cycle raises questions about how effectively such platforms can protect users.

How to stay safe

• Only download software from verified sources to avoid malware and ransomware risks.
• Avoid copying commands from unfamiliar websites to prevent unauthorized code execution.
• Keep macOS and all installed software up to date to reduce vulnerabilities.
• Use the best antivirus or security software that includes ransomware protection to block threats.
• Enable regular system backups to recover files if ransomware or malware strikes.
• Stay skeptical of unexpected links, emails, and pop-ups to minimize exposure.
• Monitor official advisories from trusted vendors for timely security updates and guidance.
• Configure strong, unique passwords and enable two-factor authentication for important accounts.

You might also like

• These are the best firewall offerings around today
• Common internet scams and how to avoid them
• Backers may have lost a total of more than $170,000 backing an 8-SSD subwoofer-like NAS mini PC

• Millions of dollars worth of crypto is being stolen from wallets
• The victims are being linked to the 2022 LastPass hack
• The hack saw both encrypted and unecrypted data stolen from the password manager provider

The hacker responsible for the huge LastPass breach in 2022 has continued their rampage by using stolen data to take $5.36 million from 40 crypto wallets.

The August 2022 hack saw the attacker gain access to information that allowed them to later successfully breach a cloud-based storage environment which stored customer keys, API tokens, multi-factor authentication (MFA) seeds, and encrypted password vaults.

While the password vaults were encrypted, the master password used to open them could still be brute forced if it was weak, reused, or previously leaked, which may be the reason for a string of crypto thefts against LastPass users since 2022.

The fallout continues

The latest theft is being linked to the LastPass breach by a blockchain expert known as ZachXBT (via The Block). ZachXBT claims in a Telegram post this is just the latest in a long line of crypto thefts affecting victims of the LastPass breach, with $4.4 million being stolen in October 2023, and a further theft of $6.2 in February 2024.

“Stolen funds were swapped for ETH and transferred to various instant exchanges from Ethereum to Bitcoin,” ZachXBT wrote in their Telegram message. “Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately.”

The Verge previously reported between the time of the breach in August and December of 2022, over $35 million was stolen from 150 apparent victims of the LastPass breach.

These subsequent breaches of crypto wallets highlight the importance of using unique passwords for every single account, and ensuring that each password adheres to recommended password security standards by using one of the best password generators.

Even if you have changed your password manager provider since the LastPass breach, any compromised passwords that are still being reused are at risk, as evidenced by these crypto thefts. It is also recommended to use a strong authenticator app that uses biometric verification to secure your accounts even if an attacker knows your username and password.

Christofer Hoff, Chief Secure Technology Officer at LastPass, said, "A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents. In that time, LastPass has investigated these claims and to date is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass."

"Because we take any claims regarding the security of LastPass and our customers seriously, we continue to invite any security researchers who believe they may have evidence to contact the LastPass Threat Intelligence team at securitydisclosure@lastpass.com," Hoff concluded.

You might also like

• These are the best free password managers on offer today
• Cl0p ransomware group says it was behind Cleo attacks
• Take a look at our guide to the best business password managers

One of the most popular password managers out there, LastPass, is warning its customers not to fall for the latest scam campaign aimed directly at them.

In a blog post, the company explained scammers are targeting users via the Chrome Web Store. In the reviews section for LastPass’ Chrome add-on, the scammers are adding new content that directs the visitors to fake customer support.

Therefore, when victims who are having issues with the add-on visit the page, they might think that other users are helping them reach customer support directly. In reality, dialing the number shared there starts a conversation with the fraudsters, who will try to navigate the victims to a malicious website, and download malware.

Fake customer support

"Individuals calling this fake support number will be greeted by an individual asking what product they are having issues with and then a series of questions regarding whether they are attempting to access LastPass via a computer or a mobile device and what operating system they are using," explained LastPass.

"They will then be directed to the site dghelp[.]top while the threat actor remains on the line and attempts to get the potential victim to engage with the site, exposing their data."

Investigating further, BleepingComputer found the campaign’s goal is to get people to download ConnectWise ScreenConnect, a piece of remote support and access software that grants the attackers full access to the target computer. The publication also found that the phone number associated with this campaign was used in other similar campaigns, where crooks impersonated Amazon, Adobe, Facebook, YouTube TV, and many, many others. In other words, this is a well-organized team that has been impersonating major corporations and defrauding people for a while now.

As usual, the best way to defend against these attacks is to use common sense and double-check every piece of information found online.

More from TechRadar Pro

• Data breached at LA Housing Authority after ransomware attack
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

Cybercriminals have never been as active as they are today, with passwords and sensitive information being their number one targets. Still, many organizations fail to properly secure their digital property, often since the right tools are too expensive for them.

If that is the case with you — you are in luck, since one of the best password managers around has a great discount just for B2B plans.

LastPass is a leading password manager that helps secure and manage passwords by storing them in an encrypted vault and automatically filling them in whenever required. This means you only need to remember one master password, and LastPass takes care of the rest.

For a limited time, LastPass is offering 20% off on its Business & Teams plan. You can learn more by following this link.

How does LastPass work?

To get started, download LastPass for the device of your choosing. The password manager supports major desktop and mobile platforms, as well as most browsers. After creating your account, set up the master password, behind which all other passwords will be stored. Therefore, make sure it’s rock-solid and make sure you memorize it. After that, every time you log into a service or a platform, LastPass will offer to save the password for future use.

To learn more about LastPass, make sure to read our in-depth LastPass review. We found it to be user-friendly, with efficient syncing and seamless operation across multiple devices and browsers. We deemed the tool intuitive, well-designed, and seamless, regardless of the platform in use.

We were also pleased to see that it employs end-to-end encryption using 256-bit AES encryption, as well as advanced Transport Layer Security (TLS) which effectively blocks all in-transit attacks. Ultimately, LastPass will not store master passwords, meaning that even if the company itself is compromised, its users are protected.

• Check out more LastPass coupon codes for June 2026

Alongside a roar of applause for the Calculator app for iPad at Apple’s WWDC 2024 keynote, the crowd seemed pretty happy with the debut of Passwords as well. It’s an aptly named app that takes the popular password manager feature of iCloud Keychain and gives it a home outside of Settings. 

Passwords is a dedicated app for Mac, iPhone, iPad, and Vision Pro that safely stores logins and passwords in an encrypted spot that needs to be authenticated with Face ID, Touch ID, or a password to open. It’s still free to use, and considering it’s a dedicated app, it’s now a true competitor for Lastpass and 1Password.

While some have thought that you might be locked into using it only with Safari – after all, it’s made by Apple, and Safari is Apple’s browser – we have good news. 

A browser extension saves the day

Apple Passwords will work with third-party browsers – Google Chrome and Microsoft Edge – via a browser extension. It’s actually the iCloud Extension, which also currently lets iCloud Keychain users have the autofill experience. This way, even if your browser of preference isn’t Safari, you’ll still be able to use the autofill functionality of Apple Passwords.

In a demo, I got to see the application's interface in action; much like other password managers, you can see a full list alphabetically of all your logins or see it broken up categorically. Once more, Passwords is also home to Wi-Fi networks, which is super handy, and the application supports Passkeys and 2FA codes. For the latter, you can even import a library of 2FA codes from a different service like Google Authenticator.

You can also create a shared group, which could be handy for sharing, let’s say, streaming service logins with the family. Rather than having to be around to copy and paste individually, you can share your collection of logins. It all seems pretty handy, but to make accessing stored passwords even easier, Apple also made a Menu Bar experience for passwords.

Essentially, this lets the app icon – a single key positioned vertically – live at the top of your Mac. When you need an account login or password in a jiffy, click it and authenticate it. You can either scroll or search for a specific login to quickly copy and paste it. Pretty neat. Pulling a login from here or using the autofill functionality happened promptly.

Much like the current experience with iCloud Keychain or another password manager, it will warn you of passwords that have been reused, compromised, or even leaked and suggest changing them.

Maybe best of all is that your logins will sync across your Apple devices via the Passwords app for macOS, iOS, iPadOS, and visionOS, but can also be accessed on Windows via the web. Oh, and of course, when Passwords launches later in 2024, it’ll be free; you’ll just need an Apple Account.

You Might Also Like

• AirPods Pro 2 are getting 5 cool free upgrades in iOS 18 – here are ...
• Apple WWDC keynote as it happened: Apple Intelligence, Siri ...

Are you tired of juggling multiple passwords and constantly resetting them? In that case, we've got a great deal from LastPass Password Manager. Grab the Premium or the Family Plan for 25% off by simply clicking on this link.

LastPass is a leading password manager that helps you secure and manage your passwords by storing them in an encrypted vault and automatically filling them in whenever required. This means you only need to remember one master password, and LastPass takes care of the rest.

• Check out more LastPass coupon codes for June 2026

How does LastPass work?

Start by downloading LastPass on your preferred device. It's available for desktop, mobile, and browser extensions. Once you've created an account, you need to set a strong master password which will be the only password you'll need to remember. As you log in to your online accounts, LastPass will prompt you to save the passwords to your vault.

When we wrote our LastPass review we found the interface to be user-friendly with efficient syncing and seamless operation across multiple devices and browsers. The interface is intuitive and aesthetically pleasing, providing a smooth user experience on Windows 10 and 11, macOS, iOS, and Android.

Security policies can make or break a password management provider, and LastPass stands out as one of the most secure options available. The platform employs end-to-end encryption using 256-bit AES encryption and advanced Transport Layer Security (TLS) to prevent in-transit attacks. Importantly, LastPass does not store users' master passwords or authentication keys locally or on its servers, ensuring that no one, including LastPass, can access a user's encrypted data remotely.

Popular password manager LastPass has revealed what it believes caused a 12-hour outage which frustrated many users and even prompted some to consider switching to other providers.

Simply put, it seems that a recent update for the LastPass Chrome extension triggered a denial of service on the company servers.

“LastPass customers may be experiencing login issues and product latency due to an update to our Chrome browser extension earlier today which inadvertently caused load issues on our backend infrastructure,” the announcement read. “The LastPass engineering team is actively working diligently to resolve these issues as quickly as possible. Customers can visit the LastPass Status Page for updates and details on product components that are experiencing login and latency issues.”

404 Not Found

As reported by BleepingComputer, users who tried to access their password vaults, or log into their accounts last week were met with the “404 Not Found” message, which usually indicates that the website does not exist.

While LastPass said its services were reestablished, some people were still reporting downtime: "Won't work in Chrome since the last update. I can access my vault, but cannot launch any of the sites I have in it. Clicking the "Launch" button does nothing!!," a fresh review on the Chrome web store reads.

Others on the store were also complaining about the drop in quality after performing well for “ages”.

At press time, the LastPass Status Page was showing all systems stable. The latest update was posted on Friday evening, stating “LastPass performance continues to be stable and fully operational. We will continue to actively monitor the service throughout the weekend before setting this incident to 'resolved' status.”

In recent times, cybersecurity researchers have been urging users to create strong passwords and store them in password managers. This resulted in many users not even knowing many of their passwords, but just relying on the managers for safekeeping. With the LastPass outage, many people were unable to log into many of their favorite apps and services.

More from TechRadar Pro

• LastPass officially splits from former parent GoTo
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now

Top password manager LastPass has said it will soon start encrypting URLs stored in the vaults to act as an additional layer of protection against hacker incursions.

Every LastPass user creates a “vault”, which is essentially a database of passwords and other sensitive information. This vault remains password-protected, but it also keeps track of all the websites the user opens, and cross-references them with the ones it has stored.

If it finds a match, it will try to automatically add the username and password information to the corresponding fields, for a more seamless experience.

Microsoft's safeguards

In the early days of LastPass (since 2008, essentially), this URL information could not be encrypted because it taxed the CPU too much, slowing the browser down, and wasting too much battery. So, the developers decided to leave the URLs unencrypted.

Today, with CPUs being a lot more efficient and not as power-hungry, the developers decided it was a good time to re-introduce the feature. We’re not sure if this has anything to do with the fact that most OEMs just introduced new ARM-based Windows PCs. ARM, according to early benchmarks, seems to be significantly more powerful, and power-efficient, compared to x86 architecture. Apple already made the jump a few generations back with its M series of silicon. 

Encrypting URLs in people’s vaults is not an easy task, and it will have to be rolled out slowly. So far, the process is progressing as planned, the company allegedly said. 

The process will come in two phases, with the first phase kicking off in June, and the second one sometime in the second half of the year. 

Users are not expected to have to take any action, but in case anything changes, LastPass will send out appropriate notifications, it confirmed. 

Via BleepingComputer

More from TechRadar Pro

• Microsoft announces new Surface lineup with Qualcomm Snapdragon X chips
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

LastPass has now officially severed ties with its former parent company, GoTo, which was formerly known as LogMeIn.

The separation, initially announced in December 2021, marks a pivotal moment for the password manager company as it begins a journey on its own.

The move comes in the wake of a series of high-profile attacks, with the new company committing to bolstering security measures across the board in order to improve resistance.

LastPass splits from parent company

In the months that followed the attacks on LastPass, which revolved around the theft of source code and certain customer information, the company started introducing stricter measures, such as the enforcement of a 12-character minimum for passwords.

The then CEO, Karim Toubba, continues the role of heading up the newly diverged company despite criticism over the attacks.

Toubba commented on the split: “Together, we are all committed to delivering solutions that never compromise on security, quality, or performance – helping to set new standards in the cybersecurity landscape on behalf of our valued customers, dedicated employees, and the industry for years to come.”

LastPass has also invested in establishing its own dedicated threat intelligence team, comprising workers who collectively helped drive a 98% decrease in credentials offered for sale by infostealing malware in 2023.

In its announcement, LastPass also asserted that the company “stands on solid financial ground,” alluding to upcoming investment in technology and R&D. LastPass is now owned by private equity sponsors Francisco Partners and Elliott Management.

Toubba added: “Our journey forward as an independent company is filled with excitement and gratitude.”

The company remains in Boston, where former parent company GoTo is headquartered, but it will reside in its own property. 

More from TechRadar Pro

• Downloaded something dodgy? Here’s the best malware removal
• LastPass is forcing its users to make longer, tougher passwords
• Check out the best anonymous browsers and privacy tools

LastPass users are being targeted with a sophisticated phishing campaign that sees hackers looking to steal master passwords, which would grant the attackers access to all other passwords stored in the LastPass vaults.

The password management company has said it had investigated reports of a new phishing campaign and discovered that it was added to the CryptoChameleon phishing kit. 

A phishing kit is a set of tools that helps cybercriminals create a phishing campaign: it usually includes a landing page builder, an email crafting tool, means of email distribution, tracking, and more. 

URL shorteners and other red flags

In this particular campaign, LastPass users would first receive an automated phone call, stating that there was an unrecognized login to the user’s account, and asking them to either allow or block the access. 

If the user decides to block the access, they would get a follow-up call from someone impersonating a LastPass employee. This person would then send a phishing email, with a link to the fake LastPass site. There, the victim would enter their master password, which would be relayed to the attackers. Moments later, the victims would get locked out of their accounts, losing access to all other passwords.

LastPass users are advised to be wary of phone calls, messages, or emails claiming to come from LastPass, especially if they carry a sense of urgency and require the user to do something immediately. Those are, almost always, malicious. 

Some of the phishing emails that were making rounds had “We’re here for you” in their subject lines, and used a URL shortening service for links in the message, to conceal the actual address the victims were being redirected to. Such emails should be reported to abuse@lastpass.com, the company said.

As a general rule of thumb, the master password should not be shared with anyone, including LastPass employees.

Via BleepingComputer

More from TechRadar Pro

• Watch out - there's a fake version of LastPass on the Apple App Store
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now

People worry, and I know I've written about how Apple allowing side-loaded apps, as it's about to do in Europe with iOS 17.4, could lead to dangerous malware-filled apps arriving on your best iPhone. But it turns out that Apple's ironclad App Store checks and balances aren't entirely perfect either.

Earlier this week we learned from the popular password management system LastPass that there was a fraudulent app impersonating its own app in Apple's App Store. The developer, listed as Harry Potter character Parvati Patel, wasn't exactly subtle. A search for 'Lastpass Password Manager' would return, along with the legitimate app, Patel's app with a logo that, while different, could easily be mistaken for LatPass's real one. It also used a collection of screenshots that looked a lot like LastPass's mobile password management system.

LastPass alerted customers to the fake app in a February 7 blog post, and promised to "continue to monitor for fraudulent clones of our applications and/or infringements upon our intellectual property."

At the time of this writing the apps had disappeared from the App Store. I also searched in Google Play, and fortunately I couldn't find a similar fraudulent LastPass app.

App apparates

As a longtime LastPass customer, I was appalled. This wasn't just a fake Slot Machine or news app; LastPass manages all of my passwords (and the passwords of millions of other customers), which means, in my life at least, that it has the keys to the kingdom. I have no idea how the fake LastPass worked, or didn't, but if someone downloaded and started using it as if it was the real thing, they could at the very least be giving away their LastPass Master Password to a criminal enterprise.

This app wouldn't just rope in unsuspecting new LastPass customers but existing ones as well. Let's say you get a new iPhone and have to reinstall all your core apps. If you're not paying close attention – something 'Parvati Patel' was depending on – you could have downloaded and started using the fake app, likely with disastrous results.

