LastPass review: Great to administrate, a little clunky to use

LastPass has the most comprehensive admin portal around but it’s excessively browser-focused

Screenshot of LastPass password vault

IT Pro Verdict

Pros

  • Comprehensive management dashboard

  • Sophisticated identity & access management options

  • Outstanding policy control

Cons

  • More expensive than some rivals

  • No desktop clients

  • No password generation for manual creation

LastPass is one of the most recognisable brands in the password management space, although the company has not always been seen in glowing terms by the wider community.

It recently raised the ire of consumers with changes that force free users of its password management service to choose between using it on either desktop or mobile devices, something which caused a spike in the number of people looking for alternatives to the service.

That said, its business services are as strong as ever, and you could be doing yourself and your company a disservice by passing over LastPass. In fact, we've ranked the software as one of the best password managers on the market, as well as one of the best business password managers.

LastPass review: Client interface

LastPass’s web browser plugin and mobile clients are still among the most widely used by general consumers, so there’s likely to be less of a knowledge gap when it comes to adoption.

On the desktop, LastPass is only available as a browser plugin. It supports the most popular browsers on Windows, macOS and Linux, so compatibility won’t be a problem for anyone. The LastPass vault is well designed, and, assuming the admin allows it, web passwords will be automatically captured and entered.

However, if you need to use or store passwords from elsewhere, such as servers you regularly access via FTP or SSH, you’ll have to manually create an entry using a web vault, and the password generator isn’t available when you do this.

Users can also store payment and address data and secure notes, including encrypted attachments. Like many other password management services, LastPass allows users to link their personal accounts. These are loaded as a new sub-folder in their enterprise vault, allowing them to access their personal passwords. Enterprise policies are applied to this folder when accessed via the user’s work account.

A command line application is also available for management and automation, and is particularly handy for creating and giving access to shared company folders.

LastPass was recently found to be using a number of trackers on its Android app, including some behavioural analytics and profiling tools, alongside more expected crash and error trackers. LastPass tells us that “aggregate data provided by trackers help to identify and troubleshoot issues within the product and prioritize areas to improve and optimize the end user experience.” However, these can be disabled in your LastPass vault, accessible from a desktop browser.

LastPass review: Management interface

LastPass has a particularly nice dashboard to help you manage your users. Heads-up displays show total, active, registered and blocked users, figures on the number of policies you have in place and how many users are geofenced, and a chart showing successful and failed authentications – useful for spotting efforts to penetrate your users’ accounts.

LastPass Business and Identity users can be added via a wide range of Single Sign-On portals, but admins for Teams will have to invite everyone by email. Once added, users can be assigned to groups and roles to give them access to different shared vaults and features. Admins can view each user’s saved sites, shared folders, and registered devices.

Policies can be applied to groups and individuals, and range from standard security policies to specific password and multifactor authentication requirements, blocking access from specific countries or devices, and a wealth of other settings. Our only complaint is that the policy list is a little cramped, as they’re shoved into a skinny bar at the right of the interface.

Identity tier subscribers can also roll out LastPass’s passwordless access systems, allowing users to access their vaults more easily when connected from a specific IP address or geographic location, and enabling device authentication and biometric login models.

LastPass review: Pricing

LastPass’s business offerings start with Teams, priced at £40.80 per user, per year, and intended for SMBs or workgroups with up to 50 users, although this is a recommendation rather than a hard limit. This provides each user with an industry-standard password storage vault with optional two-factor authentication, shared folders for your team, and a dashboard to administrate everything.

The next tier up, Enterprise, has no recommended ceiling on user numbers, and adds Single Sign-On support, personal customer support, API and app integrations, and customisable security policies.

These are extremely flexible, and include settings such as requiring users to link a personal vault to keep them from using their business account to store their own day-to-day passwords, access restriction based on IP address, automatic logout windows, and highly specific control of the kind of secure data and passwords that can be stored or shared.

A more expensive Identity tier adds extra authentication options, taken from LastPass’s subscription-based multi-factor authentication toolset.

Unlike rivals including Keeper and Bitwarden, users within a Teams, Enterprise, or Identity subscription don’t get a free LastPass Personal subscription to go with it.

LastPass review: Verdict

LastPass is still an industry leader, and has one of the best management interfaces around, although the lack of a desktop client for users feels like an omission in a business environment. It’s not cheap, either: LastPass’s Enterprise tier is priced at £61.44 per user, per year, and many rivals provide equivalents to its features for less. A flat-fee site license is also available for larger businesses.

The adaptive multifactor authentication options of the top Identity tier, designed to provide users with secure and passwordless access to both their vaults and other business identity challenges, are unique, although some rivals such as Keeper are developing similar tools in parallel. LastPass Identity is certainly costly, at £81.60 per user, per year, and its comprehensive identity verification functions – also available without password management – are beyond the scope of this review.

The lack of a desktop client is an irrelevance to web-oriented personal users, but if you have staff members who’ll be accessing desktop applications and remote servers without going via a web browser, flipping to a browser plug-in just to copy out passwords can slow the workflow.

LastPass’s online vault is still great to use, and its top tiers are lavish when it comes to providing features, but for price and convenience, Bitwarden and Dashlane provide a better business password management solution right now.

K.G. Orphanides

K.G. is a journalist, technical writer, developer and software preservationist. Alongside the accumulated experience of over 20 years spent working with Linux and other free/libre/open source software, their areas of special interest include IT security, anti-malware and antivirus, VPNs, identity and password management, SaaS infrastructure and its alternatives.

You can get in touch with K.G. via email at reviews@kgorphanides.com.