What to do if you’re affected.
LastPass threw us a curve with a change to the terms of their free tier.
I don’t expect it to affect most folks, but it will affect a few.
I’ll review the change, and my recommended approaches if you’re affected.
LastPass’s free tier will be restricted to a single platform: PC or mobile. If you’re impacted, paying is my recommendation, but you can also switch to other free solutions or live with the new restriction. Continuing to use a password manager remains an important part of overall security.
LastPass free tier
In their blog post “What can I expect to change for LastPass Free on March 16, 2021?”, LastPass announced a change to the terms of their free offering: it will be free on only one “type” of platform. What that means is:
- LastPass Free will continue to be free if you use it only on PCs (laptops or desktops).
- LastPass Free will continue to be free if you use it only on mobile devices and tablets.
- LastPass Free will no longer support using both platform types on the same account: it’s one or the other, but not both.
You are only affected if:
- You use LastPass Free.
- You use LastPass Free on both PC and mobile platforms.
Recommendation #1: stay and pay
I’m a fan of LastPass, and use it across all my devices constantly.
While I don’t like the way they handled this change, I believe LastPass is worth the upgrade to an annual paid subscription. At this writing, that’s $36 USD per year.
Like backing up, password management is important enough to pay for.
I know not everyone will agree.
Recommendation #2: switch
I don’t yet have a specific recommendation for an alternative.
If free is important, your choices will be limited. Some free plans, such as that offered by Dashlane, are more restrictive than LastPass’s new plan. Review them carefully.
Bitwarden has a good reputation, and its free plan seems comparable.
PC Magazine has a recent comparison of free password managers that includes several alternatives.
One word of advice: if you move, make sure whatever alternative you choose will let you take your passwords with you. One of the reasons I originally moved to LastPass was because the solution I had been using had no export function. I believe that’s critical, both for backing up and not being locked in. Since LastPass has an export function, switching away from it is theoretically easier. Make sure that’s true for whatever solution you choose in case you later decide they’re not for you.
Recommendation #3: Live with it
You can simply choose to live with the new restriction. Select one platform, PC or mobile, and stop using LastPass on the other.
There is another somewhat cumbersome approach: a second account. Continue to use your existing free account on one platform, and set up a new one (using a different email address) on the other. You should be able to export and import for the initial setup. Adding new entries and making changes, though, will be difficult to synchronize between the two.
NOT a recommendation: Stop using a password manager
Some folks may take this as an excuse to stop using a password manager altogether.
Don’t be one of those people. Using a password manager — any reputable password manager — is far safer than any alternative.
Pay, switch, or live with it, but don’t stop using something altogether.
Love LastPass and am a paid subscriber.
While trying to eliminate my “reused/duplicate” files, I found that it was cumbersome as I have almost 100. It took 15 mins for one. After contacting support, I was told that is the only way. I was disheartened. This will take months! 2 days later I get an email stating that they actually agreed with me and will work on a way to do multiple passwords at once! Time will tell.
Thanks Leo,
Jim
I had the same experience as you… Glad to hear they may be working on a solution!
Susan
That’s another advantage of a paid program. You get personalized support. A paid program also means development of new features.
I’ve been paying for them for over 10 years (for whatever reason, I’m paying much less than the amounts listed above), but I have felt the customer service has just gotten worse and worse.
I didn’t quite understand the OP about what is taking so long with duplicate passwords.
I use LastPass Families, which is $48 per year. Allows for up to 5 users and the ability to share passwords in the group, among other benefits. One feature I like is the emergency access to my account. The only drawback is that it can only be granted to another LastPass user. I’ve also set up and printed out a group of one time passwords (OTPs) for emergency use.
Thanks for that Leo – you confirm what I suspected, I’ll need to pay.
I’m surprised you think it won’t affect many people – having set up loads of strong random passwords through Last Pass on my PC, if I want to access any of those accounts on my Mobile Phone I will have no way of doing so at all, unless I do pay, so I really have little option – just holding out a few days in case they decide to offer a better deal nearer D-Day!
I am kinda hoping they’ll rethink this, but only time will tell. I suspect I’ll have to upgrade my wife’s LastPass since she’s on a free account. Like you, waiting until the last minute.
Or move both of you to the paid version of Bitwarden, an overall superior, open-source password manager, for only $10/year.
Just because the company was bought by people who want to appear that the company is far more profitable than it really is and then sell it for many millions on profit, I don’t think I can tolerate that.
Happy to pay, only to people who can tell the difference between profit and greed. So for me off to Bitwarden, the transition took all of 2 minutes!
I have been hearing from a number of happy Bitwarden users.
Upgrading your wife to LastPass would only cost you $10 or $12 more a year for a family subscription which would also add a few other sharing features. Sounds like a good deal.
You are one of the not so many people it will affect. I haven’t tried it yet but BitWarden free has most of the features of LastPass paid and you can even import the passwords from a LastPass backup.
How Do I Back Up LastPass?
I probably could have gotten by just using LastPass on my PCs, but decided today to give Bitwarden a try and found the transition rather easy: Exported .csv file from LastPass; imported to Bitwarden. Same kind of extensions for the popular browsers. Synched perfectly. So far, I’d recommend it to anyone who wants to continue using a password manager the way they used LastPass.
Is there a legitimate reason for them doing this other than pushing users into paid plans? What difference does it make what type of device you’re using?
It appears to be for the purpose of making money. Would you work for free?
I understand the need for income, but I’m not a computer engineer or programmer. I was just wondering if there is some significant cost to them for allowing us to use different device types or if they are just looking for ways to make the free plan less attractive.
It’s not that it costs them more. That’s how freemium software works. Offer a free tier and charge for more features. Years back, LastPass did something similar. At that time it cost $12 a year to be able to use LastPass on a phone or tablet. Taking away a service that was previously free seems to many like a bait and switch.
I honestly don’t know. While the change itself doesn’t bug me that much, that they’re willing to make this kind of a change and inconvenience existing users to this degree is troubling.
It seems to me that it’s a huge gaffe by management. I don’t recall ever being “advertised” to by Last Pass to tell me of the advantages of having a paid account. I can’t even tell you what the advantages are. It seems to me that if you’re going to make this kind of a change, you should have a sustained marketing campaign directed at your free users to convince them that it’s worth it to switch to a paid plan. Then, if that doesn’t work, then you can apply stricter measures like this.
At least with MS Office, because I use it at work, I know what I’m missing out on by using a free online version, and I can decide to purchase a 365 subscription or not.
Here’s an article about the investors behind LastPass. They were in it for the money.
https://arstechnica.com/gadgets/2021/03/demand-for-fee-to-use-password-app-lastpass-sparks-backlash/?comments=1
I’ve been using KeePass for years on my PCs. It’s free and open source. It stores passwords locally, not in “the cloud” (AKA somebody else’s computer). There is a review of KeePass in the PC Magazine link listed in Leo’s article.
Yeah, password safe…open source, done by an old pro who’s at the top of his game still, easily portable, no limit, and free….been using it for a decade with zero problems.
Me too!
I don’t see how KeePass would solve the problem of syncing between computers and your mobile devices. If you can afford the paid LastPass, you get the convenience of full synchronization.
I haven’t had a problem using KeePass to sync between computers and mobile devices. If that’s your concern just store your KeePass database file or files (*.kdbx) in a cloud drive accessible to all of your devices. I happen to use Google Drive; but OneDrive, iCloud, DropBox, or any other reliable cloud storage would work just as well. Any changes you make to the KeePass file on your computer will be accessible by your smartphone, and vice versa. And all for free with no monthly subscription fee.
I have also used KeePass for several years. I like that the portable version of the application can be placed on (and used from) a flash drive. While I understand that cloud password vaults are extremely secure, I still prefer to store my passwords locally. With my sometimes spotty Internet connection, I appreciate that I can still access all my information and passwords at any time, regardless of whether or not I have connectivity at that moment.
I saw this headline the other day: “You need a password manager! Just not Last Pass.” I certainly hope they took into account the negative press they were going to get about such a move as this.
I get that they need money to keep them going. Software doesn’t develop for free. But some people are just on a very tight budget, especially now with the way COVID has affected everything.
I would have liked to have seen some marketing aimed at convincing free subscribers of the value of paying before downgrading the service they provide. I don’t actually even know what advantage I would get with a paid subscription. When the free version does what I need it to do, there’s not much incentive to go looking for extra features I might need to pay for. It just seems to me that they’ve missed this whole middle step of talking to their free customers and extolling the virtues of a paid subscription.
I have a theory.
It’s a theory I don’t really like.
This is pure speculation, and not based on anything other than my own gut feel, and having seen this scenario play out elsewhere.
I’m wondering if LastPass is focusing their efforts on the enterprise and business side of the market, and decreasing their interest in the consumer market. I say this because almost all of the advertising I see for LastPass is enterprise-related. Part of that is the podcasts and media I consume, so I have to take it with a grain of salt. But I’ve seen this play out before when other companies decide that their business-oriented endeavors are more lucrative financially than continuing to maintain a strong presence in the consumer market. There are some very good products we talk about all the time that fit this model: that there is a consumer edition is a side effect, not a targeted goal.
I hope LastPass isn’t moving to such a model.
I’m not leaving LastPass. In fact, I’ll probably upgrade to family after the deadline hits and I see the impact on my wife’s free account. But I’m definitely watching.
I hope I’m wrong.
That is a possible theory. There is probably a hole in the business side of things, given the phishing that goes on to try and gain access to company systems.
I wish we could use a password manager at work. I work for one of the largest employers in Canada and our IT department still believes that good password security involves changing passwords every 90 days. Yes, they have to be strong passwords, but there’s the problem. Each system requires a different password and with changing strong passwords so frequently, a lot of people have a hard time remembering their passwords. Do you know how many people in my office that I see look in their daytimer or desk drawer for a password? Lots. It would be nice if we could get a password manager and be able to use the long complicated strings that LastPass creates (and drop the mandatory 90 day password change).
LastPass has just lost my confidence completely. I paid for a premium subscription in February and now I’m getting a notice to upgrade to Premium. I tried to get a phone number but you can only get phone support with a Premium account. It’s been several hours since I submitted an online request but still no answer. They have terrible support.
It’s been over 24 hours and still no response. LastPass has terrible support. I’m looking for an alternative.
I can’t speak to the support, but Bitwarden is next on my list, based on reader feedback, as is KeePass, because it has no cloud of its own — something that some folks find attractive.
48 hours later and still no joy. I write twice a day to remind them. They even answered and said I have premium and the problem was caused by a trial subscription of their family plan. Their tech support is atrocious.
After half a dozen emails and two phone calls, the problem has been finally resolved.
Given there are solid alternatives I can’t see paying for a password manager, especially one that has an annual fee which makes it even less attractive.
I am not a fan of password managers that store the password database online as it seems like a potential security risk, but it’s probably a minimal risk assuming the place storing the database is secure enough. Still, I tend to be a bit more on the cautious side of things in this regard and keep the database locally stored and make my own backup copies.
I have been using Password Safe (pwsafe dot org (Designed by renowned security technologist Bruce Schneier)), which is 100% free with no strings attached, since probably somewhere around 2005-2007 and it’s never failed me yet. It has a Windows/Linux version (Linux version = sourceforge.net/projects/passwordsafe/files/Linux/ ) and there is even a mobile version too (search for Password Safe on Google Play store as Jeff Harris maintains the Android version). But personally I would never trust a smart phone with doing sensitive stuff online in general and they are just a chore to use compared to a proper computer (desktop/laptop) and are probably generally less updated with security patches (it’s not necessarily a bad idea to use a smart phone but I personally don’t like them for doing anything sensitive online in general). The Windows database file from Password Safe works fine on the Linux version too as I was using it on Windows since I started using it until Jan 2019 when I switched over to Linux Mint. The current newest version on Linux is v1.13.0 which was released a couple of days ago now.
But if I was using a smart phone for some non-sensitive accounts online… what I would probably do is sacrifice a bit of security for ease-of-use and just use a half way decent easier to remember password with a little padding (i.e. for example… “MyDecentPassword” becomes something like “…..MyDecent.Password,”) for the small amount of non-sensitive accounts. NOTE: but in general don’t use the same password across multiple accounts as it’s a bad idea!
For those who want to verify the Password Safe download is good and not been modified by any shady person, you can do the following on Linux for example… You can go to the pwsafe dot org website, click on ‘contact’ (on the left side of the page) and scroll down to bottom of page where it shows “To verify the signature, use this public key (key fingerprint = C887 6BE6 9A8E C641 4C8C 8729 B131 423D 7F2F 1BB9)” and click on that ‘this public key’ part which will download an ASC file as I just rename it to PWSafe.asc and then save it to your ‘home’ folder and then at that point go to the terminal and type in “gpg --import PWSafe.asc” (without the “) and hit enter and it will import the key. Then you simply download the Password Safe .deb file and .sig you want to download and then you do something like… “gpg --verify passwordsafe-ubuntu20-1.13-amd64.deb.sig passwordsafe-ubuntu20-1.13-amd64.deb” (without the “) and press enter and you should see something like “Good signature from “Rony Shapiro (PasswordSafe signing key) etc”. Basically this helps confirm the download is good and that it’s not been modified by any shady person. This ‘gpg’ stuff is not absolutely necessary (since chances are the download will be fine as is), but it helps ensure your download is legit and has not been modified by a shady person. NOTE: you will see the “WARNING: This key is not certified with a trusted signature!” message etc but don’t let that bother you as it’s normal for that to appear. NOTE: for those running Linux Mint v20.x (which is one of the more popular versions of Linux in general) the file you want to download currently is “passwordsafe-ubuntu20-1.13-amd64.deb” as it’s the newest. But for those who prefer to stay within the ‘Software Manager’ (i.e. the official Linux repositories) to get Password Safe you can do that also but it’s an older version as you simply search for ‘passwordsafe’ (without the ‘) as two options appear but it’s the first one with the brown looking icon as the other is NOT Password Safe from pwsafe dot org, so I would avoid that one personally.
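The verification steps in the comment above can be tightened so that the result depends on the published fingerprint rather than on reading gpg's text output, since "Good signature" is printed for any key in the keyring. The script below is an added example, not code from the commenter or the Password Safe project: it reads gpg's `--status-fd` lines and accepts a download only when the signature is good and was made by the key whose fingerprint the comment quotes. The function names and the sample status lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pin a detached-signature check to a published fingerprint
# by parsing gpg's machine-readable status lines.

# Fingerprint as quoted in the comment above (from the pwsafe contact page).
EXPECTED_FPR="C887 6BE6 9A8E C641 4C8C 8729 B131 423D 7F2F 1BB9"

# Strip whitespace and upper-case, so differently formatted copies compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# status_ok EXPECTED_FPR   (reads `gpg --status-fd` output on stdin)
# Succeeds only if gpg reported GOODSIG and the VALIDSIG line carries the
# expected primary-key fingerprint (12th field). Bad, expired or revoked
# statuses, another key, or a missing fingerprint field all fail closed.
status_ok() {
  awk -v want="$(normalize_fpr "$1")" '
    $1 != "[GNUPG:]" { next }
    $2 == "GOODSIG"  { good = 1 }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" { if (toupper($12) == want) pinned = 1; else bad = 1 }
    END { if (good && pinned && !bad) exit 0; exit 1 }
  '
}

# verify_download SIGFILE DATAFILE
# Assumes the project key was already imported (gpg --import PWSafe.asc).
verify_download() {
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_ok "$EXPECTED_FPR"
}

# Constructed status output (not captured from a real run): a good signature
# from the expected key. TRUST_UNDEFINED is the machine-readable counterpart
# of the "not certified with a trusted signature" warning.
SAMPLE_EXPECTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B131423D7F2F1BB9 Rony Shapiro (PasswordSafe signing key)
[GNUPG:] VALIDSIG C8876BE69A8EC6414C8C8729B131423D7F2F1BB9 2021-03-01 1614556800 0 4 0 1 8 00 C8876BE69A8EC6414C8C8729B131423D7F2F1BB9
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: an equally "good" signature made by some other imported key.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6666777788889999 Example Other Key
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2021-03-01 1614556800 0 4 0 1 8 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if [ "$#" -eq 2 ]; then
  # Real use: ./verify.sh package.deb.sig package.deb
  if verify_download "$1" "$2"; then
    echo "OK: good signature from the expected key"
  else
    echo "REJECTED: signature missing, bad, or not from the expected key" >&2
    exit 1
  fi
else
  # No arguments: run the check over the constructed samples.
  for name in SAMPLE_EXPECTED SAMPLE_OTHER; do
    eval "sample=\$$name"
    if printf '%s\n' "$sample" | status_ok "$EXPECTED_FPR"; then
      echo "$name: accepted"
    else
      echo "$name: rejected"
    fi
  done
fi
```

Both samples would print "Good signature" in gpg's human-readable output; only the fingerprint comparison tells them apart.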
I use PasswordMakerPro. It’s an older solution that you don’t hear about much, which is actually a good thing for my security. (Leo’s memory goes back to the Stone Age of computers so he might know about it). It’s a different model than other password managers which might address some peoples’ concerns with password vaults.
Not clear from Leo’s article whether the new options allowed by LastPass are for multiple PC/laptops or just one.
Multiple.
I have been using and recommending KeePass for years. It is free, open-source and multi-platform. You can choose to put it in a Dropbox or equivalent for cloud access, but you can also choose to keep it local. You can export from it. I do agree that a good password manager is worth paying for, which is why I made a donation, but that’s not required in order to use it. There are no restrictions on functionality if you don’t pay. I can’t imagine anything that could be missing from it – certainly, nothing I’ve ever needed.
The advantage of paid LastPass over KeePass is full online synchronization between all your computers and devices.
You can do that with KeePass. I don’t know if there’s a way to do it automatically – I’ve never tried – but it’s just a couple of clicks to synchronize your databases.
I have been using LastPass free, PC & mobile, for several years. It does not bother me that they suddenly decide I need to pay for the ride I have enjoyed for so long. I have often wondered how the providers justify offering free services to public consumers, but letting commercial support the costs. Maybe if everyone contributes they could lower the cost for everyone a little. No I am not smoking anything strange.
So I’m curious, as a Google user, is it NOT safe to be using their ‘save password’ functionality?
I assume you mean Google Chrome. I have this on that: Is It Safe to Let Your Browser Remember Passwords?
I have been using Sticky Password for years now, even bought a lifetime subscription very cheaply via Ashampoo and tbh, it works absolutely fine synched over my various pc/laptop combinations (6 of them). It also syncs to my three mobiles but it doesn’t work well on mobiles as you have to continually login to it when you move apps, so I have been thinking over the last few months (based on Leo’s continual pushes partly) to move to LastPass despite having already paid for SP.
I am glad I didn’t now and I guess I will stay with SP and hope they improve their mobile application.
I’ve been using LastPass & been paid subscriber for a long time. It’s an excellent utility. I was a bit concerned when they sold to LogMeIn & immediately tripled their fee. But, aside from a few glitches, they’ve managed to keep things running well. To me it’s definitely worth having a utility that’s available on all devices with minimal hassle.
I’ve been paying for them for over 10 years. For whatever reason, my fee did not triple when LogMeIn took over, but I felt that service has gone way downhill.
Years ago, LastPass did something similar to what they are doing now. I don’t remember exactly what they did, but something like allow the same LastPass login to work on one machine. At that time, they only charged $10 a year. Then when LogMeIn took over they upped it to $30 a year but for some reason the one device restriction was lifted. I don’t remember the scenario exactly but it was something like that.
Do you have any opinion/advice on the password manager which comes as part of Dropbox? I have found it useful and helpful while considering to leave Lastpass.
I don’t have any experience with it, to be honest. I trust DropBox, but don’t have enough of a feel for how well they’ve done password management, or how well it works across all devices.
Try Myki. I never heard of it until the last few days. I found it a bit fiddly to setup (because I don’t read instructions).
Anyway, I am very happy with it so far and the free version has more options than one would expect.
I will NOT pay Lastpass. The way they handled this change is appalling. I guess they were/are hoping for people to just pay as it is too hard to change.
Very happy to continue with a four-tier approach. My main (and paid for) security comes from Avast with whom I have a VPN but, every time I log out of the Internet, I select history, Ctrl A and delete all the history, go to Ccleaner, Analyse and run cleaner. I then go to SUPERAntiSpyware and remove all trackers. Once a week I run MalwareBytes to get rid of any PUPs.
Works for me.
I use SSE to manage my passwords. SSE periodically backs up all my passwords to a pwv file or you can back them manually to the pwv file. I can copy this file to a flash drive and restore it if needed. I’ve used it for years and it’s free.
Thanks for your customary clear and complete summary Leo. I was already investigating alternatives to LastPass and had selected BitWarden as a contender. It is free for use on computer and phone.
I can now confirm that I have BitWarden running as a browser extension in Firefox and as an app on my Android phone. It took me less than an hour to export from LastPass, import to and learn how to use BitWarden on both. I did need to manually turn on Autofill on my phone [BitWarden|Settings].
The only error so far turned out to be LastPass not exporting a password correctly (removing a leading zero)
Far from an exhaustive test but so far I can thoroughly recommend BitWarden as an alternative to LastPass. I also like the open-source philosophy, but hey, that’s just me. :)
I was a lastpass paying customer. I am concerned with the tracking feature. Even though it can be turned off. Also concerned with LogMeIn being sold to a venture capital firm. They usually pull value out of a company and then sell it. For the above reasons I moved to 1password. I have warmed up to 1password. Very easy to import lastpass into 1password.
Techrepublic.com has some info and suggestions on possible replacements.
https://www.techrepublic.com/article/free-password-manager-alternatives-to-lastpass/
I received my notification but I don’t intend to change. I’m still very much a computer person although I actually have a smartphone now. I started my LastPass account in 2014 on a computer, and anything important I do in life, I’d never dream of doing on a phone. I install the browser extension every time I add a new browser or set up a new computer, and I log in to LastPass through the web on the rare occasion that I need it on a strange computer.
Regarding changes to Customer Support, I don’t remember actually needing support in the almost 7 years I’ve been using it, so that’s likely a non-issue for me.
I was unsure whether my Chromebook would be considered a computer or a mobile device. The Logmein Support confirmed that Chromebook will be a Mobile Device. I hope this will be useful info for Chromebook users!
That is good to know, thank you for the clarification.
I have also been a paying user of LastPass for several years and generally like the service. However, I will probably look for an alternative when my current annual subscription is up. I feel that they have become price uncompetitive. When I first started as a paying customer, it was $12/year, then it went to $24/year and then a year or so ago it went to $36/year. I fully understand that companies need to get income for their services, but I don’t see how anyone can justify a 300% increase over a 5 year span.
I started using LastPass, primarily because Leo seems so pleased with it, and I find it to be unintuitive, clumsy to use and just generally not a pleasant experience. Now all that is in comparison to RoboForm which I have been using for several years. RoboForm has a one time fee also in comparison to LastPass which wants an annual fee. I will continue to use it on my phone but I took it off my desktop and will continue with RoboForm on it.
What’s most important is that you’re using something that works for you.
Used to pay £10 a year to sync LastPass between PC and mobile, but then they removed that charge, only to now more than triple it. Logmein had form in changing from free to affordable to expensive so it got dumped for TeamViewer. Now they are owned by zombie capitalists (asset stripping and debt loading) it is incumbent to change to the excellent Bitwarden.
Another workaround just occurred to me as I was playing around with a new browser which didn’t have LastPass installed. I went to the LastPass website and logged in. It’s a bit more of a pain than using the LastPass browser extension, but it’s a way of using it on all devices.
So one solution could be, Install LastPass on your phone and tablet and use the web version on your computer.
As an alternative while I consider other password managers, I simply stopped updating LastPass on my iPhone back in March. I’m still running LastPass 4.8.15 on the phone and so far it works fine, I just ignore all the reminders that there are new versions available. For now, I can still use LastPass Free on all of my desktop and laptop computers as well as my phone.
I assume that someday, this will either fail because of an iOS change, or become a poor choice (since I’m not installing any updates to LastPass on the phone). But for now…