Review: LastPass for Mac protects your passwords but needs polish

The gold standard for password vaults on the Mac is 1Password. Now in its fifth major release, 1Password has matured along with its userbase. One of its most stalwart longtime competitors, LastPass, has had an iOS version, but OS X customers have had to work through browser plug-ins or its website, putting it at a disadvantage.

The release of the free LastPass for Mac puts the two popular secrets-protection packages head to head. And LastPass comes out reasonably well in aspects of the comparison: the two apps carve out different spaces, which will vary in importance by users' specific security preferences and access needs. But in most respects, LastPass feels unfinished and clunky--a work in progress that works, but needs more work. The Mac version is free. A $12-per-year subscription adds mobile app synchronization, second-factor login support, and a family-based secure password sharing option.

Access your passwords anywhere

The central theme of LastPass is accessibility everywhere: your passwords are stored in a local vault on your Mac (or other platforms) and always synced with LastPass's storehouse. This has the advantage that you can log into the LastPass website to access passwords anywhere, and the disadvantage that anyone with your credentials can log into the LastPass website to access your passwords anywhere.

Having direct access with a login increases the "risk surface." You can mitigate that with a premium subscription by using one of the several two-factor authentication methods it supports, including Yubikey (a USB key generator) and Google Authenticator, which prevent logins by anyone who lacks possession of or access to a unique second verification code or device. (1Password syncs via Dropbox and iCloud Drive, but doesn't allow access to its encrypted vaults without syncing to a local copy and using its software.)

The new Mac app feels more like a better extension of the plug-ins than a fully freestanding app, but it gets the job done. The Mac app is primarily the Vault window, a locally synchronized and updated version of the data stored in your LastPass web account. The Vault offers access to site logins, secure notes, and "form fills," the company's term for identities that can contain credit-card information, an address, and more. But you can't generate passwords on their own in the Vault window, even though you can in the browser plug-ins.

The site login seems quite primitive compared to 1Password, only storing a username and password, where 1Password can capture all form elements and store previously used passwords, among other features. The FormFill feature puts different categories of items in a single profile, so to define multiple credit cards, you have to create a profile for each, and there's no duplicate option to avoid re-entering address and other personal data.

The Vault pseudo-app's menus are almost empty, and there's no way to customize the way in which entries are shown. Choosing Undo after creating a new entry crashed the app. Buttons in the Vault and other dialog boxes are odd--like they belong on another platform, but which one? I'm not sure.

The browser plug-ins are better designed and seem more mature, although they also have a very technical feel and are rather chatty. When logging into a site, the plug-in alerts you about using a stored login, and also displays an overlaid box on the page that says a page is loading, and then that it's loaded and the login data has been submitted.

Applicable form fields have the LastPass asterisk icon in them, which you can click to bring up matching entries or perform other tasks. After manually entering or using a browser-stored account login, LastPass shows a subtle but persistent bar along the page's top offering to store the login, as well as temporarily or permanently ignore it.

A little more polish, please

In testing, the app seemed unfortunately unstable. Fine for long periods, it would sometimes cycle through logins, logging itself out and then, when logged back in, launching the vault window and pushing it foremost in OS X. This seemed to affect syncing as well. There are polish problems all over: form fill is sometimes called FormFill, sometimes Form Fill, and sometimes (lowercase) form fill.

The app has the surface feeling of ported software, instead of a native OS X program. This starts with the menu options. After installing, you can launch it, which opens the Vault window, but closing the window removes the app's icon from the Dock. A menu bar item is persistent, from which you can select Vault. Choosing Preferences from the menu or from the Preferences item that appears, and then clicking Cancel bafflingly closes the Vault.

From a security standpoint, a master password request appears after the vault has remained unlocked for an interval you specify. However, the request comes up without blanking the vault's main display, so account names and other information remain visible, unlike 1Password, which secures the display when the timeout occurs.

Bottom line

LastPass for OS X isn't ready for general use without additional polish, user-interface design, and debugging. It does store and fill in site logins as promised, but unless you need its web-based access or already use LastPass via plug-ins or mobile apps, I cannot recommend its use yet.


Stories by Glenn Fleishman
