I am using `pass` (https://www.passwordstore.org/) with an encrypted git repository and this works well enough for my use cases. I do not have a complex threat model though, nor I need to share my passwords with other people or organizations.
Yes after using Roboform and Lastpass I switched to Bitwarden. I pay the 10 bucks a year for convenience but folks I know self host it and are really pleased with it.
I moved to bitwarden a few years ago from Lastpass..Primarily because of persistent sync issues with lastpass. It seemed they kept trying to see "features" and the core product took a dive with the logmein aquisition. They were pushing things like credit monitoring, but the password syncing would get wonky from time to time with a specific browser or on my phone or vice versa.
You can self host your bitwarden (though i dont). And you can, even with a free account, create a single "org" to share passwords with. In this case that org was my wife so now all our shared accounts reside in bitwarden and the password doesnt matter.
Ive even gotten to the point of using their passphrase generator for manual sign-ins like my work computers.
The title is slightly off. The limit is to a single device type, not device.
If you only use LastPass on 2 devices of the same type (on your desktop and your laptop or if you only use it on your Mobile and your Tablet) you will be fine to stay on Free, However if you use it on your Desktop and your Mobile (like me) you will need to swap password managers or pay up for the service.
Before LogMeIn brought them the service was free on "Computers" but you had to pay up for Mobile (Although you were able to access your vault via their website, the mobile app just made it easier).
Guess it's time for me to invest my time into actually settings up and exporting my passwords to something like KeePass (I've been meaning to do it ever since LogMeIn brought them, I was just far too lazy to do it until now).
$30~ for a year (the offer they included in the notice) aint that bad, but I just don't like having the rug pulled from under me and would rather support something like KeePass than support LastPass.
Maybe I will change my mind after I've had some time to digest the news and play with KeePass (and its alt's).
FYI Bitwarden is only $10 a year. Before Bitwarden I used a combination of Keepass and Google Drive to sync all my passwords between devices. That was a workable solution, but Bitwarden is certainly easier, and I think more polished too.
Cheers for the info, I'll look into it. I'm not against paying for the service (I've used the hell out of LastPass) I just not a fan them pulling my use case from under me.
That will always be a risk, as long as you rely on cloud services.
I started using Lastpass as well, but moved to Keepass as soon as they were eaten up by Logmein. I moved to Keepass and I keep the keyfile on OwnCloud. It works very well, and even better than Lastpass (at least as it was when I last used it). Keepass has actual desktop clients, so you don't have to use a janky web-app.
>That will always be a risk, as long as you rely on cloud services.
True, but it seems that Bitwarden offers the option to self host which could help mitigate that. However as a paying customer you have more of a leg to stand on if the company does try and pull the rug from under you.
As for LastPass, I rarely used the "WebApp Vault" (Only to copy my passwords for native apps on my desktop) and did it all via the context menu / LastPass button injected into the User/Password fields in the browser.
Their iOS app was very handy (As my local supermarket self scan app keeps logging me out) as for most app's it would offer autocomplete. So I'm going to be looking more into the mobile intergration then the Desktop intergration (as its far easier for me to C+P between things on Desktop then it is for me on Mobile.)
I am going to give KeePass a try but I've not settled on which system I will actually switch to yet.
I should also note that the free bitwarden does support syncing across unlimited devices (and device types), and can be self-hosted if you like that kind of thing. The premium version unlocks additional features like 1GB of encrypted file storage, a built-in TOTP authenticator, and priority support - but I was using the free version for multiple years prior to paying and it was great.
To me, the unbeatable feature of Keepass is the fact that I'm not limited to user/password combination. I use it to store important notes and even files.
Bitwarden is awesome. I use the free version and it covers all that I need. All the clients and the server are open-source, you can self-host it for free, and there are even alternative server implementations like https://github.com/dani-garcia/bitwarden_rs
I've been using KeePassXC for a few years now. Before this, I was using LastPass and then before that, the original KeePass. Feature-wise, KeePassXC does a really good job replacing and going beyond LastPass.
It can have folders, it generates passwords, it can hold TOTP (2FA) tokens and it can even hold SSH keys acting as your SSH agent. Having your password safe be an SSH agent is a really nice feature which means less copying passwords around. The browser plug-ins have worked well for me as well.
I like that it can use any file sync tool for storing the key database - similar to why I like Joplin for note taking. I also like that there are many different clients for it since it is an open standard. To keep things secure you can use a password plus a key file. As long as you keep the keyfile only on the devices or on separate sync services, it raises the bar of security quite a lot.
There are KeePass clients on Andriod (Keepass2Android and KeePassDX) as well as iOS (Keepassium and another that I forgot the name of). All of the mobile clients support filling passwords. I have them all looking at the same file share and have not had any issues with corruption or file sync. I have it configured to immediately save all changes to disk and it writes and merges conflict files automatically as needed.
There are a few areas that it isn't as strong. First is sharing passwords - it has a feature for it but I haven't actually tried it out yet. Since you need to have the shared file ahead of time, you're really relying on your file sync provider to share that part of things. Second, the integration between programs works well but it isn't as seamless as a cloud service would be. For example, prompts will pop up in KeePassXC when there is a request to access a new password by a website. I believe this is probably more secure but it is an extra thing to come up when auto-filling passwords.
I have yet to try bitwarden but I would guess that sharing and lower-friction in web browsers would work better with it since those were the key benefits of LastPass when I'd used it.
At this moment in time, I'm not against paying for my password manager as it has been handy to me. However because I feel that LastPass has pulled their product from me with a demand to pay up to continue to use it, it feels different to me then it would be for me to opt into a paid account because I liked the service but the free account would probally work just fine for my use case (The current free tier of Bitwarden for example).
So at this point in time I would rather switch providers and give them the 30 bucks LastPass are now demanding for my use case out of the sheer principle of the matter.
So If I do Swap to KeePass or KeePassXC I will be donating that 30 bucks to them. If I swap to something like Bitwarden I'll pay them for what ever package is as close to that $30.
The whole distinction between mobile and computer is such a frustratingly artificial concept, a concept that has been imposed for monetization and control.
LastPass is making a huge change to their Free product and giving users only a month to adjust. This is irresponsible at best. I completely empathize with the notion that good software is worth paying for, but a widely-used password manager needs to provide more time for users to transition into another product if they choose not to convert to paid.
The emptor's counterpart, the venditor, also has a responsibility. I wouldn't dream of offering a free product that handles one of the most important aspects of consumer data security and then drastically altering it with only four weeks' notice. Many were introduced to LastPass, probably reluctantly, by more security-literate friends and family. These are the folks most likely to be squeezed in this very short transition period because they won't necessarily know how to navigate to a different product and would probably be more likely to do something risky in response.
Not sure i agree, they make it very easy to export your info/passwords and are just returning to a previous business model. As another user here commented, it only took 15 min to switch to another option.
> but a widely-used password manager needs to provide more time for users to transition into another product if they choose not to convert to paid
I'm sure some users will find an alternative solution and switch easily. I'm also sure that some users will not. My assumption - take it or leave it - is that the folks who would find this more inconvenient are those who were introduced to LastPass by more security-minded friend or family member. They aren't necessarily inclined or well-equipped to transition their devices over from one password manager to another. This may cause them to abandon password management altogether or do something dangerous like temporarily store their passwords in plain text while they find someone to help them transition to another product.
I think 3 months is much more reasonable, at least. Doing this in the middle of a pandemic is actively hostile. My parents are using lastpass. I'm going to pay for a license for them until the pandemic is over for simplicity.
As soon as I can physically visit them again I'm switching them over to something else in principle, and I'm changing to something else today (which includes cancelling my personal paid-for lastpass account).
During one of their previous price-hikes when the yearly membership cost doubled, I reached out to their support and asked if I could renew my membership before the price-hike took effect. They refused.
Just switched to Bitwarden. Took me ~15 minutes to get the browser extension + app installed and to complete the migration using the export/import features.
I've performed the switch as well, however, a couple of things to consider about Bitwarden:
- field detection is much poorer in Bitwarden (ie. it will fill both signup and login fields in some websites... including HN)
- Bitwarden timeout doesn't survive browser restarts (at least, this was the last time I've tried it), making it difficult to use for people with a complex password and frequent browser closing/opening
How does it do with sites that insist on using a 'password' type field for both username and password? This is my biggest pet peeve on the internet today!
I don't like using browser extensions for password managers (I read in the past these are usually the easier attacks, might not be true nowadays) and switched from LastPass to Bitwarden.
The feature I miss is that LastPass has a Mac MenuBar app which provided a global shortcut to search my wallet, for Bitwarden I always have to open the app.
Also, the iPhone app doesn't let you view attached images in the app, you have to first download them to the phone's storage.
