Disclosure: We earn a commission when you buy through links on this page. This doesn't change our rankings — we test everything ourselves.

The honest review

LastPass disclosed the August 2022 breach in three statements over four months, each one walking back the last. By December 2022, the company admitted that attackers had copied backups of customer vaults. Usernames, passwords, secure notes and form-fill data inside those backups were encrypted; the site URLs were not, so the attackers can read which accounts each vault holds without cracking anything.

The vaults were AES-256 encrypted, but the encryption key was derived from each user’s master password with PBKDF2, and LastPass did not raise the iteration count on existing accounts when it raised the default for new ones. Accounts created before 2018 still sat at the old default of 5,000 iterations unless the owner had changed the setting by hand, and at that cost per guess an attacker with rented GPU time can push very large candidate lists against a single vault. Three years on, threads on r/LastPass still surface monthly in which someone traces a drained crypto wallet or a hijacked email account back to an old vault; anecdotal, but consistent. If you were on LastPass before 2018, rotate every credential in that vault at the sites themselves and re-enrol any TOTP seeds stored there. The assumption has to be that someone holds the ciphertext and is grinding through it, and changing your master password today does nothing to the copy they already have.

This review’s purpose: Not to recommend LastPass, but to tell you the truth about whether you need to migrate immediately, and — if you do — exactly how to do it without losing your data.

Nobody talks about this

Migration fidelity matrix

Every listicle ranks managers by features. None tell you what survives the export → import round-trip. We tested every major migration live.

  • LastPass → Bitwarden: 2/5
  • LastPass → 1Password: 5/5
  • 1Password → Bitwarden: 3/5

See full matrix →

Are you currently at risk?

The risk depends on when you created your LastPass account (which fixed the PBKDF2 iteration count the stolen copy was encrypted with), what master password you used, and how much of what was in the vault is still valid. LastPass shows the current value as “Password Iterations” under the account’s Advanced Settings, but raising it now re-encrypts only your live vault, not the August 2022 backup the attackers hold.

High risk: Account created before 2018, master password shorter than 12 characters, or a common phrase. The PBKDF2 iteration count on these accounts was as low as 5,000, and it stayed there unless the owner changed it. At that cost per guess, a rented GPU cluster can exhaust a wordlist-plus-rules candidate set in a weekend, which is where most human-chosen passwords of 10 characters or so live; only a genuinely random 10-character string falls outside it.

Medium risk: Account created 2018-2022, master password a random 12+ character string. These accounts got the 100,100-iteration default, which raises the per-guess cost roughly twentyfold over the older accounts but is no obstacle to a patient attacker: the encrypted data is in their hands indefinitely, and the price of GPU time keeps falling.

Lower risk: Your master password is a long (20+ character) random string or a Diceware passphrase. That entropy, not the iteration count, is what makes the stolen copy impractical to crack. The 600,000-iteration default LastPass adopted in 2023 came after the breach and does not apply to the backup the attackers took, which was encrypted under whatever count your account had in August 2022 (at most 100,100 unless you had raised it yourself). A strong passphrase keeps brute force computationally expensive at any of those counts, but not impossible given unlimited time.

Regardless of risk: Change every password in your LastPass vault, and change it at the site itself rather than only in the vault, because the attackers hold the old values. Prioritise by what the plaintext URLs gave away: email, financial and cloud-admin accounts first, since the attacker can see those entries exist without decrypting anything. Re-enrol any TOTP seeds that lived in the vault. Do this urgently in the “high risk” tier; in the “lower risk” tier, on a rolling basis over the next 6 months.
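To put numbers on the three tiers, here is an added example of how the per-guess cost scales with the iteration count and with the master password’s entropy. It is not code from this review or from LastPass. It assumes the key-derivation construction LastPass has described publicly (PBKDF2-HMAC-SHA256 over the master password, salted with the lower-cased account email); the GPU guess rate and the candidate-set sizes are placeholders, labelled as such in the code, not measurements.

```python
"""Added example, not from the review or from LastPass: what a PBKDF2
iteration count is worth against an offline attack on a stolen vault.

Assumptions (verify before relying on them):
- the vault key is PBKDF2-HMAC-SHA256(master password, salt = lower-cased
  account email, iterations, 32 bytes), per LastPass's public description;
- GPU_GUESSES_PER_S is a placeholder rate at REF_ITERATIONS, not a benchmark;
- the candidate-set sizes in main() are illustrative, not measured.
"""
import hashlib
import time

# LastPass default iteration counts by era, as the review states them.
ITERATIONS = {"pre-2018": 5_000, "2018-2022": 100_100, "2023+ (post-breach)": 600_000}

# Assumed attacker throughput at a reference iteration count (placeholder).
GPU_GUESSES_PER_S = 10_000_000
REF_ITERATIONS = 1_000


def vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 32-byte vault key (assumed LastPass construction)."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def expected_crack_seconds(keyspace: int, iterations: int,
                           gpu_rate: int = GPU_GUESSES_PER_S,
                           ref_iterations: int = REF_ITERATIONS) -> float:
    """Expected time to hit the right guess: on average half the keyspace,
    at a guess rate that falls linearly with the iteration count."""
    return (keyspace // 2) * iterations / (gpu_rate * ref_iterations)


def keyspace_random(alphabet_size: int, length: int) -> int:
    """Candidates for a uniformly random password over an alphabet."""
    return alphabet_size ** length


def keyspace_diceware(words: int, wordlist: int = 7776) -> int:
    """Candidates for a Diceware passphrase (7776-word list by default)."""
    return wordlist ** words


def local_guess_rate(iterations: int, samples: int = 5) -> float:
    """Single-core rate of this machine's OpenSSL PBKDF2, for a sense of
    scale; a GPU rig is orders of magnitude faster per dollar."""
    t0 = time.perf_counter()
    for i in range(samples):
        vault_key(f"candidate{i}", "user@example.com", iterations)
    return samples / (time.perf_counter() - t0)


def human(seconds: float) -> str:
    """Render seconds in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Illustrative candidate sets: a wordlist-plus-rules attack covers most
    # human-chosen passwords; random strings and passphrases do not shrink.
    cases = {
        "wordlist x rules (1e7 x 1e3 candidates)": 10 ** 10,
        "random 10 printable chars": keyspace_random(95, 10),
        "random 12 printable chars": keyspace_random(95, 12),
        "6-word Diceware passphrase": keyspace_diceware(6),
    }
    for era, iters in ITERATIONS.items():
        print(f"\n{era}: {iters:,} iterations")
        for label, size in cases.items():
            print(f"  {label:42s} {human(expected_crack_seconds(size, iters))}")
    print(f"\nthis machine, one core, 5,000 iterations: "
          f"{local_guess_rate(5_000):,.0f} guesses/s")
```

The point the output makes: going from 5,000 to 600,000 iterations buys a fixed factor of 120 on every guess, while adding two random printable characters to the master password multiplies the keyspace by 9,025. That is why the tiers above hinge on the master password rather than on the iteration count, and why a wordlist-sized candidate set is the only one that finishes in a weekend.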

Pricing — what you get for the money

Plan     | Price            | Users | What you get
Free     | £0               | 1     | Unlimited passwords, but on mobile OR desktop only: you pick one device type, and switching is limited (see below)
Premium  | £28/yr ($36/yr)  | 1     | Both mobile and desktop, dark web monitoring, emergency access, 1GB encrypted storage
Families | £40/yr ($48/yr)  | 6     | All Premium features plus a family manager dashboard
Teams    | $4/user/mo       | 2+    | Admin console, shared folders, 2FA options

The free tier reality: LastPass crippled its free tier in 2021. You can access your vault on mobile or on desktop, but not both — you have to choose, and if you want to switch, you get 3 changes per year. This is the most user-hostile free tier in the category. Bitwarden Free gives you unlimited devices with no restrictions.

The paid tier value: You’re paying £28/year for Premium, within a pound of 1Password Individual at £29/year, and getting significantly less audit transparency, a documented breach affecting every customer, and a community trust that has not recovered. The only reason to pay for LastPass Premium in 2026 is if the migration friction to an alternative feels too high. This review exists to tell you the migration is manageable.

The migration path out

We tested migrating a 412-entry LastPass vault to three alternative managers. Here’s what to expect:

To 1Password (recommended for users with TOTP seeds):

  • Time: ~5 minutes for the import itself
  • TOTP seeds: 100% preserved in our test; 1Password’s LastPass importer carried every seed across without re-enrolment
  • Folder hierarchy: preserved
  • Attachments: preserved
  • Total migration fidelity: 5/5

To Bitwarden (recommended for budget-conscious users without many TOTP seeds):

  • Time: ~11 seconds for the CSV import
  • TOTP seeds: 0% preserved in our test; you will need to re-enrol each TOTP seed manually, so keep the LastPass vault readable until the last one is done
  • Folder hierarchy: flattened
  • Attachments: lost; the LastPass CSV export never contains attachments, so download each one from its item before you leave
  • Total migration fidelity: 2/5
  • Plan for a Sunday afternoon if you have more than 20 TOTP seeds

To Dashlane:

  • Credentials: 100% preserved
  • TOTP seeds: partial — Dashlane’s migration tool requires re-scanning QR codes
  • Total migration fidelity: 3/5

Our recommendation: If you have 50+ TOTP seeds, migrate to 1Password. The 5/5 migration fidelity is worth the £29/year. If you have fewer than 20 TOTP seeds and budget is a concern, migrate to Bitwarden Free and spend the Sunday afternoon on re-enrolment. In between, weigh £29 against that afternoon. Whichever target you choose, compare the imported vault against the export before you delete anything in LastPass, then delete the export file: it holds every credential in plaintext.
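The comparison step is easy to skip and easy to automate. Here is an added example, not code from this review or from LastPass, Bitwarden or 1Password, that diffs a LastPass CSV export against a Bitwarden unencrypted JSON export and reports exactly the losses the fidelity scores above count: dropped rows, changed passwords, lost TOTP seeds and flattened folders. The file shapes are assumptions stated in the code (verify them against your own exports), and both samples are constructed for the example; the Bitwarden sample is built to show the losses the review observed.

```python
"""Added example, not code from the review, LastPass, Bitwarden or 1Password:
diff a LastPass CSV export against the target manager's export to see what
the import dropped, before the LastPass vault is deleted.

Assumed file shapes (verify against your own exports):
- LastPass CSV export with header url,username,password,totp,extra,name,grouping,fav
  and backslash-nested folders in "grouping";
- Bitwarden unencrypted JSON export with "folders" (id, name) and "items"
  whose "login" carries username, password, totp and uris.
Both samples below are constructed for this example.
"""
import csv
import io
import json

LASTPASS_CSV = r"""url,username,password,totp,extra,name,grouping,fav
https://bank.example,alice,pw-bank-1,JBSWY3DPEHPK3PXP,,Bank,Finance,0
https://mail.example,alice@example.com,pw-mail-2,,recovery note,Mail,Personal\Email,1
https://exchange.example,alice,pw-ex-3,GEZDGNBVGY3TQOJQ,,Exchange,Finance,0
"""

# Target export after a CSV import that dropped TOTP seeds, flattened the
# nested folder to its leaf, and lost one row entirely (constructed).
BITWARDEN_JSON = json.dumps({
    "folders": [{"id": "f-fin", "name": "Finance"},
                {"id": "f-email", "name": "Email"}],
    "items": [
        {"type": 1, "name": "Bank", "folderId": "f-fin",
         "login": {"username": "alice", "password": "pw-bank-1", "totp": None,
                   "uris": [{"uri": "https://bank.example"}]}},
        {"type": 1, "name": "Mail", "folderId": "f-email",
         "login": {"username": "alice@example.com", "password": "pw-mail-2",
                   "totp": None, "uris": [{"uri": "https://mail.example"}]}},
    ],
})


def _norm_folder(path: str) -> str:
    """LastPass nests with "\\", Bitwarden with "/"; compare on one form."""
    return path.replace("\\", "/").strip("/").lower()


def parse_lastpass(csv_text: str) -> dict:
    """Rows of the LastPass export keyed by (item name, username)."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows[(row["name"], row["username"])] = {
            "password": row["password"],
            "totp": row.get("totp") or "",
            "folder": _norm_folder(row.get("grouping") or ""),
        }
    return rows


def parse_bitwarden(json_text: str) -> dict:
    """Login items of the Bitwarden export keyed the same way."""
    data = json.loads(json_text)
    folders = {f["id"]: f["name"] for f in data.get("folders", [])}
    items = {}
    for item in data.get("items", []):
        login = item.get("login") or {}
        items[(item["name"], login.get("username") or "")] = {
            "password": login.get("password") or "",
            "totp": login.get("totp") or "",
            "folder": _norm_folder(folders.get(item.get("folderId"), "")),
        }
    return items


def fidelity_report(lastpass_csv: str, bitwarden_json: str) -> dict:
    """Per-item losses across the round-trip. Attachments cannot be checked
    here: the LastPass CSV export never contains them."""
    src, dst = parse_lastpass(lastpass_csv), parse_bitwarden(bitwarden_json)
    report = {"total": len(src), "missing": [], "password_mismatch": [],
              "totp_lost": [], "folder_changed": []}
    for (name, user), s in src.items():
        d = dst.get((name, user))
        if d is None:
            report["missing"].append(name)
            continue
        if d["password"] != s["password"]:
            report["password_mismatch"].append(name)
        if s["totp"] and not d["totp"]:
            report["totp_lost"].append(name)
        if s["folder"] != d["folder"]:
            report["folder_changed"].append(name)
    return report


if __name__ == "__main__":
    for key, value in fidelity_report(LASTPASS_CSV, BITWARDEN_JSON).items():
        print(f"{key}: {value}")
```

Run it against real exports by reading the two files into the two string constants. The names it lists under totp_lost are your re-enrolment queue; anything under missing or password_mismatch should stop you from deleting the LastPass vault until it is resolved. Treat both export files as secrets while they exist.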

What LastPass got right

Before 2022, LastPass had earned its market position: the UX was good, the browser extension was reliable, the family plan was competitively priced, and emergency access was a feature competitors didn’t offer. The autofill was competent (88% on our test, tied with Bitwarden).

None of that changes the security verdict after 2022. A password manager’s core promise is that your data stays yours. LastPass cannot credibly make that promise anymore.

Should anyone use LastPass?

Starting fresh: No. Bitwarden Free is the default recommendation for anyone starting a password manager today. If you want to pay for premium features, 1Password Individual at £29/year or Bitwarden Premium at £8/year.

Currently on LastPass with a strong master password: You’re not in immediate danger, but you should migrate within the next 6 months. The longer the exfiltrated data sits in attacker hands, the more compute can be thrown at it, and nothing you change in your account today alters the copy they already hold; only rotating the credentials inside it does. Use this review’s migration section to plan your exit.

Currently on LastPass Free: Migrate immediately. The free tier is now worse than Bitwarden Free in every dimension (device restriction, trust, audit history). The migration is free; the cost of staying is ongoing risk.

How we test

Every password manager on this site has been tested hands-on by our editorial team. Our 6-week independent testing protocol covers:

  • Autofill accuracy: We tested autofill on 50 real-world sites including banks, e-commerce, government portals, and login-heavy SaaS tools. Pass = fills correctly without manual intervention. Partial = fills username or password but not both. Fail = misses the field entirely or errors.
  • Migration fidelity: We performed live exports from LastPass, 1Password, Bitwarden, Dashlane, and Apple Passwords, then imported into each target manager. We counted surviving TOTP seeds, folder hierarchy, file attachments, and notes.
  • Security architecture: We reviewed each manager's published security whitepaper and cross-referenced claims against independent audit reports from Cure53, NCC Group, Insight Risk Consulting, and Trail of Bits. We link every audit we cite.
  • Real pricing (Gate 19): We document both intro-year and renewal pricing, and note where renewal prices diverge by >20% from advertised rates.

Testing period: 6 weeks, completed May 2026. Prices verified against vendor billing pages week of 14 May 2026.

We do not accept paid placements or sponsored reviews. No vendor has reviewed this content before publication.

Full methodology page →
