Is LastPass: Free Password Manager safe to use?

LastPass: Free Password Manager has a risk level of CRITICAL with an overall risk score of 9.3/10. Our scan detected 156 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does LastPass: Free Password Manager request?

LastPass: Free Password Manager requests the following permissions: scripting, tabs, notifications, contextMenus, storage, unlimitedStorage, webNavigation, webRequest, webRequestAuthProvider, offscreen, alarms, privacy, clipboardWrite. It also requests host access to: http://*/*, https://*/*, https://lastpass.com/vault/*, https://lastpass.com/migrate/*, https://lastpass.com/*, https://backoffice.lastpass.com/*.

What is LastPass: Free Password Manager's risk score?

LastPass: Free Password Manager has an overall risk score of 9.3/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 3.3/10.

ExtSafe

LastPass: Free Password ManagerSecurity Analysis

Chromev4.151.3MV3February 16, 2026 at 12:54 PM

Known Security Incidents(2)

Critical2022-12Resolved

Major data breach — encrypted vaults stolen

Attackers stole encrypted password vaults and unencrypted metadata for millions of users. Weak master passwords remain at risk of brute-force decryption.

View source →

High2023-02Resolved

Follow-up breach via developer machine

Attackers exploited a compromised developer's home computer to steal decryption keys for cloud storage backups containing vault data from the 2022 breach.

View source →

9.3CRITICAL

9.3 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 19 permissions including high-risk ones, 144 code findings, 3 dangerous combinations.

Dangerous Combinations(3)

HIGHTab tracking + external communication

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

tabs+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

3.3/10

Permissions(19 analyzed)

Code Findings(24 patterns, 144 total)

Libraries(3 detected)

3 libraries detected

Content Security Policy

CSP Present(1 issue)

LOW

object-srcobject-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis(1 finding)

Resolved from __MSG_* i18n placeholders:

Description: LastPass is an award-winning password manager for secure credential management on any device.

MEDIUM

web_accessible_resourcesJS files exposed to web pages

JavaScript files are exposed as web-accessible resources. Matched websites can load and interact with extension scripts.

External Domains(35)

${k(e${r**.okta-emea.com*.okta.comaaccounts.google.comaccounts.lastpass.comaddons.mozilla.orgbackoffice.lastpass.comcontent.googleapis.comd20xtzwzcl0ceb.cloudfront.netd3uc069fcn7uxw.cloudfront.netdocs.datadoghq.comfb.megithub.comlastpass.comlink.lastpass.comlocalhostlogmeinlastpass.okta.commomentjs.commozilla.github.iooutlook.live.compasskeyreactjs.orgredux.js.orgsntestwww.amazon.comwww.datad0g-browser-agent.comwww.datadoghq-browser-agent.comwww.facebook.comwww.googleapis.comwww.lastpass.comwww.linkedin.com