Lastpass has been going downhill with every acquisition and had gotten to the point where autofill failed on the majority of sites and the "copy password" menu item disappeared, bringing clicks-to-login from 1 to ~10.
A few weeks ago I saw bitwarden finish their third party security audit and took the opportunity to jump. Couldn't be happier. Autofill fails less, the "copy password" menu works, the mobile experience isn't intentionally broken to sell an app, and export->import went without a hitch. Better, actually: it is the first time I have done an export/import and had the resulting data immediately work better in the second app. There's also the hope-springs-eternal factor of bitwarden giving me the option to host the sensitive stuff myself once I get off my butt and set up that server I've been meaning to for a while now.
If you're thinking about lastpass, save yourself the trouble and try bitwarden first. Or something else, but bitwarden has been good to me and lastpass, well, hasn't, to put it politely :)
LastPass is one of my least liked most used tools. Everything about the implentation feels second rate; slow, unreliable login capture, unreliable form fill, occasional inability to edit records, buried password copy, clunky UI, inappropriate modal nagging in browser and app... Most times I use it I am cursing it.
I tried to switch to pass, and I'm not sure if it was something to do with how I imported but it didn't list my passwords and the browser plugin was clunky and didn't work. Anyone had success with pass/gopass.
Bitwarden seems like a happy Medium, I'd rather not do my password ops. The pricing seems fair (and rather optional). I'll try it, thanks.
It is puzzling. My feeling is that for quite some time they had a lead on features (cross-platform, browser overlay, secret sharing) - particularly the combination of features whereas competitors always seemed to have a subset. That's what reluctantly kept me with them. The software quality does just seem quite bad though.
Check out Keepass! Rather than syncing directly into a Cloud, it allows you to store a database file into any location. It supports MFA (e.g. by combining a password with a secret file, or a Yubikey). And everything is open-source.
I like the model a lot, because it solves the "database ownership" issue, where your Password provider (be it LastPass, 1Password, etc) becomes in itself a weak link.
I used to use KeePass but the lack of a proper crossplatform UI eventually broke it for me; KeePassX on linux looked and performed terribly, the Android app was just bad, etc etc etc.
I switched to 1password which - at least at the time - offered a web-based fallback hosted from your own dropbox. Plus at the time you owned the data and were responsible for storing and syncing it. Dropbox support came out of the box but if you want you can use a local file.
Yeah you're right, I believe it's based on .NET so on Linux you'll have to use Mono. For the plugin ecosystem, that's suboptimal because you'll have to rebuild a lot of plugins from scratch.
I used to be a 1password user, but they were pushing their premium, cloud-based offering a lot and lacked Yubikey support so I switched away.
I'm in the same boat. The user experience on it is terrible now.
The worse thing that happens to me is if I generate a password, and then Lastpass doesn't save it! It feels like a 50% shot it will actually save the generated password.
I have nearly 1000 passwords stored in it now, so it's going to be a huge pain to migrate.
This is by far the worst. I have LP set up with a shortcut + fingerprint tap on my MBP, which works great until I'm generating a password, which never gets saved. I have to remember to get my vault page open ready to fill in before I generate the password, because if I generate one from the toolbar dropdown I'll never see it again. Ugh.
LastPass Mobile UI seems to be intentionally crippled ( https://vgy.me/9r29bm.jpg ) I assume because they want you to download the app, pushing you to purchase their license.
If you load the same site using "load desktop site" the UI gets fixed.
Bitwarden is best. I hope they will not get bankrupt from free users. Its funny it is cheapes but also works the best out off all managers i tried. Dashlane is good but its so much more expensive. Bitwarden will slowly kill most of the managers if they keep up the great work.
I will add this to my password manager binge (because I know how to party). I did find the NPM build a bit frightening though - module 956/1xxx built...
Also that site looks like it should be selling something but I see no money hole - should I be worried?
We have a tendency to compare opaque with transparent and balk at what we find, but I question what you would feel if you could see through the opaque.
That is true, but at least they have code review and multiple people ;) I'm just estimating from my experience that after a certain point, most companies start writing automated tests.
And if you look at their jobs page, one of the job description points is "Create unit tests for existing code to run faster and more reliably.": https://1password.com/jobs/droid-builder/
They might even have a few QA people AFAIK!
I understand why the single founder / engineer of bitwarden doesn't have tests. When you're a startup not writing tests can speed you up significantly. But after a certain point they are going to need automated testing, especially for something as vital as this.
For me, the lack of open source in 1p has been a sticking point, and I was planning to migrate after the audit. But seeing no tests, 1p documenting their security model and bitwarden not being good enough compared to 1p in UI has me sticking to 1p for now. I have high hopes that bitwarden will get to that maturity point one day.
I found the same thing with their client apps, should have checked core to see if there weren't any there as well.
I switched over about a week ago and find it pretty solid, but it's missing alot of the quality of life features that last pass had. You can't just hit command + c whilst on a entry and have it copy the password, they haven't implemented the new ios 12 features that make password managers much better on ios.
I'm running them both right now as I'm not fully committed to the switch over, but I'll see how the features get added over time.
I moved from LastPass to 1Password recently. Had been using LastPass for several years, but filling failures, the lack of copy password in FF (and no binary workaround for Linux), and generally unhelpful support when I contacted them prompted me to move.
Very happy with 1PasswordX (the browser-only version) - filling is much better, copy is supported out of the box, support have been very helpful when I've reached out. Much better customer experience.
