LastPass
The category's most widely used manager — with a 2022 breach that requires honest evaluation before signing up
If you are already embedded in the LastPass ecosystem and have read and accepted the 2022 breach disclosure — and your context is enterprise SSO rather than personal privacy — LastPass Business remains a competitive choice.
LastPass spent a decade as the default recommendation for password management, built on polished autofill, strong browser integration, and — until 2021 — a genuinely unlimited free tier. In 2022, an attacker exfiltrated encrypted vault backups and unencrypted URL metadata from cloud storage. No vaults have been publicly decrypted at scale, but the URL metadata exposure is a structural privacy failure. Post-incident, LastPass raised PBKDF2 iterations to 600,000 and rebuilt its infrastructure. The product remains a capable enterprise tool; the question is whether that remediation is sufficient for your context.
Fits well if
- Your organisation already uses LastPass and has assessed the 2022 incident against its risk tolerance
- You need SAML SSO with 1,200+ pre-built app integrations on the Business plan
- You want dark web monitoring bundled with your password manager
- ISO 27001 and SOC 2 Type 2 certification are among your requirements and your organisation is able to verify them
Score breakdown
Scale reflects category fit and operational confidence — not absolute product quality.
Not the right fit if
- The 2022 breach exfiltrated encrypted vault backups and unencrypted URL metadata — read the official disclosure before signing up
- Free tier restricted to one device type since 2021 — not a practical free option for multi-device use
- No self-hosting, no open source, no published penetration test reports
- Anyone evaluating password managers afresh whose threat model includes URL metadata privacy (which sites you hold accounts on)
Trade-offs
- 2022 breach exfiltrated encrypted vault backups and unencrypted URL metadata — attackers know which sites every affected user has accounts on, regardless of whether vaults are decrypted
- URL metadata was stored unencrypted by architectural choice — not addressed by raising KDF iterations; a structural gap that persists post-remediation
- Free tier restricted to one device type since 2021 — the change that made LastPass obsolete as a free option for most users