Apps like this getting through Apple's layers of security is not supposed to happen. My understanding of Apple's App verification process is that it's a closed loop with significant checks. Registered iOS developers provide Apple with, according to its Developer Program support page: "information associated with your Apple ID, including your name, email address, age, phone number, preferred language, and country or region, to create and maintain your developer account and provide you with features of the Apple Developer Program."

What did Patel provide – an owl gram from Hogwarts?

The whole point of not allowing side-loading apps is that fake and dangerous apps couldn't make their way all the way to end users, especially apps that are so blatantly impersonating legitimate apps – at least I thought that was the point. Couldn't Apple have performed a simple name check before making the fake LastPass public? Surely, the system would've noticed the discrepancy.

Apple's protego spell

I asked Apple how such an imposter app got through its developer and app verification system. Apple confirmed that it had removed the app and, yes, 'Parvati Patel' is being removed from its Apple Developer Program. Of course, since that's almost certainly not the developer's real name, I have to assume that Patel will soon pop up as a new developer named 'Ludo Bagman.'

Apple is well within its right to remove the app and Patel because, as Apple noted, it's against the rules to impersonate other apps.

It seems, though, that if Apple's vetting system fails, it may be up to companies like LastPass (owned by developer LogMeIn) to log a dispute with Apple's content dispute process. LastPass reported doing so on February 7.

Apple never explained why its system failed, but it did point to its efforts to make the App Store a safe space for developers and consumers. That highly lucrative space, though, is clearly under constant attack, and it's a wonder we don't see a lot more fake apps in the App Store.

The company reports stopping at least $2 billion in fraudulent App Store transactions in 2022, and, even though LastPass slipped through, Apple has so far rejected almost two million apps because they didn't meet Apple's safety and quality standards.

Apple also reports swatting away 153,000 app submissions that were spammy, misleading, or, of course, copycat apps. That kind of activity has led to the termination of almost half a million developer accounts.

The point is that Apple is doing the work. Is it enough? For anyone who did manage to download and use that fake LastPass app before LastPass and Apple noticed it, probably not.

While the fake LastPass app episode is disheartening, the amount of work Apple does to stop even more app fraud further cements my belief that fully open iPhone app sideloading would be an unmitigated disaster. So there's that.

You might also like

• The App Store generated nearly half a trillion dollars last year
• These are the best bots in the ChatGPT 'app store'
• Here's what alternative iPhone app stores will look like
• 7 things you need to know about Apple's App Store and iOS changes 

LastPass has warned that there is a fake version of its app on the Apple App Store, called "LassPass Password Manager [sic.]." 

The password manager vendor explained that the developer of the fake app is listed as Parvati Patel, and copies the firms' branding and user interface. The real developer of the legitimate app is "LogMeIn Inc.", the parent company of LastPass.

LastPass says that it "is actively working to get this application taken down as soon as possible, and will continue to monitor for fraudulent clones of our applications and/or infringements upon our intellectual property."

More trouble

This is not the first security incident to affect LastPass. In October 2022, it infamously suffered a series of breaches which resulted in users' password vaults being stolen by threat actors. However, the vaults remained encrypted, so the hackers could only access the stored credentials if they guessed or cracked the master passwords securing the vaults.  

There was still some fallout linked to the breaches, however, including a crypto-stealing scam that was thought to have made use of stolen LastPass accounts. The hackers in this case may have been able to crack the master passwords securing users' vaults, especially if the passwords were weak and easy to guess, or had been reused from other accounts that were found in previous data breaches. 

It is not often fraudulent apps of such a high profile are found in Apple's app store, given the stringent controls the tech giant places on it. Google's Play Store, on the other hand, frequently sees fake and malicious apps uploaded to its platform.

Recently, six malicious Android apps were found on the store that were pretending to be chat apps, but actually contained info-stealing malware that could swipe contacts, call logs, and SMS messages.

On its blog post, LastPass has provided the URLs for both the fake and legitimate versions of the app on the App Store, "so that customers can verify they are downloading the correct LastPass application for themselves until the fraudulent app is taken down."

MORE FROM TECHRADAR PRO

• Here are the best identity theft protection services around
• Apple says it blocked nearly two million malicious or insecure iOS apps last year
• Cybercriminals can pay $20k to spread malware on the Google Play store

LastPass is forcing customers to set up 12-character master passwords, if they haven’t already, in an effort to improve security following a major incident in 2022.

While this has been a default option since 2018, LastPass customers have been able to evade the 12-character recommendation, which will now soon be mandatory.

On its website, the password manager said the new requirement surpasses the current National Institute of Standards and Technology (NIST) guidelines which state that human-generated passwords should be at least eight characters long.

LastPass security boost

In a company blog post, LastPass Senior Principal Intelligence Analyst Mike Kosak said the password length requirement is part of a progressive set of initiatives that the company is rolling out in order to protect customer accounts, thus minimizing the likelihood of any successful attacks.

In an email to customers seen by TechRadar Pro, LastPass said in response to why it was making the change: “We’re committed to meeting the latest industry security standards and best practices to protect against external threats.”

There’s also the fact that the company suffered a “security incident” in 2022, which saw an unauthorized party gain access to some of the company’s data.

From January 2024, LastPass users’ master password should include at least 12 upper case, lower case, numeric, and special characters.

Free, Premium, and Family customers are among the first to be notified about the change, and Teams and Business customers are expected to receive a warning by the end of January.

From February, new and reset master passwords will also be cross-referenced in real-time against a list of exposed credentials on the dark web. Users will receive a security warning if the password they choose has been previously leaked. 

Customers who fail to meet the deadline will be logged out and forced to create a new master password, helping LastPass to ensure that all customers have taken the necessary steps.

A LastPass spokesperson confirmed in an email to TechRadar Pro that a phased rollout begins on January 8 for business customers.

More from TechRadar Pro

• Worried about your online safety? These are the best privacy tools and anonymous browsers
• Millions in crypto has been stolen following LastPass breach
• Protect your online activity by using one of the best VPNs

The LastPass data breach incident that happened last year resulted in dozens of victims having cryptocurrency stolen, new research has claimed.

Cryptocurrency analyst ZachXBT (Twitter alias) and MetaMask developer Taylor Monahan, who’ve been tracking the attacks, believe the attackers managed to steal $4.4 million from more than two dozen victims:

"We regularly have people reach out via DM who have had their crypto assets stolen. We also approach victims we discover on-chain," ZachXBT told BleepingComputer. "We ask potential LastPass victims multiple questions and typically have found one commonality between them all being LastPass."

Brute-forcing the vaults

In August 2022, LastPass suffered a data breach that allowed the attackers to get away with people’s password vaults. You can think of those as encrypted folders where all the passwords are stored. Without the master password, however, it’s impossible to decrypt the folder and access its contents - passwords to other services.

That doesn’t mean that the attackers can’t try and brute-force their way in, using specialized hardware and software. If the master password is relatively weak (a simple combination, for example), they might be able to crack it. 

"Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password," LastPass warned at the time of the breach.

And that’s exactly what the researchers suspect the attackers did. The idea is that in some of the vaults, people kept their seed phrases - long passwords (12 to 24 words) that allowed the attackers to load the wallets onto their own devices and subsequently drain the funds. 

When it comes to keeping your cryptocurrencies safe, it’s best to follow industry best practices, which include getting a cold wallet (an offline device), and not storing the seed phrase digitally, but rather printing it out on a piece of paper and storing it somewhere safe (preferably on multiple locations).

Via BleepingComputer

More from TechRadar Pro

• LastPass security breach linked to a string of crypto heists
• Here's a list of the best firewalls today
• These are the best malware removal tools around

ITV has announced the upcoming launch of their new show ‘Password’: a word association game which consists of teams receiving one-word clues to guess a mystery “password”. But what is the reality behind having your password cracked?

In real life, cybercriminals aren’t gifted with one-word clues and encouraged by flashing lights and comical noises, yet the ease and ability remain the same. Adversaries don’t have to “crack” passwords anymore, they just steal them when they are unencrypted. So gameshow or otherwise - no matter how ‘long’ or ‘strong’ passwords appear to be they are fundamentally flawed authentication methods. Therefore, companies continued heavy reliance on passwords as a means of validating user identities has left them open for attack.

Representing the weakest link in an organization's security chain, passwords can be easily guessed, obtained through clever social engineering tactics, or stolen while they unencrypted - for example when a user is typing a password into a web form. Despite attempts to implement more secure authentication methods, even first-generation MFA (Multi-Factor Authentication) solutions that combine passwords with an additional factor like one-time passwords via SMS/email or push notifications are now frequently circumvented, even by inexperienced attackers.

This situation poses a significant risk to organizations. According to the Verizon Data Breach Report of 2022, credentials were the most common type of data compromised in both the US (66%) and EMEA (67%), and more than 80% of data breaches directly result from password-related issues. Consequently, improving authentication and security measures remains a top priority for business leaders worldwide.

Just how easy is it to crack a password?

Unfortunately, there is no such thing as a 'strong’ or ‘secure’ password. The length and complexity of a password only become significant if attackers employ brute force tactics, attempting millions of combinations of characters and numbers until they find the right match. For example, it is often suggested that a 12-character password with a mix of upper and lower-case characters, numbers, and special characters would take billions of years to crack through brute force. However, this method is not how adversaries typically gain access to passwords.

In reality, attackers rely on social engineering techniques to trick users into providing their passwords directly. They may also infect endpoints with credential theft malware or employ attacker-in-the-middle (AitM) techniques to intercept passwords as they cross the network in the clear. In these cases, the length of a password becomes irrelevant, as malware can steal a lengthy password just as easily as a short one consisting of only four letters or numbers. Therefore, the focus should not solely be on creating ‘"strong’ passwords but on implementing additional security measures to counteract these tactics.

Poor password habits

Recently, we have seen the growing popularity of password managers with Google and other applications saving users’ passwords and providing a randomized password to ensure ‘greater protection’. While it ensures some degree of security - given it prevents attackers from using one set of stolen credentials for multiple accounts - several issues still remain.

Even the best password manager has limitations when it comes to stopping attackers at the endpoint or in the middle of login flow processes. While these tools may enhance security by generating complex and unique passwords for users, they don't fundamentally alter the login procedure. The password manager merely handles the password generator, with the user's login experience remaining unchanged. Additionally, they don't provide full protection against social engineering attacks, as unsuspecting users may still be manipulated into revealing relevant information to attackers, bypassing the Password Manager's safeguards.

Another significant drawback of password managers is that they centralize the risk for users and create an enticing target for hackers. If attackers manage to steal the main password from the password manager vendor, they potentially gain access to all customer credentials in one go. This concentration of sensitive information can lead to severe consequences in case of a successful breach. A real-life example of this risk materialized in December 2022 when LastPass disclosed an incident where hackers gained access to backups of their customers' data. Such incidents highlight the vulnerabilities associated with relying heavily on password managers as the sole defence against security threats.

The solution? Passwordless authentication

Organizations now have the opportunity to transition towards a modern and highly secure passwordless, Multi-Factor Authentication (MFA) system that effectively resists phishing attempts. This advanced approach makes use of biometrics and passkeys, following the standards set by the Fast Identity Online (FIDO) Alliance. This industry association operates openly, with the primary goal of reducing the world's dependence on passwords by establishing robust authentication standards.

The FIDO Alliance's mission involves promoting and supporting the development, usage, and adherence to authentication and device attestation standards. Its efforts aim to revolutionize authentication by offering open standards that surpass the security provided by passwords, while simultaneously being more user-friendly for consumers and easier for service providers to implement and manage.

By embracing these innovative passwordless technologies, enterprises can significantly raise the bar for adversaries attempting to hack into their systems. Additionally, it liberates users from the burden of managing passwords, which is a responsibility they are eager to be free from. The adoption of FIDO-based authentication systems represents a crucial step forward in enhancing overall security and user convenience for organizations worldwide.

Given passwords remain a key feature for many businesses and even new gameshows, adopting a passwordless approach might appear a lengthy task for an organisation’s cybersecurity team. However, adopting the passwordless authentication approach is crucial for any company that seeks to have full protection through a robust security strategy. Remove passwords and you remove the weak link in your defense.

We've listed the best identity management software.

Six-figure cryptocurrency heists have reportedly been taking place on a monthly basis since late last year, with experts now attributing the action to the December 2022 LastPass breach.

LastPass CEO Karim Toubba has already disclosed and actioned plans to reduce the likelihood of future attacks, but for some high-net-worth individuals who trusted the platform, it could be too late.

The news comes from software cryptocurrency wallet MetaMask’s lead product manager Taylor Monahan, who noted a connection between the victims of both the LastPass breach and the crypto heists.

Is LastPass to blame for crypto theft?

Monahan and other researchers have identified clues dating back to December 2022 when the breach occurred, linking the more than 150 crypto heist victims to the LastPass incident. The total value of cryptocurrency stolen reportedly stands at more than $35 million.

Given how much money the victims had put aside in cryptocurrency, it’s unsurprising that Monahan noted their healthy account security. However, that was not enough to deter criminals who seem to have gotten their hands on the seed phrases used to unlock accounts, which were stored in the popular password manager.

According to the research put together by cybersecurity blogger Brian Krebs, between two and five “high-dollar heists” have occurred each month since the breach.

Krebs added: “LastPass declined to answer questions about the research highlighted in this story, citing an ongoing law enforcement investigation and pending litigation against the company in response to its 2022 data breach.”

Karim Toubba added: "Since last year’s attack on LastPass, we have remained in contact with law enforcement and continue to do so. We have shared various technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with our law enforcement contacts as well as our internal and external threat intelligence and forensic partners in an effort to try and help identify the parties responsible. Last year’s incident remains the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation. In the meantime, we encourage any security researchers to share any useful information they believe they may have with our Threat Intelligence team by contacting securitydisclosure@lastpass.com."

Those concerned about account security should consider setting up additional protective measures like two-factor authentication, as well as refraining from storing all account information in one place. 

Finally, all Internet users should be cautious of phishing scams: if in doubt, revisit the webpage from a genuine URL rather than following a link in an email.

More from TechRadar Pro

• Crypto wallets are being hit by a new Mac infostealer
• Boost your cybersecurity with the best endpoint protection software
• Concerned that you may have been caught up in a data breach? Consider the best identity theft protection tools to keep yourself safe

It's been over half a year since LastPass suffered its catastrophic breach, but still the memory lingers, and for good reason. Despite handling the most sensitive of user information, the company succumbed to the worst possible fate for such a service: backups of users' entire vaults stolen from right under the company's nose. 

The saving grace is that fortunately, users' passwords remained encrypted, and there has been no evidence so far to suggest the thief has managed to crack them. However, other personal data, such as billing addresses and email addresses, were not encrypted by LastPass, so are out in the open.

Again, though, no one appears to have leaked this data on the dark web or used it against the victims in identity theft attacks. But despite the lack of material damage, many are still reluctant to trust LastPass again.  

CEO Karim Toubba hopes to change that, as he told us how LastPass has taken certain steps and put in place various policies to prevent lightning striking twice. 

The breach

In his own words, Toubba explains the central cause of the data theft:

"The ultimate compromise that led to the encrypted data and the specific user information [being stolen] was a direct result of an attack that was manifested on a senior DevOps engineer’s laptop." This information was then used to access backups of users' vaults, stored within an AWS S3 bucket instance.

"There were a bunch of security controls In place at the time - it's actually how we ultimately determined the details with the data - but the real weakness ultimately was driven by the fact that the attacker was able to get legitimate credentials to the AWS [S3] bucket as we described in a lot of detail within the blog that ultimately led to the compromise of the encrypted data."

Toubba also says that there was nothing unusual about the activity that would have alerted LastPass or their AWS client to the fact that a threat actor was accessing and copying data within the S3 bucket:

"It was the credentials ultimately that were compromised that enabled access, and those credentials, coupled with the key that was taken from the first incident, effectively mimicked legitimate access, and so as a result, while we were able to ultimately put the pieces together as part of the investigation, there was really nothing at that particular moment in time that would have led to information that told us it was unauthorized access."  

Toubba was keen to point out, though, that, "we do employ a zero knowledge model, which effectively means that the encryption keys that are used to access the information such as usernames and passwords that are stored - the mass of which is effectively the cryptographic elements - are never stored on any device or in our infrastructure. They're derived from the master password and the master password, of course, is never kept within our infrastructure."

As aforementioned, Toubba notes that LastPass hasn't seen any activity on the dark web to suggest the the threat actor managed to crack any of the users' master passwords:

"We had a bunch of dark web monitoring in place [and] we've expanded that… we built out a pretty advanced threat intelligence team that we leveraged in addition to third-parties that we brought in, such as Mandiant, to help us with the investigation and the forensics, and we've seen no data that suggests any of the vaults were compromised."

Changes

In trying to ensure that this breach doesn't happen again, Toubba says that, "we've reevaluated policy, infrastructure and procedures. I’ll direct you back to the blog - there's a number of things that we've made from a change perspective and additional capabilities that we've deployed."

Since it was a personal computer belonging to the DevOps engineer that was compromised - via a malicious media player that they had downloaded - Toubba mentions that one of the changes is that employees are only allowed to use LastPass provided computers now for their work.

