
64 comments on “LastPass – Securely Keep Track of Multiple Passwords on Multiple Devices”

  1. Good post. I’ve used both Roboform and Last Pass. I don’t really care for either because of the way they required me to change my personal habits. But the biggest thing I had against Last Pass was that so often it had connection errors and kept telling me something was wrong with my internet connection when everything seemed to be running fine.

    I’ve never had that problem – so much so that I wasn’t even aware that it would complain about the network.

  2. Leo, excellent article as usual, and I am seriously considering using LastPass, I just have one question. If I use two factor authentication and get my phone stolen, what happens then?
    Maybe a daft question, but it has happened to me before and it was traumatic enough just dealing with the lost contact details etc!

    When you set up two-factor authentication, LastPass generates for you a set of one-time passwords. As the name implies each can only be used once. You save those in a safe & secure location in case you ever need them. Lose your phone and you then use a one-time password to login to LastPass on the web, and turn off two-factor authentication until you’ve replaced your phone.

  3. Hi Another very good article. I have used Lastpass for some time now and find it very good.
    However I have a little question !!!
    It works for me perfectly on all Windows Apps. But how about all the other programs that also require a password ?? Will name just one which is Skype !!! As a granddad with family around the globe this is very important to me and lastpass does not save the password (At least not the free version). At the moment Skype and other passwords I just save in Secure notes so I suppose no real problem.
    Even so I would like your opinion on the matter.
    Ta in advance

    LastPass (and other password vaults) are designed primarily for websites. I’m not aware of a utility that handles arbitrary programs asking for login credentials.

  4. The trouble with Google two factor authentication is it assumes we all have mobile phones. I don’t leave my home very often, there is no mobile signal where I live, and although I do still have a mobile at the moment the day may come when I ditch it. A landline phone doesn’t seem to be acceptable to Google.

    The Google two-factor application does NOT require connectivity. LastPass also supports alternate forms of two-factor as well, including a program you can simply run from your own USB stick.

  5. Is there a provision that allows you to access your passwords if you are using a public or friend’s computer? tks

    You can access your vault via a web page, but I would not trust someone else’s computer in general – whether you’re using LastPass or not. There’s simply too much risk.

  6. About problem you mentioned (re-visiting a site and it does not fill), I realized that first time when we Save site in LastPass, it may save the googly garbagy loooong link (like and then when we re-visit site, that is not the link we visit again!!
    When I save a site in LastPass I always delete all those extras from link (and even S from https://) and make link as simple as possible (like or then it covers all subsidiary links and subdomains that site may produce when I visit every time.

    • Paul,

      I do that too.
      I created a text file (called “Projects-To-Do” which is better than ‘Here-are-all-my-passwords and bank account information’)
      Which in fact contains all my passwords for various forum, shopping sites, bank accounts etc etc.
      That is then kept on at least two flash drives.
      When logging on to sensitive sites such as a bank, I use that text file and copy/paste the information into fields, that way there is no way any keyboard loggers know what I typed.

      – B!LL!

      • I stand corrected on the copy/paste thing as noted by LEO in the post below, however I only ever use my OWN computers (at home), never use computers at Internet Cafes or use my laptop/tablet at Wi-Fi’s such as McDonalds for important things like banking.

  7. Hi Leo,

    I signed up for LastPass a few days ago based on recommendations I read from you and on Lifehacker, and I really think it’s great.

    I have a question that I can’t resolve on my own: If I’m on somebody else’s (or a public) computer, how do you advise accessing my passwords for things like email, since I don’t have them memorized anymore? Is it risky to log in to LastPass (using their onscreen keyboard to avoid keyloggers) and use the online vault to access my passwords? I assume I’d have to do a copy/paste of my email password and then overwrite the clipboard afterward. Any thoughts?

    Thanks for a really excellent website!


    If you’re at a computer you can’t trust then you shouldn’t be logging in to your email at all regardless of whether you’re using LastPass or not. Your email password could be captured by several different means. Copy/paste does nothing to thwart keyloggers since in reality there are “activity” loggers which can easily capture what comes and goes in the clipboard.

  8. I have been using LastPass for about 6 months and really like it. I used to use Password safe before. The only problem I’ve had is when a web site wants me to change my password. LastPass will generate a new one but since I don’t see the passwords I am not sure which is new password and the old. I end up having to call the site to reset my password because I can’t get it.

    You can simply view your vault in your browser. You can see what the password is that’s been saved for that site, or if you have LastPass generate a password for you, “Generated password for…” entries will also appear in your vault.

  9. I got Lastpass after you recommended it ages ago. Most of my friends now use it. Those that don’t usually have to get their mother to tie their shoelaces. I can’t understand anyone not using it. Great for travelling. I have over 80 passwords and get Lastpass to generate passwords for me usually a mix of characters generally 18 to 20 in length. Keep up the good work Leo.

  10. Read article, read security article on spinrite’s site, and downloaded it.
    it SEEMS very neat.
    HOWEVER, could you PLEASE address this problem – on EXPORT to CSV file, i CANNOT export the custom form fields that I create or that LastPass creates.
    to me, this is the biggest bummer there is.
    EXPORT exports the first page of data for a LIST item, but does NOT EXPORT the 2nd page of a list entry, the custom form fields.

    can you or other users address this, and provide feedback?


    I don’t have an answer for this. I’d recommend submitting this as an issue to LastPass directly.

  11. downloaded it, and trying it.
    (I posted comment last evening, but not sure if it got lost, not showing up)
    ONE BIG DEFICIENCY – inability to export custom fields.
    if you create a site, and fill in just the normal site field values – those can be exported to a CSV file.

    BUT, if you capture a site, and it creates custom fields, those values or fields are NOT exported to CSV, AND they are NOT exported to even the encrypted file that LastPass Pocket uses.

    So, you are captive to using the browser format, and if for what ever reason they go defunct or you don’t like that program and decide to change, you can’t get custom data out of the database.

    I LIKE the design of the program, but I HATE it (and hate OTHER programs) when you can’t do a simple export of all the data within the database.

    any other feedback from others, if I’m doing something wrong and not understanding how to export (spent 8 hours on machine last evening researching this, forums, google search, etc…) please let me know


  12. I have several Twitter accounts and found that LastPass would not always populate the login fields.

    After reviewing the LastPass records in my vault, I found that changing the URL protocol from https to http fixed the problem.

    I still have a few sites that won’t auto-fill (e.g. Magnatune), and have to resort to copy and paste via the LastPass drop-down.

  13. I have used LastPass for a few years now and find it very useful.

    It struggles with my UK bank websites, which all require multi-level logins. They need an identifier and password on a first screen, then 2 random dropdown digits from a 4-digit PIN, then a random piece of personal information from a range of 6 items. LastPass can cope with the first screen, not a chance for the second and a bit of a fiddle for the third data.

    I have just bought an Android smartphone and tried LastPass on that. It is not integrated into the browser, but comes as a separate app. That cannot cope with the above scenario.

    So, in summary, LastPass is great when it works, but is not a solution to all approaches to my bank websites. So I have to use passwords that I can remember myself – a great pity.

    Leo, you did not mention that LastPass also stores its database locally, so that it can be used offline to access any other information you may have stored there – e.g. telephone banking passwords.

  14. If it’s ‘on your machine’, then what happens if you get a new computer, or if your current machine fails/is stolen etc? Can you access LastPass from a cloud off the web?

  15. Leo;
    Thanks for the fine work you share.
    Could you give some of your thoughts on Password Safe?
    Again thanks.

  16. @Z Berkeley
    Yes, LastPass stores a copy of your passwords on their servers (the Cloud). Because of that I can use it to sync my passwords on all of my computers and my smart phone.

  17. I tried lastPass and liked it enough to pay for the Premium upgrade, While i agree there are some limitations, I wouldn’t be without it now.
    Also Leo you referenced Steve Gibson in your column, That episode was what led me to try the program. I actually subscribe to Security Now and find it an equally good source of info like yours, Leo.
    If you haven’t already seen it i highly recommend you get episode #366 The Death of Clever.
    He talks about passwords and hackers, I found this episode quite alarming!

  18. Hi, Leo

    I wanted to ask a follow-up question of sorts to an answer you gave another commenter re: two-step authentication with LP. My question is not about that but about one-time passwords that you referred to….

    Isn’t there a sense in which OTPs can somewhat defeat the purpose ? I mean, for my email accounts — and certainly for my LP account — I want to have good, long passwords so that the accounts will not be compromised by guessing or hacking my password. As it is my LP account should be fairly secure with the long password I have for it, since any would-be hacker must guess or crack the ONE valid password I have out of however many millions/billions of possible combinations.

    But if at any time I enable the use of OTPs (for LP or any of my email accounts) doesn’t that in a way give the hackers a larger bull’s-eye ? If I’ve got a list of 50-100 OTPs, that might, indeed, make it easier for ME to login once-and-only-once at library computer or somewhere. But as long as those OTPs are valid, it’s also providing more targets for hackers, no ?

    So, in general, and specifically for the security of a password manager, would you say it’s wise to keep one’s list of valid OTPs way down, like at least in the single digits ?

    Or am I misunderstanding something about OTPs in all this security business ?

    Thanks ! 🙂

    • I use Lastpass and have over 270 sites stored and I only have 2 OTPs activated. Why would you need any more? When used just generate a couple more but keep them safe.

  19. @Scott
    The one time passwords usually work in conjunction with a normal password. It is a form of 2 factor authentication. Factor 1 is your user password. Factor 2 is the one time password which can be on a list, sent to your phone or generated by a onetime password calculator. In most cases, your user password can be as long as you want it to be. 2 factor authentication.

  20. I had an issue with a banking login site one time, and I e-mailed Lastpass about it. I was answered pronto, that it would be fixed with the next update, and it was. Great service for free.

  21. Thanks for article and link to Steve Gibson podcast. I’m sold on the security regarding Lastpass not being able to decrypt my passwords and the 2 factor auth. But, how about the database file of passwords that’s created and stored locally on my PC? If stolen PC or if there’s malware, how easily can a good hacker break into my Lastpass database file on my hard drive?

  22. disappointed that my Browser..MSN does not interest Last Pass– no offers to save pw from it when i sign into sites.. hope I can consolidate my pw’s on there manually…happy sabbatical!

  23. Quick question regarding password strength. In the article you refer to the xkcd site which suggests an 11 character randomly generated password (such that LastPass might generate for a website) was weaker than the four word phrase using common words. Based on that should we not use the Lastpass auto generator for passwords and instead create our own pass phrases or are we ok so long as we set “minimum characters” to 12 (or more) and let it auto generate?

    There’s no absolute answer here. Longer is better, in general. 12 is what I would consider a minimum these days. Using words allows you to make an easier to remember long password, but with proper settings random password generators can be good. I do indeed use LastPass’s myself if it’s not a password I’ll ever need to remember. Length = 12 for me.


  24. Hi, Leo – truly appreciated your article reviewing LastPass; had a couple of questions: (1) Does LastPass work with Internet Explorer in its “InPrivate Browsing” mode? (asking about this because, in my experience, Norton Security Suite / Norton 360 doesn’t and neither does Comcast/Xfinity Constant Guard); and (2) Does the “Multifactor Authentication” available with LastPass Premium work with an older plain vanilla cellphone that can receive SMS and Text messages, or does it require the more sophisticated ‘Smart’ phones with either Android or Apple op. systems?

    • I’ve tried to use LastPass with InPrivateBrowsing in IE and it doesn’t seem to work.
      The second part of your question is unclear. You should be able to use any cell phone to receive the text message containing the one time password, but you can’t use LastPass on that phone as it is incapable of accessing the Internet.

      • Mark, thanks for the clarification on my 2nd question; I may opt to use the multifactor authentication with my old tech cellphone for some of my banking and investment websites. ___ Incidentally, a number of these sites have already employed a type of two-factor authentication whenever I try to access them with a computer they did not recognize (where I can usually opt to have a Text message sent to my cellphone with a 5 digit ‘code’ or an email with same or, in some cases, to receive a phone call which probably would have a pre-recorded message with the code to use). It’s interesting, though, when this happens repeatedly with some of those websites, because I’ve cleared my Cookies… and, apparently, in not finding the expected cookie, the bank’s website assumed I was trying to gain access with a new or different computer.

    • Not sure about IE (see Mark’s comments about not getting it to work there, though), but I use it in Chrome’s equivalent Incognito all the time.

      Lastpass’s two-factor options are here: – I’m not seeing straight text-messaging as an option, which implies smartphone – or some other kind of device – may be needed. There are hints of SMS support through other applications but I haven’t been able to nail it down in a quick search.

  25. Am I correct in understanding that as long as my computer is on and I’ve logged into LastPass with my master password, any site I visit will be auto logged in without any further intervention from me?

    On my main laptop I have all my browsers set NOT to remember anything, which means that on every site I visit I MUST enter a password to get in. It appears to me that anyone else going to my computer could get into my sites simply because LastPass will auto fill my user name and password without any further prompting.

    Is there a way to set LastPass to ask for the master password for every site I visit? Or do I need to resolve that by signing out of LastPass every time I move away from the computer?

    • You can easily set LastPass to require the LastPass master password every time you want to log on to a website. This can be done on a website by website basis. For example, I have LastPass ask me for my master password for my bank and other financial logons.

    • Last pass can be configured to auto-login on a site-by-site basis – or not. It can also be configured to request the master password on a site-by-site basis – or not.

      • Thanks to both of you. I see you’ve now addressed this in your newest article dated April 4th published in newsletter of April 8th. My password list is getting longer and I need to stop using my Excel sheet with semi-coded passwords, but I know you’ve said “If your computer is not physically secure, it’s not secure”, so I don’t want to make it easier for anyone who tries to exploit an insecure moment.

        • If you are in a situation where someone might be able to use your open LastPass to log into your websites, you can also set LastPass to require the master password for all of your logins. It’s more work as you have to type in the password for every login, but it’s the same master password every time, so you get quite quick at typing it in each time.

  26. On one of my computers I can’t get LastPass to work on Chrome. It says:

    inline install failed: Line 1, Column 1, Unexpected token.

    The extensions installed okay on Firefox and IE. How can I fix this?

  27. I use KeePass ( – free, open-source, also supports 2-factor authentication, and you can get it for your mobile device. There are two versions – one you can install, and a portable one (my preference). I couldn’t even begin to go over all the features – I’ve never used LastPass though I’ve heard good things about it, too – you probably wouldn’t really go wrong with either one, but I couldn’t recommend more highly that a person consider KeePass. (And no, I’m not affiliated in any way – I just love it and recommend it to everyone I can.)

  28. yes i have lost my mpw; however, LP autologsin, so it does have the correct mpw. is there then a way i could view it? when i use a second browser, LP wants the mpw and does not auto login. that is also true when i go to the chromebook. and when i think i have got it right and get “invalid pw”, i don’t know which is invalid, the site, or LP’s master.
    am i just stuck and need the drastic reset? thanks always.

    • If you lose your LastPass Master Password (I assume that’s what you mean by mpw) then there is no way to recover it. You’ll need to start over. This is documented on the LastPass site, and is a side-effect of their security measures – even they don’t know your password.

  29. You can go to and click “Sign in” then click “Click here if you forgot your password”. Enter the email address you use to log into LastPass and click “Email hint”. The password hint you entered when you set up LastPass will be mailed to you. This might jog your memory. If that doesn’t work, right underneath the Email hint there is a link “* Note: if your hint doesn’t help you, you still may be able to use Account Recovery”. Try clicking on the Account Recovery link and further instructions will be sent to your email address. I’ve never tried this, but I imagine it should work in most cases.

  30. What prevents someone accessing your computer from being logged into your sites automatically by LastPass?
    I think I will encrypt my password list and keep it on a USB stick so that it isn’t on my computer.

    • LastPass encrypts your passwords with the master password you use to log on to LastPass with. LastPass only has the encrypted version of the password file. It is only decrypted by your computer never on the server. Your method is, of course safer, but I personally trust the LastPass encryption model. The cost of cracking a strong password is much more than the yield they would get hacking small fish like most of us as they would have to spend several hours to crack each password.

  31. How come i can use LastPass from several pc’s, if encryption is local? If LastPass knows only my credentials after encryption, then logging on from a second pc would produce a different encrypted ‘blob’ and LastPass should not be able to authenticate that. If the encryption key used on the 2nd pc is the same, then there is no use in encrypting it at all.

    • Your data is encrypted once, and then copied to all the computers via LastPass’s servers in its encrypted form. It’s only decrypted locally when you specify the correct password.

    • Local encryption and decryption means that the password file is encrypted and decrypted on the local computer not in the cloud. The encrypted LastPass password file is stored on LastPass’ servers.

  32. Ok thanks, the master password also is used for generating the encryption key. That explains it.
    Another question is exactly when the password list is decrypted on my pc and how long it stays decrypted. I hope only when a password is actually needed and not from the moment i activate LastPass in my browser add-on?
    And is it safe to let LastPass remember the master password (on browser add-on activation)?

    • I believe it decrypts only as needed, but don’t quote me on that. Whether or not it’s safe to let it remember the master password is a function of the overall security of your machine. If you feel the machine is secure, then it’s what I do. On the other hand if the machine could be compromised or stolen, then I do not (like my laptop, with which I travel).
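The model described in comments 31 and 32 (a key generated from the master password, encryption done locally, only the encrypted blob held on the server), as an added example that is not part of the original comments and is not LastPass's code. It assumes PBKDF2-HMAC-SHA256 with the account email as salt, and uses an HMAC-based stand-in cipher because Python's standard library has no AES; the account, password and vault contents are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_key(email: str, master_password: str) -> bytes:
    """Same email + same master password gives the same key on any PC."""
    salt = email.strip().lower().encode()  # assumption: email used as salt
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and for the integrity tag.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode (a real vault would use AES).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Runs on the local PC; the result is all the server ever receives."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    """Runs on the local PC; a wrong master password fails the tag check."""
    if len(blob) < 48:
        raise ValueError("vault blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted vault")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def demo():
    # Constructed sample account and vault contents.
    email = "user@example.com"
    master = "correct horse battery staple"
    vault = b'{"example.com": "s3cret-site-password"}'

    # PC 1 encrypts locally and uploads the blob.
    server_copy = encrypt_vault(derive_key(email, master), vault)

    # PC 2 downloads the same blob and derives the same key independently.
    on_second_pc = decrypt_vault(derive_key(email, master), server_copy)

    # Someone holding only the blob and guessing the password gets nothing.
    try:
        decrypt_vault(derive_key(email, "guess"), server_copy)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True

    return on_second_pc == vault, wrong_rejected, vault in server_copy


if __name__ == "__main__":
    print(demo())
```

The second PC never re-encrypts anything at login; it only needs to derive the same key, which is why the blob stays useful across devices and useless without the master password.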

  33. I feel Lastpass for Edge really sucks. I download as instructed and it gives an error when trying to create an account, then gives same error when using the alternate account creation method suggested then failed a 3rd time when trying to create an account on the web site. Have a good email address using and a very good all green PW, but the application and web site just upchuck.

  34. Here’s an instance of hating it! I use Firefox Beta versions. Came home from a week away, new Firefox installed itself and eliminated Lastpass. They have not kept up with Firefox and Lastpass is now not compatible with it, specifically Version 57. So I have to make SURE Firefox does not update itself on my desktop as it did on laptop and carry my phone version around with me to be able to access my passwords, as mostly I use the laptop for day to day computing. I have complained, no solution yet from LastPass, and Firefox doesn’t care!

  35. Will not work on Firefox for Linux Mint. Extension installs but will not accept my email addresses, says “make sure you use a real email address”. Both of mine are real.

    • I don’t know why that could be. I’ve used LastPass with Firefox on Linux Mint without any problems. Have you tried uninstalling and reinstalling Firefox? Or consider using another browser.

  36. Personally, I would never use a service like LastPass. First of all, any information that is stored on the LastPass server(s) is subject to hacking. I don’t care if that information is encrypted. We have learned again and again that absolutely nothing is completely secure on the internet. Secondly, any service that is available in the cloud can go away without notice. I keep all of my files and passwords on my local system (redundantly backed up of course).

    • Needless to say, I disagree. Strongly. EVEN IF someone were to hack into LastPass’s servers and get the data stored there (which has never happened) all they would get is strongly encrypted noise. There is simply no practical way that a hacker would gain access to the contents of my vault. Period.

      OF COURSE services go away without notice. Or sometimes they just go down for a bit. While I would bet money on the former never happening for LastPass, I know that the latter has happened. That’s why a) LastPass works without an internet connection at all — your vault is still accessible, and b) I so strongly recommend backing up the contents of your vault — be it LastPass or any other — in a differently-secure method. (Meaning plain text contents, then secured some other way.)

      This fear is preventing people from using long and strong passwords, and using different passwords on every site. It’s these two things that – when not done – put people at far greater risk than using a well known vault like LastPass.

  37. hi, i read your comments on password managers and was concerned about my using password safe which is almost like keypass. so i wrote a note to them at their site. i got a return reply as follows:

    Sun, Feb 24, 2:11 PM (2 days ago)

    to {removed}
    Hi John,

    Not quite:

    1. Some password managers keep unencrypted password in memory longer than strictly necessary.
    2. One can argue if this makes the password manager “unsafe”, since if an attacker can get to the memory of your PC, it’s effectively “game over” anyway (given that level of access, there are easier ways to access your protected passwords)
    3. PasswordSafe was *not* among the password managers reviewed in the article.
    4. PasswordSafe *does* encrypt the passwords in memory, so it probably would have passed the review in the article.



    On Sun, Feb 24, 2019 at 8:55 PM wrote:

    john clas ({removed} writes:
    hi, i just read that password safe and other password managers are unsafe due to unencrypted passwords in memory. is this correct? long time user.

  38. Last Pass will not let me create an account. I first tried to at the website & then I tried to create an account after I had installed it as a Firefox Browser Extension. It keeps hanging up when I enter a password. Any ideas why or what I can try?
