Ask HN: 1Password vs. LastPass vs. Bitwarden for teams ?
I know this question comes up frequently on HN but what do you all recommend for 2021 for a business with team size of less than 25. Using passwords in KeyPassX has been useful but it starts getting difficult with a growing team where user specific permissions would be a must.
47 comments
[ 1448 ms ] story [ 3315 ms ] thread1Password was a drop in replacement for me and my family and it even let's me save TOTP keys so that's very convenient.
It also has a printable backup key so it's beginner friendly and looks aesthetically pleasing so my partner is happier using it.
Meanwhile LastPass was still struggling with U2F/WebAuthn support when I last used them.
Good time to remind others to export your google Authenticator if you change phones and do the backup keys.
Former LastPass user here.
[1] https://macpassapp.org/
It works perfectly for team management, since you can categorize passwords by vaults and give individual members. or teams, access to specific vaults. You can give guests outside your organization access as well. Beyond passwords, you can also share company cards, credential files, and 2FA tokens.
In addition, 1Password does a great job of letting you know when you should rotate your passwords, when you've re-used passwords, and when any password you've used has been leaked (in conjunction with https://www.haveibeenpwned.com). This helps ensure better security practices across the team.
Only downsides I've come across: - Granular permissions are really hard. For example, at my last job, we had vaults per client we worked with. However, not everyone that works on that client needs access to all of those passwords. The only way around this was to make/manage hundreds of vaults for Client+Function variants. - There's no way to guarantee security of passwords stored in someone's personal vault. - Users can create a vault and remove owners/admins from it (unless this has changed).
However, this has a few downsides. All of those features I mentioned (alerts for re-used, leaked, weak, or old passwords) are visible to the owner of the private vault, but admins won't be aware of those issues. It requires trust and security training to make sure that those issues are handled appropriately for private passwords.
Also, if someone has edit access for a vault, there's no way to prevent them from moving credentials to their personal vault or exporting credentials. Most people won't know how to do that and won't bother... but it's always a risk.
This makes a lot more sense.
LastPass, 1pass, BitWarden, and most other password managers doubled down on good UX, but the security is pretty terrible. They help users avoid using the same password for every site, granted, but is that really good enough?
Consider that every time you go to login to Twitter you also expose say your AWS root password or any TOTP backups, etc.
Compare to Mooltipass, Trezor Password Manager, or Password Store + Yubikey which all decrypt a single password at a time with a physical touch on an external device.
If an adversary has malware on your system and wants to dump 100 passwords they must get you to physically consent 100 times on an external device.
Presumably you would notice.
Today I only recommend hardware password managers. Pay for the hardware once and there is no monthly fee or any such nonsense, as the client software is all local and open source. Also no company gets the list of services you use and analytics of how often you use them for added privacy.
All three of these alternatives let you backup your encrypted password database to a git repo or cloud storage of your choice.
For technical teams where sharing is needed I tend to setup Password Store which lets us set up per folder sharing permissions and the database is just a shared git repo.
There are multiple cli and gui front ends available for mobile and desktop.
https://blog.1password.com/just-in-time-decryption/
The only thing it lacks is a more powerful granular permissioning now that we've scaled. Ideally, there'd be a way for each new hire to automatically get an account and roles via LDAP, and immediately have access to necessary secrets based on that with no manual step.
I think it's totally insane to let a third party manage your passwords.
Open source. Using the hosted service though which is reasonably priced.
The UI/UX is a bit clunky, especially for sharing. But it does the job for the most part.
That said, for a team size < 25 I would recommend 1Password. The product is fantastic - best in class - and they are regularly pushing improvements across all platforms.
For teams 50+ I would choose LastPass which has better 'enterprise' features, but despite having used it at work for 7 years I still really dislike it. This could be because I've been using 1Password in a personal/family capacity for about 12 years!
I know people who think the exact opposite though, so give it a go and see what you think!
Automatically translated.
I've had some trouble with the BitWarden anrdoid app not wanting to help fill in login information, but I put that down to user error - it's close enough I just can't be bothered to dig deeper.