Also bit wardens enterprise feature is very different than anyone else’s enterprise feature.
It’s in my opinion a bad system. The issue revolves around that you always have a personal account, that has work access. Well.... for enterprise, I want to be able to help user reset their password, override there to MFA, revoke access to a share, audit what shares they have access to.
I REALLY wanted to use Bitwarden company wide, but the enterprise product is just not there.
The concept is that you have your personal vault, and then you can also be a member of multiple organisations, each with a vault.
If you want, you can choose to disable the "personal ownership" option, so that employees lose their personal vault and can only use the organisation's vault. You can also select the "single organisation" option to prevent an employee from joining a second organisation.
Once you have done that, you can audit all of the shared "collections" in an organisation and revoke access to specific "collections" for specific employees.
And if you want enterprise-y control, then you can manage employee credentials using LDAP, etc.
It is a bit confusing to be fair, but I think you can do the things you mention?
Oof, this is a rough one! Id rather have a device number limit than a device type limit.
Main Takeaway:
"We’re making changes to how Free users access LastPass across device types. LastPass offers access across two device types – computers (including all browsers running on desktops and laptops) or mobile devices (including mobile phones, smart watches, and tablets). Starting March 16th, 2021, LastPass Free will only include access on unlimited devices of one type. "
"I'd rather have" == "this is what I need to stay within the limits of the free tier"
Lastpass reasons for doing this are perfectly clear. They want people to use and trust their platform, and there's no better way for doing that than allowing users to use the full version of their product. At the same time, they want revenue, and targeting the people that use Lastpass as an integral part of their workflow (e.g. myself) is a valid strategy.
I've used Lastpass for years. I was a premium user, but at some point the free tier started covering my use case, so I stopped paying. Now I'm probably back at the point where I'll start paying again. I could definitely live without mobile access, but it's a convenient thing to have and I can easily afford it. Maybe I'll look for an alternative too, but it has to be just as convenient.
I was previously a paying member but when they doubled their price, I realized the free tier worked for me and I move to it. Id gladly pay $15 a year for the service and not hassle with moving. But I might as well try out bitwarden for $10 now.
It would also be easier for me to recommend to less technical users like my family if I knew they could sync 1 mobile device and 1 computer. Its already hard enough to get any of them to use password managers to begin with.
Agreed, Syncthing has been rock solid no matter what I throw at it. 500gb of music files? source code directory with 100's of 1000's of files from npm_modules accidentally included? Photos? It just works. It also plays well with other sync providers (I sync a subset of dirs into iCloud files so phone/iPad can access things)
Those of you looking for an alternative, consider moving your data to a Keepass database. Its a more or less open file format, which a lot of different tools can read.
My goto tool currently is Keeweb - https://keeweb.info/. Its basically a SPA, can be used offline or online.
Keeweb + a google drive hosted keepass database file keeps my passwords available and synced across 5-6 different devices.
Never again on Keepass. The dollar savings is not worth the hassle of it.
You have to use a different client on every device because the official client is Windows only, and I’ve even experienced bugs a client I used that caused me to lose data entered into secure notes.
And while a single page app client is nice, it’s not good for password managers. 1Password integrates with the iOS password management API and browsers to fill in passwords and even credit card info, and I’m guessing most competitors like Bitwarden (open source just like Keepass!) do the same.
Saving ~$10-50 a year on something as useful and vital as a password manager in order to “roll your own” is such a bad tradeoff.
I switched off of Keepass when I almost accidentally lost data due to a client sync conflict. I had to go back to my Dropbox history and do a bunch of surgery to repair the damage. It’s just not worth it.
So you voluntarily prevent yourself from updating passwords when you’re on your phone or tablet just so that your password manager doesn’t lose data?
Isn’t that a ridiculous design oversight? To completely handicap any situation involving more than one computer? That’s exactly why I stopped using Keepass.
My use case is different. My all passwords are in Chrome. Simple. Keypass has some specific passwords like Chrome Sync Phrase, some zip file passwords, some other things. Plus initially I used to use keypass when i started using any password management instead of same password everywhere.
At that time, & still now, I use Dropbox to sync PC KP db with Dropbox. Then FolderSync to sync one way (read only) from Dropbox to Phone. If i need to add password, I wanted to make sure I can add only on PC. PC had the official Keypass, phones had the Offline Keypass App.
$10 now is nothing for me, but few years ago in India it is about 2 days salary of a manual laborour. About 5 meals. Or about 10 litres of Petrol.
I am always wary of anything online which has my passwords. The same reason Chrome does not have all my passwords, but still I trust Google more than any other relatively smaller software like Lastpass or bit warden or anything.
>Saving ~$10-50 a year on something as useful and vital as a password manager in order to “roll your own” is such a bad tradeoff.
This. I find it really strange that tech-savvy folks---who almost certainly have thousands of dollars worth of equipment---would cheap out on a password manager. You want a password manager that's secure, reliable, well-maintained, and usable. And doubly so if you want your less tech-savvy family to get the benefits and conveniences of using a password manager. Those things cost money. And $60/year (on the high end of things) is a bargain for what you're getting.
And doubly so if you want your less tech-savvy family to get the benefits and conveniences of using a password manager.
Definitely agree with this. I might consider setting up Keepass for myself (though I actually just pay for 1Password), but my lay friends would bounce off the setup and maintenance work of rolling your own Keepass setup immediately, and then I'd be on the hook to help them troubleshoot. I'd rather just point them at Bitwarden or 1Password. It works well enough and has good enough support that they get an operational password manager with minimal hassle and I don't have to spend time supporting it. Sure, you don't control their clouds, and 1Password isn't open source, but even so it's a dramatic improvement on a lay user's account security.
> All that hassle so that you can save $10 a year.
You are talking as if KeePass's only advantage is being free and it is only preferred by people who cheapen out. That's not true, just as it's not true for similar arguments for Android vs iOS, or Linux vs Windows, or Windows vs MacOS. People have different preferences and priorities.
Even if the pricing was reversed, I am sure many people would prefer KeePass, as I do, just as in general preferring paid desktop programs to free online services.
> something as useful and vital as a password manager
Indeed, even if one day I give in and start using those online services for everything, something as vital as a password manager would be one of the last places where I would cave in.
I understand that KeePass wasn't for you, and it probably isn't for heavy mobile users as it is primarily a desktop program (official KeePass client works on macOS and Linux by the way, though it feels more at home in Windows). I am sure you could find excellent mobile clients too (I wouldn't know as I never had the need), but I understand that lack of official clients and having to choose among non-official clients, some of whom might be buggy, can be frustrating. But it is perfect for my use case, and for my non-technical parents that I introduced it to, regardless of price.
Keepass is simply not the best solution anymore, even if you want to stay in the FOSS realm. It’s just clunky old software that makes it far too easy to accidentally lose data.
Second on this. I've been using it for almost six years now, never had any issues on my desktop or Android. Probably requires a bit more setup than LastPass, but it has been able to do anything I've ever wanted to do, including apps/plugins for Android, Chrome, Firefox, SmartFTP, and more.
Keeweb looks nice. On macOS I use KeePassXC[0] but I'm not a huge fan of it. Will give Keeweb a try.
On iOS I switched to KeePassium[1] for my database a while back and its very nice. It integrates with biometric unlock and iOS password management so I can get at easily from anywhere and it stays in sync with the stored database (via a self-hosted Seafile[2] instance) nicely.
The setup has served us (two users) well with few hiccups and good support for dealing with the rare conflicts that do arise.
LastPass costs $36 per year. Operating on the principle of being the customer and not the product, that seems very reasonable for a secure way to store and share the keys to my digital life.
That said, it does make it a little bit harder for me to onboard my friends and family when they ask. One of the selling points has always been "Yes, you can use it on your phone and laptop" and "no, it doesn't cost anything".
On the flip side they offered very little value in premium compared to free (for me) so there was no reason to upgrade even when I wanted to pay (I did pay for 2FA but TBH o could live without it)
LastPass is a commodity. There are many free or open-source alternatives that are as reliable and as secure as LastPass that provide similar functionality. It's hard to justify even the small price for a commodity service unless you provide the best possible solution, and sometimes even that is not enough.
I switched from LastPass premium that costed 15$ per year a few years ago to Bitwarden because LastPass could recognize password fields on all web pages, while free Bitwarden just works everywhere.
The functionality is a commodity but what about the UX? MP3 players were fairly common when the iPod came out but the iPod crushed all the competition? Why because the UX was simply better.
Without a doubt the password manager with the best UX is 1Password. Last year ago I got my tech-averse partner to set it up on her phone, the entire process took about 10 minutes and then it was done. She's never asked for me help or support, once she got things working its simply continued to work.