LastPass is also making changes to what information it encrypts. Since unencrypted customer data was stolen - although, as mentioned, it doesn't appear to have been exploited by the threat actor - Toubba said that, "while we are not yet complete with this end-to-end transformation work, we are still actively working towards our goal of expanding the use of encryption across both our production and backup environments."

He also mentions the importance of communicating thoroughly with users on the steps LastPass has taken, again referring to the blog post:

"The blog is about four or five pages and then there's an additional 19 to 20 pages of details behind that because we wanted to be very detailed and thorough and transparent about the information we shared."

When it comes to technology, Toubba says that LastPass takes a thoughtful approach:

"I've been in cyber the better part of 25 years - it's a constantly evolving category… in cyber, you're never done, you're always evaluating policy changes based on what you see, you're always evaluating adoption of new technologies that you believe will make you more secure and drive more efficacy."

"We're still using [the buckets] - there's nothing inherently insecure about AWS buckets. It's a matter of making sure that you have the right technologies, policies and enforcement in place."

"We, like many others, have a strong degree of confidence in leveraging the cloud to provide not only scalable services but scalable services securely. I think that model is very proven."

"Companies like ours… are going to have a perpetual target on our backs by virtue of the fact that we store sensitive information, so whether it's LastPass or potentially others… we think that security is a critical part of our offering, not just to our customers but securing the data itself and that requires not just the investments that we've been making over the course of the last 12 months but investments that will continue to the future." 

"It’s clearly important, even this incident aside, to make sure organizations like us have a significant and sustained investment in security, which as I mentioned earlier, is a space that continuously evolves, both on the attacker and the protection side." 

Winning back trust

In terms of winning back trust from customers, Toubba outlined the company's strategy:

"There's a number of things that we've done. Obviously, it started with the blog around posting a lot of the technical details and information of the incident itself… secondly, how we responded to the incident, what we did, and what the timeline looks like. And then thirdly, what the roadmap, if you will, is to the future, both in terms of ensuring the product is secure, but also the infrastructure and the associated policies. 

"We we also posted a lot of information on lastpass.com trust center, which is the place where we put information about our policies, the work that we're doing in security, any changes that we made and any incremental investment that we make within security." 

"We've also spent a fair bit of time doing customer outreach, having conversations with customers, spending a fair bit of time with them, reevaluating and ensuring that the configuration of the platform meets both our and their security standards and policies." 

"And then lastly, the other way obviously to gain confidence is to lean back forward into making a series of investments in the platform itself, not just from a security perspective but from functionality perspective."

"So, developing new capabilities and features, in addition to the investments were making security, are both critical parts of signaling to the broader market but also to our existing customer base about the investment that we're making in the future of the company and for them." 

"There's [also] a number of things that we will be announcing through the balance of the year."

Lessons learnt

It seems that for Toubba, one of the most regrettable aspects of the incident was the way in which LastPass handled its communication with both its customers and the media:

"In the moment, we really sort of focused on the incident itself and the technicalities of the incident and ensuring that we could quickly respond." 

"I think in retrospect, one of the things we didn't do a good job at was consistent communications; we waited quite a while - I've had many conversations and probably spent time speaking to well over 200 customers by now - and I heard directly from customers that they would have liked to have seen more consistent updates, even if the update was, ‘we don't have an update right now’, just to stay in touch with the market, so that's certainly less to learnt." 

"I've talked to others in the press much like yourselves and and I know at the moment in time we were not ready to have any comments… it may have been perceived a particular way - it was not a disrespect at the time; we were really focused largely on not just the technicalities of the incident, but really maniacally focused on one thing and one thing only, and that's: ‘how do we ensure that we communicate both internally and to our customers?’" 

"And so [the] press was not a priority for us at the time; candidly, it’s one of the reasons we're doing outreach now to ensure that we give [the press] the opportunity to ask questions."

"We… made some changes to the communication structure and the communication leadership within the team, brought in people to the organization that were better prepared, generally speaking, relative to how we do communication strategy at scale." 

• Here are the best business password manager options for your firm

A number of LastPass users have reported struggling to access their accounts due to security upgrades from the company.

The issues began in May 2023, when the password manager announced some upcoming changes and warned users that they would have to log back into their accounts and reset their multi-factor authentication (MFA).

However, many users have reported being locked out of their accounts even after resetting their codes on their authenticator apps, such as Google Authenticator or even LastPass' very own.

Lock-out

To make matters worse, affected users can't even access LastPass support, since this requires logging in too. Instead, they are prompted to reset their authentication app over and over in the client, as the system fails to recognize the new codes users have set up as instructed. 

As expected, users have been taking to Twitter and the LastPass community forum to vent their frustrations. 

LastPass said that in-app messages and emails were sent out notifying customers to reset their MFA well in advance of the actual announcement to the security upgrades.

The company has since clarified what the security upgrades actually entail. It has now strengthened its Password-Based Key Derivation Function (PBKDF2), an algorithm "that makes it difficult for a computer to check that any 1 password is the correct master password during a compromising attack."

The default minimum number of passwords iterations post-upgrade is now 600,000. In order to carry out this upgrade, LastPass says it was necessary to log users out of their accounts and require them to reset their MFA.

"You must log in to the LastPass website in your browser and re-enroll your MFA application before you can access LastPass on your mobile device again. You cannot re-enroll using the LastPass browser extension or the LastPass Password Manager app," it further added.

LastPass was previously featured on our list of the best password manager solutions, but since users' vaults were stolen via a series of breaches at the company, we took the decision to remove it. 

The vaults were encrypted, and there was no indication that the threat actors managed to crack them - only if they managed to guess your master password could they gain access. However, other personal data that were stolen from customers, such as contact and billing information, were not encrypted.  

• Here are the best business password managers

Password managers remain popular. One of the most used, the multi-platform LastPass, offers many great features and tools. However, recent security leaks might have you looking for another solution. 

Currently, LastPass is used by 100,000 businesses and 33 million individuals to safeguard their passwords. Nevertheless, it is crucial to acknowledge that all password managers are susceptible to security risks.

Regrettably, LastPass has been linked to several breaches in recent years. The latest occurred in November 2022 and involved the leaking of various forms of user data, including billing information. 

Since the breach, many security experts have suggested users look into alternative solutions.

Luckily, there are a lot of LastPass alternatives on the market, and each is one of the best password managers of the year. Better still, a few of these are the best free password managers.

You might also be interested in the best antivirus software and best internet security suites.

The best LastPass alternative of 2026 in full:

Best password manager overall

Dashlane is a comprehensive password manager that offers top-notch features. It also functions as a digital wallet and is compatible with various platforms such as Windows, macOS, iOS, and Android. Unlike many password managers, Dashlane is available at various pricing tiers (for businesses and personal use), including a free version with limited tools.  Each new account comes with a free 30-day premium subscription. 

Although no password manager is 100% secure, it's important to note Dashlane has never been breached. Additionally, Dashlane is the only US-patented password manager, using military-grade AES 256-bit encryption and its patented technology.

Dashlane features include: 

• Password generator: This tool lets you quickly create strong, random passwords for your accounts. You can request passwords based on website guidelines. For example, certain websites want numbers, letters, and symbols, while others only allow letters and numbers. 
• Two-factor authentication: This form of authentication adds another layer of security and has become an important tool for many. When activated, you must use two login options before using the software on a new device. 
• VPN: With a Virtual Private Network, you can better protect yourself online by encrypting your internet traffic through an external server. 
• Password sharing: You can easily share your username/password information with others. 
• Dark web monitoring: You can add up to five emails for Dashlane to monitor whether your information is on the dark web. 

As a product, Dashlane has few equals. Pricing is the one negative that might hold you back. Especially on the business side, subscriptions can be expensive. 

Read our full DashLane review.

• ^ Back to the top

Best password manager for security

Perhaps not as well known as the company's NordVPN offering, the NordPass password manager is still an excellent option. It is compatible with all major platforms and allows for storing, organizing, and managing your passwords securely.

Catering to personal and business needs, its subscription plans include free and paid options. Our thorough review of NordPass noted that its interface is intuitive, and its security features are top-notch.

Like Dashlane, NordPass includes two-factor authentication, a password generator and autofill, data breach monitoring, and more. And yes, you can add a NordPass subscription to one for NordVPN. 

The widely respected XChaCha20 encryption algorithm is utilized, and it is a preferred choice for reputable companies such as Google and Cloudflare. It offers up to 256-bit encryption and is considered by some as a more future-proof solution than the commonly used AES-256 encryption in other applications.

Read our full NordPass review.

• ^ Back to the top

Best password manager for SMEs

Keeper is an excellent choice if you're searching for a reliable password manager that works on multiple platforms. It offers top-notch security protocols, mainstream features, and an advanced and user-friendly design. Although personal and family subscriptions are available, Keeper primarily focuses on serving the needs of businesses.

This product boasts impressive security credentials, including a zero-knowledge design, top-notch security auditing, cutting-edge encryption, and many other features. It also provides powerful admin tools, convenient sharing options, and remote access. You can also enjoy features like dark web monitoring, breached password alerts, shared folders, and password sharing.

However, Keeper doesn't have a free option. Despite this, its pricing is still competitive and often offers additional discounts.

Encryption is done on the fly and at the device level, with AES 256-bit and PBKDF2 encryption, so no readable information is ever kept on Keeper’s servers.

Read our full Keeper review.

• ^ Back to the top

Best password manager for features

Are you familiar with the LogMeOnce password manager? It's a top-notch choice for personal and business purposes, with impressive cross-platform compatibility, advanced security features, and login methods. Moreover, its free version is highly practical, offering comparable features to those that other companies typically charge for, such as unlimited passwords and device sync. However, the free version does include ads.

According to TechRadar, LogMeOnce is among the best password management programs available. It's reasonably priced, packed with advanced tools for business users, and supported by a range of powerful features. It also boasts a tidy user interface and works seamlessly with various web browsers, devices, and operating systems.

LogMeOnce offers top-notch security features, such as AES-256-bit encryption that complies with NIST guidelines and secure communication with the LogMeOnce server via SSL/TSL encrypted tunnel communication. What sets LogMeOnce apart is its collection of patented and copyrighted tools that provide added protection for your confidential information.

Read our full LogMeOnce review.

• ^ Back to the top

Best password manager for families

If you're looking for reliable password protection, 1Password is one of the best choices. It's known for its reasonable pricing, user-friendly interface, and extensive features. So whether you need it for personal or business use, 1Password covers you. It even offers family packages, one of the first in the market. 

With 1Password, you can easily sync your data across various platforms, such as Windows, macOS, Linux, Android, and iOS. There's even a version for Chrome OS. Plus, with a subscription, you get 1 GB of document storage and the peace of mind that deleted passwords are retrievable for up to a year.

To enhance security, 1Password has incorporated Authy and Microsoft Authenticator for two-factor authentication. These are two of the best authenticator apps. Additionally, passwords are safeguarded with Secure Remote Password (SRP) and encrypted with AES 256-bit encryption, providing extra layers of credential authentication.

Read our full 1Password review.

• ^ Back to the top

Best free password manager

If you’re searching for a password manager that’s open-source, Bitwarden is worth considering. This freemium manager enables you to securely store confidential data in an encrypted vault, which is accessible across various platforms, including Windows, macOS, and Linux. Additionally, Bitwarden extensions are available on all major browsers, including Chrome, Firefox, Safari, Edge, and more.

Bitwarden is a great option for both individuals and businesses, as it offers many of the same features mentioned above. These include autofill, end-to-end encryption with AES-256 bit security, monitoring of vault health reports, syncing, and more.

Read our full Bitwarden review.

• ^ Back to the top

Get in touch

• Want to find out about commercial or marketing opportunities? Click here
• Out of date info, errors, complaints or broken links? Give us a nudge
• Got a suggestion for a product or service provider? Message us directly

• You've reached the end of the page. Jump back up to the top ^

LastPass is a widely used password manager relied on by 100,000 businesses and 33 million individuals to secure their passwords. While password managers offer convenience, they also come with security risks and it's crucial to carefully consider the benefits and risks before adopting them in an organization. Poor password policies, lack of control, or even a single user error can result in disastrous consequences. However, in some cases, the very thing people fear most can occur – the password manager itself can be compromised.

The recent LastPass data breach is a cause for huge concern for organizations and individuals who have utilized this password manager. On December 22nd, LastPass revealed that a security incident that they had previously reported on November 30th was actually a massive data breach. The attackers are believed to have used information obtained from an August attack on the company to carry out another attack in November.

Unfortunately, it's not the first time this has happened; on June 15, 2015, LastPass announced that its network had been breached, compromising data such as email addresses, password reminders, and password hashes.

The most recent breach allowed an unauthorized party to access sensitive user account information, including personal information such as usernames, email addresses, phone numbers, names, billing addresses, and IP addresses. Additionally, the breach exposed stored website URLs, which could be used to launch phishing attacks, and stole vault data, including usernames, passwords, secure notes, and form-filled fields. Although this data remains encrypted, if an attacker cracks the master password, they would be able to access all the information stored in the vault. Changing the master password now would not solve the issue, as hackers have a copy of the vault.

For businesses that require employees to use LastPass as part of their official password policy, the risk is obvious. If an attacker cracks or steals an employee's LastPass master password, they will have unrestricted access to the company's most sensitive data.

Overall, this breach highlights several related issues that, when combined, can cause devastating consequences:

• A lack of password best practices: Many end users do not maintain good password hygiene, including password reuse and weak passwords. Unfortunately, 53% of people reuse passwords for both corporate and personal accounts, which means that even if different password managers are used for work and personal purposes, a breach can cause major damage 
• Uncontrolled use of password managers: While not all companies use LastPass, many employees install browser extensions themselves and use password managers for both work and personal credentials. In this case, system administrators cannot enforce password best practices or manage password manager software. In fact, some data shows that 97% of the cloud apps used in the enterprise are cloud shadow IT.

This puts both personal and corporate-managed users at risk, as the breach demonstrates the vulnerability of even well-established password managers. 

What can we do now?

To mitigate the risk posed by the LastPass breach, all users are advised to reset their passwords site-by-site, as simply changing the master password now would not solve the issue. They should also follow best practices for passwords and enable multi-factor authentication (MFA) where possible.

For sysadmins, the following recommendations should be considered:

• Monitor your managed devices for installed plugins, as not all users follow cybersecurity news and may be unaware of the problem.
• Pay particular attention to identifying LastPass installations installed as browser extensions, since they are not detected by most remote monitoring and management (RMM) and endpoint management systems by default. However, it is possible to automate LastPass extensions discovery through scripting, which saves time and effort.
• Adopt a risk-based approach to determine whether LastPass is the best password manager for the organization, or if a different solution is more suitable.
• Implement a password manager that is centrally managed and controlled by the IT team, to enforce strong password policies and prevent password reuse.
• Urge users to turn on multi-factor authentication (MFA) for all of their accounts, including those managed by LastPass, to add an extra layer of security. Ideally, use hardware token-based MFA if the service supports it, or at least app-based MFA, such as Google Authenticator. Avoid SMS-based MFA, as it is less secure and vulnerable to cell phone number hijacking.
• Conduct regular cybersecurity training and awareness campaigns for employees on the importance of using strong passwords and the dangers of reused passwords. If you’ve identified users relying on LastPass outside of the IT control, work with them directly, and articulate the dangers of this practice.
• Emphasize user education on recognizing social engineering attacks. Users need to be aware of the sophisticated methods used by threat actors to steal their master password. Attackers may pose as LastPass, regulatory bodies, or other organizations and deceive users into revealing their credentials. Users should also be mindful that phishing has evolved beyond simple emails and can involve multiple communication channels, including phone calls, SMS, messaging apps, and others
• Collaborate with users to develop good password policies, regularly review and update them to align with current security best practices. 

Conclusion

The LastPass data breach is significant in several ways. First, it serves as a valuable reminder for all of us to rethink password security practices. Second, it shows that even if an attacker initially gains access to a non-sensitive aspect of a company's infrastructure, they can still exploit security vulnerabilities and obtain sensitive customer data that resides in a different but interconnected environment over time. This reminds organizations on the importance of thoroughly examining security weaknesses if a successful attack occurs, in order to prevent future hacks, including taking prompt action to investigate any security incidents and identifying and remediating any security vulnerabilities. 

We've ranked the best business password managers.

LastPass has shared more details about the December data breach that shook the industry, with the attack sounding like it came straight out of a spy movie.

In a security advisory, the password manager said two incidents, seemingly unrelated, which were actually part of a larger campaign. It also said that the threat actors specifically targeted one of four DevOps engineers, further highlighting the sophistication of the entire campaign.

The LastPass investigation concluded that there were two incidents - one that was spotted in August 2022, and one that was spotted in December.

Accessing S3 buckets

The threat actors used the information obtained in the first attack, as well as information from an entirely separate cybersecurity incident, to identify the company's encrypted cloud storage Amazon S3 buckets.

But to access the buckets, they needed decryption keys, which only four LastPass DevOps engineers possessed. So, they targeted one of them, going after a remote code execution vulnerability found in a third-party media software package installed on their private computer. This allowed them to install a keylogger which helped bypass security protections, and then some.

"The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," the company explained.

"The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups."

As the attackers were using valid login information, the company’s cybersecurity team did not identify the activity as malicious. Consequently, the threat actor was lurking in the company’s storage servers for two months. 

