The gold standard for password vaults on the Mac is 1Password. Now in its fifth major release, 1Password has matured along with its userbase. One of its most stalwart longtime competitors, LastPass, has had an iOS version, but OS X customers have had to work through browser plug-ins or its website, putting it at a disadvantage.
The release of the free LastPass for Mac puts the two popular secrets-protection packages head to head. And LastPass comes out reasonably well in some aspects of the comparison: the two apps carve out different spaces, whose importance will vary with users’ specific security preferences and access needs. But in most respects, LastPass feels unfinished and clunky—a work in progress that works, but needs more work. The Mac version is free. A $12-per-year subscription adds mobile app synchronization, hardware-based and biometric two-factor login support, and a family-based secure password sharing option.
Access your passwords anywhere
The central theme of LastPass is accessibility everywhere: your passwords are stored in a local vault on your Mac (or other platforms) and always synced with LastPass’s storehouse. This has the advantage that you can log into the LastPass website to access passwords anywhere, and the disadvantage that anyone with your credentials can log into the LastPass website to access your passwords anywhere.
Having direct access with a login increases the “risk surface,” although you can mitigate that with a premium subscription by using one of several two-factor authentication methods it supports, including YubiKey (a USB key generator) and Google Authenticator, to prevent logins without possession of or access to a unique second verification code or device. (1Password syncs via Dropbox and iCloud Drive, but doesn’t allow access to its encrypted vaults without syncing to a local copy and using its software.)
The new Mac app feels more like a better extension of the plug-ins than a fully freestanding app, but it gets the job done. The Mac app is primarily the Vault window, a locally synchronized and updated version of the data stored in your LastPass web account. The Vault offers access to site logins, secure notes, and “form fills,” the company’s term for identities that can contain credit-card information, an address, and more. But you can’t generate passwords on their own in the Vault window, even though you can in the browser plug-ins.
The site login seems quite primitive compared to 1Password, only storing a username and password, where 1Password can capture all form elements and store previously used passwords, among other features. The FormFill feature puts different categories of items in a single profile, so to define multiple credit cards, you have to create a profile for each, and there’s no duplicate option to avoid re-entering address and other personal data.
The Vault pseudo-app’s menus are almost empty, and there’s no way to customize the way in which entries are shown. Choosing Undo after creating a new entry crashed the app. Buttons in the Vault and other dialog boxes are odd—like they belong on another platform, but which one? I’m not sure.
The browser plug-ins are better designed and seem more mature, although they also have a very technical feel and are rather chatty. When logging into a site, the plug-in alerts you about using a stored login, and also displays an overlaid box on the page that says a page is loading, and then that it’s loaded and the login data has been submitted.
Applicable form fields have the LastPass asterisk icon in them, which you can click to bring up matching entries or perform other tasks. After manually entering or using a browser-stored account login, LastPass shows a subtle but persistent bar along the page’s top offering to store the login, as well as temporarily or permanently ignore it.
A little more polish, please
In testing, the app seemed unfortunately unstable. Fine for long periods, it would sometimes cycle through logins, logging itself out and then, when logged back in, launching the vault window and pushing it foremost in OS X. This seemed to affect syncing as well. There are polish problems all over: form fill is sometimes called FormFill, sometimes Form Fill, and sometimes (lowercase) form fill.
The app has the surface feeling of ported software, instead of a native OS X program. This starts with the menu options. After installing, you can launch it, which opens the Vault window, but closing the window removes the app’s icon from the Dock. A menu bar item is persistent, from which you can select Vault. Choosing Preferences from the menu or from the Preferences item that appears, and then clicking Cancel bafflingly closes the Vault.
From a security standpoint, once the vault has remained unlocked for an interval you specify, a master password request appears. However, the request comes up without blanking the vault’s main display, so account names and other information can still be viewed, unlike in 1Password, which secures the display when the timeout occurs.
LastPass for OS X isn’t ready for general use without additional polish, user-interface design, and debugging. It does store and fill in site logins as promised, but unless you need its web-based access or already use LastPass via plug-ins or mobile apps, I cannot recommend its use yet.