I've since setup it up across my family and my pre-teen child is also using it without a hitch.
From a holistic perspective I love that I can manage multiple vaults. Everyone has a private personal vault that is only available to them and we have a bunch of shared vaults for things like xbox and netflix passwords.
I've never used BitWarden so I cant comment on the UX but $60 a year for 1password is well worth it. I can rest easy knowing that everyone in my family has good password hygiene.
I was a paid Lastpass user who switched to Bitwarden a few years back because of the UX/functionality issues Lastpass had been developing. I've heard 1password has better UX; I'd describe Bitwarden's UX as similar to the Lastpass of 5-7 years ago.
I transitioned to 1Password after many years of LastPass and have been quite pleased.
I continue to harbor some concerns about the emergency workflows (what happens in case of death or disablement) but otherwise it's just been solid. LastPass felt, on the other hand, like it was increasingly neglected.
They had self hosted sync with the old vault format. They removed it when they switched to the new vault format. Dropbox always worked. Now they push their own service.
No, it didn't. I don't remember the details, but the local sync (starting a sync server on the phone) did not work for me with a normal home network, and Dropbox didn't work across all devices, either.
> Without a doubt the password manager with the best UX is 1Password.
I would agree for the macOS and iOS versions but the Windows version could get some polish. The default title and menu bars still hang around, the font choice isn’t that great, and all in all it feels less nice to use.
>Without a doubt the password manager with the best UX is 1Password
My experience is about 1 year old, but I have to disagree, as a paid 1Password user, my browser plugins and mobile client would fail to fill in the forms I used at least 50% of the time. That's horrible UX, but I agree, their UI looks nice.
I've been debating making this switch myself. How time consuming was the transition? Did you have to do much manual data entry or does bitwarden have the ability to reliably import lastpass data?
Bitwarden is more reliable at importing data exported from Lastpass than Lastpass is at exporting your data. Export bugs happen, but their forum and /r/lastpass are always quick to come up with workarounds for Lastpass bugs.
Shared passwords aren't included in the Lastpass export, at least at the time I last exported from Lastpass.
The only functionality I do miss from Lastpass is the option to generate the short pronounceable strings I use to create usernames, like the one I'm using now.
The most annoying thing for me is that Bitwarden doesn't have support for all of the extra "credential types" that LastPass has. They are still imported, but everything that isn't supported is imported as a secure note.
So far the only issues I have had logging in anywhere has been logging into my firefox account (in a new browser), and home assistant.
I used to subscribe, then the service was acquired and the price doubled so I stopped subscribing and relied on the free tier. With this announcement I think it's time to move on (probably to Bitwarden)
I kinda feel like the price point for these things is set wrong, though. What you want is a higher price point which gets you /everything/. I pay $1200 per year for bandwidth. If I needed to pay a couple hundred bucks more for access to everything (online newspapers, LastPass, online office suites, etc.), I'd gladly do so.
LastPass should have 250 million customers, not 25 million, each paying $3.60 each, not $36. Most should be inactive, as part of some kind of subscription bundle.
Kinda like a more democratic, decentralized version of Prime.
From posts here, though, Bitwarden seems more reasonable. I trust open source more, and it's cheaper.
It’s ridiculously expensive. I get Office 365 with 1TB of storage for €6 per month. Office is just as secure as lastpass. I bought Enpass(wouldn’t recommend as they moved to a subscription model) and store everything on OneDrive. Paying $3 per month to store tiny text files is crazy.
I often see comments like this one that misunderstand value for how something is achieved.
Value is decided by the market according to the utility of the service. I happily pay $22 per year for Pinboard to keep a few bookmarks with tags. That's also storing "tiny text files" but I could not care less. I could even implement something similar myself. And yet, I find the value it provides worth paying.
Another, more extreme example. I am part of a $5000 business program. Last week, I got a single piece of advice that I consider already paid for the entire program. The delivery was 20 minutes long. It was not even something original invented by the lecturer, but it can be found in some books. And again, I don't care. The value is in the impact, not in how the advice that was discovered or delivered.
Conglomerates that do B2C for money will always beat upstarts as their customer unit average cost will be lower and per unit attributable revenue will be higher.
If the only thing that a customer cares about is paying the minimum amount, the customer should not be surprised that their choices would be limited to conglomerates.
Independent restaurants are a lot more expensive than national chains and make a lot less money than the national chains. If one's only goal is to feed oneself in a restaurant, one is better off going to chain one.
Fine but that’s not the parent’s point. You shouldn’t buy from local stores, local restaurants, or small shops because of some notion that you’re sticking it to large companies. You do when, for you, their products and services they offer have better value for you.
If you choose a worse or more expensive product because it’s from a small business then you’re only making yourself worse off.
> Fine but that’s not the parent’s point. You shouldn’t buy from local stores, local restaurants, or small shops because of some notion that you’re sticking it to large companies. You do when, for you, their products and services they offer have better value for you.
That's not correct: the part of the value that you get from buying from local small businesses rather than conglomerates is that you are not buying from a conglomerate, even if the local product could be considered inferior by some measure.
That's true for people who try to politicize every aspect of their lives, but this is a toxic attitude and, as the grandparent post said, you are only hurting yourself.
> misunderstand value for how something is achieved.
I find this line of reasoning offensive as it assumes that people who genuinely disagree with me don’t understand.
I think it’s more likely that people understand and genuinely disagree. It’s dismissive to just not respond to someone’s values and rationing and I think leads to less discussion and thus more disagreement.
It’s very likely that people place different values on things and I think to have conversation we have to get to common ground and then build from there. If different people miss the meat of an argument then I think it’s not as interesting or useful.
I was a happy user of that workflow until I started working for an organization that blocked Dropbox but not any of the browser plugin based password managers.
Also while free, arguably the UX is not very good especially on mobile, unless Keepass integrates the way Lastpass, 1Password, et al do. I cannot imagine convincing any of my non-tech friends to go this route.
Interestingly this is basically how 1Password did password sync for years - not a Keepass database, but a 1Password folder structure stored within Dropbox saving a bunch of little text files. They added other synced storage options over time before turning up their own cloud service, but third party sync was where they started.
I mean the value prop is the software functionality, not the storage. You think lastpass/1password are funding their development with a markup on storage?
I can get the argument that it’s not worth $36 but not because of storage costs.
I agree with other comments that in the current market, Lastpass is not worth it at $36/y. The way they increased the price is arguably more annoying than the price tag.
I happily paid for Lastpass at $12/y. Logmein raised price and I switched to free. Logmein limited free capabilities and I will switch to Bitwarden or 1Password and pay them. I'm not staying with Lastpass to get the rug pulled out under me the third time.
I switched to Bitwarden in early 2019. The migration was really easy, and I was surprised to find that it was accurate, too. Bitwarden has its flaws, but I'm happy with it.
It was definitely starting to feel a little pricey for how terrible their UI is and how little interest they seemed to have in fixing it. What really got me to switch to Bitwarden though was how it started "recommending" that I change my master password with a modal popup every single time I unlocked my account.
Bitwarden is a F/OSS software that you can install its server on premise [1]. I hope it to be lighter, though (its minimal memory requirement is quite large).
either Keepass2Android or KeepassDX. They both have virtual keyboard support[1] and at least one of them has android auto-fill support.
[1] to use it you have to open/unlock the database, select the entry (although I think it's also possible to associate to android package ids so you don't have to do this), switch back to the app, change your keyboard to the keepass keyboard which will have buttons for entering user and password.
I'm using Keepass2Android Offline; it supports the auto-fill service that was introduced in Android 8, so it shows up anywhere a password manager is supposed to show up and yes, works with Firefox for Android.
The only problem I had with BitWarden was you cannot add/update entries on mobile when you're offline. This might not be a big issue for many, but it was a deal-breaker for me. I'm now rocking a local KeepassXC (PC) + Keepass2Android + Syncthing setup that syncs when I'm on my home network.
Using it for about the same time. On mobile (Android), deskop Linux in GUI, on some servers to hold the ansible-vault- and superuser passwords and in my browser.
Migrated from keepass and seahorse. Migrating did require some time and effort, mostly because seahorse had no proper export function.
I still need to dive into what features premium offers over free, I'll gladly pay, just never had the need for that.
The last bit of motivation I needed to finally make a switch! I know there are a lot of threads about this, but what do people recommend? Ease of use/transition is key or I won't be able to convince my partner to switch!
I've been on 1Password since 2007. Unfortunately, software quality seems to have taken a nosedive since version 7 came out (disregarding the subscription issue). Random beachballs and slowdowns, annoying 2FA and duplicate password warnings, and decoupling of stored files from login entries.