Now, post-festum, LastPass said it updated its security posture, and started rotating sensitive credentials and authentication keys and tokens. Furthermore, it regularly revokes certificates, requires extra logging and alerting, and started enforcing tougher security policies.

• These are the best password generators out there

Via: BleepingComputer

Update: Bitwarden recently got in touch with us to share the following: “We always remind users looking for Bitwarden not to rely on search engines when looking for the Bitwarden log in page, but to start with Bitwarden.com. A useful tip for users of the web vault is to bookmark http://vault.bitwarden.com. This eliminates the chances of an imposter site grabbing your attention, which can happen when using a search engine.

“Fortunately, the webpages posing as Bitwarden listed in this article are no longer live, but we take this as an opportunity to further remind our users to always exhibit caution and check hyperlinks carefully when entering their credentials.”

A number of prominent password managers have been spoofed in a new phishing campaigns, with the likes of Bitwarden among those affected, experts have warned.

A very convincing fake of the real Bitwarden website, with the url 'bitwardenlogin.com', appeared as a Google Ads search result, pushing it right to the top when users searched with the phrase 'bitwarden password manager'. 

The domain on the ad was 'appbitwarden.com', which now thankfully appears to have disappeared from Google's results and the site now seemingly shut down. 

Google Ads phishing

Users reported the having come across the phishing ad earlier this week on Reddit and the official Bitwarden forums, voicing their concerns over how similar the fake page and url looked to the real one.

One user even noted that a Secure Sockets Layer (SSL) certificate was present on the fake website, which allows for an encrypted connection and is usually taken as a sign of a safe and legitimate website.

Bleeping Computer tried to test the fake page by inputting fake Bitwarden account credentials to see what would happen, and found that "the phishing page will accept credentials and, once submitted, redirect users to the legitimate Bitwarden login page."

However, the phishing site was shut down before it was unable to confirm what would have happened with real credentials - specifically whether it would "attempt to steal MFA-backed session cookies (authentication tokens) like many advanced phishing pages."

It is referring to adversary-in-the-middle (AiTM) phishing attacks, which use proxies to deliver the MFA prompt to the real website, which sends it back to the phishing site, which then proxies this to the user. The process is then repeated again for the actual input of the MFA code, with neither party non the wiser that the authentication process is being intercepted by a bad actor.

The real site then stores a cookie that contains the authentication information for that session. This cookie is stolen by the threat actor so that it can trick the victim again without needing to go through another MFA request. 

Other password managers were also found to be caught up in Google Ads phishing campaigns recently. Security researcher MalwareHunterTeam found the same tactic used to spoof 1Password, another very popular choice of manager. 

Google Ads has been hijacked for various malicious ends aside from phishing scams. Recent stories have found it being used as a launching pad for stealing credentials and breaching business networks via identity theft.

The news follows a recent spate of password manager attacks, most notably LastPass, one of the biggest password managers around, where user vaults were stolen, and the keys used to encrypt them were not guaranteed to be safe either, meaning hackers could potentially see all their passwords. 

Norton LifeLock users also had their password vaults compromised in a credential stuffing attack, and Passwordstate also suffered a security breach.

The best way to protect your password vaults, aside from being cautious of any phishing websites, is to have MFA set up, and to use a strong password. Since this password will have to be committed to memory, as it can't be stored in the vault itself, it is best to use a random string of words that you can remember easily and yet will be too long and lacking significance to be easily cracked by hackers. 

• Here is the best endpoint protection to keep you safe

Another update on the recent LastPass data breach has revealed even more potentially bad news for users of the password manager.

Paddy Srinivasan, CEO of LastPass parent company GoTo revealed in a blog post that the attackers who targeted third-party cloud storage service shared by both firms managed to exfiltrate encrypted backups related to a number of products.

These products include Central, Pro, join.me, Hamachi, and RemotelyAnywhere. 

Encryption key taken 

Besides encrypted backups, the attackers also exfiltrated an encryption key for “a portion” of the encrypted backups, Srinivasan added. 

The data that is now at risk includes account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, and some product settings and licensing information. Credit card or banking details were not affected. Birth dates, home addresses, and Social Security numbers, were also said to be secure, as GoTo doesn’t store any of these. 

Furthermore, a “small subset” of Rescue and GoToMyPC users have had their MFA settings impacted. Encrypted databases, however, were said to not have been taken.

While all of the account passwords were salted and hashed “in accordance with best practices”, GoTo still reset the passwords of affected users, and had them reauthorize MFA settings, where possible. The CEO also said the company is migrating affected accounts onto an enhanced Identity Management Platform to provide additional security and more robust authentication and login-based security options.

The affected customers are being reached out to directly, Srinivasan confirmed. 

LastPass first reported suffering a data breach in November 2022. An initial investigation determined that the hackers managed to steal customer vaults, essentially databases containing all of their passwords. The vaults themselves are encrypted, however, meaning the crooks will not have such an easy time reading their contents. 

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” LastPass CEO Karim Toubba had said. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

• Check out our list of the best ID theft protection solutions right now

You will probably have a situation where you will have to switch password managers, whether for security issues (LastPass), or other reasons. When the time comes, you will probably wonder whether you will have to manually enter all of your passwords or is there an easier way to import all of your data from one password manager to the next? Fortunately for you and all of us, most modern password managers allow you to download your password vault, which you can upload to a new system and be set. 

There is, however, also the need to get acquainted with the new password manager to which you’re looking to switch to. This can be somewhat challenging if you spent a lot of time with your previous password manager. Moreover, it is important to consider the functionality of a new password manager such as 2FA, password generation, and secure sharing of details with colleagues or family members.

Luckily, Keeper, a password manager that we’re considering, has been around for some time, providing all of the necessary features, without compromising on security. And best of all it has not suffered a recent hacking incident which further bolsters its credibility.

Thanks to this step-by-step guide, you’ll find out how to migrate all your data (including passwords, folders, and secure notes) from LastPass to Keeper in just a couple of clicks. 

Now, let’s get things started by exporting your passwords and other data from LastPass.

Export your passwords from LastPass

Although you might be in the mood for deleting your old LastPass account, don’t do it until you’ve exported your LastPass passwords to your new password manager. If you delete your LastPass account before exporting a CSV file with all your vault data, you run the risk of being locked out of your account and your vault data being wiped out with it. 

Next, make sure that you’re using a secure personal computer. After all, you’ll be exporting/importing your sensitive data via CSV file, and not using a secure device could compromise your security and leave your data unprotected against cyber-criminals. 

Also, if you’re using any backup software, turn it off until the exporting/importing processes are complete. If you don’t, your unencrypted export file will get backed up.

Before we start we should mention that there are two ways in which you can export your passwords from LastPass: via the browser extension and LastPass web vault. However, the latter method is more straightforward, so we’re going to take advantage of it.

1. Log in to your LastPass account

If you’re doing this via the preferred method - the LastPass web vault - go straight to the official website and log in to your LastPass account. For this, you’ll be asked to surrender your email address and your master password. Once it’s done, tap on the “Log in” button and you’re in. 

At the same time, if you want to do this via the LastPass browser extension go right to your browser and tap on the “Extensions” button - the one on the top right that looks like a puzzle piece. Then, once the dropdown menu appears, select LastPass from the list, and that’s it for now. 

Also, if you’ve enabled multi-factor authentication (MFA) on your account, you’ll have to verify your identity before going any further.

2. Click on “Advanced Options” on the sidebar, then choose “Export”

When you find yourself on your LastPass dashboard, take a look to the left and find “Advanced Options” on the left sidebar - now, click on it. 

Once other options appear to the right, choose the “Export” button and hit it.

3. Enter your master password and download a CSV file with your vault data to your computer

That’s it, you’ve successfully exported your passwords and other data from LastPass

After clicking on the “Export” button, you’ll be taken to another page where you’ll be prompted to enter your master password. Once you do, click on the “Continue” button.

The CSV file titled “lastpass_export.csv” with all your vault data will be automatically saved to your computer, so go and check where it is. Also, make sure the file has the correct CSV extension since it can’t be used without one.

Import your passwords to Keeper

Before importing your passwords via the CSV file, you’ll first want to make sure the latest version of Keeper is downloaded and installed on your computer.

1. Log in to your Keeper account

To do this, you’ll be asked to supply your email address and your master password. Once you do, click on the “Login” button and wait for a second before you reach Keeper’s dashboard.  

Right off the bat, you’ll be asked to move all your existing passwords into Keeper, and this can be done via Keeper Importing Tool - you’ll have to download it though. However, while this method will capture most of your existing passwords and move them to Keeper in less than a minute, it’s not what we had in mind. 

It’s more convenient and less chaotic to do it stage by stage via a CSV file, so that’s how we’ll do it.

2. Click on your email address and select “Settings”

Once you arrive at your dashboard, click on your email address in the top right corner and select “Settings” on the dropdown menu.

3. Click on the “Import” button and select “LastPass” from the list

First, click on the “Import” button in the bottom left corner, just below the “Export” button. After this, a list of supported web browsers and password managers will appear, so go ahead and select “LastPass”.

4. Drag and drop/browse your CSV file, click on the “Next” and then on the “Import” button

Before importing the CSV file you exported from LastPass moments ago, it’s smart to check if everything looks alright. 

Also, if you want to import your passwords and other vault data into the shared folder, you can checkmark that option in the bottom left corner. Then, click on the “Import” button and wrap everything up.

As soon as the importing process is complete, you’ll receive the message above.

At last, let’s delete your LastPass account and any installed apps

Then, click on yet another “Delete Account” button, enter your master password, confirm your choice, and wave goodbye to your old LastPass account. After this, locate all LastPass apps you’ve installed, and do the same with them.

To do this, go back to your LastPass dashboard, and select “Account Settings”. Once a new window pops up, choose “My Account” and then opt for the “Delete or Reset Account” option. 

• Check out our list for the best password managers

If you’ve been losing sleep over the security of your passwords and other sensitive data with LastPass, it’s time to leave it for a more secure password manager like LogMeOnce. After all, when it comes to choosing a password manager, security should be your top concern.

Unlike LastPass, LogMeOnce has never been hacked and has a solid security track record clean from serious security vulnerabilities. What’s more, LogMeOnce’s vulnerability disclosure policy provides users who find security weaknesses in its password manager with a modest monetary reward.

Besides being superbly secure, LogMeOnce is one of the best password managers in terms of additional and advanced features. With it, you’ll be able to use QR code logins, biometric authentication, cloud storage encryption, a strong password generator, a dark web scanner, and much more. 

Alright, now that we know why you should leave LastPass behind and move your passwords to LogMeOnce, let’s find out what’s the simplest and most secure way to do it. 

Since adding your passwords one by one would take ages, the smartest strategy is to shift all your passwords at once by utilizing LogMeOnce’s importing capabilities. So, here’s a step-by-step guide you’ve been waiting for. 

First, you’ll want to export your passwords and other vault data from LastPass.

Export your passwords from LastPass

Before you export your passwords from LastPass, there are a few things you should take care of first. 

For the sake of your online security, make sure that you’re using a secure personal computer. Remember, you’ll be exporting and then importing your sensitive data via CSV file, so using an unsecured device could weaken your security and leave your data vulnerable.

If you’re currently using any backup software, switch it off until the whole process is complete. Otherwise, an unencrypted export file with all your vault data will get backed up.

 As for the exporting itself, there are two main methods you can use - via the LastPass browser extension or LastPass’ official website. However, since the latter one is less complicated, we’re going to utilize that one - and we suggest you use the same method.

1. Log in to your LastPass account

To log in to your LastPass account you’ll be asked to supply your email address and your master password. Once you do, tap on the “Log in” button and prepare for the next step. 

However, if you insist on using the LastPass browser extension, go back to your web browser and click on the “Extensions” button at the top right - it has the look of a puzzle piece. Then, pick out LastPass on the dropdown menu, and that’s it. 

If you’ve enabled multi-factor authentication (MFA) for your LastPass account, you’ll be asked to verify your identity before you can continue. This also applies to your LogMeOnce account.

2. Click on “Advanced Options” on the sidebar, then choose “Export”

As soon as you log in to your LastPass, you’ll be brought to your dashboard. Here, take a look at the left sidebar and select “Advanced Options” on it. Once other options show up, click on the “Export” button.

3. Enter your master password and download a new CSV file to your computer

Tapping the “Export” button will take you to another page where you’ll be prompted to re-enter your master password. Once you do, click on the “Continue” button.

A new CSV file with all your vault data will be automatically saved to your computer - it should be titled “lastpass_export.csv”, so check it out and make sure it has the correct extension.   

That’s it, your passwords and other vault data have been securely exported from LastPass.

Now, let’s see how you can import it to your new password manager.

Import your passwords to LogMeOnce

Before making any moves, make sure you have the latest version of LogMeOnce installed on your computer and that it works as it should.

1. Log in to your LogMeOnce account

First, log in to your LogMeOnce account. Like with LastPass, you’ll be asked to provide your email address and your master password. 

However, unlike LastPass and other popular password managers, LogMeOnce doesn’t require its users to rely on a master password to access their accounts. Instead, they can utilize one of the available MFA methods including selfie-2FA, QR login, and fingerprint login. 

Now, let’s continue with the next step.

2. Select “Password Manager” on the left sidebar and then click on the “Import Passwords” button

Once you arrive at your LogMeOnce dashboard, search for the “Password Manager” option on the left sidebar menu and click on it. This will cause two new options to crop up in the center of the screen - “Add App” and “Import Passwords” - so, click on the second one.

3. Select “LastPass” from the list of supported platforms

Now, you’ll be asked to select a source from which you’ll be importing your passwords and other data. So, go ahead and pick out “LastPass” from the rather lengthy list.

4. Open the CSV file exported from LastPass and click on the “Import Apps” button

While you’ll be offered two importing methods, let’s stick with the one including a CSV file for the sake of simplicity. So, click on the “Click to Open” button and open the CSV file you exported from LastPass minutes ago. 

Then, confirm your choice by clicking on the “Import Apps” button. Before doing so, you can uncheck any password you don’t want to import.

Alternatively, you can directly import your passwords from LastPass to LogMeOnce by providing your LastPass username and master password, and then clicking on the “Connect to LastPass” button. However, if you’ve already deleted your LastPass account, this method won’t be available. 

It’s as simple as that, you’ve successfully exported your LastPass passwords to LogMeOnce.

Now, it’s time to delete your LastPass account

If you haven’t deleted your old LastPass account already, it’s about time to do so. So, go back to your LastPass dashboard and go to “Account Settings”. Once a new window pops up, select “My Account” and then opt for the “Delete or Reset Account” option.

This will open yet another window with yet another “Delete Account” button, so go ahead and click on it. After this, enter your master password, confirm your choice, and say goodbye to your old LastPass account. 

To tie up loose ends, uninstall any LastPass apps you have installed - desktop apps and web browser extensions alike.

• Check out our list for the best password managers

LastPass, with its user base of over 10 million, faced a setback following the 2023 security breaches where encrypted password vaults were compromised. This incident likely led many users to consider switching to a different password manager. Transitioning from LastPass to another service is a standardized process, regardless of the quantity of passwords, forms, secure notes, or other data stored. Fortunately, this process isn't complicated. While the idea of switching password managers might initially seem daunting, in reality, it's quite straightforward.

Bitwarden emerges as a possible substitute for LastPass, as it offers a user-friendly solution for teams and enterprises to securely share passwords among colleagues. It helps in mitigating cybersecurity risks through the enforcement of robust password policies across the workforce, complemented by activity tracking via audit logs. The platform integrates smoothly with your current security setup, including support for SSO and directory services. Moreover, Bitwarden is constantly audited to ensure that it keeps improving and safeguarding your data. Equally important, no recent hacks or breaches that involve Bitwarden were reported.

And if you’re working on a tight budget, Bitwarden is a more budget-friendly option than LastPass too.

So, if you’re sure you want to switch to Bitwarden, here’s how you can securely transfer your LastPass passwords to it.

Export your passwords from LastPass

For this to work, you’ll want to make sure to have accounts for both LastPass and Bitwarden - however, installing the apps themselves isn’t essential. After all, you can export your data directly via web versions of these tools. 

However, before you tackle password exporting, ensure that the computer you’ll be using is secure enough. The safest strategy is to utilize your personal computer since you’ll be exporting (and later importing) your sensitive data via CSV file. If not, you could seriously compromise your online security and let your data fall into the hands of cybercriminals. 

Also, if you’re using any backup software, switch it off straight away. Of course, once the exporting/importing process is complete, you can switch it on again - just don’t forget to delete the CSV file from your computer before that. 

While you can export your passwords via both LastPass browser extensions and LastPass’ official website, we’ll apply the latter approach since it’s somewhat simpler.

1. Log in to your LastPass account

For starters, log in to your LastPass account - you can’t do anything without it. If you’re using LastPass’ official website, you’ll be asked to provide your email address and your master password. After this, tap on the “Log in” button - like many times before. 

However, if you want to do this via the LastPass browser extension, go straight to your browser and click on the button that looks like a puzzle piece. Once the dropdown menu appears, pick LastPass from the list, and that’s it.

2. Click on “Advanced Options” on the sidebar, then choose “Export”

Take a look at the left side of LastPass dashboard and select the “Advanced Options”  button on it. As suggested, this will open a few more options, so go ahead and click on the “Export” button - there’s no way to miss it.

