I was just about to pay for my LastPass subscription (after years of being on the free tier), given the recent price changes. This made me change my mind - why a password manager, which I entrust with my personal passwords, notes and credit card info, needs to dial home to 7 different trackers is just beyond belief.
I like LastPass because it works across my phone and multiple machines / browsers (I use Firefox). Can anyone please shed some light on good alternatives? I will happily pay for it.
Bitwarden is open source (with $10/year for some extra nice-to-haves if you use their hosted cloud service) and better than LastPass for me personally in pretty much every respect.
I switched approx 2 years ago after the LogMeIn acquisition and haven't regretted it.
Been hearing good things about Bitwarden, just switched in about 2 minutes. As a password manager, LastPass hasn't really improved with the times; in fact it's been getting buggier and buggier with Chrome as time goes on.
It's been a couple of years, but the web browser plugins for BitWarden were unreliable. Our power users made it work, but our average office user complained non-stop and moved back to using Notepad. Maybe BitWarden has improved since then, but it was too immature to roll out to the average office user.
I started using BitWarden during their rough phase and can agree it was a struggle. On the computer it is now flawless, except for the very occasional web site that codes far enough out of standards that any normal heuristic cannot detect that a prompt for credentials is being shown. On mobile, it is still a bit hit or miss. I'm on Android 10 (awaiting the OnePlus release of Oxygen OS 11 for my model) and the Firefox add-on is really good, but there are still places where detection of logins isn't quite right. And in apps on Android, it's also hit or miss. Venmo, for example, required me to do a long press, hit the ellipsis and choose autofill. That's fine for a power user and generally a bit beyond what an average office user would find acceptable. Though I don't have a comparison to alternatives - it may just be that these apps aren't "behaving" well with the Android autofill service, and you can't blame BitWarden for that.
Recently, my spouse started using BitWarden on her computer, and she did almost all of the set up and migrating her passwords, and updating weak passwords (we paid the $10/year for the reports) without any help from me. She is above average knowledgeable with software, but having her ask me almost no questions made me think that the software for computer use is ready.
I've been using Bitwarden for a few years and have never had to tweak it. It's not as good as LP was at detecting new logins and the mobile app sometimes doesn't detect password fields but overall it has worked fine. In the cases when it doesn't detect it's not hard to copy / paste.
I know this topic is old by now, but the official Bitwarden server is pretty heavyweight for self-hosting (MSSQL DB, needs >1 GB just to start), so some people thought they could do better. This seems to go well because Bitwarden is completely open source. But bitwarden_rs is not affiliated with Bitwarden and is missing some features from the official version. The Bitwarden team also seems to look out for those alternative solutions a bit, notifying them about breaking APIs and so on.
It seems a fair place to ask about it, IMO. I doubt they are expecting that only the OP will answer; there seem to be plenty of Rust proponents on here.
I also switched from LastPass. I find the Firefox Extension and Android experiences in Bitwarden much more intuitive. The autofill on Android works far better in my experience too.
Bitwarden also supports self-hosting their service.
I was an (on and off) paying LastPass user until 4 or so years ago, not because I had to, but because I felt like supporting it.
Switched to Bitwarden after LastPass was bought and started tightening the grip, I think (yep, I'm fairly sure they were testing the waters already 4 years ago).
Still pay Bitwarden (why not, the price is trivial for me at this point and they deserve it).
> Can anyone please shed some light on good alternatives?
I have been happily using Firefox's built-in password manager. Syncs seamlessly with Firefox Lockwise to provide complete integration with Android OS and presumably similar integration with iOS devices.
I wouldn't recommend it for casual users as there are definitely things that are less polished about the way it works, but for power-users it is great. The SSH key integration is really good.
I keep my locked file mirrored in Google Drive and have an Android app to pull passwords. I really don't see how a casual user would find Keepass harder to use than LastPass.
I don't understand how Keepass is not more popular other than marketing. If you have a file with all your passwords for everything you really want to keep a local copy that won't expire. The current status quo seems like a disaster waiting to happen on the day LastPass closes down.
Sadly the simple act of choosing where to save a file, understanding where that is, and remembering that, is more than many people feel they should need to do. Signing in with an email address and guessing their own password (typically one of the three passwords they share across all of their online services) is the norm.
The way the browser integration works means it just sometimes doesn't pick up that the app is open.
There is a ton of little polish stuff like that which makes it way harder to use for people with little tech experience, and I've had normal people struggle with more streamlined experiences like BitWarden.
1Password is the best I've seen out of several alternatives. Works flawlessly on all devices, great syncing, great UI. Highly recommended, well worth its price. Easy enough to set up that I've helped a few relatives around age 80 to get it running.
Have you actually tried to use their support? It was a single guy who wasn't helpful; when I asked for a different rep, he copped an attitude.
I still use Bitwarden for personal use, but I didn't find the product (2 years ago) to be really enterprise ready. [Biggest issue: when you share, you aren't sharing, you transfer your password to a group. This password is then no longer backed up if you make a personal backup.]
The support issue was that we had something go wrong with a group, and a dept. lost the passwords entered, but all the shares still pointed to it, so attempting to use it errored out.
It integrates with the system password manager interface but it's sometimes a bit slow to start. I think the problem is that it updates the passwords every time it is opened instead of relying on cached copies. Other than that it works fine.
Firefox has been a great web browser for me, as the synced tabs over devices has been useful. And while Google still likely has some of my data, I've switched to DuckDuckGo and Firefox full time now.
I moved from LastPass to 1Password some time in early 2020 and never looked back. The browser add-in alone on 1Password is SO much faster that I feel it alone has saved me a bunch of time.
I did the same, however I wish 1password would keep my extension logged in instead of asking me to type up a convoluted password every time I open the browser.
You can update your settings for it to turn off locking (while using the browser, idle, or sleep). However, if you quit the browser completely you'll have to re-login.
How does one realistically type in the master password on a phone keyboard [1]? A secure password would be like 20 characters long with a mix of alphanumeric and special characters.
[1] Do these password managers even use their own keyboard, or rely on whatever insecure keyboard is installed on the mobile OS?
My MP is more than 40 chars long, but it's not really a chore to type it in considering we are texting much longer strings than that literally all the time.
Many of them support biometric authentication using Android's API.
Also, to enter the master password, all of them use whatever keyboard is installed; some of them send a message to it to work in "incognito mode", for what good that is. That said, Keepass2Android and KeePassDX offer their own keyboard to enter secure credentials on sites you log into once your password manager is unlocked. That allows you to circumvent the system clipboard entirely, which is a major attack surface. Some apps also support the Android autofill feature.
> [...] considering we are texting much longer strings than that literally all the time.
Without typos? Typing a tweet or text message into your phone, your thumbs hit somewhere near the right characters and your phone figures out what words you meant as you type. The uncorrected characters are often gibberish. This is a very different use case from having to get the case and special characters right for a 40 character password.
Without typos. I use a keyboard that has no predictive features, swiping, or suggestions. But I understand your point. Personally I found training myself to type accurately worth it but most people may not.
Because it takes a long time. On the rare occasion I log into something on my phone, it takes almost a minute to type in the random passwords that Keepassxc on my computer generates.
On Android you should not copy/paste as all apps can read the clipboard. Use either a keyboard that comes with the password manager, or system auto-fill support that gets the values from the manager. Both modes are supported at least by Keepass2Android.
Personally, I don't trust Android and all the crap installed in it at all. So, I do very limited secure activities on my phone. I have never logged into my email on my phone, for instance [1]. The only thing private is messenger apps, which is an unfortunate minimum requirement on social life. Always looking for a way out.
I use Simple Keyboard (based on the AOSP keyboard), which is a very basic FOSS keyboard with no logging, suggestions or any of that. Other good options with more features most people want are OpenBoard and AnySoft. Hacker's Keyboard is a decent one too.
Related question: Does anyone have any suggestions for an OSS keyboard with suggestions and (good) swipe functionality? I currently use Gboard and it's great, but, well, it's a Google product.
The FOSS keyboard with the best swipe functionality is AnySoft. But it is miles behind SwiftKey and Gboard in my experience. With some patience and training it is serviceable though.
This is why I stick with SwiftKey. Nothing beats it, and although it got bought by Microsoft, they did not Frankenstein it. If you look for the app start with the 'M' of Microsoft though.
Yeah, I think SwiftKey with a firewall blocking outgoing requests is the most feature-rich keyboard experience on Android which isn't outrageously privacy invasive.
Personally, I still like using Simple Keyboard. It's the complete opposite of something like SwiftKey: it does one thing and does it well, and is super light too.
The problem is, most if not all Android devices do not provide some secure-enclave like architecture where the crypto key to unlock is secured by hardware design, but rather simple software solutions where the master unlock key resides in memory. So if you happen to have any malware combined with a security exploit, they might access your vault without requiring a fingerprint.
I do not trust any android device with my vault for exactly that reason.
>The problem is, most if not all Android devices do not provide some secure-enclave like architecture where the crypto key to unlock is secured by hardware design, but rather simple software solutions where the master unlock key resides in memory
Why is this relevant? Even if you do have a secure enclave, if you can do arbitrary memory reads, a malicious app can simply wait until your database is unlocked and dump your database when it's unencrypted in memory. Moreover, if you have some sort of exploit that gives you operating-system-level access, you can simply impersonate the password manager app (e.g. changing UIDs, or patching the executable in memory) and get the secure enclave to do the decryption.
This is incorrect. There are multiple ways of running tasks in the background, e.g. https://www.raywenderlich.com/5817-background-modes-tutorial.... Moreover, if you have a sandbox escape (probably a prerequisite for getting arbitrary memory reads) you don't have to wait, because you can use the other methods I've mentioned in the second half of my prior comment.
It says that the secure enclave is optional. Do you know of any vendor that ships a hardware-based secure enclave? AFAIK there are no major vendors that actually do this, so this is just operating-system-level protection, not hardware based.
I moved to 1Password last month after LastPass sync got corrupted and the data would not populate my Firefox extension or my iOS app. 1Password has been an excellent replacement. I had a paid family account with LastPass previously.
Some more back story. I tried to get help from LastPass when I noticed fields for saved accounts were blank or included strange characters. After 1 week of only getting an automated reply with how to clear your local cache (which did not work) and several more attempts from my side to get help without a response, I decided to cancel. I was locked out of my bank account until I realized that I could log into my web client directly on the LastPass website (stupid panicked me). This allowed me to easily export all my data and move to 1Password. Thanks LastPass.
I've been using Keepass for years now, combined with Keepass2Android on my phone. I recently (finally) got that setup working perfectly by setting up Syncthing between my phone and computers.
Combined with an InputStick which emulates a keyboard to type a password from my phone into a computer it's plugged into, and I can efficiently get all my secrets around without involving anyone's cloud in an unencrypted capacity.
EDIT: I will note I've never bothered having browser integration though.
Be very careful with the keepass Syncthing combo. If you're not monitoring which one had changes, you could get it overwritten when you don't want it to.
Controlled for! Keepass2Android prompts and merges if the file changes out from underneath it. With regular KeePass, each machine uses its own file in send-only mode and synchronises to the main file, which is in send-receive mode, on save.
I'm not strictly sure this is entirely necessary these days because Syncthing will do collision detection and make copies, and keepass will prompt to merge if the file changes as well.
In addition to the sibling poster, and while they've gone in an unfortunate cloud sub direction overall, it's still possible to buy an entirely standalone non-subscription normal license for 1Password and sync vaults via Dropbox, iCloud for those in the Apple ecosystem, a folder, or manually via WiFi. You can then use an application firewall or anything similar to monitor all network connections. At least from what I've seen, 1Password makes only the expected connections needed for their own services for things like auto update checks, Watchtower (a typical local compromise check system with k-anonymity, their page here [0]), and sync. All of them can be disabled with no effect beyond the expected one of those functions not happening.
I do wish we lived in a world where things had gone a bit differently and LAN had gained more of a role in all this, and one could pay for and run their own 1Password server. Of course, for that matter, passwords as they exist now shouldn't exist at all; it should all be public keys. Password managers themselves are a form of collective madness and horrible path dependency. And in principle 1P could maybe do some form of exclusive first-party tracking and simply give up on whomever didn't talk to them. But for now, at the least, they still have the option to avoid dependencies on them pretty well.
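The "k-anonymity" compromise check mentioned above works by hashing the password locally and sending the service only a short hash prefix, so the service never learns the password or its full hash. The following is an added illustration, not 1Password's or any service's code: it models both sides of such a range lookup, with the server's response shaped as `SUFFIX:COUNT` lines (the shape used by the Pwned Passwords range API) and a small constructed breach corpus standing in for the real data set.

```python
import hashlib
from typing import Callable, Tuple

# Constructed breach corpus standing in for the service's data set:
# password -> number of times seen in breaches. Not real data.
BREACHED = {
    "password123": 50000,
    "letmein": 12000,
    "correct horse battery staple": 3,
}

PREFIX_LEN = 5  # hex chars sent to the service; 35 of 40 stay local


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, computed entirely on the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str) -> str:
    """Server side of the protocol: for a hash prefix, return every known
    suffix under that prefix with its breach count, one per line.
    Simulated here from BREACHED; a real service serves a precomputed index."""
    lines = []
    for pw, count in BREACHED.items():
        digest = sha1_hex(pw)
        if digest[:PREFIX_LEN] == prefix:
            lines.append(f"{digest[PREFIX_LEN:]}:{count}")
    return "\r\n".join(lines)


def check_password(password: str,
                   fetch: Callable[[str], str] = range_response) -> Tuple[str, int]:
    """Client side: hash locally, send only the prefix, and match the suffix
    locally. Returns (prefix_sent, count); count is 0 when the suffix is
    absent, i.e. the password is not in the corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    body = fetch(prefix)  # the only data that leaves the device
    for line in body.splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return prefix, int(count)
    return prefix, 0
```

Because the service sees only five hex characters, every password whose SHA-1 shares that prefix is indistinguishable to it, which is where the "k" in k-anonymity comes from.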
> ...silly SaaS services like LastPass or Bitwarden?
...rather off-putting considering Bitwarden is nothing like LastPass in execution. For starters you don't need to pay for Bitwarden and you can run your own backend for self-host. Some of us use our password managers with others and would like to share things. I'm happy to pay for this feature.
So no, you're not required to leverage Bitwarden as SaaS like LastPass. They're not the same in that respect.
I have no affiliation with Bitwarden other than being a customer who dropped LastPass after the acquisition years ago.