I have been considering a replacement but haven't found anything up to the ease of use and Mac/iOS integration of 1Password yet.
Same boat here. 1Password is now the slowest piece of software I use on a daily basis. 15-30 seconds to get a password out of 1Password mini, laggy and unresponsive keyboard navigation, TouchID prompts that stack under other modals or windows so they don't work, random beachballs, ... the list goes on.
1Password browser and Mac app work for me without the issues you mention, paying user since version 5. I'm on a late 2013 MacBook with Catalina. I had the beachball issue in Safari but it went way after I restarted once.
I tried LastPass but on the first day it didn't save a password I generated like 5 seconds earlier, and I stopped trying it immediately.
Yup. Since 7.7 my 1Password looks like this (https://imgur.com/a/Zz4WSdx) on my external screen, with the scaling of the background inexplicably broken. I also see other graphical glitches here and there. Meanwhile 1Password 7 for Windows every few months forgets that I registered it and I have to go find the license file (within 1Password!) again.
The paternalistic Watchtower "feature" is a whole other set of annoyances I wish I could disable.
I dont like the new safari web extension that adds little in page pop-ups everywhere. When I enter my master password, how can I be sure that the pop-ups are coming from the 1-password web extension and not from the website or another extension? Is it sharing the DOM with the website? If not, how are they separated? I realise I don’t understand how web extensions work but even so I don’t see why these pop-ups couldn’t easily be imitated by the site I’m on and I feel that it’s just asking for trouble doing stuff like that. After a bit of googling I realised that its possible to turn off, so I have.
1password has been feature complete for years now, I think they are changing things for no reason at this point. Just charge me for an update when operating system upgrades break the software. Sounds harsh I know, but TBH I wouldn’t mind if apple added family sharing to passwords and finally finished sherlocking them.
Why would you type a 90 character password instead of copy / paste or have the manager fill it in?
Also why 90 characters when 2FA would be the safer option? Or half that is already infeasibly long to brute force?
Also what do you mean 'reading the password', like via a screen reader? I mean that would be pretty bad for accessibility, but if you mean displaying the password, my version has buttons for it (regular inline, and a popup with the password pasted large on the screen).
This is the password for the password manager (e.g. 1Password/ lastpass master password). The password to rule them all. It should be extra secure. I also have 2FA, but you must have heard of defense in depth.
Anyway, I want to be able to see the password and check for typos before entering it to unlock the vault. I don't want to retype the whole password in when I only mistyped 1 character.
When I say read, I don't mean screen reader. I mean read with my eyes, I didn't think this would be a sticking point.
I choose to have the highest level of security I can afford, of course there are diminishing returns with each layer of security. Im happy to see evidence that a long password is only secure "in theory", until then I will keep my strategy. I can type 100WPM and this password is based off ~uncommon words, so I'm not uncomfortable: I didn't complain about entering, I claimed the issue is 1 wrong character requiring typing the whole thing password. It only takes a few seconds, but it is frustrating to type the whole thing again (regardless of length).
Well, considering the LastPass master password is stored as a 256bit string on the servers, your 90 character master password has 720 bits making it considerably more its that make up the hash thats stored on the servers! 1 ASCII character is 8 bits!
Price aside, last I checked LastPass was terrible software compared to 1Password.
I had all kinds of syncing problems with the browser extension. And LastPass had a huge breach in the past, which its competitors didn’t. I don’t trust that it’s quality software - especially because it doesn’t “look and feel” like quality software.
Plus, they’re owned by LogMeIn, which is basically a crappy software conglomerate that includes GoToMeeting, and is owned by a private equity firm.
My experience was was ~2017 as an admin for their enterprise offering, so take that with a grain of salt. But my point is: compare all the options. Competitors like 1Password, Dashlane, and Bitwarden, and probably many others are worth looking into, and are almost certainly better than LastPass.
Those issues were ironed out years ago, at least in my case, and they were very very short-lived issues, though perhaps I was lucky. 2FA/Yubico support is nice as well. My main gripes are the lack of subdomain support e.g. if you have multiple subdomains, LP will offer ALL passwords for that domain and you have to scroll through the list to find the right one. #2: when you want to copy a password from one of the drop-down menus, sometimes "Copy Password" is above "Copy Username" and other times it's reversed, adding some extra cognitive load and just annoying due to lack of consistency.
I completely agree–LastPass is absolute garbage compared to alternatives. Genuinely one of my least favorite pieces of software I've ever had to use with any regularity, and my threshold for frustration is higher than most.
Lastpass is very popular but has had a very unfortunate security track record, with several security incidents that make one worry about their whole approach to security. Information on these is widely available and IMHO, the details would've sunk a less successful product. May be worth reviewing those if you're considering it, or if this change in the free service is making you reconsider using it.
At the same time, it's probably true that for many users, Lastpass is better than no password manager at all, with one reused password on a postit.
Free and open-source, keep control in your own hands, forever. Encryption with gpg, sync with git. Compatible with pass, which means better support and easy migration.
I'm a happy `pass` user and I'm glad I found your work!, My only complaint with `pass` was how slow it is, and `prs` is pretty fast and completely compatible with `pass` plus some extra useful additions which is great!, I hope that the `otp` subcommand support is on your road-map. Cheers!
The basics are similar but it has many annoyances fixed, has a nice and quick interactive interface that doesn't get in your way and it is quite fast.
It also provides features like syncing with multiple machines, multiple (gpg) recipients, aliases, property selection, Windows support and more. And I might add gpg alternatives such as age soon. See the README for a better overview.
You might like to give it a try. It automatically uses your pass store.
1. No inbuilt syncs. Dealing with sync conflicts manually eventually gets frustrating.
2. No multiple URL support. I had to have three entries for roll20 to support their app.roll20.net, roll20.net and forum domains. These duplicated entries also make rotation a pain and reduces the value of duplicate password tests when migrating to a password manager approach initially.
3. Poor Android apps. Apps don't support auto fill, have a UI from the gingerbread era, don't sync well even given the above caveats, and the android file system permission tightening has made using a seperate unrelated app to do the sync more painful.
4. Lack of a standard for identifying apps. Do they use the URL field and put the store ID in there? Do they use a custom field to allow having app + website login use the same entry? Does your next mobile app use the same field or even support that field?
Tell you what, I’ll give you my moms phone number and you have her set up keypass remotely with only quick basic instructions. No? Because she was able to set up and run Lastpass fine.
And now she'll have to export and migrate away from Lastpass. So the complexity was basically tail-loaded.
One of the major advantages of an app like Keepass{whatever} is that once it's set up it keeps working without subscription or keeping an eye on your inbox for changes to the Terms of Use.
Can you export the data from keychain? I am a macos/ios user, but at one point i will probably move to something new or better. That's why im using lastpass (considering 1password or bitwarden now).
Except for those times you have to use a Windows computer. Or have to share those passwords across multiple devices that don't belong to the same person.
I used Keychain for a long time. A dedicated password manager is a vast improvement.
My team has been using Passbolt for a few years. Not amazing, not terrible, does all the things you'd expect. Hard cost $60/yr. Soft cost maybe $1000/yr
Good to hear, I want to make the jump myself some day. At the moment I have a personal (paid) LastPass merged with my companies enterprise Lastpass and for sanity sake I get both in one UI with Youbikey support.
It's probably tough to find a thorough review where someone put basically all their passwords in different password management tools and lived with them for long enough to compare them. Then again, people have undertaken more arduous tasks before.
For a while, I had the horrible practice of using the same username and very simple password everywhere. Eventually my "one true password" became slightly more complex, but I still had some bad habits. I eventually started letting Chrome save all my passwords except for, of course, my Google one.
I switched to LastPass (free) for a while. (My memory of this is a bit fuzzy.) At some point I wanted to switch to something less, eh... corporate? So I got BitWarden. I really like the password generator, and use it exclusively now. (There was a web site I used to use for this, but of course this is much more convenient.)
It was a bit rocky in the earlier days. Integration with the browser on Android could sometimes be a little shaky. It's still not perfect, but I don't have good comparisons there. I use Firefox on Android, Windows and Linux. It works really well on the desktop and mostly really well on Android, though with the browser it's unreliable if you rely on the Android app, so I install the Firefox Add-On for BitWarden, and that works reliably.
My spouse set up her own account, and we share some of our important passwords via a free organization. This is a great feature and gives us both some peace of mind if we were ever required to get into each other's accounts. We also paid the $10/year so she could see reports on her passwords, and get rid of breached, insecure and duplicate passwords. She has adapted readily to using the password manager though she mostly just uses it on the computer, not on the phone.
Overall we are very happy with it and I believe it's an excellent option. I cannot, however, compare it to 1Password.