3. Enter your master password and download a new CSV file to your computer

After tapping the “Export” button, you’ll be prompted to enter your master password, so go ahead and do it. Once you’re done, click on the “Continue” button.

Automatically, a CSV file titled “lastpass_export.csv” with all your data will be saved to your computer - take note of where it is since you’ll need to use it soon enough. 

That’s it, your passwords and other data have been securely exported from LastPass.

Import your passwords to Bitwarden

While there are two main methods you can use to import your passwords to Bitwarden - standard import via CSV file and importing via a command-line interface (CLI), we’ll cover the former in detail as it’s something all users can utilize.

As for all tech-savvy users out there, you can use the following command:

 “bw import ”

After this, since “bw import” requires a format (you can use “bw import --formats” to get a list of formats), and a path, you’ll want to do something like this:

“bw import lastpasscsv/Users/myaccount/Documents/mydata.csv”

Also, don’t forget to delete the CSV file from your computer after you’re done.

1. Sign in / log in to your Bitwarden account

As expected, you’ll be asked to provide your email address and master password to access your Bitwarden account. If you’ve enabled a master password hint, here’s where you’ll get it.  

Before being allowed to access Bitwarden’s dashboard, you’ll have to prove you’re not a robot (even if you are), and you’ll do this by check-marking the statement that says so and verifying your email address.  

After this, you’ll end up at Bitwarden’s old-fashioned yet fairly intuitive dashboard.

2. Select “Tools” on the top menu, then click on “Import Data”

First, find “Tools” on the top menu - click on it - and then choose “Import Data” from the left sidebar menu - it stands between the password generator and the option to export your vault data.

3. Pick out “LastPass (CSV)” from the list of supported file formats

While the list of supported platforms is pretty lengthy, you’ll see LastPass among the top ten password managers, so go on and select it.

4. Select the “lastpass_export.csv” file you’ve exported earlier and hit the “Import data” button

Although you can do this in two ways, the one illustrated above is more advisable. Alternatively, you could copy/paste the content of the CSV file, and then hit the “Import data” button. 

If everything went well, you’ll soon see the list of imported items on your dashboard, in the “Vault items” section. Here, you can add attachments to items, clone them, move them, or delete them from your vault.

Also, Bitwarden won’t let you know if you’ve successfully imported your passwords - only if something went wrong - so, it’s smart to check out your items before deleting the CVS file, just to be on the safe side.

Since Bitwarden isn’t as polished as other popular password managers, two types of error might occur in the middle of the import - a length-related import error and a so-called maximum collections error. 

If you’re one of the unlucky few, go straight to Bitwarden’s knowledgebase as there are some solid step-by-step guides on solving these errors.

Now, delete your old LastPass account and all app you’ve installed

To do this, return to your LastPass dashboard, and go to “Account Settings”. Once a new window pops up, select “My Account” and then opt for the “Delete or Reset Account” option. 

This will cause yet another window to pop up and it contains yet another “Delete Account” button - so, click on it. 

Now, enter your master password, confirm your choice, and say goodbye to LastPass. After this, go ahead and delete all LastPass apps you’ve installed.

• Check out our list for the best password managers

Switching password managers often comes about when users want enhanced security features or a better pricing option. Meanwhile, as digital security becomes increasingly more important in our lives, users flock to user-friendly tools that help them protect their sensitive information.

Password managers, serving as digital vaults for passwords and other sensitive data have evolved rapidly, offering a diverse feature set from two-factor authentication to password sharing, and more. This rapid evolution leads users to often reevaluate their choices while searching for optimal protection, reliability, integrity and advanced features. 

The process of migrating to a new password manager however can be a daunting task. It involves exposing your encrypted passwords and importing them into another program.  Understanding the intricacies of this process is essential, not only to ensure a smooth transition but also to ensure that no data is lost or compromised during the transfer.

So, if you want to try out RoboForm, here’s how you can securely export your LastPass passwords and other data to it.

Export your passwords from LastPass

To shift your passwords from LastPass to your new password manager, you’ll have to export them first. Fortunately, LastPass makes this process as simple as it can be - that is if you’re using a computer. Doing it via smartphone or tablet is not as simple, but still very workable.

In either case, make sure that you’re using a secure personal computer or mobile device. You’ll be exporting and importing your sensitive data via CSV file and you wouldn’t want to compromise your online security and leave your sensitive data vulnerable.

To stay extra safe, if you’re using any backup software, turn it off until this process is complete. If you don’t, your unencrypted export file could get backed up.

We should also note that LastPass doesn’t support exporting time-based one-time password (TOTP) codes.

1. Log in to your LastPass account

For logging in to your LastPass account via the official site you’ll be asked to supply your email address and your master password. Once you’re done, tap on the “Log in” button and that’s it.

However, if you want to do this via the browser extension, go back to your browser and click on the “Extensions” button at the top right - the one that resembles a puzzle piece. This will trigger the dropdown menu, so pick out LastPass from the list.

If you’ve allowed multifactor authentication (MFA) for your account, you’ll have to verify your identity before going any further.

2. Click on “Advanced Options” on the sidebar, then choose “Export”

Once you’re signed in, you should find yourself on the LastPass dashboard in a matter of seconds. So, take a look at the left sidebar and select “Advanced Options” on it. 

Then shift your gaze to the “Export” button to the right, and click right on it.

3. Enter your master password and download a CSV file with your data to your computer

After clicking on the “Export” button, you’ll be prompted to enter your master password. Do this, and then click on the “Continue” button.

A CSV file called “lastpass_export.csv” containing all your vault data will be automatically saved to your computer, so go ahead and check where it is. You’ll want to use it shortly.

Also, make sure the file has the CSV extension since you can’t use it without one.

Import your passwords to RoboForm

Before importing your passwords from the CSV file, you’ll first want to make sure you have the up-to-date version of RoboForm downloaded and installed on your computer.

1. Log in to your RoboForm account

Like the other password managers, RoboForm will ask you to supply your email address and your master password to log in. Once you’re done, click on the “Log in” button.

2. Click on your account's email at the top right, then select “Import” from the dropdown menu

To kick things off, find your account's email in the top-right corner, click on it, and then choose the “Import” option. This will open another window.

3. Choose LastPass from the list of supported imports

After choosing the “Import” option, you’ll get to select where you want to import your data from, so pick out LastPass from the list.

4. Click on the “Import from File” button, then open your CSV file

Now, RoboForm will provide you with a short step-by-step guide on exporting and importing CSV files - you can skip it since you’re using a superior, more in-depth guide. So, just click on the “Import from File” button. After this, select the CSV file you’ve previously saved to your computer and press “Open”.

In an instant, RoboForm will import all your passwords (and other data) and let you easily inspect everything on your dashboard. If you got the message above - good job - your passwords are now stored with RoboForm.

In the end, don’t forget to delete the CSV file - after all, it contains unencrypted data you don’t want to see fall into the wrong hands. Also, don’t send your CSV file to anyone, and don’t upload it to the internet for whatever reason.

Lastly, let’s delete your LastPass account and any installed apps

In conclusion, transferring your digital credentials from LastPass to another password manager and ensuring a smooth transition is a significant step towards maintaining your online security. By carefully exporting and importing your passwords, you've taken control of your digital identity and chosen a tool that aligns with your current needs and expectations. It's crucial to remember that this is not just a one-time task, but part of an ongoing commitment to your digital health. 

As you proceed to delete your LastPass account and any related apps, you're not only tidying up your digital footprint but also safeguarding against potential security vulnerabilities associated with unused accounts. This guide has hopefully made the process less intimidating and more accessible. Remember, staying proactive about your digital security is a continuous journey, and adapting to new tools and practices is a key part of that journey. Stay vigilant, stay informed, and keep your digital life securely managed with the right tools at your disposal.

• Check out our list for the best password managers

Norton LifeLock has announced that a large number customer accounts have been affected by a breach.

A customer notice from Gen Digital, Norton's parent company, claimed that the breach was likely the result of a credential stuffing attack, where threat actors use lists of previously exposed passwords to hack into numerous accounts used by victims, on the presumption that they will have used the same password for multiple services. 

On December 12 2022, Gen Digital said that it received a large number of failed login attempts, tipping it off to the attack. It believes that compromised accounts dated back to December 1.

Passwords at risk

Given the fact that many admit to reusing the same passwords for various accounts, these attacks can be quite effective. 

The notices were sent to over 6,000 customers whose accounts had been hacked. Gen Digital stated that hackers may have ascertained personal information from hacking into customer accounts, such as names, phone numbers and addresses. Passwords stored using the password manager feature may also have been accessed, with Gen Digital cautioning this could not be ruled out.

LifeLock is an identify theft protection platform by Norton, the company best known for its once market leading antivirus software. It also comes bundled with the company's security suite Norton 360. 

As Gen Digital itself recommends, multi-factor authentication is essential for keeping safe, by making sure it is actually you who is trying to access your account. It works by sending a verification prompt or code to another one of your devices, such as your smartphone, via SMS or a dedicated authenticator app, when a login is attempted on your account. 

LifeLock's password manager isn't alone in suffering a potential breach. LastPass has been having a torrid time since its customer's password vaults were stolen last year, despite assuring customers that the passwords remained encrypted.

• For optimum security, you should consider using the best firewall

Are you ready to leave LastPass and wondering how to export your passwords to NordPass? Well, you probably wouldn’t be here if you weren't, so let’s get down to work.

Although LastPass was loved by many and treated as one of the top password managers in the industry for over a decade, its latest security breaches have left a terrible stain on its track record. So, like many, you were probably searching for a more trustworthy password manager when you stumbled upon NordPass - after all, NordPass has never been breached. 

Not only is it a more secure choice than LastPass, but NordPass is also one of the most popular password managers known for its pocket-friendly yet feature-rich plans. Plus, even if we focus on freebies, NordPass’ freemium edition is less limiting than one LastPass offers. For starters, it doesn’t restrict you from using its app on multiple devices - however, you still can’t stay logged in while switching between them.

Also, like all the best password managers, NordPass utilizes multiple authentication methods, zero-knowledge architecture, and a strong encryption algorithm to keep all your sensitive information on the safe side. 

So, if you’ve decided to give NordPass a shot, here’s how you can securely export your passwords and other data from LastPass and import it to your new solution.

Export your passwords from LastPass

Before beginning to export your passwords and other data via CSV file, make sure that you’re using a secure device, preferably your personal computer (PC). After all, you wouldn’t want scheming cybercriminals to get hold of your sensitive information. For additional security, if you’re using any backup software, switch it off until this process is complete. This will stop your unencrypted export file from getting backed up. 

Exporting passwords from LastPass can be done via browser extensions or LastPass’ official site and the latter method is a simpler one - that’s why we’re going to use it.

1. Log into your LastPass account

First and foremost, you’ll want to log into your LastPass account. Like many times before, you’ll be asked to surrender your email address and your master password - once you’re done, press the “Log in” button and that’s it.

However, if you want to do this via the LastPass browser extension, it’s slightly less straightforward. You’ll have to go to your browser and click on the “Extensions” button at the top right - the one that looks like a puzzle piece. After this, you’ll want to find “LastPass” on the dropdown menu and press it.

2. Tap on “Advanced Options” on the sidebar, then select “Export”

After you arrive at your LastPass dashboard, start looking for “Advanced Options” on it - it’s on the left sidebar squeezed between the “Account Setting” and “Help” buttons. The next thing you want to do is to tap on the “Export” button - it’s a bit to the right - you can’t miss it.

3. Enter your master password, export your vault data as a CSV file and download it to your computer

As soon as you click on the “Export” button, you’ll be transferred to the next page and asked to enter your master password. Once you do this, click on the “Continue” button.

This will trigger a CSV file titled “lastpass_export.csv” with all your vault data to be automatically saved to your computer. Once the download is complete, go and check if the file has the CSV extension - without it, you won’t be able to import it to another password manager. 

We should also note that LastPass’ export does not include file attachments. So, if you have any, download them before exporting your passwords.

And that's about it, you’ve efficiently exported your passwords and other vault data from LastPass.

Import your passwords to NordPass

While importing passwords into NordPass is surprisingly simple, there are a few things we should point out first. 

First off, NordPass doesn’t import time-based one-time passwords (TOTP), so make sure to store your TOTP secrets somewhere else before exporting. 

Also, addresses and payment cards that contain non-numeric field data (for instance, “one four zero eight” instead of “1408”), can’t be imported, so you’ll have to update this before starting to export your data from LastPass.  

All data stored in your LastPass shared folders will be imported as personal folders in NordPass. Item categories such as SSH keys, bank accounts, and custom items with LastPass will be imported as secure notes to NordPass. 

Now, let’s get on with it.

1. Sign in/log in to your NordPass account

If you have a NordPass account, log in to it right away - and if you don’t, create your new NordPass account. As per usual, you’ll be asked to provide your email address and your master password.

2. Select “All Items” and then click on the “Import Items” button

You’ll find the “All Items” button on the left sidebar, so go ahead and click on it. After this, you’ll get to choose between two options: to “Add items” one by one or to “Import items” via CSV file - opt for the letter one.

3. Pick out LastPass from the list of supported platforms

Here, you can choose between a few web browsers (Chrome, Safari, and Brave included) and a couple of other password managers (such as BitWarden, 1Password, and LastPass) - pick out LastPass from the list. If you don’t see it now, scroll down until you do.

4. Drag and drop/browse the CSV file you’ve exported from LastPass and hit “Import”

Before hitting the “Import” button, take some time to check out all items you’re going to import first. Fortunately, NordPass’ easy-to-use user interface (UI) makes this effortless.

In a couple of seconds you should get the message above - congratulations, you’ve successfully exported your LastPass passwords to NordPass.

Now, let’s say goodbye to your LastPass account

Since you probably don’t plan to use LastPass anymore, it’s best to part ways with your LastPass account and remove any app or browser extension you’ve previously installed. 

For this, you’ll want to go back to your LastPass dashboard, find “Account Settings” (it’s just above “Advanced Options), and press it. 

When a new window pops up, select “My Account” (in the “General” section”) and then opt for the “Delete or Reset Account” option. You’ll have to confirm your choice once again by pressing yet another “Delete Account” button - and that’s it, your LastPass account has become a thing of the past.

• Check out our list for the best password managers

Today’s users have to have unique passwords for each account they use, and often, there are a lot of them. While keeping them in your head is the safest option possible, from a security standpoint, doing so is simply impossible for the majority of us as there are dozens and more accounts we need to log in to. To circumvent this, users sometimes fall back to using one password for all their accounts, which is a very risky gamble. Enter password managers, tools that should help us keep all of our passwords in one secure, encrypted place, protected by a single master password. 

Despite this promise and the fact that most password managers are safe, there are instances of hacking and data breaches inside these companies. Take LastPass, for example, and the security breach that occurred in 2023, which is a reason you may be considering switching password managers. If you’re still using LastPass and wonder whether you will have to manually transfer all of your passwords, worry not.

So, if you wish to upgrade your password manager from LastPass to Dashlane and move your passwords safely from the former to the latter, here’s a step-by-step guide.

Export your passwords from LastPass

Before starting with the first steps, you’ll want to make sure of a few things first. For the sake of your online safety, don’t use anything else than a secure personal computer. After all, you’ll be exporting/importing your sensitive data via CSV file, and doing it via an unsafe device could leave all your data susceptible to cyberattacks. 

To be extra safe, if you’re currently using any backup software, switch it off during the exporting process - you wouldn’t want your unencrypted export file to get backed up.  

Another thing you’ll want to do before you get cracking is to install Dashlane and make sure you have your LastPass app at hand. 

You can export your passwords from LastPass via its browser extension or its official website. While the process is pretty similar, we recommend using the official site as it's more straightforward. 

Now, let’s start with the first step.

1. Log into your LastPass account

To log into your LastPass account, you’ll be asked to enter your email address and your master password. So, do that and then hit the “Log in” button - well, just like you did many times before.   

At the same time, if you wish to do this via the LastPass browser extension, go to your browser and click on the “Extensions” button at the top right, the one that looks like a puzzle piece. It will trigger a dropdown menu to appear, so select LastPass on it. 

Also, if you’ve enabled multi-factor authentication (MFA) on your account, you’ll have to verify your identity first.

2. Click on “Advanced Options” on the sidebar, then select “Export”

Once you arrive at your LastPass dashboard, you’ll want to look at the left sidebar and select “Advanced Options” on it. Then, click on the “Export” button on the right and wait for another page to pop up.

3. Enter your master password and download a new CSV file to your computer

As soon as you arrive, you’ll be asked to enter your master password, so do it. After this, click on the “Continue” button and stick around for a couple of seconds.

A new CSV file titled “lastpass_export.csv” will be automatically saved to your computer - still, double-check if the CSV extension is included. This file should contain all of your vault data, including all your passwords, secure notes, credit card details, and such. 

Once the download is complete, check the  CSV file’s location - you’ll have to use it soon enough. And that’s it, you’ve successfully exported your passwords and other data from LastPass.

Import your passwords to Dashlane

Now that your precious passwords have been exported from LastPass, it's time to transfer them to your new password manager, Dashlane.

