LastPass vs BitWarden

Topic Author
get_g0ing
Posts: 265
Joined: Sat Dec 09, 2017 11:09 am

LastPass vs BitWarden

Post by get_g0ing » Sat Nov 17, 2018 2:42 pm

Hi,

I was researching password managers. Lastpass looks to be one of the most popular ones, whereas Bitwarden is open-source with similar features.

I came across an interesting comparison of the two:

"Bitwarden uses end-to-end encryption (e2ee) ... there is no way to recover your data if you lose your master passphrase. This is in contrast to services such as LastPass, which do not use e2ee, and can therefore recover your account if you lose your password. But they can also hand over your data to government agencies, which Bitwarden can’t."
https://www.bestvpn.com/privacy-news/bitwarden-review

Does anyone know if this really is a difference between the two?

Thanks.

mhalley
Posts: 6848
Joined: Tue Nov 20, 2007 6:02 am

Re: LastPass vs BitWarden

Post by mhalley » Sat Nov 17, 2018 3:48 pm

I like KeePass. Open source, free, local storage instead of cloud.

sparksfly
Posts: 27
Joined: Mon Oct 16, 2017 9:57 pm

Re: LastPass vs BitWarden

Post by sparksfly » Sat Nov 17, 2018 4:01 pm

mhalley wrote:
Sat Nov 17, 2018 3:48 pm
I like KeePass. Open source, free, local storage instead of cloud.
+1 for KeePass. Using it for 2+ years. There are Windows and Mac versions and iPhone apps as well. I have set it up on my Mac such that the database is auto-synced to the OneDrive cloud (secured with a very strong master password). I then sync it from my OneDrive app to the MiniKeePass app on iPhone. That way I have access to my passwords on all devices but I'm not sharing my passwords with any third party service.

brad.clarkston
Posts: 673
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: LastPass vs BitWarden

Post by brad.clarkston » Sat Nov 17, 2018 4:04 pm

Functionally they're the same if you're just looking for a decent password manager.

LastPass has very good support for free or paid users while BitWarden is e-mail support only but it is open source if that's your thing.
As far as the open source versions go BitWarden is hands down the best in that department. My only pet peeve with all of the talk about how great BitWarden is .. it's in Jacksonville Fl with no warrant canary so there's no difference between them and LastPass when it comes to the federal government issuing warrants (all black box).

I'm still a LastPass user mostly due to how long I've been on the platform and my YubiKey setup that would be a pain to transfer but I'm still a happy LastPass customer. If I was starting out I'd have to really consider BitWarden.

Lacrocious
Posts: 327
Joined: Thu Mar 22, 2007 9:45 pm
Location: Wisconsin

Re: LastPass vs BitWarden

Post by Lacrocious » Sun Nov 18, 2018 12:42 pm

get_g0ing wrote:
Sat Nov 17, 2018 2:42 pm
..."Bitwarden uses end-to-end encryption (e2ee) ... there is no way to recover your data if you lose your master passphrase. This is in contrast to services such as LastPass, which do not use e2ee, and can therefore recover your account if you lose your password. But they can also hand over your data to government agencies, which Bitwarden can’t."
https://www.bestvpn.com/privacy-news/bitwarden-review
...
Disclaimer - I know nothing about Bitwarden other than what is in the review - although it sounds/looks interesting. Long time LastPass user - so I could have some bias :) - but I will try to not let bias interfere...

It appears that both use similar encryption techniques - see https://www.lastpass.com/how-lastpass-works & https://www.lastpass.com/enterprise/security - they both appear to encrypt locally and use a secure TLS connection to transmit data. In my mind, the comment about not using e2ee allows LastPass to recover your account is incorrect. e2ee doesn't have anything to do with account recovery - it is used to protect data in transport between two computers - eliminating risk of bad guys intercepting your info. Since the data being sent is encrypted before being sent via a secure protocol - you are doubly protected. This is the same for both LastPass and BitWarden.

Does LastPass provide you tools to recover your password - Yes. Does LastPass ever know your password - no - if you can believe their support articles.
https://support.logmeininc.com/lastpass ... d-lp020010 for information on their various password recovery options. There are things you can do to help yourself recover from a forgotten password - but it isn't the fact that LastPass knows your password and can decrypt your data for you (or for any government agency). I do like the fact that I could recover my account, but nobody else can.

So - my comments are not here to bash BitWarden, but discuss questions I have about statements in the review. The one thing in the review that concerns me about BitWarden is the fact that there is "Only one dev" in the "Not So Sure About" section. Not a show stopper, but something to give some thought to.

There are many viable password managers out there. Figure out what is important to you and then find the product that matches your needs.
- L

oldcomputerguy
Moderator
Posts: 4370
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods in East Tennessee

Re: LastPass vs BitWarden

Post by oldcomputerguy » Sun Nov 18, 2018 12:48 pm

mhalley wrote:
Sat Nov 17, 2018 3:48 pm
I like KeePass. Open source, free, local storage instead of cloud.
+1. Perhaps it classifies me as a Luddite, and if so, so be it, but I resist putting personal information in the cloud to the extent possible. I certainly have no desire to have the passwords to my retirement accounts floating out there, especially on platforms touted for just that purpose and therefore that may draw attacks.
It’s taken me a lot of years, but I’ve come around to this: If you’re dumb, surround yourself with smart people. And if you’re smart, surround yourself with smart people who disagree with you.

Topic Author
get_g0ing
Posts: 265
Joined: Sat Dec 09, 2017 11:09 am

Re: LastPass vs BitWarden

Post by get_g0ing » Sun Nov 18, 2018 2:22 pm

Lacrocious wrote:
Sun Nov 18, 2018 12:42 pm
get_g0ing wrote:
Sat Nov 17, 2018 2:42 pm
..."Bitwarden uses end-to-end encryption (e2ee) ... there is no way to recover your data if you lose your master passphrase. This is in contrast to services such as LastPass, which do not use e2ee, and can therefore recover your account if you lose your password. But they can also hand over your data to government agencies, which Bitwarden can’t."
https://www.bestvpn.com/privacy-news/bitwarden-review
...
Disclaimer - I know nothing about Bitwarden other than what is in the review - although it sounds/looks interesting. Long time LastPass user - so I could have some bias :) - but I will try to not let bias interfere...

It appears that both use similar encryption techniques - see https://www.lastpass.com/how-lastpass-works & https://www.lastpass.com/enterprise/security - they both appear to encrypt locally and use a secure TLS connection to transmit data. In my mind, the comment about not using e2ee allows LastPass to recover your account is incorrect. e2ee doesn't have anything to do with account recovery - it is used to protect data in transport between two computers - eliminating risk of bad guys intercepting your info. Since the data being sent is encrypted before being sent via a secure protocol - you are doubly protected. This is the same for both LastPass and BitWarden.

Does LastPass provide you tools to recover your password - Yes. Does LastPass ever know your password - no - if you can believe their support articles.
https://support.logmeininc.com/lastpass ... d-lp020010 for information on their various password recovery options. There are things you can do to help yourself recover from a forgotten password - but it isn't the fact that LastPass knows your password and can decrypt your data for you (or for any government agency). I do like the fact that I could recover my account, but nobody else can.

So - my comments are not here to bash BitWarden, but discuss questions I have about statements in the review. The one thing in the review that concerns me about BitWarden is the fact that there is "Only one dev" in the "Not So Sure About" section. Not a show stopper, but something to give some thought to.

There are many viable password managers out there. Figure out what is important to you and then find the product that matches your needs.
- L
Thanks

Lacrocious
Posts: 327
Joined: Thu Mar 22, 2007 9:45 pm
Location: Wisconsin

Re: LastPass vs BitWarden

Post by Lacrocious » Sun Nov 18, 2018 9:57 pm

get_g0ing wrote:
Sun Nov 18, 2018 2:22 pm
Thanks
You're welcome. I would also say that I am also looking at other products at this time. LastPass works great. We use it for 100's of passwords, credit cards, and secure notes. We also store security questions & answers (as I can't remember that on one site my favorite color is BlueBubbleGum while it is OrangePaperClips on another site) in the notes field for each logon entry. LastPass stores those answers in the notes field for the login. We use the Secure Notes field to store family information like my parents' computer info, travel info, etc.

Both my wife and I share a single account. This way we share all passwords - email, etc. We respect each other's privacy for email, etc. but they are available to be accessed if needed. One area that LastPass is weak for this usage is that when I go to our email provider, I see multiple entries in LastPass to use. There are some ways to segregate entries into multiple profiles, but I don't like how that works in LastPass. I have been looking at 1Password because it seems more flexible with the way you can create multiple vaults and show/hide the vaults more like you can show/hide calendars in your calendar app. It also seems like it handles the security questions better - in that it has the ability to have separate fields to store these entries. I don't know if these things that seem important to me now, are enough to talk my wife into switching to something new - but we'll see. I am doing some testing and will determine a direction at some point. My default answer is to not change - as LastPass does everything we need. 1Password may do some things a bit more elegantly, but I haven't used it enough to determine where it doesn't fit how we use a password manager.

I also haven't looked at DashLane - the 3rd big gun in commercial products. Then there are all the other open source/smaller commercial/ and other products such as KeePass, BitWarden, etc. I am a similar thing you are in determining if my needs have really changed, and if so, have they changed enough to cause us to change products.
- L

tananaev
Posts: 7
Joined: Thu Jun 14, 2018 5:40 pm

Re: LastPass vs BitWarden

Post by tananaev » Sun Nov 18, 2018 10:42 pm

I was a long time Lastpass user before it was bought by some other company. Shortly after that I switched to Bitwarden because of the uncertainty about future of Lastpass. Both are good. I think Bitwarden was originally made as an open source clone of Lastpass, so the functionality is very similar. I think Lastpass is good and well worth the price in terms of the value that you get, but, on the other hand, why would you pay anything if you can get same functionality for free with Bitwarden?

are_cynic
Posts: 99
Joined: Wed Jul 25, 2018 8:14 am

Re: LastPass vs BitWarden

Post by are_cynic » Mon Nov 19, 2018 5:20 am

For account recovery LastPass can only revert the current password to your previous one (I found this out the hard way- entirely my fault). They can provide you with neither your current nor your previous password because they don’t know them. All they have is an encrypted blob of usernames, passwords, etc that they can’t read.

Bitwarden looks promising, but LastPass has the advantage of having been hammered on for years by security researchers and third party auditors, and having incorporated all the lessons learned. Bitwarden is relatively new and has only one audit I’m aware of https://www.macobserver.com/news/bitwar ... ity-audit/
"Invert, always invert" ~Carl Jacobi

roadPilot
Posts: 7
Joined: Mon Nov 19, 2018 3:58 pm

Re: LastPass vs BitWarden

Post by roadPilot » Mon Nov 19, 2018 4:47 pm

Been using 1Password for many years. Couldn't be happier. I do use LastPass for work, though. I pay for it just so my staff and I can use it as a shared repository for nerdy passwords (IT).

Topic Author
get_g0ing
Posts: 265
Joined: Sat Dec 09, 2017 11:09 am

Re: LastPass vs BitWarden

Post by get_g0ing » Mon Nov 19, 2018 11:47 pm

Lacrocious wrote:
Sun Nov 18, 2018 9:57 pm
get_g0ing wrote:
Sun Nov 18, 2018 2:22 pm
Thanks
You're welcome. I would also say that I am also looking at other products at this time. LastPass works great. We use it for 100's of passwords, credit cards, and secure notes. We also store security questions & answers (as I can't remember that on one site my favorite color is BlueBubbleGum while it is OrangePaperClips on another site) in the notes field for each logon entry. LastPass stores those answers in the notes field for the login. We use the Secure Notes field to store family information like my parents' computer info, travel info, etc.

Both my wife and I share a single account. This way we share all passwords - email, etc. We respect each other's privacy for email, etc. but they are available to be accessed if needed. One area that LastPass is weak for this usage is that when I go to our email provider, I see multiple entries in LastPass to use. There are some ways to segregate entries into multiple profiles, but I don't like how that works in LastPass. I have been looking at 1Password because it seems more flexible with the way you can create multiple vaults and show/hide the vaults more like you can show/hide calendars in your calendar app. It also seems like it handles the security questions better - in that it has the ability to have separate fields to store these entries. I don't know if these things that seem important to me now, are enough to talk my wife into switching to something new - but we'll see. I am doing some testing and will determine a direction at some point. My default answer is to not change - as LastPass does everything we need. 1Password may do some things a bit more elegantly, but I haven't used it enough to determine where it doesn't fit how we use a password manager.

I also haven't looked at DashLane - the 3rd big gun in commercial products. Then there are all the other open source/smaller commercial/ and other products such as KeePass, BitWarden, etc. I am a similar thing you are in determining if my needs have really changed, and if so, have they changed enough to cause us to change products.
- L
I remember some years ago, so many websites were forcing security questions and it was considered important. Recently, I've come across some sites removing security question with the recommendation to not use this feature.

Topic Author
get_g0ing
Posts: 265
Joined: Sat Dec 09, 2017 11:09 am

Re: LastPass vs BitWarden

Post by get_g0ing » Mon Nov 19, 2018 11:50 pm

are_cynic wrote:
Mon Nov 19, 2018 5:20 am
For account recovery LastPass can only revert the current password to your previous one (I found this out the hard way- entirely my fault). They can provide you with neither your current nor your previous password because they don’t know them. All they have is an encrypted blob of usernames, passwords, etc that they can’t read.

Bitwarden looks promising, but LastPass has the advantage of having been hammered on for years by security researchers and third party auditors, and having incorporated all the lessons learned. Bitwarden is relatively new and has only one audit I’m aware of https://www.macobserver.com/news/bitwar ... ity-audit/
roadPilot wrote:
Mon Nov 19, 2018 4:47 pm
Been using 1Password for many years. Couldn't be happier. I do use LastPass for work, though. I pay for it just so my staff and I can use it as a shared repository for nerdy passwords (IT).
One thing I'm liking about BitWarden is that it is open-source. I hear that's a good thing. But I'm not sure how important it is for a security app to be open-source. Does Lastpass being closed-source put it at a disadvantage?

TravelGeek
Posts: 2967
Joined: Sat Oct 25, 2014 3:23 pm

Re: LastPass vs BitWarden

Post by TravelGeek » Tue Nov 20, 2018 2:52 am

get_g0ing wrote:
Mon Nov 19, 2018 11:50 pm
One thing I'm liking about BitWarden is that it is open-source. I hear that's a good thing. But I'm not sure how important it is for a security app to be open-source. Does Lastpass being closed-source put it at a disadvantage?
It depends.

Open source means that anyone can download the source code and inspect it. That includes hackers looking for a weakness, security auditors or interested open source coders who want to learn how it works or want to help develop it or adapt it for their own use. Bugs could be discovered through code inspection and lead to better quality if people report them. That requires a community of skilled developers interested in the tool. I don’t know anything about BitWarden, so I don’t know if they have such a community.

The other benefit of open source is that the fate of the tool isn’t tied to a single company and their business success and plans. Anyone can take the code and continue to develop it if the original developers stop working on it. Anyone can fork the code and take it in a new direction if they have this inclination and/or the original developers have no desire to go that way.

tuningfork
Posts: 442
Joined: Wed Oct 30, 2013 8:30 pm

Re: LastPass vs BitWarden

Post by tuningfork » Tue Nov 20, 2018 12:30 pm

get_g0ing wrote:
Sat Nov 17, 2018 2:42 pm
"Bitwarden uses end-to-end encryption (e2ee) ... there is no way to recover your data if you lose your master passphrase. This is in contrast to services such as LastPass, which do not use e2ee, and can therefore recover your account if you lose your password. But they can also hand over your data to government agencies, which Bitwarden can’t."
https://www.bestvpn.com/privacy-news/bitwarden-review

Does anyone know if this really is a difference between the two?
This is incorrect. I wouldn't pay much attention to the source of this comparison if they can't get such a fundamental fact of LastPass correct.

Glockenspiel
Posts: 772
Joined: Thu Feb 08, 2018 1:20 pm

Re: LastPass vs BitWarden

Post by Glockenspiel » Tue Nov 20, 2018 12:37 pm

I've been using LastPass for the last 6 months after researching on this board and I've found it to be incredibly useful, easy to manage, automatically updates if you change your password to any website, easily creates secure password, etc.

jumbopapa
Posts: 46
Joined: Thu Aug 30, 2018 7:56 am

Re: LastPass vs BitWarden

Post by jumbopapa » Tue Nov 20, 2018 1:48 pm

I would use BitWarden. I switched about a year ago from LastPass and I have been very happy. I like that it is FOSS. You don't have to worry about what BitWarden does with your data because you can go see for yourself! The short answer is nothing, they have no access to your data because it is encrypted.

Some are uncomfortable with a cloud based solution, but BitWarden does allow you to self-host.

It's packed with all the features you could ever need in a password manager and everything syncs seamlessly.

Topic Author
get_g0ing
Posts: 265
Joined: Sat Dec 09, 2017 11:09 am

Re: LastPass vs BitWarden

Post by get_g0ing » Tue Nov 20, 2018 2:53 pm

tuningfork wrote:
Tue Nov 20, 2018 12:30 pm
get_g0ing wrote:
Sat Nov 17, 2018 2:42 pm
"Bitwarden uses end-to-end encryption (e2ee) ... there is no way to recover your data if you lose your master passphrase. This is in contrast to services such as LastPass, which do not use e2ee, and can therefore recover your account if you lose your password. But they can also hand over your data to government agencies, which Bitwarden can’t."
https://www.bestvpn.com/privacy-news/bitwarden-review

Does anyone know if this really is a difference between the two?
This is incorrect. I wouldn't pay much attention to the source of this comparison if they can't get such a fundamental fact of LastPass correct.
So Lastpass can't access your decrypted passwords if it wanted to?

Recently I've come across the concept of "zero knowledge", where the company doesn't have your unencrypted keys so they can't access your data even if they wanted to. I'm not sure how important this is but it sounds good.

Topic Author
get_g0ing
Posts: 265
Joined: Sat Dec 09, 2017 11:09 am

Re: LastPass vs BitWarden

Post by get_g0ing » Tue Nov 20, 2018 2:54 pm

jumbopapa wrote:
Tue Nov 20, 2018 1:48 pm
I would use BitWarden. I switched about a year ago from LastPass and I have been very happy. I like that it is FOSS. You don't have to worry about what BitWarden does with your data because you can go see for yourself! The short answer is nothing, they have no access to your data because it is encrypted.

Some are uncomfortable with a cloud based solution, but BitWarden does allow you to self-host.

It's packed with all the features you could ever need in a password manager and everything syncs seamlessly.
Yea, I'm hearing good things about it, that's why I posted.

One concern I've come across is that it only has one developer and is fairly new, but Lastpass has been around longer.

Broken Man 1999
Posts: 2302
Joined: Wed Apr 08, 2015 11:31 am

Re: LastPass vs BitWarden

Post by Broken Man 1999 » Tue Nov 20, 2018 3:17 pm

Another happy user of LastPass.

If LastPass can retrieve your password, it is news to me.

I had to rebuild a complete database when I lost my very long password. :oops:

I am using the free version of LastPass, perhaps the paid version offers the recapture of your lost/forgotten master password.

FWIW, my master password has 41 characters; possibilities include uppercase/lowercase letters, numbers, special characters. I think it is fairly secure, but can't be sure.

Broken Man 1999

ETA: From LastPass website: Local-only encryption.

Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass.
“If I cannot drink Bourbon and smoke cigars in Heaven than I shall not go. " -Mark Twain
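
Added example, not part of any post in this thread and not LastPass's or Bitwarden's actual code: a minimal Python sketch of the client-side model described in are_cynic's post and in the LastPass text quoted above, where the device derives the keys and the server only ever holds an encrypted blob. The iteration count, key labels, record fields and the HMAC-based keystream (a standard-library stand-in for AES) are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 100_000  # assumed for this sketch, not a vendor setting


def derive_keys(master_password: str, salt: bytes) -> dict:
    """Client side: stretch the master password, then split it into subkeys."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS
    )
    # Distinct labels give independent keys: the login value sent to the
    # server cannot be turned back into the encryption key.
    return {
        label: hmac.new(master_key, label.encode(), hashlib.sha256).digest()
        for label in ("enc", "mac", "login")
    }


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-CTR."""
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password: str, entries: dict) -> dict:
    """Client side: encrypt the vault and build the record that is uploaded."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    keys = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(keys["enc"], nonce, len(plaintext)))
    tag = hmac.new(keys["mac"], nonce + ciphertext, hashlib.sha256).digest()
    return {
        "salt": salt,
        "nonce": nonce,
        "ciphertext": ciphertext,
        "tag": tag,
        # The server keeps only a hash of the login value, never a key.
        "login_verifier": hashlib.sha256(keys["login"]).digest(),
    }


def open_vault(master_password: str, record: dict):
    """Client side: return the entries, or None if the password is wrong."""
    keys = derive_keys(master_password, record["salt"])
    expected = hmac.new(
        keys["mac"], record["nonce"] + record["ciphertext"], hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    stream = _keystream(keys["enc"], record["nonce"], len(record["ciphertext"]))
    return json.loads(_xor(record["ciphertext"], stream))


def server_check_login(record: dict, login_value: bytes) -> bool:
    """Server side: authenticate without seeing the password or the enc key."""
    return hmac.compare_digest(
        hashlib.sha256(login_value).digest(), record["login_verifier"]
    )


def change_master_password(old: str, new: str, record: dict):
    """Re-keying needs the old password; without it nothing can be re-encrypted."""
    entries = open_vault(old, record)
    return None if entries is None else seal_vault(new, entries)


# Constructed sample data for the demonstration.
SAMPLE_ENTRIES = {"bank.example": {"user": "pat", "password": "S3cret-Constructed!"}}

if __name__ == "__main__":
    record = seal_vault("correct horse battery staple", SAMPLE_ENTRIES)
    print("server stores:", {k: v.hex()[:16] + "..." for k, v in record.items()})
    print("right password:", open_vault("correct horse battery staple", record))
    print("wrong password:", open_vault("guess", record))
    print("reset without old password:",
          change_master_password("forgotten", "new", record))
```

Everything a provider stores is in the record returned by `seal_vault`; checking a password against it is a purely local computation, so the key-stretching cost and the strength of the master password are what protect a copied record.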

Topic Author
get_g0ing
Posts: 265
Joined: Sat Dec 09, 2017 11:09 am

Re: LastPass vs BitWarden

Post by get_g0ing » Tue Nov 20, 2018 3:36 pm

Broken Man 1999 wrote:
Tue Nov 20, 2018 3:17 pm
Another happy user of LastPass.

If LastPass can retrieve your password, it is news to me.

I had to rebuild a complete database when I lost my very long password. :oops:

I am using the free version of LastPass, perhaps the paid version offers the recapture of your lost/forgotten master password.

FWIW, my master password has 41 characters; possibilities include uppercase/lowercase letters, numbers, special characters. I think it is fairly secure, but can't be sure.

Broken Man 1999

ETA: From LastPass website: Local-only encryption.

Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass.
41 !! Do you manually type that in every time? Or maybe another password manager to fill it :p
I'm guessing you use a pass-phrase, I've seen this approach being recommended.

Btw, my thinking on length is that for static situations like zipped files, it's good to have a long password if it's stored on the cloud. To protect from brute forcing. But for online/server/web type situations like email, bank accounts, the password can be comparatively shorter (still long overall, but shorter than the 1st scenario). Because online servers won't allow constant brute force attempts. For example, Yahoo or Hotmail won't allow unlimited password attempts and will block automatically.

tuningfork
Posts: 442
Joined: Wed Oct 30, 2013 8:30 pm

Re: LastPass vs BitWarden

Post by tuningfork » Tue Nov 20, 2018 4:49 pm

get_g0ing wrote:
Tue Nov 20, 2018 3:36 pm
Btw, my thinking on length is that for static situations like zipped files, it's good to have a long password if it's stored on the cloud. To protect from brute forcing. But for online/server/web type situations like email, bank accounts, the password can be comparatively shorter (still long overall, but shorter than the 1st scenario). Because online servers won't allow constant brute force attempts. For example, Yahoo or Hotmail won't allow unlimited password attempts and will block automatically.
Password hacks generally occur against a stolen copy of a password database, so any password attempt limits imposed by the server are irrelevant. Yahoo, in fact, suffered two security breaches involving billions of compromised account credentials.

Topic Author
get_g0ing
Posts: 265
Joined: Sat Dec 09, 2017 11:09 am

Re: LastPass vs BitWarden

Post by get_g0ing » Tue Nov 20, 2018 5:48 pm

tuningfork wrote:
Tue Nov 20, 2018 4:49 pm
get_g0ing wrote:
Tue Nov 20, 2018 3:36 pm
Btw, my thinking on length is that for static situations like zipped files, it's good to have a long password if it's stored on the cloud. To protect from brute forcing. But for online/server/web type situations like email, bank accounts, the password can be comparatively shorter (still long overall, but shorter than the 1st scenario). Because online servers won't allow constant brute force attempts. For example, Yahoo or Hotmail won't allow unlimited password attempts and will block automatically.
Password hacks generally occur against a stolen copy of a password database, so any password attempt limits imposed by the server are irrelevant. Yahoo, in fact, suffered two security breaches involving billions of compromised account credentials.
Interesting. Do you know why they didn't or don't keep the credentials encrypted?

This also reminds me of the importance of 2FA.

Calygos
Posts: 595
Joined: Tue Jan 13, 2015 3:48 pm

Re: LastPass vs BitWarden

Post by Calygos » Tue Nov 20, 2018 6:24 pm

+1 for 1Password. I pay for their cloud sync service, 2.99/month so a one-time 35.88/year fee, and it syncs to my Mac, PC, and iPhone, and gets reasonably frequent updates and improvements. Been incredibly happy with it!

MrJones
Posts: 295
Joined: Sat Mar 18, 2017 2:23 am

Re: LastPass vs BitWarden

Post by MrJones » Tue Nov 20, 2018 6:26 pm

get_g0ing wrote:
Tue Nov 20, 2018 2:54 pm
jumbopapa wrote:
Tue Nov 20, 2018 1:48 pm
I would use BitWarden. I switched about a year ago from LastPass and I have been very happy. I like that it is FOSS. You don't have to worry about what BitWarden does with your data because you can go see for yourself! The short answer is nothing, they have no access to your data because it is encrypted.

Some are uncomfortable with a cloud based solution, but BitWarden does allow you to self-host.

It's packed with all the features you could ever need in a password manager and everything syncs seamlessly.
Yea, I'm hearing good things about it, that's why I posted.

One concern I've come across is that it only has one developer and is fairly new, but Lastpass has been around longer.
Yes, and in anything security related, the maturity that comes with age is a benefit. On the other hand, I'm glad you posted because in anything security-related, open source is also a great benefit, and it takes a critical mass of users for a software to catch on and continue to develop and evolve, and get to an age where it is considered mature and secure. I'm going to give it a try and I really hope BitWarden becomes a strong choice.

weltschmerz
Posts: 402
Joined: Thu Jul 30, 2009 9:17 pm

Re: LastPass vs BitWarden

Post by weltschmerz » Tue Nov 20, 2018 7:06 pm

deleted
Last edited by weltschmerz on Tue Jan 01, 2019 12:53 pm, edited 1 time in total.

Topic Author
get_g0ing
Posts: 265
Joined: Sat Dec 09, 2017 11:09 am

Re: LastPass vs BitWarden

Post by get_g0ing » Tue Nov 20, 2018 8:47 pm

MrJones wrote:
Tue Nov 20, 2018 6:26 pm
get_g0ing wrote:
Tue Nov 20, 2018 2:54 pm
jumbopapa wrote:
Tue Nov 20, 2018 1:48 pm
I would use BitWarden. I switched about a year ago from LastPass and I have been very happy. I like that it is FOSS. You don't have to worry about what BitWarden does with your data because you can go see for yourself! The short answer is nothing, they have no access to your data because it is encrypted.

Some are uncomfortable with a cloud based solution, but BitWarden does allow you to self-host.

It's packed with all the features you could ever need in a password manager and everything syncs seamlessly.
Yea, I'm hearing good things about it, that's why I posted.

One concern I've come across is that it only has one developer and is fairly new, but Lastpass has been around longer.
Yes, and in anything security related, the maturity that comes with age is a benefit. On the other hand, I'm glad you posted because in anything security-related, open source is also a great benefit, and it takes a critical mass of users for a software to catch on and continue to develop and evolve, and get to an age where it is considered mature and secure. I'm going to give it a try and I really hope BitWarden becomes a strong choice.
Agree with your sentiment.

Topic Author
get_g0ing
Posts: 265
Joined: Sat Dec 09, 2017 11:09 am

Re: LastPass vs BitWarden

Post by get_g0ing » Tue Nov 20, 2018 8:49 pm

weltschmerz wrote:
Tue Nov 20, 2018 7:06 pm
For those of you that responded to say you are happy with LastPass, I'm guessing you did not try to log on today to get your passwords? LastPass was offline for about 5 hours, very frustrating for those who rely on the service.
No kidding. I wasn't aware of this. There's a long reddit on it:
https://www.reddit.com/r/Lastpass/comme ... s_my_vault

3-20Characters
Posts: 377
Joined: Tue Jun 19, 2018 2:20 pm

Re: LastPass vs BitWarden

Post by 3-20Characters » Tue Nov 20, 2018 8:56 pm

I’ve been using 1Password for years and can find no complaints. I use the free version but I’d gladly pay if the extra features of the pay version mattered to me. Regarding security, straight from the horse’s mouth.
If you forgot your Master Password or you can't unlock 1Password

For your security, your Master Password is:
* never transmitted over the Internet
* never logged locally
* never known to us at AgileBits
* only known to you
* the only way to decrypt your data
This ensures that your data is safe from intruders, but it also means that no one can reset your Master Password.

https://support.1password.com/forgot-master-password/
Due to the way 1Password is designed, I feel very comfortable storing my data on the cloud and having all my devices update in what seems instantaneously to me. With the free version, I don’t get storage at AgileBits, which is fine. I store my data on my iCloud account.

tuningfork
Posts: 442
Joined: Wed Oct 30, 2013 8:30 pm

Re: LastPass vs BitWarden

Post by tuningfork » Tue Nov 20, 2018 11:37 pm

get_g0ing wrote:
Tue Nov 20, 2018 5:48 pm
tuningfork wrote:
Tue Nov 20, 2018 4:49 pm
get_g0ing wrote:
Tue Nov 20, 2018 3:36 pm
Btw, my thinking on length is that for static situations like zipped files, it's good to have a long password if it's stored on the cloud. To protect from brute forcing. But for online/server/web type situations like email, bank accounts, the password can be comparatively shorter (still long overall, but shorter than the 1st scenario). Because online servers won't allow constant brute force attempts. For example, Yahoo or Hotmail won't allow unlimited password attempts and will block automatically.
Password hacks generally occur against a stolen copy of a password database, so any password attempt limits imposed by the server are irrelevant. Yahoo, in fact, suffered two security breaches involving billions of compromised account credentials.
Interesting. Do you know why they didn't or don't keep the credentials encrypted?

This also reminds me of the importance of 2FA.
They do encrypt the credentials (when I said compromised, I meant the encrypted passwords were obtained, not that they all had been decrypted).

If a hacker manages to obtain a copy of the encrypted credentials, they can spend as much time and effort as they desire to attempt to decrypt them. Here's a fascinating article from 5 years ago about three hackers/researchers describing how they each cracked thousands of passwords in a few hours on an ordinary PC. Many of these were passwords that mere mortals might think were secure. It really makes the case for using long, truly random passwords.
https://arstechnica.com/information-tec ... passwords/
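An added illustration, not part of any post in this thread, of the exchange above about server attempt limits versus a stolen credential database: it estimates how long a uniformly random password holds up under throttled online guessing and under offline guessing against stored password hashes, with and without a slow salted key-derivation function. The guess rates and the PBKDF2 work factor are assumed figures for the sketch, not measurements of any service named here.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates for this sketch (illustrative, not measurements).
ONLINE_THROTTLED = 100 / 86400   # about 100 tries per day before lockouts
OFFLINE_FAST_HASH = 1e10         # stolen database of fast, unsalted hashes
PBKDF2_ITERATIONS = 200_000      # assumed server-side work factor
OFFLINE_SLOW_KDF = OFFLINE_FAST_HASH / PBKDF2_ITERATIONS  # rough cost model


def generate_password(length, alphabet=string.ascii_letters + string.digits):
    """Uniformly random password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password.

    Human-chosen passwords have far less than this figure suggests.
    """
    return length * math.log2(alphabet_size)


def years_to_guess(bits, guesses_per_second):
    """Expected time to find the password: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Server-side storage: a per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, expected):
    """Recompute the KDF and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def resistance_table(lengths=(8, 12, 16, 20), alphabet_size=62):
    """Years to guess a random password of each length under each model."""
    rows = []
    for n in lengths:
        bits = entropy_bits(n, alphabet_size)
        rows.append({
            "length": n,
            "bits": bits,
            "online_years": years_to_guess(bits, ONLINE_THROTTLED),
            "fast_hash_years": years_to_guess(bits, OFFLINE_FAST_HASH),
            "slow_kdf_years": years_to_guess(bits, OFFLINE_SLOW_KDF),
        })
    return rows


if __name__ == "__main__":
    for row in resistance_table():
        print("{length:>2} chars {bits:6.1f} bits  online {online_years:9.2e} y  "
              "fast hash {fast_hash_years:9.2e} y  slow KDF {slow_kdf_years:9.2e} y"
              .format(**row))
```

Under these assumptions an 8-character random password outlasts throttled online guessing by a wide margin yet falls within hours once a fast-hash database is stolen, which is why both password length and the server's storage scheme matter.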

Horsefly
Posts: 419
Joined: Sat Oct 24, 2015 8:13 am
Location: Colorado, mostly

Re: LastPass vs BitWarden

Post by Horsefly » Wed Nov 21, 2018 12:25 pm

Although I'm happy with Lastpass, I both love and fear the cloud aspect. I like that I can be updating passwords on my desktop and know that the next time I use my phone or chromebook the correct password will be there.

Having said that, the cloud storage of those passwords does present some problems. I'm less worried about the security aspects than I am with them not being available due to any infrastructure issues. I didn't notice the Lastpass outage yesterday (which seems odd, as I was logging into my bank and credit card accounts at that time), but I could imagine it being a real problem.

So, I was wondering. Has anyone tried to use two password managers at once, with one using cloud storage and one using local storage? Seems like if you worked at it you could keep them in sync, and if the cloud ever got messed up you could fall back to using the other one.

3-20Characters
Posts: 377
Joined: Tue Jun 19, 2018 2:20 pm

Re: LastPass vs BitWarden

Post by 3-20Characters » Wed Nov 21, 2018 2:15 pm

Horsefly wrote:
Wed Nov 21, 2018 12:25 pm
Although I'm happy with Lastpass, I both love and fear the cloud aspect. I like that I can be updating passwords on my desktop and know that the next time I use my phone or chromebook the correct password will be there.

Having said that, the cloud storage of those passwords does present some problems. I'm less worried about the security aspects than I am with them not being available due to any infrastructure issues. I didn't notice the Lastpass outage yesterday (which seems odd, as I was logging into my bank and credit card accounts at that time), but I could imagine it being a real problem.

So, I was wondering. Has anyone tried to use two password managers at once, with one using cloud storage and one using local storage? Seems like if you worked at it you could keep them in sync, and if the cloud ever got messed up you could fall back to using the other one.
I don’t know about lastpass but “cloud” is a syncing aspect of 1Password so your data is stored on your devices already—even if the cloud is inaccessible for a time. Apple iCloud works the same way.
Making your data available even when you’re offline. 1Password stores your data on your devices, so your logins, notes, and other information can be accessed even if you aren’t connected to the Internet. This means you aren’t dependent on access to your sync provider; your data will always be available when you need it.

https://support.1password.com/sync-options-security/
I would not under any circumstance, want to keep two password managers going simultaneously. If you’re that worried, consider that your tool of choice is not right for you and switch managers altogether.

My 2¢.

Lacrocious
Posts: 327
Joined: Thu Mar 22, 2007 9:45 pm
Location: Wisconsin

Re: LastPass vs BitWarden

Post by Lacrocious » Wed Nov 21, 2018 4:52 pm

get_g0ing wrote:
Mon Nov 19, 2018 11:47 pm
I remember some years ago, so many websites were forcing security questions and it was considered important. Recently, I've come across some sites removing security question with the recommendation to not use this feature.
Yes, I have seen fewer security questions, except at financial sites. One big risk is how many sites have you entered your mother's maiden name? Are they all keeping it secure? Any breaches that could mean it is known by hackers? I don't use my mother's maiden name, even when asked. Make something up, they don't verify it, they don’t know my mom! My son felt odd answering a security question over the phone for a bank he called to resolve an issue. Agent: What is your favorite color? Son: Purple Bubblegum Gummyworm. Followed by a slight laugh. I know he has no other website with "Purple Bubblegum Gummyworm" as his favorite color. It is a different passphrase. All are stored in the appropriate Password card in his password manager of choice. Just do what you can to keep yourself safe.
- L
*** No, that isn't his real favorite color....

MisterMister
Posts: 239
Joined: Thu Nov 01, 2018 9:50 pm

Re: LastPass vs BitWarden

Post by MisterMister » Wed Nov 21, 2018 5:08 pm

I haven't used either of the two you mentioned.

I do use Dashlane's free version and I'm pretty pleased with it (not sure they have a free version anymore). I do not use the cloud because I'm not crazy about having all my credentials stored in these services.

If you are willing to live with a simple password database (rather than something that integrates with your browser), look at Password Safe.

https://pwsafe.org/

It has been around a long time (I use it extensively) and is quite secure as long as your password is secure. There is no cloud component, so cross-device sharing of passwords is not possible, though there are some mobile apps which can use a cloud-stored copy of your database (e.g. in DropBox). Whether it is wise to trust those mobile apps is another issue. Most purists would say no.

Some of the browser-based managers have been hacked or compromised in various ways. I don't have details but caveat emptor. Do the research and decide if you're comfortable.

Good luck.

Gadget
Posts: 229
Joined: Fri Mar 17, 2017 1:38 pm

Re: LastPass vs BitWarden

Post by Gadget » Wed Nov 21, 2018 7:06 pm

As a disclaimer, I use Lastpass. I've been happy with their service, and I like their independent audits and honesty about breaches. Any company that claims they haven't been breached is most likely just not being honest or worse, not looking. I do have some experience in the cybersecurity area of software development, not that you should trust a random guy on the internet for that.

I just wanted to chime in about the notion that because BitWarden is open source, that means it is more secure. That is not true. It is possible, but only with a very active community of developers working on it. All the developers at Lastpass are paid to actively make the service secure and test against vulnerabilities. They probably actively analyze updates from software assurance programs to help maintain good cybersecurity. Cybersecurity is a constantly moving target. It is not a static thing you can protect against.

Bitwarden may have a large development community that works hard to make it secure. But it may not. Software being open source does not mean it is secure. It means that the bad guys can find the flaws just as easily as the good guys. And I don't know about you, but I work a lot harder on developing software that I am paid to develop. I may work on a free community project like Bitwarden if I like it, but for it to be as secure as Lastpass requires an extensive community of developers that are actively involved. Bitwarden may have this. But I know for a fact that numerous open source software programs do not.

Topic Author
get_g0ing
Posts: 265
Joined: Sat Dec 09, 2017 11:09 am

Re: LastPass vs BitWarden

Post by get_g0ing » Wed Nov 21, 2018 7:51 pm

Gadget wrote:
Wed Nov 21, 2018 7:06 pm
As a disclaimer, I use Lastpass. I've been happy with their service, and I like their independent audits and honesty about breaches. Any company that claims they haven't been breached is most likely just not being honest or worse, not looking. I do have some experience in the cybersecurity area of software development, not that you should trust a random guy on the internet for that.

I just wanted to chime in about the notion that because BitWarden is open source, that means it is more secure. That is not true. It is possible, but only with a very active community of developers working on it. All the developers at Lastpass are paid to actively make the service secure and test against vulnerabilities. They probably actively analyze updates from software assurance programs to help maintain good cybersecurity. Cybersecurity is a constantly moving target. It is not a static thing you can protect against.

Bitwarden may have a large development community that works hard to make it secure. But it may not. Software being open source does not mean it is secure. It means that the bad guys can find the flaws just as easily as the good guys. And I don't know about you, but I work a lot harder on developing software that I am paid to develop. I may work on a free community project like Bitwarden if I like it, but for it to be as secure as Lastpass requires an extensive community of developers that are actively involved. Bitwarden may have this. But I know for a fact that numerous open source software programs do not.
Good thoughts. I found this helpful.

TripleGGG
Posts: 3
Joined: Sun Sep 02, 2018 7:27 am
Location: Lenoir City TN

Re: LastPass vs BitWarden

Post by TripleGGG » Wed Nov 21, 2018 8:16 pm

roadPilot wrote:
Mon Nov 19, 2018 4:47 pm
Been using 1Password for many years. Couldn't be happier. I do use LastPass for work, though. I pay for it just so my staff and I can use it as a shared repository for nerdy passwords (IT).
1Password user for years. I have tried most of them but have never left 1Password.

mkedst
Posts: 9
Joined: Sun Oct 07, 2018 11:14 am

Re: LastPass vs BitWarden

Post by mkedst » Wed Nov 21, 2018 8:42 pm

I've been a Roboform user for many years, starting back when it was considered a top choice, and I've just kept using it. But, now I've also been considering switching to either LastPass or BitWarden (or others), mostly because I'm thinking of adding a YubiKey for 2FA and Roboform doesn't support it. Roboform also costs about $20/year to have multiple device access. It's already been stated in this thread, but the maturity and mass usage of LastPass seems like a big plus.

I thought the following person's experience on switching from LastPass to BitWarden was interesting. Apparently Firefox isn't well supported by LastPass. He also lists a couple features he misses from LastPass (1) old password retrieval and (2) automatic password changing.

Update: 3 months with Bitwarden
https://www.ctrl.blog/entry/bitwarden-3m-update
Last edited by mkedst on Wed Nov 21, 2018 8:53 pm, edited 1 time in total.

tuningfork
Posts: 442
Joined: Wed Oct 30, 2013 8:30 pm

Re: LastPass vs BitWarden

Post by tuningfork » Wed Nov 21, 2018 8:43 pm

Horsefly wrote:
Wed Nov 21, 2018 12:25 pm
Although I'm happy with Lastpass, I both love and fear the cloud aspect. I like that I can be updating passwords on my desktop and know that the next time I use my phone or chromebook the correct password will be there.

Having said that, the cloud storage of those passwords does present some problems. I'm less worried about the security aspects than I am with them not being available due to any infrastructure issues. I didn't notice the Lastpass outage yesterday (which seems odd, as I was logging into my bank and credit card accounts at that time), but I could imagine it being a real problem.

So, I was wondering. Has anyone tried to use two password managers at once, with one using cloud storage and one using local storage? Seems like if you worked at it you could keep them in sync, and if the cloud ever got messed up you could fall back to using the other one.
LastPass keeps a local copy of your passwords on your device, and has an offline mode that allows it to use the local copy when the server is unreachable. I'm pretty sure I used LastPass several times during yesterday's outage without being aware there was an outage. Evidently some people's browser extensions failed to enter offline mode, which caused them grief.

Response from LastPass about yesterday's outage: https://blog.lastpass.com/2018/11/lastp ... next.html/

I would never attempt to keep multiple password managers in sync. That's a recipe for confusion and a big waste of time.

Horsefly
Posts: 419
Joined: Sat Oct 24, 2015 8:13 am
Location: Colorado, mostly

Re: LastPass vs BitWarden

Post by Horsefly » Wed Nov 21, 2018 9:14 pm

mkedst wrote:
Wed Nov 21, 2018 8:42 pm
I've been a Roboform user for many years,
I used Roboform for more than 6 years. I was getting frustrated periodically, and then tried Lastpass. It didn't take long for me to cancel my subscription to Roboform.

Oh and by the way, since some seem to think Lastpass costs $$. I use the free version, and it covers everything I need to do on two Windoze machines, two chromebooks, and my Android phone. No real limitation in what I want to do.

mkedst
Posts: 9
Joined: Sun Oct 07, 2018 11:14 am

Re: LastPass vs BitWarden

Post by mkedst » Thu Nov 22, 2018 5:06 pm

I learned that both LastPass and BitWarden require upgrading to premium to use YubiKey, $24/year and $10/year, respectively.

Jeff Albertson
Posts: 671
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: LastPass vs BitWarden

Post by Jeff Albertson » Thu Nov 22, 2018 7:28 pm

mkedst wrote:
Wed Nov 21, 2018 8:42 pm
I've been a Roboform user for many years, starting back when it was considered a top choice, and I've just kept using it. But, now I've also been considering switching to either LastPass or BitWarden (or others), mostly because I'm thinking of adding a YubiKey for 2FA and Roboform doesn't support it.
Check on how you will export your data from Roboform. I made the switch from Roboform to Lastpass a few years ago. In order to export my data from Roboform, I had to downgrade the Roboform software on my PC to a version that supported data export.
Currently, I export my Lastpass data every three months & encrypt it using 7zip. The only issue is Lastpass' Secure Notes don't fully export.

mkedst
Posts: 9
Joined: Sun Oct 07, 2018 11:14 am

Re: LastPass vs BitWarden

Post by mkedst » Thu Nov 22, 2018 9:59 pm

Jeff Albertson wrote:
Thu Nov 22, 2018 7:28 pm
mkedst wrote:
Wed Nov 21, 2018 8:42 pm
I've been a Roboform user for many years, starting back when it was considered a top choice, and I've just kept using it. But, now I've also been considering switching to either LastPass or BitWarden (or others), mostly because I'm thinking of adding a YubiKey for 2FA and Roboform doesn't support it.
Check on how you will export your data from Roboform. I made the switch from Roboform to Lastpass a few years ago. In order to export my data from Roboform, I had to downgrade the Roboform software on my PC to a version that supported data export.
Currently, I export my Lastpass data every three months & encrypt it using 7zip. The only issue is Lastpass' Secure Notes don't fully export.
Thanks for the tip Jeff. I did test out Roboform export a few days ago and it seems okay with the current versions (8.5.4.4) ... although, I haven't tested importing it into another software.

gtd98765
Posts: 248
Joined: Sun Jan 08, 2017 4:15 am

Re: LastPass vs BitWarden

Post by gtd98765 » Fri Nov 23, 2018 7:59 am

mkedst wrote:
Wed Nov 21, 2018 8:42 pm
I've been a Roboform user for many years, starting back when it was considered a top choice, and I've just kept using it. But, now I've also been considering switching to either LastPass or BitWarden (or others), mostly because I'm thinking of adding a YubiKey for 2FA and Roboform doesn't support it. Roboform also costs about $20/year to have multiple device access. It's already been stated in this thread, but the maturity and mass usage of LastPass seems like a big plus.
I would also prefer that RF support the Yubikey, but it does at least now support TOTP codes from an authenticator app.

mkedst
Posts: 9
Joined: Sun Oct 07, 2018 11:14 am

Re: LastPass vs BitWarden

Post by mkedst » Fri Nov 23, 2018 12:09 pm

gtd98765 wrote:
Fri Nov 23, 2018 7:59 am
I would also prefer that RF support the Yubikey, but it does at least now support TOTP codes from an authenticator app.
That's true. I suppose they'll add YubiKey type support at some point.

I'm also considering KeePassXC, which is the only password manager I've found so far that supports YubiKey for free (in fact KeePassXC is completely free). It's open source, which many value. Although I don't believe it is as user friendly as other password managers, just my impression so far, as I haven't actually used it yet. It seems more up to the user to store in the cloud and access elsewhere, but then they also have the option to just store it locally.

RFS2019
Posts: 1
Joined: Wed May 15, 2019 1:21 am

Re: LastPass vs BitWarden

Post by RFS2019 » Wed May 15, 2019 3:37 pm

mkedst wrote:
Fri Nov 23, 2018 12:09 pm
gtd98765 wrote:
Fri Nov 23, 2018 7:59 am
I would also prefer that RF support the Yubikey, but it does at least now support TOTP codes from an authenticator app.
That's true. I suppose they'll add YubiKey type support at some point.

I'm also considering KeePassXC, which is the only password manager I've found so far that supports YubiKey for free (in fact KeePassXC is completely free). It's open source, which many value. Although I don't believe it is as user friendly as other password managers, just my impression so far, as I haven't actually used it yet. It seems more up to the user to store in the cloud and access elsewhere, but then they also have the option to just store it locally.
I just looked into KeePass b/c I want to leave LastPass as they are TERRIBLE now & me & so many others are very upset.

KeePass doesn't have their own Android app which means that your data won't sync & how can you suggest other people's Android apps for such an important app?

Someone could create an app that steals people's info & KP doesn't care enough to create their own.

So that's a no go for me.

I hope it worked for you.