I think Bitwarden's UX is pretty poor. A few examples off the top of my head:
- 1Password's TOTP support is much better. 1Password autofills the code and the password, Bitwarden only copies the code. 1Password will scan pages for QR codes.
> Rotating your account’s encryption key will render an Encrypted Export impossible to decrypt. If you rotate your account encryption key, replace the old backup with one that uses the new encryption key.
All password managers have issues but as a user of 1Password I have a lot of gripes with the product:
- Fails to fill out passwords around 2% of the time (Firefox account for example)
- Sometimes I mash the "CMD+/" shortcut and nothing happens. It's very unstable.
- Password generator is rigid. I have to edit the generated password about 90% of the time to add capital letters, numbers etc. I made a comment a while back on how we should be using HTML data attrs on the password field to hint how a password should look for password generators. Perfect password every time.
- Can't remove a single item from the trash. It's empty all or nothing.
- The shift to the web. Introduction of Keepass X extension whilst supporting the legacy. No feature parity between them. It's a bit of a mess to be honest.
Unless you have strong opinions about either one's UX, the most significant difference that matters to most users between Bitwarden and 1Password is that Bitwarden has a free plan and 1Password doesn't. Sometimes the "free" price tag is the difference between being able to convince someone (or yourself) to use a password manager and not being able to convince them.
About UX: between BitWarden and 1Password, I haven't seen any actually compelling discussion of the two password managers' UX that goes beyond just the typical way in which anonymous internet commenters enthusiastically assert preferences. They both do their jobs well enough the vast majority of the time. If you're genuinely in doubt about the UX, try Bitwarden for free and then try 1Password if you can't stand Bitwarden's UX.
Bitwarden doesn't have a Safari extension anymore since Safari's extensions are their own format... Safari since said they'd allow Chrome's extension api but I haven't heard if Bitwarden will start developing the Safari extension again.
That's not true. If you install it from the Mac App store, you do then get the extension and can activate it within Safari. I just switched from LastPass to Bitwarden and by all accounts it seems better than LastPass (for my basic usage) and the Safari extension is working fine for me.
Thanks for this, by the way. There was a time where the author had announced that he wouldn't be supporting the Safari extension for Catalina and beyond, and I never realized it came back. My work life is better now ;)
I did the same switch too a while back, Bitwarden has been really solid.
Interesting thing: I just now remembered to delete my LastPass account, but the delete account flow breaks totally. Just end up in a modal without any content in it, both Firefox and Chrome.
I'm wondering if they are even deliberately blocking deleting accounts for damage mitigation?
Honesty, I’ve been using LastPass for years and lately the chrome and Firefox extensions have been really buggy for me. Especially the chrome one. So I’m not sure it’s nefarious.
Huh, you reminded me that I used LastPass for a while and still had that account. I went and deleted any passwords still in there, and then had to do a web search and found https://lastpass.com/delete_account.php which worked for me. I just had to confirm 2 or 3 times and then it claims it deleted my account. This is in Firefox on Windows.
Same here, I'm happy to pay Bitwarden because they have a highly functional firefox addon. LastPass was garbage for like two years before I dropped them and that was itself years ago. It's been bad for a while.
I definitely don't trust LastPass with my information, definitely don't trust that it will actually work in my browser, and if you export your lastpass vault bitwarden imported it perfectly.
Take my advice at your own risk of course, I had both for a few months before I was confident it was safe to close my lastpass account.
Import features alone should work, but if you’re absolutely desperate you can roll your own import process with bitwarden-cli (it’s on github and various package managers).
I've tried really, _really_ hard to like Bitwarden. But I ran into 2 huge issues, that ended up being blockers for me:
1. Sharing is super-confusing. I was trying to organize things for my mom, as well for my wife and I. And you have to create these "organizations". And they makes things really confusing for a variety of reasons. They are a different pricing/SKU. And the UX around them is not good. It's not clear where things are being created a lot of the time, and who may or may not have access. It just was a really bad experience.
2. It was outrageously slow for me. I use Enpass otherwise, and it comes up right away, and searching is relatively fast. But Bitwarden always had this delay. And it was a huge pain point because it wasn't clear immediately if there were just no results, or if I just had to wait a few seconds. And sometimes things would pop up unexpectedly.
So I've continued using Enpass. It has _by far_ been my favorite password manager. It's no open source, but it uses Sqlite and SqlCipher under-the-hood, and I have full control over where it syncs my data to. Sharing is still a problem (mainly because of the architecture decisions - there is no "central server"), but everything else is so great that I'm fine making that tradeoff.
I'd be a bit afraid of this. Secure key derivation takes time. Remember, you want to be able to defend against people with a few GPUs or the ability to configure a cheap FPGA at least and the ability to build custom ASICs or employ a GPU botnet at worst. Taking ~5 seconds to derive your key securely on your phone is a near inevitability.
re:2 - interesting. I've used bitwarden regularly over the last year or so across windows and mac laptops and iOS devices. I can't recall ever having a notable delay. I wonder what this implies about configuration.
Having just set up a free organization the other day, I agree it was slightly confusing. Mostly because I was kind of hoping to combine costs for an organization with the per user $10/year plan. In the end, I set up a FREE organization for two people, and paid for the per-user upgrade for one of us, for now, to get the reports on bad passwords.
If you're trying to set it up for three users, you'd need to pay for a organization, which starts at $9/month. On the other hand, I believe you could set up two free organizations where you are a member in each, and you add your mom to one and your wife to the other.
I don't think it was a particularly difficult process, but I did it on my computer, and once it was all figured out, helped my spouse with the rest. I don't find the sharing process confusing. You click Share on a saved password, choose the organization, and then you choose the collection you put it in (which can simply be Default.)
I haven't found BitWarden to be slow, but my laptop is a Ryzen 7 4800H and my old phone was a Pixel 3, so neither are slouches. Not sure how many records I have but I'd estimate about 500.
Agreed on the sharing - I was trying to arrange a family plan for 5 people, and happy to pay $10*5 a year (coming from a shared lastpass instance), but have given up trying to figure out how sharing works. Ideally every person would have their own personal vault and there would be a shared vault for "family" accounts, that you don't explicitly have to switch to in order to use. We just share master passwords and manually sync things, but it seems like a missed opportunity to upsell individuals into family or small team plans with just a few new sharing features..
Honestly I pay for the premium even though I use absolutely none of their premium features. At €10/year, it's the cheapest subscription I've ever encountered, and I don't want to store OTP at the same place as my passwords to avoid single point of failure for my most important stuff.
I wonder if this was forced by the moves that Microsoft is making.
If you have a Microsoft authenticator app on your phone, you'll likely have noticed that they started offering regular password management through the same app to all users for free.
427 comments
[ 5.4 ms ] story [ 279 ms ] threadStill sad and I'll have to look at options again, it's been 5+ years since I looked.
Anyone enjoying bitwarden https://bitwarden.com/ ?
You can self host your bitwarden (though i dont). And you can, even with a free account, create a single "org" to share passwords with. In this case that org was my wife so now all our shared accounts reside in bitwarden and the password doesnt matter.
Ive even gotten to the point of using their passphrase generator for manual sign-ins like my work computers.
If you only use LastPass on 2 devices of the same type (on your desktop and your laptop or if you only use it on your Mobile and your Tablet) you will be fine to stay on Free, However if you use it on your Desktop and your Mobile (like me) you will need to swap password managers or pay up for the service.
Before LogMeIn brought them the service was free on "Computers" but you had to pay up for Mobile (Although you were able to access your vault via their website, the mobile app just made it easier).
Guess it's time for me to invest my time into actually settings up and exporting my passwords to something like KeePass (I've been meaning to do it ever since LogMeIn brought them, I was just far too lazy to do it until now).
$30~ for a year (the offer they included in the notice) aint that bad, but I just don't like having the rug pulled from under me and would rather support something like KeePass than support LastPass.
Maybe I will change my mind after I've had some time to digest the news and play with KeePass (and its alt's).
I started using Lastpass as well, but moved to Keepass as soon as they were eaten up by Logmein. I moved to Keepass and I keep the keyfile on OwnCloud. It works very well, and even better than Lastpass (at least as it was when I last used it). Keepass has actual desktop clients, so you don't have to use a janky web-app.
True, but it seems that Bitwarden offers the option to self host which could help mitigate that. However as a paying customer you have more of a leg to stand on if the company does try and pull the rug from under you.
As for LastPass, I rarely used the "WebApp Vault" (Only to copy my passwords for native apps on my desktop) and did it all via the context menu / LastPass button injected into the User/Password fields in the browser.
Their iOS app was very handy (As my local supermarket self scan app keeps logging me out) as for most app's it would offer autocomplete. So I'm going to be looking more into the mobile intergration then the Desktop intergration (as its far easier for me to C+P between things on Desktop then it is for me on Mobile.)