1. Sign in / log into your Dashlane account

For starters, if you aren’t logged into your Dashlane account, do it straight away. As with other password managers, you’ll be asked to supply your email address and your master password. Then, tap on the “Log in” button. 

While Dashlane users can choose to stay logged in for 14 days straight, don’t do this if you’re not using a secure computer.

2. Open your Dashlane application and click on “Logins”

Once you make it to Dashlane’s dashboard, click on “Logins” on the left sidebar menu and then on “Import data” in the center of the dashboard. This is the simplest, swiftest, and most secure way to start adding logins to your Dashlane vault.

3. Go to “Select source” and pick out LastPass from the list

After this, you’ll be prompted to select the source you’ll be importing your passwords and other data from. You’ll see LastPass among other platforms on the list, so go ahead and select it. To proceed to the next step, click on the “Get started” button.

4. Select the CSV file you wish to import, first click on “Next” and then on “Import items”

Now you’ll want to upload the CSV file you exported a couple of steps ago. Once this is done, click on the “Next” button and preview the items before importing them. 

Here, you can choose to import specific items as logins, as secure notes, or to skip importing them altogether. Once every item is organized, press the “Import items” button below. Dashlane displays the number of passwords set for transfer, giving you an opportunity to review and modify your selection. This is the moment to deselect any passwords if you change your mind. Ensure that all the passwords you intend to transfer are selected. To initiate the transfer, simply click on the green “Import” button.

If the importing process was successful (and it should be if you’ve completed all the steps above),  you’ll get this message. And that’s it, you’ve exported your LastPass passwords to your new password manager.

Out with the old, in with the new: It’s time to ditch your LastPass account

Keeping in line with good security practices, once you have migrated to Dashlane, you need to securely delete the unencrypted CSV file on your computer.

Now, wave goodbye to your old LastPass account, and don’t look back. To do it, go back to your LastPass dashboard and click on “Account Settings” - it’s above “Advanced Options” you’ve visited before. Once a new window pops up, select “My Account” and then select the “Delete or Reset Account” option.

After this, confirm your choice by clicking on yet another “Delete Account” button. Finally, enter your master password and watch as your LastPass account gets cast into oblivion.

Also, don’t forget to ditch any LastPass apps you have installed, whether a desktop app or a web browser extension.

• Check out our list for the best password managers

If you’re trying to figure out how to transfer your passwords and other information from LastPass to 1Password, you’re at the right place. 

Perhaps the LastPass’ latest security breaches have left you anxious about the safety of your sensitive information. Or it might be the fact that LastPass operates from the core of the Five Eyes (FVEY) alliance which is unfortunate news for your privacy. Or it could be something as simple as steep cost, dated dashboard, or sluggish customer support. 

Whatever your reason, transferring from one password manager to another should be done with complete care. 

Fortunately, you can effortlessly import your passwords into 1Password from all popular web browsers (such as Chrome, Firefox, and Edge), as well as some other password managers (including LastPass, RoboForm, and Dashlane). And if you want to import from other applications, you can always utilize comma-separated values (CSV) file format.

While all popular password managers (1Password included) provides general guidelines on this process, it can get tricky in no time. That’s why we’ve come up with this simple step-by-step guide - to help you successfully transfer your passwords from LastPass to 1Password without compromising your security.

Export your passwords from LastPass

Before making your first movies, make sure that you’re using a secure personal computer. Since you’ll be exporting/importing your sensitive data via CSV file, not using a secure device could compromise your security and leave your data vulnerable. 

Also, if you’re using any backup software, turn it off until this process is complete so your unencrypted export file doesn’t get backed up. 

There are two main methods you can use to export your passwords from LastPass - via the LastPass browser extension or LastPass’ official website.

However, since the process is much the same we’ll combine these two methods into a single how-to and point out any potential differences.

1. Log into your LastPass account

If you’re doing this via LastPass’ official website, go to it and log into your LastPass account. You’ll be asked to supply your email address and your account password. Once it’s done, tap on the “Log in” button, and that’s it.

Meanwhile, if you want to do this via the LastPass browser extension, go straight to your browser and click on the “Extensions” button at the top right - it looks like a puzzle piece. Once the dropdown menu appears, pick out LastPass on the list, and that’s it for this step. 

We should also note that if you’ve allowed multifactor authentication (MFA) for your account, you’ll have to pass that as well.

2. Click on “Advanced Options” in the sidebar, then choose “Export”

As soon as you arrive on your LastPass dashboard, take a look at the left sidebar and select “Advanced Options” on it. 

The next thing you want to do is to click on the “Export” button - you can’t miss it.

3. Enter your master password and download a new CSV file to your computer

Clicking on the “Export” button will take you to another page where you’ll be prompted to enter your master password. After it's done, click on the “Continue” button. 

After this, a CSV file titled “lastpass_export.csv” with all your vault data will be automatically saved to your computer.  

And that’s it, your passwords and other data have been successfully exported from LastPass.

Import your passwords to 1Password

Now it's time to import your precious passwords to your new password manager - 1Password.

1. Sign in / log into your 1Password account

For this, you’ll be asked to provide your email address, your account password, and your Secret Key. 

If you can’t remember your Secret Key, you can find it in your Emergency Kit. It’s a PDF file named “1Password Emergency Kit” that was created and saved to your device when you created your 1Password account in the first place. It contains all your account information.

 2. Click on the “Import” button on the dropdown menu

Once you find yourself on 1Password’s dashboard, find your name in the top right corner and click on the arrow next to it. Among other opinions you’ll see the “Import” button on the dropdown menu - so, go on and select it.

3. Choose LastPass from the list of supported platforms

It’s time to choose the platform from which your passwords are coming - you’ll see a couple of web browsers and password managers to choose from. Fortunately, LastPass is one of them - so, go ahead and click on it.

4. Drag and drop the CSV file you created a bit earlier and click on “Import”

First, choose the vault you want to import your data into - so, the Private or the Shared vault. If you’re importing personal information, you'll probably want to pick out the Private vault.

Then, drag and drop the CSV file you created and tap on the “Import” button above. Alternatively, you can select a CSV file from your computer or copy/paste content from your CSV file.

If the import is successful - and it should be - you’ll get the message above. Beneath it, you have the option to view your imported items. If something went wrong, you’ll have a choice to undo your last import - just click on the “Undo Import” button.  

On the other hand, if everything looks alright, congratulations, you’ve successfully imported your passwords from LastPass to 1Password.

Finally, it’s time to delete your old LastPass account

If you’re not planning to continue using LastPass, the smartest move would be to delete your old LastPass account and do it straight away. 

To do this, go back to your LastPass dashboard and go to “Account Settings” (it’s just above “Advanced Options) and click on it. When a new window pops up, select “My Account” and then opt for the “Delete or Reset Account” option. 

This will open yet another window with yet another “Delete Account” button, and, yes, you’ll have to click on it. At last, enter your master password and confirm your choice - your LastPass account will be deleted after this.

However, you’ll still have to get rid of any LastPass apps you’ve installed, whether the desktop app or web browser extensions - and don’t forget to do this.  

Now, you can say goodbye to LastPass at last and warmly welcome your new password manager - 1Password.

• Check out the best password managers and 1Password vs LastPass: Which one is better?

LastPass has been threatened with legal action following a months-long data breach that began in August 2022 and led to the leak of potentially millions of users' private information.

A statement by the password manager CEO Karim Toubba at that time claimed a lack of evidence that any customer data was at risk, though a leading cybersecurity and forensics firm was deployed. 

A December 2022 notice announced that “an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident”.

LastPass August 2022 leak

According to the class action complaint filed in a Massachusetts court, names, usernames, billing addresses, email addresses, telephone numbers, and even the IP addresses used to access the service were all made available to wrongdoers. 

The final straw in the hat could have been the leak of customers’ vault data, which includes all manner of information ranging from website usernames and passwords to other secure notes and form data.

According to the lawsuit, “LastPass understood and appreciated the value of this Information yet chose to ignore it by failing to invest in adequate data security measures”.

The case’s plaintiff claims to have invested $53,000 in Bitcoin since July 2022, which was later “stolen” several months later, leading to police and FBI reports. 

More recently, Toubba took to the company’s blog to announce that “some source code and technical information were stolen from [LastPass’s] development environment”, leading to an attack on an employee’s account that saw credentials and keys being stolen. The company has since that it is “decommissioning that environment in its entirety and rebuilding a new environment from scratch.”

While the case plaintiff has demanded a jury trial with regards to the leak and their subsequent losses, it remains to be seen what (if any) action shall be taken against LastPass.

• Protect yourself with the best firewalls

With most of us amassing digital accounts all the time, password managers are a useful tool to help take the hassle out of keeping track of every single login and password we have.  

In an exclusive survey of a thousand people, TechRadar Pro found that three-quarters of users have at least one password manager to store our credentials, yet most do not seem overly confident in their abilities to keep these details safe.

A third of those surveyed used a combination of a dedicated manager and one integrated with their browser, while another third used just one of the two. A little over a tenth used two dedicated password managers, and a quarter didn't use any manager at all.

Trust issues

When asked to score their trust in the security of password managers, the results were less than impressive. Six out of ten was the most common score, chosen by 144 people, closely followed by five and seven, chosen by 140 and 136 people respectively.

Perhaps these middling figures can be explained by the recent stories of prominent password managers being hacked, or maybe people are worried about the various privacy issues surrounding behemoths like Apple and Google, both of whom make it hard to resist using their respective proprietary mangers, if you happen to use any of their devices and/ or browsers. 

The results may also reflect the conflicted attitudes people have towards such companies. On the one hand, people may believe that tech giants must be keeping our passwords safe - aside from having the resources to maintain a strong security posture, it would be catastrophic PR for them to have some kind of major breach, given how much they have to lose. 

But on the other, there is plenty of mistrust around how such corporations do business, with the aforementioned privacy issues a real cause for concern for many.

However, analyzing the rest of the scores, more people did pick a rating between eight and ten than one and three - 284 to 215. Also, 110 gave these utilities a perfect ten, and 97 one out of ten.

Splitting the results down the middle, just under half of all respondents (43.6%) rated the trustworthiness of password managers between one and five, and just over half (54.6%) between six and ten.

The results also contradict a previous survey we conducted, where most respondents said they didn't use a password manager. Another survey we conducted also found that most people don't use password generators either - which are integrated with virtually all password managers, but there are standalone versions too. 

These two facts combined perhaps explain why so many people form bad password habits. In fact, there have been various reports on the state of passwords globally, and pretty much all of them arrive at the same conclusion - we need to do better with them.

However, this may be a moot point, given that passwordless systems are increasing in prominence, set to be the new technology securing our digital world. These include biometric systems - such as facial recognition and fingerprint scanners - passkeys and single sign on (SSO) technologies, which are available in many identity management software. 

• See our choice picks for the best business password managers

The data breach incident that hit password manager LastPass earlier this year saw the thieves crooks steal encrypted password vaults belonging customers, the company has confirmed.

The password vault is where people keep their passwords, so should the attackers find a way to decrypt the vaults, they’d be able to read all of the passwords saved in there.

In an update published on the LastPass blog, CEO Karim Toubba said that the threat actors used cloud storage keys stolen from a LastPass employee to access and exfiltrate customer vault data. The data stolen is a combination of encrypted intelligence - password vaults, and unencrypted information - vault-stored web addresses, names, email addresses, phone numbers, and in some cases - billing information.

Master password secure

The good news is that the password vaults are stored in a “proprietary binary format”, meaning that it’s close to impossible to actually read the contents. For that, the attackers would need the customer’s master password, which no one but the user (hopefully) knows. LastPass claims not to know this info. 

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” Toubba said. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Still, the company warned cybercriminals “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took,” which could be a problem if the users created weak and easy-to-guess master passwords. 

For those worried their master password might be cracked, the best thing to do right now would be to change it to something more resilient. If you have reason to believe the contents of your vault might be compromised, then changing the passwords is the only way to stay safe (aside from setting up multi-factor authentication whenever possible). 

• Check out the best firewalls around

Leading password manager LastPass and its affiliate, communications software provider GoTo, has revealed it suffered a breach to its cloud storage infrastructure following a cyberattack in August 2022.

In an update regarding the ongoing incident, the company admits that it has recently detected “unusual activity” within a third-party cloud storage service used by both LastPass and GoTo. 

The results of Lastpass' investigation, signed by LastPass CEO Karim Toubba and involving security experts from Mandiant, showed that someone used the credentials leaked in the incident to gain access to “certain elements” of LastPass’ customer information

Passwords are safe

Toubba did not go into further details about the type of data that was accessed, but he did say that the user passwords were untouched. 

“Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” he said. 

"While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity."

By virtue of being one of the most popular business password managers and generators out there, with over 100,000 businesses relying on it daily, LastPass is no stranger to data breaches committed by cybercriminals.

TechRadar Pro has previously reported that the company confirmed In late September 2022 that the threat actor responsible for the original breach in August lurked for days in its network, before ousted. 

However, the threat actor did not manage to access internal customer data, or encrypted password vaults at the time. LastPass claims that the latest development  has not changed that, owing to its Zero Knowledge architecture.

"Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults," Toubba said at the time. 

The attacker was apparently able to access the company’s Development environment through a developer’s compromised endpoint. 

The investigation and forensics did not manage to determine the exact method used for the initial endpoint compromise, Toubba did say the attackers utilized their persistent access to impersonate the developer after successfully authenticating with multi-factor authentication.

• Here's our list of the best authenticator apps right now

Password management apps are one of the most valuable tools every internet user can get their hands on. They let you keep track of your passwords across dozens of websites and applications and avoid getting locked out of any of your accounts. 

There are endless examples of password manager apps, and one of the most popular is LastPass. It lets you store your passwords and other types of sensitive credentials in a digital vault and retrieve them whenever you want. It’s a freemium tool, meaning it has both free and paid versions.

We want to see how the free and premium tiers of LastPass compare to each other, and this review will let you know which is the best to choose. You can also see our previous LastPass review for more information. 

LastPass Free vs Premium: Features

The free version of LastPass gives you access to the platform’s basic features. You can store passwords in a digital vault and retrieve them whenever you want. However, it’s limited to just one device. You can’t manage your LastPass vault from multiple devices with the free version but only the paid one. 

The free and premium versions of LastPass use the same encryption algorithms (SHA-256 and AES-256) to protect your vault from malicious actors. Because of this encryption, even LastPass employees can not access your data. 

But, there are various security benefits available to premium users but not for those on the free plan. You can't use multi-factor authentication to protect your accounts on the free plan. You also can't use emergency access, which offers a way for trusted persons to access your LastPass account in case of emergencies.

You can share the passwords in your LastPass vault effortlessly with other users. For instance, you can share passwords to your social media accounts with trusted family members or passwords for corporate accounts with your office colleagues. Users on the free plan can only share passwords with one person at a time, while premium users can share with multiple users simultaneously. 

LastPass Free vs Premium: Performance

You can access LastPass through the web interface, mobile app (iOS and Android), or desktop app (Windows, macOS, and Linux). If you’re on the free plan, you can only use LastPass on one device, so you’ll have to choose whether it’s your PC or mobile phone. 

LastPass offers solid performance across its web interface and mobile apps. This password manager always ranks highly when it comes to ease of use. Once you create your vault, you're free to add as many passwords to it as you want. You can also add other types of sensitive information like secure notes, Social Security numbers, credit/debit card numbers, and routing numbers. Afterward, you can join multiple pieces of information to build a profile. Passwords you save on your LastPass vault autofill when you enter a relevant account login page on your web browser.

You may observe a lag in LastPass’s performance if you store too many credentials, think hundreds to thousands. The app may become slow to load and switching between different features take more time.

The free and premium tiers of LastPass don’t have much difference in performance and usability. It’s still the same platform after all.

LastPass Free vs Premium: Support

LastPass offers direct customer support to premium users but not free users. Premium users can contact the platform’s support team through email or telephone, but accessibility depends on what premium plan you subscribe to. Users on the Personal or Family plan can contact the support team by phone but not email, while users on the Business plan can contact through both channels.

It’s not all doom and gloom for free users though. LastPass provides a lot of support resources that any user can take advantage of. On the official support page, you can find comprehensive articles and user guides concerning all aspects of LastPass. These articles help you become familiar with the platform and can solve your challenges without needing to contact the support team directly. 

There's also an official LastPass community forum where you can ask questions and have volunteer members of the community answer them. If you wish, you can also answer questions that other users ask to encourage the free flow of information.

When it comes to customer support, the premium tier of LastPass is much better than the free tier. 

LastPass Free vs Premium: Pricing

The main difference between the free and premium tiers of LastPass is obviously the price. You can use the former without paying a dime but not the latter. LastPass offers different premium plans for personal, family, and corporate use.

The Personal plan costs $3 / £3 / AUD$5 per month and includes all features of the free plan plus advanced ones like access on multiple devices, one-to-many sharing, 1GB of space for secure file storage, and a dedicated security dashboard.

The Family plan for LastPass costs $4 / £4 / AUD$6 per month and covers up to five users. It’s just slightly more expensive than the Personal plan, but yet supports five accounts instead of one. Users on this plan have access to family-oriented features like easy sharing of folders.

