
LastPass

The category's most widely used manager — with a 2022 breach that requires honest evaluation before signing up

If you are already embedded in the LastPass ecosystem and have read and accepted the 2022 breach disclosure — and your context is enterprise SSO rather than personal privacy — LastPass Business remains a competitive choice.

LastPass spent a decade as the default recommendation for password management, built on polished autofill, strong browser integration, and — until 2021 — a genuinely unlimited free tier. In 2022, an attacker exfiltrated encrypted vault backups and unencrypted URL metadata from cloud storage. No vaults have been publicly decrypted at scale, but the URL metadata exposure is a structural privacy failure. Post-incident, LastPass raised PBKDF2 iterations to 600,000 and rebuilt its infrastructure. The product remains a capable enterprise tool; the question is whether that remediation is sufficient for your context.

Fits well if

  • Your organisation already uses LastPass and has assessed the 2022 incident against its risk tolerance
  • You need SAML SSO with 1,200+ pre-built app integrations on the Business plan
  • You want dark web monitoring bundled with your password manager
  • ISO 27001 and SOC 2 Type 2 certification are requirements your organisation can check

Not the right fit if

  • The 2022 breach exfiltrated encrypted vault backups and unencrypted URL metadata — read the official disclosure before signing up
  • Free tier restricted to one device type since 2021 — not a practical free option for multi-device use
  • No self-hosting, no open source, no published penetration test reports
  • Anyone evaluating password managers fresh whose threat model includes URL metadata privacy

Trade-offs

  • 2022 breach exfiltrated encrypted vault backups and unencrypted URL metadata — attackers know which sites every affected user has accounts on, regardless of whether vaults are decrypted
  • URL metadata was stored unencrypted by architectural choice — not addressed by raising KDF iterations; a structural gap that persists post-remediation
  • Free tier restricted to one device type since 2021 — the change that made LastPass obsolete as a free option for most users

When it breaks

  • The 2022 breach exposed that URL metadata was stored unencrypted. An attacker who obtains a vault backup knows every website the vault owner uses — this exposure persists regardless of whether the encrypted passwords are ever cracked.
  • The free tier's one-device-type restriction makes it functionally unusable for most real workflows. Users who signed up for the historically unlimited free plan will find the current product significantly more restricted.
  • No native desktop application exists. Access on Windows, macOS, and Linux requires either the browser extension or the web vault. Workflows that depend on a system-level credential manager are not served.
  • Enterprise customers facing FedRAMP or StateRAMP requirements will find LastPass cannot satisfy them — only Keeper holds these authorizations.

Hidden trade-offs

  • The 2022 breach affecting accounts with historically low PBKDF2 iteration counts (some legacy accounts had as few as 1 iteration) means older LastPass accounts are disproportionately exposed to offline brute-force attacks on stolen vault data.
  • The enterprise feature set is broad — 1,200+ SAML integrations is a genuine differentiator — but this breadth comes from a legacy of enterprise-first development that predates modern security standards. The integrations work; the underlying architecture has known gaps.
  • LastPass's pricing structure has changed significantly over time. The free tier was degraded in 2021; pricing tiers have been restructured multiple times. Assume current pricing may not reflect what you'll pay at renewal.
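The two structural points above (plaintext URL metadata in a stolen backup, and the PBKDF2 iteration count as the only cost an offline guesser pays) as a constructed illustration added here; it is not LastPass's code or the review's own. It assumes a simplified vault record and uses an HMAC-based counter-mode stand-in for the real AES format.

```python
import hashlib
import hmac
import os

def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 master key. The iteration count is the per-guess cost an
    offline attacker pays against a stolen vault: 1 iteration versus 600,000 is a
    600,000x difference in brute-force throughput for the same password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: an illustrative stand-in for AES, not a production cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def encrypt_field(key: bytes, plaintext: str) -> str:
    nonce = os.urandom(12)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return (nonce + ct).hex()

def decrypt_field(key: bytes, blob: str) -> str:
    raw = bytes.fromhex(blob)
    nonce, ct = raw[:12], raw[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def build_backup(key: bytes, entries: list, encrypt_urls: bool) -> list:
    """Legacy layout (encrypt_urls=False) stores the URL in clear beside the
    encrypted password; the hardened layout encrypts both fields."""
    return [{"url": encrypt_field(key, url) if encrypt_urls else url,
             "password": encrypt_field(key, pw)} for url, pw in entries]

def sites_visible_without_key(backup: list) -> list:
    # What a thief learns from the backup alone: every URL field that still parses as a URL.
    return [e["url"] for e in backup if "://" in e["url"]]

# Constructed sample vault (placeholder sites and passwords, not real credentials).
SAMPLE_ENTRIES = [("https://bank.example/login", "hunter2"),
                  ("https://mail.example", "correct horse battery staple")]

if __name__ == "__main__":
    key = derive_key("master-passphrase", os.urandom(16), 600_000)
    legacy = build_backup(key, SAMPLE_ENTRIES, encrypt_urls=False)
    hardened = build_backup(key, SAMPLE_ENTRIES, encrypt_urls=True)
    print("legacy backup reveals:", sites_visible_without_key(legacy))
    print("hardened backup reveals:", sites_visible_without_key(hardened))
```

Raising the iteration count changes nothing in the legacy layout's URL leak: only the layout change removes it.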