I am going to give KeePass a try but I've not settled on which system I will actually switch to yet.
> Starting March 16, 2021, LastPass Free will only include access on unlimited devices of one type.
It can have folders, it generates passwords, it can hold TOTP (2FA) tokens and it can even hold SSH keys acting as your SSH agent. Having your password safe be an SSH agent is a really nice feature which means less copying passwords around. The browser plug-ins have worked well for me as well.
I like that it can use any file sync tool for storing the key database - similar to why I like Joplin for note taking. I also like that there are many different clients for it since it is an open standard. To keep things secure you can use a password plus a key file. As long as you keep the keyfile only on the devices or on separate sync services, it raises the bar of security quite a lot.
There are KeePass clients on Andriod (Keepass2Android and KeePassDX) as well as iOS (Keepassium and another that I forgot the name of). All of the mobile clients support filling passwords. I have them all looking at the same file share and have not had any issues with corruption or file sync. I have it configured to immediately save all changes to disk and it writes and merges conflict files automatically as needed.
There are a few areas that it isn't as strong. First is sharing passwords - it has a feature for it but I haven't actually tried it out yet. Since you need to have the shared file ahead of time, you're really relying on your file sync provider to share that part of things. Second, the integration between programs works well but it isn't as seamless as a cloud service would be. For example, prompts will pop up in KeePassXC when there is a request to access a new password by a website. I believe this is probably more secure but it is an extra thing to come up when auto-filling passwords.
I have yet to try bitwarden but I would guess that sharing and lower-friction in web browsers would work better with it since those were the key benefits of LastPass when I'd used it.
curious what "support" means in this context, as keepass is free. do you donate or otherwise contribute to the project, or does support just mean use?
So at this point in time I would rather switch providers and give them the 30 bucks LastPass are now demanding for my use case out of the sheer principle of the matter.
So If I do Swap to KeePass or KeePassXC I will be donating that 30 bucks to them. If I swap to something like Bitwarden I'll pay them for what ever package is as close to that $30.
Caveat Liberum?
Not sure i agree, they make it very easy to export your info/passwords and are just returning to a previous business model. As another user here commented, it only took 15 min to switch to another option.
> but a widely-used password manager needs to provide more time for users to transition into another product if they choose not to convert to paid
curious how much time that would be
As soon as I can physically visit them again I'm switching them over to something else in principle, and I'm changing to something else today (which includes cancelling my personal paid-for lastpass account).
During one of their previous price-hikes when the yearly membership cost doubled, I reached out to their support and asked if I could renew my membership before the price-hike took effect. They refused.
Guess it's time to switch to bitwarden?
I can’t get off Lastpass because I have 100 paid users on Enterprise, but why on earth would I recommend my family use LP now?
When I read the title, I just assumed that they were limiting to one mobile device which seems more reasonable.
... My mom will be effected by this on Lastpass, she is hardly a power user.
This is a mistake Lastpass.
- field detection is much poorer in Bitwarden (ie. it will fill both signup and login fields in some websites... including HN)
- Bitwarden timeout doesn't survive browser restarts (at least, this was the last time I've tried it), making it difficult to use for people with a complex password and frequent browser closing/opening
How does it do with sites that insist on using a 'password' type field for both username and password? This is my biggest pet peeve on the internet today!
Firefox on the other hand used to want to save my username as ****ABC
The feature I miss is that LastPass has a Mac MenuBar app which provided a global shortcut to search my wallet, for Bitwarden I always have to open the app.
Also, the iPhone app doesn't let you view attached images in the app, you have to first download them to the phone's storage.
It’s in my opinion a bad system. The issue revolves around that you always have a personal account, that has work access. Well.... for enterprise, I want to be able to help user reset their password, override there to MFA, revoke access to a share, audit what shares they have access to.
I REALLY wanted to use Bitwarden company wide, but the enterprise product is just not there.
If you want, you can choose to disable the "personal ownership" option, so that employees lose their personal vault and can only use the organisation's vault. You can also select the "single organisation" option to prevent an employee from joining a second organisation.
Once you have done that, you can audit all of the shared "collections" in an organisation and revoke access to specific "collections" for specific employees.
And if you want enterprise-y control, then you can manage employee credentials using LDAP, etc.
It is a bit confusing to be fair, but I think you can do the things you mention?
Amazingly painless import of literally hundreds of accounts including my "Secure notes" and credit cards and such that I also had in Lastpass.
Works great on iOS, Firefox and native that I've tried so far.
Main Takeaway:
"We’re making changes to how Free users access LastPass across device types. LastPass offers access across two device types – computers (including all browsers running on desktops and laptops) or mobile devices (including mobile phones, smart watches, and tablets). Starting March 16th, 2021, LastPass Free will only include access on unlimited devices of one type. "
Lastpass reasons for doing this are perfectly clear. They want people to use and trust their platform, and there's no better way for doing that than allowing users to use the full version of their product. At the same time, they want revenue, and targeting the people that use Lastpass as an integral part of their workflow (e.g. myself) is a valid strategy.
I've used Lastpass for years. I was a premium user, but at some point the free tier started covering my use case, so I stopped paying. Now I'm probably back at the point where I'll start paying again. I could definitely live without mobile access, but it's a convenient thing to have and I can easily afford it. Maybe I'll look for an alternative too, but it has to be just as convenient.
It would also be easier for me to recommend to less technical users like my family if I knew they could sync 1 mobile device and 1 computer. Its already hard enough to get any of them to use password managers to begin with.
My goto tool currently is Keeweb - https://keeweb.info/. Its basically a SPA, can be used offline or online.
Keeweb + a google drive hosted keepass database file keeps my passwords available and synced across 5-6 different devices.
You have to use a different client on every device because the official client is Windows only, and I’ve even experienced bugs a client I used that caused me to lose data entered into secure notes.
And while a single page app client is nice, it’s not good for password managers. 1Password integrates with the iOS password management API and browsers to fill in passwords and even credit card info, and I’m guessing most competitors like Bitwarden (open source just like Keepass!) do the same.
Saving ~$10-50 a year on something as useful and vital as a password manager in order to “roll your own” is such a bad tradeoff.
I switched off of Keepass when I almost accidentally lost data due to a client sync conflict. I had to go back to my Dropbox history and do a bunch of surgery to repair the damage. It’s just not worth it.
Isn’t that a ridiculous design oversight? To completely handicap any situation involving more than one computer? That’s exactly why I stopped using Keepass.
All that hassle so that you can save $10 a year.
https://bitwarden.com/pricing/
At that time, & still now, I use Dropbox to sync PC KP db with Dropbox. Then FolderSync to sync one way (read only) from Dropbox to Phone. If i need to add password, I wanted to make sure I can add only on PC. PC had the official Keypass, phones had the Offline Keypass App.
$10 now is nothing for me, but few years ago in India it is about 2 days salary of a manual laborour. About 5 meals. Or about 10 litres of Petrol.
I am always wary of anything online which has my passwords. The same reason Chrome does not have all my passwords, but still I trust Google more than any other relatively smaller software like Lastpass or bit warden or anything.
This. I find it really strange that tech-savvy folks---who almost certainly have thousands of dollars worth of equipment---would cheap out on a password manager. You want a password manager that's secure, reliable, well-maintained, and usable. And doubly so if you want your less tech-savvy family to get the benefits and conveniences of using a password manager. Those things cost money. And $60/year (on the high end of things) is a bargain for what you're getting.
Definitely agree with this. I might consider setting up Keepass for myself (though I actually just pay for 1Password), but my lay friends would bounce off the setup and maintenance work of rolling your own Keepass setup immediately, and then I'd be on the hook to help them troubleshoot. I'd rather just point them at Bitwarden or 1Password. It works well enough and has good enough support that they get an operational password manager with minimal hassle and I don't have to spend time supporting it. Sure, you don't control their clouds, and 1Password isn't open source, but even so it's a dramatic improvement on a lay user's account security.
You are talking as if KeePass's only advantage is being free and it is only preferred by people who cheapen out. That's not true, just as it's not true for similar arguments for Android vs iOS, or Linux vs Windows, or Windows vs MacOS. People have different preferences and priorities.
Even if the pricing was reversed, I am sure many people would prefer KeePass, as I do, just as in general preferring paid desktop programs to free online services.
> something as useful and vital as a password manager
Indeed, even if one day I give in and start using those online services for everything, something as vital as a password manager would be one of the last places where I would cave in.