LastPass offers two plans for enterprises; Team and Business. The Team plan costs $4 / £4 / AUD$6 per user per month for a maximum of 50 users. The Business plan costs $6 / £6 / AUD$6 per user per month for an unlimited number of users. The difference is that the Business plan includes advanced features like single sign-on and a free Family plan subscription for every user.

Note that if you represent a large organization with hundreds to thousands of employees, you can contact LastPass’s sales team to arrange a plan that includes bulk discounts. There are also some LastPass promo codes available if you take a look.

LastPass Free vs Premium: Verdict

The premium tier of LastPass costs money to use but it’s a much better solution than the free plan. Free users can only access the app on one device and they’re locked out of many advanced security features. There’s also much better customer support for paid users than for free ones. 

If you have the budget, we’ll advise you to choose a premium plan instead of the free one. Otherwise, the free one is still manageable but not the best you can get.

You may also like Keeper vs LastPass: a features comparison.

One of the essential tools for every active internet user is a password manager. They help you keep track of your passwords across dozens of websites and applications and avoid getting locked out of any of your accounts. 

There are virtually unlimited examples of password manager apps, and two well-known ones are Keeper and LastPass. These tools let you store your passwords and other types of sensitive credentials in a digital vault and retrieve them whenever you want.

We want to see how Keeper and LastPass compare to each other. We’ll weigh them based on critical factors like pricing, features, customer support, and performance. You can also see our previous Keeper review and LastPass review for more information. 

Keeper vs LastPass: Features

Keeper lets you store your login details in a digital vault and retrieve them whenever you want. But, it’s not only passwords you can store. You can also keep other types of sensitive data like secure notes and debit/credit card information. Your vault is protected by a master password that you create. Use a combination of letters, symbols, and numbers to create a strong password. 

For extra security, you can enable two-factor authentication on your Keeper account. This way, anytime you want to log in, the app also generates a 10-byte secret key sent to you by SMS or an authentication app, and this key is only valid for one minute. Hence, even if someone gets your master password, they won’t be able to break into your vault.

Similarly, LastPass lets you create a digital vault to store your passwords, and the vault is protected by a master password. After you save your password to a vault, LastPass always remembers it for you and can auto-fill it on account login forms. You can enable two-factor authentication for your LastPass account just as you’d do with Keeper. 

Both platforms offer some extra features to lure users. For instance, LastPass offers a dark web monitoring tool that scans your email addresses against a database of breached credentials to let you know if you’ve been compromised. Keeper offers an encrypted messaging tool to help you communicate with other users securely.

Keeper vs LastPass: Performance

Keeper is accessible via a web interface, a desktop app (Windows, Linux, and macOS), or a mobile app (iOS and Android). There’s also a browser extension that lets you auto-fill passwords on login forms. The apps and web interface offer a pretty good user experience, with features neatly arranged on the left side of the dashboard. Keeper's uncluttered interface makes it easy to switch between different features.

You may observe a lag in Keeper’s performance if you store too many passwords or other credentials, think over a thousand records. But, this varies according to the type of device: higher-end devices get better performance than low-end ones.

Similarly, LastPass offers solid performance across its web app and mobile and desktop apps. The interface looks modern and uncluttered, making it easy to switch between different features. But, you may also observe a lag in LastPass’s performance if you store too many credentials.

Both platforms offer solid performance, but from using them, we consider Keeper the better one in this category, as it felt faster and easier to use. 

Keeper vs LastPass: Support 

You can contact Keeper’s support team through a form available on the official website. The form requires you to provide your email address and telephone number so that Keeper can provide feedback through one of these channels. 

Free users can’t access Keeper’s direct support. But, there’s extensive documentation concerning all aspects of the platform on the official help page and user guides to help you navigate the platform. These are beneficial support resources for every free or paid user.

LastPass offers direct support through email and telephone, but free users can’t access this support. Otherwise, you can access the official help center which contains a plethora of support resources. You can find written articles and guides for all LastPass features. There are also video tutorials that give you a more interactive learning experience.

We consider LastPass the better option in this category because it lets you choose how you’ll contact its support team (phone or email). In contrast, you must fill out an online form to contact Keeper, and it’s the company that decides how to contact you for feedback.

Keeper vs LastPass: Pricing 

Both Keeper and LastPass offer free tiers, but they’re limited to just one device. If you want to store and retrieve your passwords from multiple devices, you must pay for a premium subscription.

Keeper offers different pricing tiers for personal, family, and corporate use. The Personal plan costs $2.92 / £2.70 / AUD$5 per month and offers access to all standard Keeper features. The Family plan costs $6.25 / £6 / AUD$9 per month and covers up to five users. Businesses pay $3.75 / £3.50 / AUD$6 per user per month.

Students get a 50% discount on Keeper’s Personal plan, while military and medical personnel get a 30% discount, which is considerable. It's also worth seeing what other Keeper Security promo codes are currently available. 

Similarly, LastPass offers different plans for personal, family, and corporate use. The personal plan costs $3 / £3 / AUD$5 per month. The family plan costs $4 / £4 / AUD$6 per month and covers up to five users. Businesses with less than 50 personnel pay $4 / £4 / AUD$6 per month per user, while those with a headcount above 50 pay $6 / £6 / AUD$9 monthly per user. There are LastPass promo codes too if you want to see how you can save through them.

Note that if you represent a large organization with hundreds to thousands of employees, you can contact both Keeper and LastPass’s sales team to arrange a custom plan that incorporates bulk discounts.  

Keeper vs LastPass: Verdict

Both Keeper and LastPass are adequate password management platforms for personal, family, and corporate use. They let you store your passwords securely and retrieve them anytime. However, we consider Keeper a superior platform because it has a more comprehensive feature set and offers better pricing and performance. LastPass has better customer support, but that’s that. 

You may also like LastPass Free vs Premium: a features comparison.

Password management apps are one of the most useful tools for active internet users. They let you keep track of your passwords across dozens of websites and applications and avoid getting locked out of any of your accounts. 

There’s an endless list of password management apps available, and two popular examples are KeePass and LastPass. These two platforms let you store passwords and other types of sensitive credentials in a digital vault and retrieve them whenever you want. A master password protects the vaults, so you can always enter the vault if you have the correct details.

We want to see how KeePass and LastPass fare against each other. We’ll compare them based on critical factors like features, pricing, performance, and customer support. You can see our previous LastPass review for more information.  

Features

LastPass lets you create a digital vault to keep your passwords. The vault is protected by a master password that you choose. You should use a combination of symbols, letters, and numbers to create a strong master password. You may also use a passphrase that’s difficult to guess, e.g., “The U.S. is a large country”.

Similarly, KeePass lets you create an encrypted file to store passwords and other sensitive information. This file is protected by a master password or a key file. One major difference between LastPass and KeePass is that you can access the former through a web interface or mobile and desktop apps, while the latter is only accessible from a desktop app.

The KeePass desktop app is only compatible with the Windows operating system. There’s no macOS version, but you can use the Wine emulator to run the Windows app on Linux, Solaris, BSD, or other Unix-like desktop operating systems.

Both KeePass and LastPass store your passwords securely on your local device. However, LastPass also stores encrypted versions of your passwords on the cloud, while KeePass doesn’t. This means you can recover your LastPass passwords if your local storage gets corrupted but not with KeePass. 

KeePass has a unique feature; an ecosystem of plugins and extensions that provide additional features. Examples include a browser extension that retrieves and auto-fills passwords from KeePass and another that imports vaults from other password management apps.

Performance

LastPass is accessible via a web interface and a mobile or desktop app, and it offers solid performance on all platforms. The interface is modern and spacious, letting users switch between features with ease. However, you may observe a slowdown in LastPass’s performance if you store too many credentials, think over a thousand. Too many credentials make the app take longer to load and switch between features, although the experience varies depending on the specifications of your device; higher-end devices experience better speed than lower-end ones. 

We also observed a pattern of customer complaints about the LastPass browser extension on Google Chrome, Microsoft Edge, Firefox, and other supported browsers. The extensions can be slow to load and may slow down other browsing activities.

The KeePass Windows app offers solid performance that user reviews often tout. However, the interface is not as modern and intuitive as LastPass's. KeePass feels more like software from the old times compared to its rival– you're more likely to get confused using KeePass than LastPass.

Support 

You can contact LastPass’s support team through email and telephone, but free users can’t access this support. Otherwise, you can access the official Support Center, which contains a plethora of resources to help LastPass users. 

You can find articles and tutorials covering all aspects of LastPass at the support center. There are video tutorials that give you a more interactive learning experience. There’s also a community forum where you can interact with other LastPass users and seek solutions to challenges you encounter.

KeePass is a free and open-source tool, so it doesn’t have any dedicated support team attending to user requests. But, you can head to the official help center to find tutorials to help you learn about the platform. 

LastPass is the clear winner in this category because it’s the only one with a dedicated support team. It’s also the only one among the two that offers video tutorials to help users learn about the platform. 

Pricing

LastPass has a free tier, but it’s limited to one device. You must pay for a premium plan to make the best use of the platform, and there are separate plans for personal, family, and corporate use.

The personal plan for LastPass costs $3 / £3 / AUD$5 monthly. The family plan costs $4 / £4 / AUD$6 monthly and covers up to five users. Businesses with less than 50 personnel pay $4 per month per LastPass user, while those with a headcount above 50 pay $6 / £6 / AUD$9 monthly per user. But, note that if you represent a large organization with hundreds to thousands of employees, you can contact LastPass’s sales team to work out a custom plan that incorporates a bulk discount. It's worth seeing what LastPass promo codes are currently available too for other discounts.

In contrast, KeePass is a free and open-source tool. You don’t need to pay any dime to use it, which is a great advantage for individual users. Just download the app, and you’re good to go.

Verdict

LastPass and KeePass are both great tools, but we consider LastPass the superior option. For one, it delivers a much better user experience than KeePass. You can access LastPass through a web interface or mobile and desktop apps, while KeePass is only accessible via a desktop app. LastPass also has a much more user-friendly interface than KeePass. 

The main advantage KeePass has over LastPass is that it’s free, but this benefit skews towards individual users. Businesses with adequate IT budgets will be better off paying for LastPass, where you know there’s a dedicated support team to contact if anything goes wrong.  

If you’re on a tight budget, it’s wise to go with a free tool like KeePass but we consider LastPass the best to choose if it’s within your budget. 

We've listed the best business password managers.

A password manager is one of the most valuable tools for every active internet user. It helps you keep track of your accounts across dozens of websites and applications and avoid getting locked out of any of them. 

There are many password managers designed for personal or business use, and two examples are Dashlane and LastPass. These tools let you store your passwords in an encrypted digital vault where you can retrieve them at any time. 

We want to show you how Dashlane and LastPass stack against each other. We’ll compare them based on critical factors like pricing, ease of use, performance, and customer support. After reading this review, you can see our previous Dashlane review and LastPass review for more information.  

Features

Dashlane lets you create a digital vault to store passwords and other types of sensitive credentials such as secure notes and ID cards. The vault is protected by a master password that you’ll assign. Use a mixture of letters, numbers, and symbols to create a strong master password. You may also use a unique passphrase that no one can easily guess, e.g., “Energy prices have shot through the roof”. The digital vault works like a real vault such that you can enter it and retrieve any password if you have the master key. 

You can access Dashlane through the web interface or a mobile app. There’s also a browser extension you can download that lets you auto-fill passwords from your Dashlane vault on different websites with one click. Dashlane used to have a desktop app but discontinued it in 2022.

Similarly, LastPass lets you create a digital vault to store your passwords, and the vault is protected by a master password. You can access LastPass from a web interface or a mobile or desktop app. 

Where LastPass and Dashlane stand out is in the extra features they offer. For instance, LastPass offers a dark web monitoring feature that scans your email addresses against a database of breached credentials and alerts you if you fell victim to any data breach. Dashlane offers a virtual private network (VPN) service to help you browse the web securely.

Performance 

LastPass offers solid performance when using its desktop and mobile apps or web app. The platform's interface is visually-appealing and spacious, which makes it easy to navigate. You'll find all features neatly arranged on the left side of the dashboard, and you can switch between different ones with ease.

However, we observed a pattern of customer complaints about LastPass’s Google Chrome browser extension being slow to load and also slowing down the responsiveness of other websites. We didn't notice similar complaints about the extension on other browsers.

Dashlane also offers solid performance with its web interface or mobile app. However, we observed complaints of the app becoming slow when you store too many credentials, think over a thousand even though people users don’t store up to that amount. Too many credentials increase Dashlane’s load time and, sometimes, the mobile app will crash and restart. 

Overall, LastPass offers better performance than Dashlane. Besides, LastPass offers a desktop app, while Dashlane doesn’t.

Support 

You can contact LastPass's support team via email or telephone. However, free users aren't entitled to this support. There’s an official help page where you can access a plethora of resources to help you navigate the platform. You can find articles to help you recover your passwords, manage account settings, use an authenticator, etc. You can also access video tutorials to give you an interactive learning experience.

Dashlane offers direct support only via email. There’s no option for live chat or telephone. You can also visit the official Dashlane support center to access a comprehensive set of articles and user guides to help you find your way around the platform. 

LastPass offers better customer support than Dashlane. For one, you can contact LastPass’s support team through email and telephone, while Dashlane’s is only available through email. Telephone support queries receive instant feedback, while email means you may wait a few hours or, in some cases, days for feedback.

Likewise, LastPass offers a community forum where users often exchange solutions to each other’s problems, but Dashlane doesn’t. 

Pricing

Both LastPass and Dashlane offer free tier services that anyone can use, but they’re limited to just one device. If you want to access your vault from multiple devices, you’ll have to pay for a premium package.  

Dashlane offers different pricing plans for personal, family, and business use. There are two personal plans; Advanced, which costs $2.75 / £2.75 / AUD$4 per month, and Premium, which costs $3.33 / £3 / AUD$5 per month. The difference is that the latter includes a VPN service. There’s a Friends & Family plan that costs $4.99 / £4.50 / AUD$7.50 per month and covers up to ten users. There are also Dashlane promo codes out there which can help you save more.

For businesses, Dashlane offers three plans; Starter, Team, and Business. Starter costs a flat $20 / £18 / AUD$30 per month for ten accounts. Anything above 10, and you may choose Team, which costs $5 per user per month, or Business, which costs $8 / £8 / AUD$12 per user per month. The Business plan is more expensive because it includes extra security features like single sign-on.

LastPass also offers distinct plans for personal, family, and corporate use. Its premium plan costs $3 / £3 / AUD$5 per month, while its family plan costs $4 / £4 / AUD$6 per month and covers up to six users. Businesses with a headcount of less than 50 pay $4 per user per month, and those with a headcount above 50 pay $6 per user per month. Like Dashlane, there are LastPass promo codes you can look up to save more.

Note that if you represent a large organization with hundreds to thousands of employees, you can contact LastPass’s or Dashlane’s sales team to work out a custom plan that incorporates a bulk discount. 

 LastPass is the more economical solution. 

Verdict

We consider LastPass superior to Dashlane. The former offers better performance and usability than the latter. For instance, LastPass has a desktop app, while Dashlane doesn’t.

LastPass also offers better customer support despite being the more affordable solution. We think people that want to store passwords effectively are better off using LastPass than Dashlane. 

We've listed the best business password managers.

Password management apps are very useful in helping active internet users keep track of their passwords across multiple websites and applications and avoid being locked out of their accounts. 

There are many password managers available, and two popular examples are Bitwarden and LastPass. These examples offer similar functionality, enabling users to store passwords and other types of sensitive information in a digital vault. Yet, we want to see how they compare to each other based on other critical factors like features, pricing, performance, and customer support. You can see our previous Bitwarden review and LastPass review for more information. 

Bitwarden vs LastPass: Features

LastPass and Bitwarden work the same way. You can create a digital vault where you’ll keep passwords and other types of sensitive information. Any time you need to remember a password, you can head to the vault to retrieve it. 

The vault is protected by a master password you create and must input anytime you want to log into it. You should use a mixture of letters, numbers, and symbols to create a strong master password. Alternatively, you can use a passphrase that’ll be hard to guess, e.g., “Aren’t dogs beautiful creatures?”.

Both platforms offer a browser extension that lets you autofill passwords on login forms across different websites. These extensions are available for popular browsers like Google Chrome, Microsoft Edge, Firefox, and Opera. 

Where both platforms differentiate themselves is in the extra features they offer. For instance, Bitwarden offers a tool that allows you to generate strong passwords at the click of a button, passwords to protect your online accounts. LastPass offers a dark web monitoring tool that checks your credentials against a database of hacked credentials and notifies you if you were a victim of a data breach.

You can access both platforms from a web interface or mobile and desktop apps.

Bitwarden vs LastPass: Performance 

LastPass offers solid performance through its web interface or native apps. You can download the apps on a smartphone (iOS or Android) or a desktop (Windows, macOS, and Linux). Once installed, you can add credentials for different websites to your vault with ease. You can also access these credentials at any time.

Note that LastPass’s desktop application allows you to add a maximum of 5,000 items, including passwords, notes, forms, or any other type of sensitive information. Yet, you should expect to see noticeable performance degradation after adding around 2,500 or more items. 

Bitwarden is also accessible through a web interface or native apps for desktops (Windows, macOS, and Linux) and smartphones (iOS and Android). The apps offer a spacious interface that you should find easy to navigate, with features arranged neatly on the left side of the dashboard. 

