Researcher Says Don't Trust LastPass, Unless You're OK With Being Tracked

Remembering a bunch of different passwords for multiple websites can be difficult, and that is especially true if you are using hard-to-guess ones that mix letters, numbers, symbols, and capitalization, as is good practice. Password managers offer to handle the remembering part for you, and a for a long time, LastPass has been one of the most popular options. However, a security researcher says you should look elsewhere after discovering LastPass engages in "extremely questionable" tracking habits.

The recommendation comes on the heels of LastPass announcing last week that it plans to hobble its free tier by making users choose between either "computers" or "mobile devices," rather than continuing to allow the password managing service to work on all types of devices without paying a subscription fee. The new policy goes live on March 16.

That alone has undoubtedly pushed some people away from using LastPass and seeking an alternative password manager. According to security researcher Mike Kuketz, there's another reason to look for a different solution, that being the use of more than half a dozen trackers in LastPass.

"I briefly checked whether the app contains known tracker signatures. A total of seven trackers were found. For an app that processes extremely sensitive data (passwords), this is simply an indictment. Advertising and analytics modules simply have no place in this—it is completely out of the question to integrate them into password manager apps," Kuketz said.

Four of the six trackers are from Google. The full list includes...
  • AppsFlyer
  • Google Analytics
  • Google CrashLytics
  • Google Firebase Analytics
  • Google Tag Manager
  • MixPanel
  • Segment
According to Kuketz, it is concerning to have non-transparent external code integrated into an app that handles sensitive data—in this case, login credentials. Kuketz also takes issue with the lack of user consent to transferring certain data to third parties, through the use of various trackers.

"If you actually use LastPass, I recommend changing the password manager. There are solutions that do not permanently send data to third parties and record user behavior," Kuketz says.

Is Kuketz making a mountain out of a molehill? A LastPass spokesperson told The Register that users can opt-out of analytics easy enough by going to Account Settings > Show Advanced Settings > Privacy. The spokesperson also said LastPass continuously reviews its policies and is constantly "working to make them better to comply, and exceed, the requirements of current applicable data protection standards."

That said, there are some password managers that do not have trackers, including 1Password and KeePass. A few others have trackers, though not quite as many. The popular Bitwarden password manager, for example, uses two trackers (Google Firebase for analytics and Microsoft Visual Studio for crash reporting).