I understand that KeePass wasn't for you, and it probably isn't for heavy mobile users as it is primarily a desktop program (official KeePass client works on macOS and Linux by the way, though it feels more at home in Windows). I am sure you could find excellent mobile clients too (I wouldn't know as I never had the need), but I understand that lack of official clients and having to choose among non-official clients, some of whom might be buggy, can be frustrating. But it is perfect for my use case, and for my non-technical parents that I introduced it to, regardless of price.
Keepass is simply not the best solution anymore, even if you want to stay in the FOSS realm. It’s just clunky old software that makes it far too easy to accidentally lose data.
On iOS I switched to KeePassium[1] for my database a while back and its very nice. It integrates with biometric unlock and iOS password management so I can get at easily from anywhere and it stays in sync with the stored database (via a self-hosted Seafile[2] instance) nicely.
The setup has served us (two users) well with few hiccups and good support for dealing with the rare conflicts that do arise.
[0] https://keepassxc.org/ [1] https://keepassium.com/ [2] https://www.seafile.com/en/home/
https://support.logmeininc.com/lastpass/help/how-do-i-nbsp-e...
Importing to bitwarden:
https://bitwarden.com/help/article/import-data/
That said, it does make it a little bit harder for me to onboard my friends and family when they ask. One of the selling points has always been "Yes, you can use it on your phone and laptop" and "no, it doesn't cost anything".
I switched from LastPass premium that costed 15$ per year a few years ago to Bitwarden because LastPass could recognize password fields on all web pages, while free Bitwarden just works everywhere.
Without a doubt the password manager with the best UX is 1Password. Last year ago I got my tech-averse partner to set it up on her phone, the entire process took about 10 minutes and then it was done. She's never asked for me help or support, once she got things working its simply continued to work.
I've since setup it up across my family and my pre-teen child is also using it without a hitch.
From a holistic perspective I love that I can manage multiple vaults. Everyone has a private personal vault that is only available to them and we have a bunch of shared vaults for things like xbox and netflix passwords.
I've never used BitWarden so I cant comment on the UX but $60 a year for 1password is well worth it. I can rest easy knowing that everyone in my family has good password hygiene.
I continue to harbor some concerns about the emergency workflows (what happens in case of death or disablement) but otherwise it's just been solid. LastPass felt, on the other hand, like it was increasingly neglected.
I doubt that. Navigating the sync options and finding one that works with Android phone, iPad and Windows PC was impossible.
Throw in two vault formats (with implications for which sync option can work), and it's a mess.
That was the paid standalone version, not the subscription model (that was when I finally jumped ship).
I would pay more for greater simplicity.
No, it didn't. I don't remember the details, but the local sync (starting a sync server on the phone) did not work for me with a normal home network, and Dropbox didn't work across all devices, either.
I would agree for the macOS and iOS versions but the Windows version could get some polish. The default title and menu bars still hang around, the font choice isn’t that great, and all in all it feels less nice to use.
My experience is about 1 year old, but I have to disagree, as a paid 1Password user, my browser plugins and mobile client would fail to fill in the forms I used at least 50% of the time. That's horrible UX, but I agree, their UI looks nice.
At most I want a prompt for my unlock password when the password manager sees I’m on a site or in an app it has a password for.
We still externalize way too much orthogonal effort on users.
One of the reasons I like 1pwd is their cli tool. I can put such a call to it in a script, authenticate and stop giving a crap about 1pwd
https://bitwarden.com/help/article/import-from-lastpass/
Shared passwords aren't included in the Lastpass export, at least at the time I last exported from Lastpass.
The only functionality I do miss from Lastpass is the option to generate the short pronounceable strings I use to create usernames, like the one I'm using now.
There is a [KB article](https://bitwarden.com/help/article/import-from-lastpass/) about exporting your LastPass vault and then importing it into Bitwarden.
It only took a minute or 2.
The most annoying thing for me is that Bitwarden doesn't have support for all of the extra "credential types" that LastPass has. They are still imported, but everything that isn't supported is imported as a secure note.
So far the only issues I have had logging in anywhere has been logging into my firefox account (in a new browser), and home assistant.
I kinda feel like the price point for these things is set wrong, though. What you want is a higher price point which gets you /everything/. I pay $1200 per year for bandwidth. If I needed to pay a couple hundred bucks more for access to everything (online newspapers, LastPass, online office suites, etc.), I'd gladly do so.
LastPass should have 250 million customers, not 25 million, each paying $3.60 each, not $36. Most should be inactive, as part of some kind of subscription bundle.
Kinda like a more democratic, decentralized version of Prime.
From posts here, though, Bitwarden seems more reasonable. I trust open source more, and it's cheaper.
Value is decided by the market according to the utility of the service. I happily pay $22 per year for Pinboard to keep a few bookmarks with tags. That's also storing "tiny text files" but I could not care less. I could even implement something similar myself. And yet, I find the value it provides worth paying.
Another, more extreme example. I am part of a $5000 business program. Last week, I got a single piece of advice that I consider already paid for the entire program. The delivery was 20 minutes long. It was not even something original invented by the lecturer, but it can be found in some books. And again, I don't care. The value is in the impact, not in how the advice that was discovered or delivered.
https://www.theverge.com/2020/12/16/22178026/microsoft-authe...
Microsoft have launched a beta password manager
-------------------------------
Lastpass (€3 per month)
- Password Manager
- 1GB of encrypted file storage
-------------------------------
Office 365 (€6 per month)
- Beta Password Manager
- Office Suite
- 1 TB Storage
"I do not understand why the only companies that exist are Google, Apple and Microsoft? Where is the competition?"
If the only thing that a customer cares about is paying the minimum amount, the customer should not be surprised that their choices would be limited to conglomerates.
Independent restaurants are a lot more expensive than national chains and make a lot less money than the national chains. If one's only goal is to feed oneself in a restaurant, one is better off going to chain one.
If you choose a worse or more expensive product because it’s from a small business then you’re only making yourself worse off.
That's not correct: the part of the value that you get from buying from local small businesses rather than conglomerates is that you are not buying from a conglomerate, even if the local product could be considered inferior by some measure.
I find this line of reasoning offensive as it assumes that people who genuinely disagree with me don’t understand.
I think it’s more likely that people understand and genuinely disagree. It’s dismissive to just not respond to someone’s values and rationing and I think leads to less discussion and thus more disagreement.
It’s very likely that people place different values on things and I think to have conversation we have to get to common ground and then build from there. If different people miss the meat of an argument then I think it’s not as interesting or useful.
Also while free, arguably the UX is not very good especially on mobile, unless Keepass integrates the way Lastpass, 1Password, et al do. I cannot imagine convincing any of my non-tech friends to go this route.
I would've been happy to continue paying 12 USD / year for that service, but at triple the cost? I'm now on BitWarden.
That said, you're not really paying for the storage, you're paying for the apps and plugins.
I can get the argument that it’s not worth $36 but not because of storage costs.
I happily paid for Lastpass at $12/y. Logmein raised price and I switched to free. Logmein limited free capabilities and I will switch to Bitwarden or 1Password and pay them. I'm not staying with Lastpass to get the rug pulled out under me the third time.
Something to consider, however, is the alternatives. Bitwarden seems cheaper[0]. Anyone has a preference for either?
[0] https://bitwarden.com/pricing/
[1] https://bitwarden.com/help/article/install-on-premise/
[1] https://github.com/dani-garcia/bitwarden_rs
[1] to use it you have to open/unlock the database, select the entry (although I think it's also possible to associate to android package ids so you don't have to do this), switch back to the app, change your keyboard to the keepass keyboard which will have buttons for entering user and password.
On my mobile device (One Plus 3T) it's rather slow, but that might be due to the device age.
This move to limit to a device type is shitty marketing trying to convert more people to buy.
It will fail by angering existing free users and pushing them to alternatives, while also reducing new users signup.
This is a sad post-acquisition state for a product, trying to make the most possible money out of it instead of focusing on real value.
Migrated from keepass and seahorse. Migrating did require some time and effort, mostly because seahorse had no proper export function.
I still need to dive into what features premium offers over free, I'll gladly pay, just never had the need for that.
I have been considering a replacement but haven't found anything up to the ease of use and Mac/iOS integration of 1Password yet.
At least sync still works flawlessly?
I tried LastPass but on the first day it didn't save a password I generated like 5 seconds earlier, and I stopped trying it immediately.
The paternalistic Watchtower "feature" is a whole other set of annoyances I wish I could disable.
1password has been feature complete for years now, I think they are changing things for no reason at this point. Just charge me for an update when operating system upgrades break the software. Sounds harsh I know, but TBH I wouldn’t mind if apple added family sharing to passwords and finally finished sherlocking them.
This was a deal breaker for me when I have a ~90 character password (I often mistype one specific key everytime).
Bitwarden doesn't have this problem.