Just like with LastPass, you may notice a decrease in performance after adding too many items to your Bitwarden vault. The platform doesn’t mention a specific threshold, but user reviews across the web put it at around 2,000 items.  

Bitwarden vs LastPass: Support

LastPass offers customer support through email and telephone but free users can't access this support. Otherwise, there's an official help page with a plethora of articles and user guides to help users get familiar with the platform. There’s also an official support forum where you can interact with other LastPass users and seek solutions to problems you encounter. 

Bitwarden offers customer support through email. There's no option to talk with its support agents via live chat or phone. Otherwise, you can head to the official Bitwarden Help Center for articles and user guides to help you navigate the platform. Just like LastPass, there’s also an official support forum where you can interact with other Bitwarden users and seek solutions to problems you encounter.

LastPass is the winner in this category, as it offers more support options than Bitwarden. You can talk with LastPass’s support team via telephone and get instant help, whereas, with Bitwarden, you have to send an email and wait some hours for feedback.

Bitwarden vs LastPass: Pricing 

Both LastPass and Bitwarden offer a free tier that anyone can use but with limited features.

They offer different paid plans for personal, family, and business use. Bitwarden's personal tier costs $10 / £10 / AUD$15 annually, much less than LastPass's equivalent plan which costs $3 / £3 / AUD$5 per month when paid annually.

Bitwarden’s family plan costs $3.33 / £3 / AUD$5 per month and supports up to six users, while LastPass charges $4 / £4 / AUD$6 per month for the same number of users. 

For corporate use, Bitwarden offers two plans; Teams and Enterprise. The former costs $3 / £3 / AUD$5 per month per user, while the latter costs $5 / £5 / AUD$8 per month per user. The difference is that the latter includes advanced functionalities like single sign-on integration.

Similarly, LastPass offers two different tiers for corporate users. Businesses with less than 50 personnel pay $4 / £4 / AUD$6 per user per month for a LastPass subscription. Those with a headcount above 50 pay $6 / £6 / AUD$9 monthly for each user. Alternatively, see what LastPass promo codes are currently available and how you can save here.

Bitwarden is clearly the more affordable option. But, note that if you represent a large company with hundreds to thousands of employees, you can contact both Bitwarden and LastPass’s sales teams to arrange a custom plan with bulk discounts.  

Bitwarden vs LastPass: Verdict

LastPass and Bitwarden each have their pros and cons against the other. The latter is the more affordable option but offers lesser options for customer support. LastPass is more expensive and offers better customer support, making it more suitable for enterprise users.

Both platforms offers pretty good performance, so there’s no cause to worry in that category. All in, we think Bitwarden is the better option for personal and family use, while LastPass is the better option for corporate use. 

You might also like LastPass Free vs Premium: a features comparison and Keeper vs LastPass: a features comparison.

Despite the vast majority of people - 89% - knowing the risks of reusing the same password, 62% of consumers are still choosing to use repeat passwords, according to new research from LastPass.

In addition, the report found that only 12% of respondents use different passwords for different accounts.

The survey, which explored the password security behaviors of 3,750 professionals across seven countries, quizzed respondents about their mindsets and behaviors surrounding online security.

Who are the worst offenders?

While Gen Z is the most confident regarding their password management, on average describing their password methods to be “very safe”, they are also the biggest offenders in terms of poor password hygiene.

Though Gen Z is most likely to recognize that using the same or similar password for multiple logins is a risk, they use a variation of a single password 69% of the time, alongside Millennials who do this 66% of the time.

In addition, the report found Gen Z is the most likely to create stronger passwords for social media and entertainment accounts, compared to other generations.

On the other hand, Gen Z is the generation most likely to use memorization to keep track of their passwords (51%), with Baby Boomers the least likely to memorize their passwords at 38%.

The report also uncovered generally low levels of confidence when it came to cybersecurity, 70% of the respondents said they were neutral about their cybersecurity fluency, while only 24% are confident and 7% are “not confident”.

In addition, relatively few respondents are taking proper steps to protect themselves from hackers if the report’s findings are to be believed.

Only four-in-ten use multi-factor authentication (MFA), while only 23% use a password manager, and 8% do nothing at all.

“Our latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyberattacks, there continues to be a disconnect for people when it comes to protecting their digital lives,” said Christofer Hoff, Chief Secure Technology Officer for LastPass. 

“The reality is that even though nearly two-thirds of respondents have some form of cybersecurity education, it is not being put into practice for varying reasons.

He added: “For both consumers and businesses, a password manager is a simple step to keep your accounts safe and secure.”

• Interested in upping your personal security? Check out our guide to the best firewall tools

There aren’t many bigger names in password management than LastPass. This hugely popular app is powered by LogMeIn, which is one of the world’s largest SaaS companies, and it’s been around since 2008. Yet, despite its serious business-focused background and impressive credentials, it still serves as a legitimately good proposition for individuals, too.

There are some compelling reasons for LastPass’s enviable success. It’s got good security policies and best-in-class features, including easy sharing and impressive password-generation modules, and it also includes dark web monitoring and biometric login. It’s also among a growing number of password managers to be adding support for passkeys.

It’s certainly not the only app to offer these abilities, though, so LastPass will have to impress if it wants to maintain its place in our round-up of the best password managers as well as best business password managers.

LastPass: Plans and pricing

Unveiling the Latest LastPass Pricing: What's in Store for 2023?

As cybersecurity concerns continue to escalate, the imperative for robust password management solutions has never been more pronounced. LastPass, a leading name in the sector, has adapted its pricing structure in a bid to cater to a wider audience while offering sophisticated security measures. In this blog post, we'll delve into the latest LastPass pricing plans for 2023, examining the offerings and enhancements designed to meet the diverse needs of individual users and businesses alike.

Before we dive into the pricing details, let's briefly overview what LastPass brings to the table. LastPass is a comprehensive password management tool that stores encrypted passwords online. The basic service allows users to store passwords, generate secure passwords, and fill forms automatically. The information is accessible through a master password. LastPass offers various tiers, catering to individual users, families, and businesses, ensuring that there's a solution for every need.

Free Tier: LastPass offers a free version designed for individual users. It provides the basics: access on all devices, password storage, secure notes, and password generation. However, it lacks advanced security features and the ability to share more than a limited number of items.

Premium Tier: Priced at $3 per month (when billed annually), the Premium plan adds dark web monitoring, advanced multi-factor options, and priority tech support to the mix. It's designed for individual users looking for an extra layer of security.

Families Tier: At $4 per month (billed annually), the Families plan covers up to 6 users. It includes all Premium features plus a family dashboard for easy management and shared folders.

Teams Tier: Targeted at smaller teams, this plan costs $4 per user per month (billed annually) and includes all Premium features plus single sign-on for up to 3 applications and basic reporting.

Business Tier: Priced at $7 per user per month (when billed annually), the Business tier is suited for larger organizations. It builds on the Teams tier by adding advanced reporting, single sign-on for unlimited applications, automated user management, and API access for custom integrations.

Enterprise Tier: For enterprises requiring the utmost in security and customization, LastPass offers tailored solutions. Pricing for the Enterprise tier depends on the specific needs and scale of the business, encompassing all Business tier features plus dedicated customer support, advanced security measures, and integration options.

Selecting the appropriate LastPass plan hinges on your specific needs:

Individuals seeking a no-frills password manager might find the Free tier sufficient. However, for those requiring enhanced security features, the Premium tier is a worthwhile upgrade.

Families looking to manage their passwords collectively will benefit significantly from the added flexibility and shared capabilities of the Families tier.

Small businesses and teams can streamline their password management and enhance security with the Teams tier, while larger organizations will find the comprehensive features of the Business and Enterprise tiers indispensable for their operations.

LastPass's revised pricing strategy for 2024 reflects its commitment to providing a secured digital experience for individuals and businesses. By offering a range of plans tailored to different needs and budgets, LastPass ensures that everyone, from individual users to large corporations, can find a solution that meets their security requirements without breaking the bank. As cyber threats evolve, investing in a reliable password manager like LastPass is a step forward in safeguarding your digital identity and assets.

LastPass: Setup

Whether it’s your smartphone, tablet, or computer, setting up LastPass correctly is the cornerstone of enhancing your online security.

Step 1: Creating Your Account

Begin your journey by visiting the LastPass website or downloading the LastPass app from your device’s app store. You'll need to create an account by providing your email address and setting a strong master password. This master password is pivotal as it will be the only password you need to remember. Make sure it’s robust, unique, and known only to you, as it locks and unlocks your entire vault of passwords.

Step 2: Adding the LastPass Browser Extension

For those setting up on a computer, integrating LastPass with your browser is a breeze. Navigate to the download section on the LastPass website and select the appropriate extension for your browser. Chrome, Firefox, Safari, and Edge all support LastPass. Install the extension and log in using the master password you just created. This extension will automatically capture and fill passwords as you surf the internet.

Step 3: Importing Existing Passwords

If you've been managing your passwords in another software or browser, LastPass makes it easy to import them. Once logged into LastPass, head to the 'Password Vault' and look for the 'Import' option. LastPass can import data from various sources, ensuring you don’t have to manually re-enter all your credentials. This step is crucial for consolidating and securing all existing online accounts.

Step 4: Organizing Your Vault

Once your passwords are imported, spend some time organizing your vault. Create folders for different types of accounts like social media, banking, or entertainment. LastPass allows you to categorize and even share your passwords securely with family or team members if necessary. This organization aids in quickly locating and managing your credentials.

Step 5: Setting Up Multi-Factor Authentication

For an added layer of security, set up multi-factor authentication (MFA) on your LastPass account. This can usually be configured under the 'Account Settings' area of your LastPass vault. You can use options like biometric information, a mobile app, or a hardware token as your second form of authentication.

Step 6: Installing LastPass on Other Devices

To ensure seamless access to your accounts on all devices, install the LastPass app on other mobile devices or tablets you own and log in. With LastPass, syncing across devices happens automatically, so your passwords are always up-to-date regardless of where you access them from.

Step 7: Using LastPass for Password Generation and Secure Notes

Lastly, take full advantage of LastPass features like generating strong passwords for your new online account sign-ups. Also, use LastPass Secure Notes to store other sensitive information such as membership numbers, software licenses, or sensitive documents that benefit from robust encryption.

Congratulations! You’ve successfully set up LastPass. With all your passwords stored securely and efficiently, navigating your digital life will now be simpler and more secure. Regularly update your master password and review your vault for any old or compromised passwords. With LastPass, rest assured that your digital security is fortified.

LastPass: Interface and performance

Businesses will be glad to know that LastPass comes with password sharing, password generation, emergency access, one-touch login, and automatic syncing of all data.

Combining password management and MFA enables LastPass to secure every access point used by your business devices with single sign-on for over 1,200 integrated applications.

Advanced administrator controls also enable IT administrators to leverage over 100 policies for user management and data control. This makes it one of the most customizable password management platforms available.

The LastPass applications perform admirably, and in our test, we had no negatives to report. Syncing was efficient and with little lag, and working across multiple devices and browsers was as seamless as the company advertises.

It’s also one of the better-looking apps out there, with clear, easy-to-use menus and distinct sections for passwords, payment details, and the security dashboard. There’s no isolated area for IDs like drivers’ licenses and passports, but you can keep this information in the area designed for notes.

The applications themselves are well-designed, and the user interface is easy to navigate. We’ve tested the application on Windows 10 and 11, macOS, iOS, and Android, and were impressed with all of them.

LastPass: Passkeys

In June 2023, LastPass announced that passkeys are finally coming to its platform by the end of the year, specifically across web, extension, and app experiences, where LastPass will create and save passkeys for eligible websites.

The company hopes that this could even attract a new group of users to the password manager because the passkeys will work on any device that LastPass works on. This means iPhone users who run Windows on their desktop will just be able to use LastPass, instead of having to scan their desktop with their smartphone.

Keeping up-to-date with trends has clearly been a priority for LastPass, which also announced late in 2022 that it would be bringing password management to the metaverse with its Meta Quest app. With the launch of the Apple Vision Pro around the corner, it’s possible that the company already has an app in development for that, too.

LastPass: Security

Security policy can make or break a password management provider. Fortunately, LastPass is recognized as one of the most highly secure password managers available. The LastPass platform end-to-end encrypts all data using 256-bit AES encryption and uses advanced Transport Layer Security to prevent in-transit attacks.

Also, as is industry standard, LastPass does not store users’ master passwords or authentication keys locally or on its servers. So no one, including LastPass, can access a user’s encrypted data remotely.

We were also particularly impressed by LastPass’s frequent external auditing and transparent incident response protocol. This means that if there are any weaknesses in the LastPass system, they are quickly identified and addressed.

Finally, the LastPass bug bounty program adds a community-level pillar to the platform’s security framework and further protects LastPass from bugs and software weaknesses, which demonstrates that the company holds a high level of accountability.

LastPass: Customer support

Both businesses and individuals can avail themselves of the LastPass forums. The forums page contains threads on numerous business-related topics, and we were able to find advice for many niche problems. There are loads of help articles, too.

For issues that can’t be solved by exploring the forum and articles, free online training and how-to guides are also available. Email support is readily available, too, but only certain plans get phone support.

LastPass: The competition

Although LastPass is feature-rich and highly affordable, there are cheaper options that might appeal to businesses on a tight budget. 

For example, Sticky Password is cheaper than LastPass, with similar feature sets and security protocols. Another strong competitor is N-Able Passportal business password manager as well as Norton's password manager. You should also consider our comparison of 1Password and LastPass.

LastPass: Final verdict

LastPass is one of the best password managers available, and business leaders or IT administrators would do well to consider it for their organization. Advanced features, top-notch security, and centralized administrator controls and analytics all play their role in this superb password management solution.

Despite its advanced features, LastPass is still highly affordable in most cases, and this contributes significantly to our favorable opinion of the platform. However, if you’re looking for a free account only and you’re not willing to fork out a monthly fee, chances are you’d be better off with something that can support multiple signed in sessions simultaneously like Bitwarden or one of the software giants’ own solutions, like iCloud Keychain or Google Password Manager.

What to look for in a password manager

In an era where data breaches and cybersecurity threats loom large, ensuring the safeguarding of sensitive information is paramount for businesses of all sizes. A robust password manager is no longer a luxury but a necessity for companies striving to protect their digital assets. However, with a plethora of options available, choosing the right password manager can seem daunting. Here’s a detailed guide on what companies should look for when selecting a password manager, ensuring they pick a tool that not only secures their data but enhances overall operational efficiency.

The cornerstone of any password manager is its security features. Companies should prioritize services that offer advanced encryption standards, such as AES-256 bit encryption, to ensure that all data stored within the manager is impervious to cyber-attacks. Additionally, consider password managers that provide zero-knowledge architecture, meaning even the service provider cannot access your data. Features like two-factor or multi-factor authentication (MFA) add an extra layer of security, making it significantly harder for unauthorized individuals to gain access to your accounts.

For businesses, it's crucial to have granular control over who accesses what information. A password manager that offers customizable user permissions and roles enables companies to manage access based on the employee's role and responsibilities. The ability to easily add and revoke access, create user groups, and monitor who accessed what information and when helps maintain security protocols and ensures compliance with various regulatory standards.

Given the diverse technological ecosystem within most companies, a password manager must be compatible across different platforms and devices. Whether your team uses Windows, macOS, Android, or iOS, the password manager should offer seamless integration and synchronization across all platforms, ensuring that employees can access their secure passwords no matter the device or browser they use.

An often-overlooked aspect of implementing new software is the user experience. The best password managers combine advanced security features with user-friendly interfaces. Look for a solution that offers intuitive navigation, easy setup, and minimal maintenance. Moreover, consider the streamlined processes for adding new passwords, retrieving stored information, and sharing credentials among team members. A password manager that is cumbersome to use can lead to poor adoption rates among your workforce.

For enhanced security and compliance, choose a password manager that provides comprehensive audit and reporting tools. These features empower companies to monitor password hygiene, identify weak or reused passwords, and detect unusual access patterns. Regular reports can help you stay ahead of potential vulnerabilities and reinforce best practices among your team.

Choose a password manager that can grow with your company. Scalability is essential, as the number of users, amount of sensitive data, and complexity of your business needs will evolve over time. Opt for a solution that makes it easy to add licenses or features as your business expands and your security requirements become more sophisticated.

Effective customer support can significantly impact the user experience. Look for a password manager that offers reliable, 24/7 customer support through multiple channels, including live chat, email, and phone. Service Level Agreements (SLAs) that guarantee uptime and quick resolution times can also offer peace of mind that any issues will be swiftly handled.

Finally, while not compromising on security and functionality, consider the cost efficiency of the password manager. Many services offer tiered pricing based on the number of users, so you pay for only what you need. Additionally, weigh the long-term benefits of enhanced security and efficiency against the investment in the password manager.

Selecting the right password manager is a critical decision for businesses aiming to bolster their cybersecurity posture. By focusing on security features, user access controls, cross-platform compatibility, ease of use, audit and reporting capabilities, scalability, customer support, and cost efficiency, companies can find a solution that not only secures their digital assets but also supports their operational objectives. Remember, in the digital age, your passwords are as valuable as the information they protect—choosing the right manager is paramount to safeguarding your company's future.

We've also featured the best password recovery software.