NordPass vs LastPass

NordPass is a zero-knowledge, web-based password manager. All of your data is stored in an encrypted database in the cloud. Your passwords are never sent to any server, so you can access them from anywhere with fast performance, even on mobile devices with slow networks.

LastPass stores all your sensitive data in one location and organizes it. It secures your passwords and other sensitive data so you can access them from anywhere at any time, no matter which device or browser you use to connect to the Internet. It features a strong password generator and synchronization between devices.

Security

Both services store all your data in the cloud and encrypt it with strong algorithms, but only NordPass encrypts your sensitive data locally before uploading it to the server, where it can be decrypted by you alone and nobody else, including us (this is what zero-knowledge means). LastPass does not encrypt anything before sending it to the server, so your data is decrypted by LastPass with a key they hold, and if they are hacked or forced to give up the encryption key, your passwords are exposed.
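What "encrypted locally before upload" means in practice, as an added example written for this comparison (it is not NordPass's or LastPass's code): the client stretches the master password, splits the result into an encryption key that never leaves the device and a separate login token, and encrypts the vault with AES-256-GCM before anything is sent. The record the server stores contains only ciphertext and a hash of the login token, so a server compromise yields nothing that decrypts the vault. The iteration count, the key labels and the sample vault entry are assumptions chosen for the demo; PBKDF2 is written inline so only the Go standard library is needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// kdfIterations is an assumed demo value; real deployments use far more, or a memory-hard KDF.
const kdfIterations = 100000

// VaultRecord is everything the server ever receives: no master password, no encryption key.
type VaultRecord struct {
	Salt       []byte // random per-account salt (public)
	Ciphertext []byte // nonce || AES-256-GCM output
	AuthHash   []byte // SHA-256 of the client's login token
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written inline for a dependency-free demo.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// subkey derives an independent key from the stretched root under a fixed label.
func subkey(root []byte, label string) []byte {
	mac := hmac.New(sha256.New, root)
	mac.Write([]byte(label))
	return mac.Sum(nil)
}

// deriveKeys returns the encryption key (stays on the device) and the login token (sent to the server).
func deriveKeys(master string, salt []byte) (encKey, authKey []byte) {
	root := pbkdf2SHA256([]byte(master), salt, kdfIterations, 32)
	return subkey(root, "vault-encryption"), subkey(root, "server-login")
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a CSPRNG failure is unrecoverable for a password manager
	}
	return b
}

// SealVault runs on the client: the vault is encrypted before anything is uploaded.
func SealVault(master string, vault []byte) (VaultRecord, error) {
	salt := randomBytes(16)
	encKey, authKey := deriveKeys(master, salt)
	gcm, err := newGCM(encKey)
	if err != nil {
		return VaultRecord{}, err
	}
	nonce := randomBytes(gcm.NonceSize())
	// The salt is bound as associated data, so a ciphertext cannot be re-attached to another salt.
	ct := gcm.Seal(nonce, nonce, vault, salt)
	ah := sha256.Sum256(authKey)
	return VaultRecord{Salt: salt, Ciphertext: ct, AuthHash: ah[:]}, nil
}

// OpenVault runs on the client after download; a wrong master password fails GCM
// authentication instead of producing garbage.
func OpenVault(master string, rec VaultRecord) ([]byte, error) {
	encKey, _ := deriveKeys(master, rec.Salt)
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(rec.Ciphertext) < ns {
		return nil, errors.New("vault record too short")
	}
	return gcm.Open(nil, rec.Ciphertext[:ns], rec.Ciphertext[ns:], rec.Salt)
}

// ClientLoginToken is the only password-derived value the client ever transmits.
func ClientLoginToken(master string, salt []byte) []byte {
	_, authKey := deriveKeys(master, salt)
	return authKey
}

// ServerVerifyToken is all the server can do with a record: a constant-time login check.
// Neither the token nor AuthHash lets it derive the encryption key.
func ServerVerifyToken(rec VaultRecord, token []byte) bool {
	h := sha256.Sum256(token)
	return hmac.Equal(h[:], rec.AuthHash)
}

func main() {
	rec, err := SealVault("correct horse battery staple", []byte("example.com: hunter2")) // constructed entry
	if err != nil {
		panic(err)
	}
	pt, err := OpenVault("correct horse battery staple", rec)
	fmt.Printf("client decrypts %q (err=%v); server holds %d ciphertext bytes\n", pt, err, len(rec.Ciphertext))
	_, err = OpenVault("wrong password", rec)
	fmt.Println("wrong master password:", err)
}
```

The design point is the key split: the server can verify `ClientLoginToken` but, because the encryption key is derived under a different label, no value it stores or receives lets it (or an attacker who dumps its database) open the ciphertext. Keeping the master password and the derived encryption key on the device is the whole of the zero-knowledge property the text describes.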

LastPass also has two ways of protecting access to your account: a mandatory password reset for all accounts, or a permanent lockout that disables your account after several failed login attempts. NordPass only uses the mandatory password reset feature, which allows you to access your data even if somebody stole it from their servers.

Sync

LastPass has great sync options, and we provide an official client for Windows and macOS. The Android app is available in the Google Play Store, but there are no official apps for iOS or Linux. On all other operating systems you can access your data through any browser by logging in with the email address and password you used to register your account.

NordPass has a web-only sync feature, which is useful if you don’t want to install anything on your device and want to keep the passwords out of plain sight. There are several Windows clients that support NordPass: Arjen Lentz’s free and open-source C# client and our own Java client, both of which use the JSch .NET library under the GPL license (source). LastPass also features two-factor authentication, while NordPass supports Login Approvals out of the box.

Price and Features

There is no charge for creating and maintaining a NordPass account; it’s free as in beer, but there are two ways to pay us if you want to show your appreciation: you can make a donation (which is highly appreciated) or purchase the Premium upgrade, which gives you access to more features such as the Password Generator and Login Approvals.

NordPass also has several premium features, like automatic form-filling on websites that support it, using U2F, Grid Security and unlocking with transaction signatures. Currently, all of them require manual configuration on our side before they will work for you, but we’re working hard on providing automatic configuration for these and other features.

LastPass Premium costs $12 per year, while NordPass Premium costs €6 (about $8), which is also the price of our SecureSafe Pro upgrade; both need monthly auto-renewal if you want to keep them after your initial 1-year or 6-month subscription expires.

Backup/Restore

If your hard drive crashes and you lose all the sensitive data stored on it, LastPass offers no way to recover your account unless you have a recent backup. Even if you happened to get lucky and had a recent backup of your password file (called a “wallet” in their terms), restoring it afterwards would require manually adding each new site created after the time of the backup.

NordPass has an elegant solution for this: your encrypted data can be backed up to any remote server using the simple FTP, FTPS or SFTP protocols, allowing secure synchronization with multiple devices, which can also include offline storage such as USB disks. Or just choose our SecureSafe feature, where we handle backups automatically while providing advanced features like

Offline Functionality

You can use LastPass with a USB key, but it will only store the encrypted data on the USB drive and won’t let you work with your passwords while offline. If you want to access them while you’re not connected to the internet (yes, such situations do happen), then NordPass is for you, as we support fully offline functionality.

Phishing and Malware

Have you ever received an email from some service telling you that suspicious activity was detected on your account, or asking you to change your password? Well, this is called phishing, and it’s one of the most common ways of stealing user accounts: an attacker creates a website that looks like a page from PayPal or Facebook and asks for your credentials; once you enter them, the data goes straight to the attacker, who can then use it to access your account.

LastPass does not directly protect against phishing, but it does have two features that should help with this: one is called “trusted computers”, and it just means that you won’t be asked for your master password while logged into your LastPass browser extension on your usual computer(s). The second feature is called “watchtower”, and it automatically notifies you when our servers detect a fake copy of one of the websites you visit (it will only detect such sites if they are registered in our database, not all known phishing sites).

NordPass has several technical measures that prevent user credential leakage when you visit a fake version of our website (Nord. cv), so the best way to prevent phishing is to always log in to your account on Nord. cv before using it anywhere else.

LastPass also offers some protection against malware, but this does not mean that they automatically scan their files for known viruses or that they are more secure in general: there are still multiple ways a user can be infected with malware while it’s stored on LastPass servers, which could lead to credential leakage without any warning.

Even though there are no plans yet, we’re considering adding a virus/phishing protection feature for more advanced users who don’t trust our automatic protections. It would give them the ability to scan all stored data locally and notify them if any malicious code is detected.

Two-Factor Authentication (2FA)

LastPass offers the ability to protect the user account using something called “2-step verification”. This mechanism requires you to enter an additional security code, sent by SMS or generated by the Authy app, after correctly entering your master password. The code is required on every login attempt, which means that even if somebody managed to steal both your password and your email, they still can’t access your account without access to either your phone or that one-time password generator.

NordPass has a similar feature, but instead of sending codes via SMS it uses Google Authenticator. And instead of locking the account for some minutes until you get the SMS, our system simply blocks it for 30 seconds after 5 unsuccessful login attempts. This way an attacker would have a maximum of 1 minute to use your credentials before being blocked.
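The two mechanisms described in this section, a Google Authenticator compatible code check and the "block for 30 seconds after 5 failed attempts" rule, as an added example in Go that is not NordPass's or LastPass's code. The 30-second step, six digits and HMAC-SHA1 are the RFC 6238 defaults that Google Authenticator uses, so the code check is verifiable against the RFC 4226 test vectors; the one-step skew window, the constructed secret and the `TryLogin` signature are assumptions made for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	maxFailures   = 5                // failed attempts before the block (from the text)
	blockDuration = 30 * time.Second // length of the block (from the text)
	totpStep      = 30               // seconds per TOTP step, the Google Authenticator default
	totpModulus   = 1000000          // six-digit codes
)

var ErrBlocked = errors.New("account temporarily blocked after repeated failures")

// Account holds the per-user 2FA state. Secret is the raw TOTP seed; an authenticator
// app receives the same bytes base32-encoded at enrollment.
type Account struct {
	Secret       []byte
	failures     int
	blockedUntil time.Time
}

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation.
func hotp(secret []byte, counter uint64) uint32 {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return (binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff) % totpModulus
}

// TOTP (RFC 6238) is HOTP evaluated at the current 30-second time step.
func TOTP(secret []byte, at time.Time) string {
	return fmt.Sprintf("%06d", hotp(secret, uint64(at.Unix()/totpStep)))
}

// codeValid accepts the current step and one step either side to tolerate small clock
// skew between phone and server; each comparison is constant time.
func codeValid(secret []byte, code string, now time.Time) bool {
	step := now.Unix() / totpStep
	for d := int64(-1); d <= 1; d++ {
		want := fmt.Sprintf("%06d", hotp(secret, uint64(step+d)))
		if hmac.Equal([]byte(want), []byte(code)) {
			return true
		}
	}
	return false
}

// TryLogin applies the policy from the text: a wrong master password or a wrong code
// counts as a failure, and five failures block the account for 30 seconds, during which
// even a correct code is refused. masterOK is the result of the master-password check.
func (a *Account) TryLogin(masterOK bool, code string, now time.Time) (bool, error) {
	if now.Before(a.blockedUntil) {
		return false, ErrBlocked
	}
	// Evaluate the code unconditionally so response time does not reveal whether the
	// master password alone was correct.
	if codeValid(a.Secret, code, now) && masterOK {
		a.failures = 0
		return true, nil
	}
	a.failures++
	if a.failures >= maxFailures {
		a.failures = 0
		a.blockedUntil = now.Add(blockDuration)
	}
	return false, nil
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 4226/6238 test-vector seed, not a real secret
	acc := &Account{Secret: secret}
	now := time.Now()
	fmt.Println("current code:", TOTP(secret, now))
	for i := 1; i <= maxFailures; i++ {
		ok, err := acc.TryLogin(true, "000000", now)
		fmt.Printf("attempt %d with a wrong code: ok=%v err=%v\n", i, ok, err)
	}
	ok, err := acc.TryLogin(true, TOTP(secret, now), now.Add(5*time.Second))
	fmt.Printf("correct code during the block: ok=%v err=%v\n", ok, err)
}
```

Two details matter operationally: the block is enforced before the code is even looked at, so a correct code gained during the window buys nothing, and the failure counter resets when the block is imposed, so a new block needs a fresh run of five failures rather than one more. The skew window of one step either side is what makes a code generated a few seconds before it is typed still pass.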

Password Masking

One great feature of NordPass is the ability to store all data without any encryption, so you can review it even when it is not decrypted. If this sounds weird, let me explain why we decided not to store everything encrypted: it’s much easier to make some quick changes in the code and leak sensitive data (e.g. passwords) if it’s encrypted together with hashed values, as they must be matched (many developers still forget about such vulnerabilities). The big question was how we could allow users to view encrypted data without leaving any trace behind. The solution was actually pretty simple: we generate random strings for each column (e.g. email) which are used only as placeholders during the page load and are deleted immediately after the page has loaded, so even if somebody got access to your browser history they won’t be able to see anything useful.

The downside of this approach is that it does not protect users who accidentally leave their private window open on one of their devices, but because the NordPass account password is just 15 characters long, there’s really nothing too critical you can do with this leaked information anyway (export the data or pay the ransom).

LastPass has a similar feature, where all the fields are filled with asterisks until you enter the master password.

Secure Password Sharing

If you want to share your passwords with somebody else (a parent, spouse or some weird friend), LastPass gives you the option to decrypt all stored data and then send it via email. This way they will be able to access all your accounts safely. The problem is that this feature should never have existed in the first place: if you’re sending passwords through unsecured media such as email, there’s no guarantee that only the designated person will ever see them, so we don’t recommend using this method unless absolutely necessary.

NordPass has a similar feature that you can activate from the user settings page; after it’s activated, nobody, yourself included, can view any passwords until you deactivate it again. This makes sharing safe even if somebody gets access to your account, because even if they know all of your passwords, this feature makes them useless to them.

Conclusion

Both services are very secure and provide similar features for accessing your passwords remotely, but NordPass is more secure than LastPass because all its sensitive data is encrypted locally, using GPG, before it is uploaded to the server. Although their zero-knowledge policy sounds better than LastPass’ partial zero-knowledge, there’s one thing that bothers me about this high level of security: who holds the encryption keys? What if they get hacked and the encryption keys are compromised? It would make sense to hold the encryption keys yourself, and that’s what we do with NordPass.