Also why 90 characters when 2FA would be the safer option? Or half that is already infeasibly long to brute force?
Also what do you mean 'reading the password', like via a screen reader? I mean that would be pretty bad for accessibility, but if you mean displaying the password, my version has buttons for it (regular inline, and a popup with the password pasted large on the screen).
I have so many questions.
This is the password for the password manager (e.g. 1Password/ lastpass master password). The password to rule them all. It should be extra secure. I also have 2FA, but you must have heard of defense in depth.
Anyway, I want to be able to see the password and check for typos before entering it to unlock the vault. I don't want to retype the whole password in when I only mistyped 1 character.
When I say read, I don't mean screen reader. I mean read with my eyes, I didn't think this would be a sticking point.
https://xkcd.com/936/
LastPass stores our master password hashes as a SHA-256 bit key.
All I was quipping at, was the fact that the password you enter in length is a whopping 720 bits!
I find it funny that this bit length gets reduced to a hash which is only 256 bits in length.
Your password has more entropy than the hash that gets produced from it.
I had all kinds of syncing problems with the browser extension. And LastPass had a huge breach in the past, which its competitors didn’t. I don’t trust that it’s quality software - especially because it doesn’t “look and feel” like quality software.
Plus, they’re owned by LogMeIn, which is basically a crappy software conglomerate that includes GoToMeeting, and is owned by a private equity firm.
My experience was was ~2017 as an admin for their enterprise offering, so take that with a grain of salt. But my point is: compare all the options. Competitors like 1Password, Dashlane, and Bitwarden, and probably many others are worth looking into, and are almost certainly better than LastPass.
LastPass was a mess, and I was a very happy new 1Password customer. LastPass customer service is some of the worst I ever experienced.
The mobile 1Password experience is excellent as well.
https://github.com/timvisee/prs
Free and open-source, keep control in your own hands, forever. Encryption with gpg, sync with git. Compatible with pass, which means better support and easy migration.
It also provides features like syncing with multiple machines, multiple (gpg) recipients, aliases, property selection, Windows support and more. And I might add gpg alternatives such as age soon. See the README for a better overview.
You might like to give it a try. It automatically uses your pass store.
http://www.lastpass.com/buy-premium?cp=LPP2021-DT-25CS
500
2. No multiple URL support. I had to have three entries for roll20 to support their app.roll20.net, roll20.net and forum domains. These duplicated entries also make rotation a pain and reduces the value of duplicate password tests when migrating to a password manager approach initially.
3. Poor Android apps. Apps don't support auto fill, have a UI from the gingerbread era, don't sync well even given the above caveats, and the android file system permission tightening has made using a seperate unrelated app to do the sync more painful.
4. Lack of a standard for identifying apps. Do they use the URL field and put the store ID in there? Do they use a custom field to allow having app + website login use the same entry? Does your next mobile app use the same field or even support that field?
One of the major advantages of an app like Keepass{whatever} is that once it's set up it keeps working without subscription or keeping an eye on your inbox for changes to the Terms of Use.
I used Keychain for a long time. A dedicated password manager is a vast improvement.
Very insecure, buts that’s my fault and a password manager would be a big step up.
For a while, I had the horrible practice of using the same username and very simple password everywhere. Eventually my "one true password" became slightly more complex, but I still had some bad habits. I eventually started letting Chrome save all my passwords except for, of course, my Google one.
I switched to LastPass (free) for a while. (My memory of this is a bit fuzzy.) At some point I wanted to switch to something less, eh... corporate? So I got BitWarden. I really like the password generator, and use it exclusively now. (There was a web site I used to use for this, but of course this is much more convenient.)
It was a bit rocky in the earlier days. Integration with the browser on Android could sometimes be a little shaky. It's still not perfect, but I don't have good comparisons there. I use Firefox on Android, Windows and Linux. It works really well on the desktop and mostly really well on Android, though with the browser it's unreliable if you rely on the Android app, so I install the Firefox Add-On for BitWarden, and that works reliably.
My spouse set up her own account, and we share some of our important passwords via a free organization. This is a great feature and gives us both some peace of mind if we were ever required to get into each other's accounts. We also paid the $10/year so she could see reports on her passwords, and get rid of breached, insecure and duplicate passwords. She has adapted readily to using the password manager though she mostly just uses it on the computer, not on the phone.
Overall we are very happy with it and I believe it's an excellent option. I cannot, however, compare it to 1Password.
- 1Password's TOTP support is much better. 1Password autofills the code and the password, Bitwarden only copies the code. 1Password will scan pages for QR codes.
- They finally implemented encrypted backups but they half-assed it. From https://bitwarden.com/help/article/encrypted-export/:
> Warning
> Rotating your account’s encryption key will render an Encrypted Export impossible to decrypt. If you rotate your account encryption key, replace the old backup with one that uses the new encryption key.
- https://news.ycombinator.com/item?id=25868856
That said, I'm a Bitwarden user because I don't it's that bad and I don't think 1Password is worth 3.6 times as much.
https://www.nytimes.com/wirecutter/reviews/best-password-man...
- Fails to fill out passwords around 2% of the time (Firefox account for example)
- Sometimes I mash the "CMD+/" shortcut and nothing happens. It's very unstable.
- Password generator is rigid. I have to edit the generated password about 90% of the time to add capital letters, numbers etc. I made a comment a while back on how we should be using HTML data attrs on the password field to hint how a password should look for password generators. Perfect password every time.
- Can't remove a single item from the trash. It's empty all or nothing.
- The shift to the web. Introduction of Keepass X extension whilst supporting the legacy. No feature parity between them. It's a bit of a mess to be honest.
Some systems are already using it -- e.g. I know that Apple's generate-password helper reads it, and I believe that 1Password also does.
About UX: between BitWarden and 1Password, I haven't seen any actually compelling discussion of the two password managers' UX that goes beyond just the typical way in which anonymous internet commenters enthusiastically assert preferences. They both do their jobs well enough the vast majority of the time. If you're genuinely in doubt about the UX, try Bitwarden for free and then try 1Password if you can't stand Bitwarden's UX.
Interesting thing: I just now remembered to delete my LastPass account, but the delete account flow breaks totally. Just end up in a modal without any content in it, both Firefox and Chrome.
I'm wondering if they are even deliberately blocking deleting accounts for damage mitigation?
I definitely don't trust LastPass with my information, definitely don't trust that it will actually work in my browser, and if you export your lastpass vault bitwarden imported it perfectly.
Take my advice at your own risk of course, I had both for a few months before I was confident it was safe to close my lastpass account.
I think the issue before was w/ multi-line nodes and special characters.
For reference, I imported the data by pasting in the lastpass export rather than using the .csv import.
Good Luck!
1. Sharing is super-confusing. I was trying to organize things for my mom, as well for my wife and I. And you have to create these "organizations". And they makes things really confusing for a variety of reasons. They are a different pricing/SKU. And the UX around them is not good. It's not clear where things are being created a lot of the time, and who may or may not have access. It just was a really bad experience.
2. It was outrageously slow for me. I use Enpass otherwise, and it comes up right away, and searching is relatively fast. But Bitwarden always had this delay. And it was a huge pain point because it wasn't clear immediately if there were just no results, or if I just had to wait a few seconds. And sometimes things would pop up unexpectedly.
So I've continued using Enpass. It has _by far_ been my favorite password manager. It's no open source, but it uses Sqlite and SqlCipher under-the-hood, and I have full control over where it syncs my data to. Sharing is still a problem (mainly because of the architecture decisions - there is no "central server"), but everything else is so great that I'm fine making that tradeoff.
I'd be a bit afraid of this. Secure key derivation takes time. Remember, you want to be able to defend against people with a few GPUs or the ability to configure a cheap FPGA at least and the ability to build custom ASICs or employ a GPU botnet at worst. Taking ~5 seconds to derive your key securely on your phone is a near inevitability.
If you're trying to set it up for three users, you'd need to pay for a organization, which starts at $9/month. On the other hand, I believe you could set up two free organizations where you are a member in each, and you add your mom to one and your wife to the other.
https://bitwarden.com/help/article/getting-started-organizat...
https://bitwarden.com/pricing/business/
I don't think it was a particularly difficult process, but I did it on my computer, and once it was all figured out, helped my spouse with the rest. I don't find the sharing process confusing. You click Share on a saved password, choose the organization, and then you choose the collection you put it in (which can simply be Default.)
I haven't found BitWarden to be slow, but my laptop is a Ryzen 7 4800H and my old phone was a Pixel 3, so neither are slouches. Not sure how many records I have but I'd estimate about 500.
If you have a Microsoft authenticator app on your phone, you'll likely have noticed that they started offering regular password management through the same app to all users for free.