I was a 1Password fan for many years, until the big push to go subscription. For now I'm just using Apple's keychain until I decide what tool to use next. If you're in Apple's ecosystem, keychain actually works pretty well.
You can still purchase a standalone license, even for v7. Sure they want you to rent access to your data, but that's not the only path. I also recently taught KeePassXC to read the 1P on-disk vault format, so you can continue to use 1P even in Linux, and even if AgileBits goes under.
I have been using Pass [0] with passff [1] and been pretty happy about it. Simple and offline password management where passwords live in gpg encrypted files. Additional features I like are tracking changes with git, bash completion and copying passwords to clipboard for few seconds temporarily, and a few very useful extensions.
Pass is awesome. I use it in combination with a YubiKey to store the pgp key. Because every password is stored in an independent encrypted file and every decryption needs a press on the YubiKey even a stolen database and keylogger does not provide access to all passwords.
I use pass with keyboard Maestro on the mac it just gets a autofill input for the password I want, them opens a terminal and asks for the master password if needed and puts in the clipboard. Very friendly way to use it.
Yep, I use KeePass synced over my selfhosted nginx server. But you can use Dropbox/Google Drive/etc. just as easily.
I would like to also recommend the Firefox extension 'Kee' for autofill. On Android there is the 'Keepass2Android' app. Both are open source and work well.
I also recommend the KeePass plugin 'Yet Another Favicon Downloader'. It downloads favicons from websites for your password entries.
Also 'Keebuntu' is a plugin that makes 'minimize to tray icon' work for me on Linux.
I've thought about setting up a personal NAS for this purpose.
But I'm concerned about having a single point of failure/loss in the event of a house fire or burglary.
Any chance you've addressed this risk in your implementation?
I'm also a happy Bitwarden customer. I especially like that it is all Free Software (combination of GPL 3 and AGPL across various parts), which to me is important for security and privacy related software. I've also had good experiences with Bitwarden support from Kyle, the lead developer and founder.
I tried that on Win10, and it didn't work for me. It was the last straw. Honestly, why on earth do they need it anyway? HTML5 has had a Clipboard API for a while now.
I've used both extensively and Bitwarden is just a dramatically higher-quality app it's not even funny.
I recall that the initial release of the Web Extension support was a bit threadbare, and/or that they had to change the extension ID or something of that sort, but it's also possible it was left out for existing design reasons/as a cudgel. In either case this whole thread has been useful for alerting me that I should re-evaluate if Lastpass is the optimal solution for me.
I switched to LastPass from 1Password because I hated their whole mobile sync thing where you had to be on the same wifi and start your Mac app to sync etc. I understand that it's more secure that way, but that trade-off was not worth for me. Has that changed in the meantime?
I migrated over from Lastpass to Dashlane a few years ago. Couldn't be happier. It integrates with everything and as far as I understand their encryption is better than Lastpass, although I couldn't say how.
I do love lastpass but since switching to Firefox 100% away from Chrome, the lack of copying a password to the clipboard without seeing it first really stings. What if someone is sitting next to me, or someone is grabbing screenshots or streaming my screen? It's like having this super secure electrified iron door installed but neglecting to lock it.
Is anyone aware of a technical reason that copy to clipboard is absent in Firefox, or is just laziness? If laziness, I'll dump them tomorrow.
I'm using lastpass with firefox nightly and I don't have this issue. copying the password to clipboard without seeing it works out of the box using the browser extension.
I've never used any other password manager but just wanted to say I love Lastpass. It very rarely fails on autofill for me, it saves all my passowords nicely, has secure notes, organizational sharing for teams. I find it to be really great.
Hmmm, I have been using the Keepass + Dropbox combo. Wanted to change to a more streamlined experience. The current choices of 1Password, LastPass and Dashlane didn't seem to attract me.
This is what I do too. Biggest complaint is the lack of official apps for mobile devices. I’ve used MiniKeePass in the past but am hesitant because there doesn’t seem to be much active development and I don’t see the source code anywhere.
Do you access kbdx files on mobile devices? If so, what do you use?
The biggest problem with MiniKeePass, in my opinion, is that it doesn't support the new iOS autofill API and that it doesn't support even basic syncing. You always have to make a manual copy of the database file and you can't really create logins on mobile because of that.
There's a fork of MiniKeePass called KeePass Touch, but they don't publically host the source code anywhere. You have to email them to ask for a copy of the source code, which is technically GPL-compliant, but a bit annoying.
+1 for bitwarden. Not a security professional, but it seems to be a good tradeoff between security and usability. Definitely better than lastpass on both counts.
I've been looking into password managers for my team/department, and bitwarden has some good looking stuff, but they seem to only invoice in USD, which creates constant friction for recurring IT bills at my company.
A few weeks ago I saw bitwarden finish their third party security audit and took the opportunity to jump. Couldn't be happier. Autofill fails less, the "copy password" menu works, the mobile experience isn't intentionally broken to sell an app, and export->import went without a hitch. Better, actually: it is the first time I have done an export/import and had the resulting data immediately work better in the second app. There's also the hope-springs-eternal factor of bitwarden giving me the option to host the sensitive stuff myself once I get off my butt and set up that server I've been meaning to for a while now.
If you're thinking about lastpass, save yourself the trouble and try bitwarden first. Or something else, but bitwarden has been good to me and lastpass, well, hasn't, to put it politely :)