Gadget wrote: ↑Thu Feb 06, 2020 9:48 am
I've been a Lastpass user for years since it came out. I've recently grown frustrated with certain things about Lastpass, so I branched out and tried a few different password managers. I thought the bogleheads community might appreciate my review/results. They are geared towards a married couple that needs to share many passwords. Single users may pick another option. For anyone that fears setting up passwords in a new password manager, that process was painless on all options I tried. The export/import functions work well on all of them.
Overall winner for a husband/wife who want to share passwords: 1password
Password managers I didn't bother to try out:
-Keepass: I tried this one years ago. While a tech guy like myself could use it, it doesn't pass the wife simplicity test. Glancing over its current state, I think that still applies today. Bitwarden seems to beat Keepass in user interface, while providing the same types of options for self hosting the password vault outside of the cloud.
-Dashlane: With their Super Bowl commercial and new UI, I was all ready to try it out. But unless I'm mistaken, they have literally no family/spouse password sharing possibilities. So it was instantly out of the running for me.
Password manager I've used for years:
1) Lastpass ($48/yr for family): I've been using Lastpass for years. When it first came out, I really liked it. My wife and I originally shared one account.
Lastpass was the first (I think) password manager to have a family plan option. I signed up for their family plan as soon as it came out since I was already a premium account holder. It was a great first attempt on their part, but it has not been meaningfully updated since it first came out years ago.
I've submitted multiple requests over the years for them to allow the password security checkup option on shared family folders. The security checkup is great, but it only works for your private vault. Which means it doesn't check or allow me to check my shared passwords with my spouse, or her passwords (which are probably the weakest).
I also don't like the new ownership group of Lastpass. It makes me nervous that they will somehow try to monetize my data. I don't understand the private equity group's intentions. Elliott Management in particular leaves a bad taste due to their normal business practices in other fields.
While usable, the shared folders in Lastpass can be confusing. My wife would frequently add accounts, and they'd get stuck in her private vault. Then she'd be using my computer and couldn't find a password she thought was shared. It's also hard to explain, but passwords are hard to manage once they're in a shared folder. It's just a clunky interface for shared folders, but it gets the job done. And to be honest, there aren't many competitors in this area. You can at least move passwords between shared folders, unlike Bitwarden.
One thing Lastpass does well is that their 2 factor authentication in the family plan can work for more than one account. With all other options I've seen (except 1password), only a single phone can receive the 2 factor authentication code. This was really annoying for my wife when I wasn't around, back before Lastpass Families.
Lastpass has had a few breaches, but I actually like the transparency. I worry that the new private equity firm might hide breaches though because they likely affect customer outflow. I figure most password managers have cyber issues from time to time, and they only report them if they absolutely have to. I also don't mind if the password manager is open source or not. I'm a software engineer, and while I like open source, it doesn't necessarily mean it is more secure. Secure open source software requires a dedicated team of software developers to keep it up to date constantly. You could get that with open source, but you could also get a single developer who doesn't have time for all that because he doesn't get paid for his efforts.
Password managers I've been testing the past couple months:
2) BitWarden ($0 for couple): I really wanted to like Bitwarden. It's free. Free even for couples to share passwords. It's open source and has had independent security audits. It has a clean UI and is well polished. You can set up your own vault outside of their cloud if you want. I think it would be my recommendation for a single person. Where Bitwarden falls apart though is its sharing implementation. It's designed for a large enterprise with an administrator who manages accounts and passwords.
Basically, instead of having shared vaults you have to set up a family organization. Then within the organization, you can have collections. These collections contain your shared passwords. You have to manage collections with user permissions like it's a large Windows server or something. Where it gets confusing, it's really hard to manage passwords in these collections. I was confused myself, which means there is no chance my wife would adopt it.
When passwords are in a collection within the organization, I swear you can't move them to another collection or private vault. They're stuck. You have to delete them, or export them, delete them, then reimport them to another collection. It makes no sense. Then sometimes when you move passwords from your vault to a shared collection, it leaves them in both places. Which means your autofill options on websites and apps are cluttered with duplicate entries. To fix this, I tried deleting a few of them. But in some cases, it would delete the passwords in both my vault and the collection. And there is no trash can where deleted passwords go like in Lastpass or 1Password. So they were just gone. At this point, I gave up. Even though it was free, Bitwarden has work to do on the shared password interface. But for a single user that doesn't need to share passwords, this might be the first option to try.
3) 1Password ($60/yr for family). I didn't think I'd like this one at all. It was originally a Mac password manager. I'm an Android guy, and all the reviews for it say you should probably look elsewhere if you aren't in the Apple ecosystem. Reviews made it sound like it didn't work well on Chromebooks or Android phones, which are my only devices. Most Android sites said Lastpass is a better option for Android/Chromebook users.
The reviews were all apparently outdated and based on their older desktop software, which was a $60 one-time license. 1password now has a cloud option just like Lastpass. It works just as well as Lastpass on Android phones and in Google Chrome. Personally, I think its UI is a little prettier than Lastpass and Bitwarden, but that's not why I'd choose it over the others.
1Password finally gets how a couple would want to share passwords. Basically I can have multiple vaults for the family. I can easily move passwords between vaults. And best of all, any account set up as an admin of the family can view any vault at any time. All while still being able to filter vaults for everyday use. For instance, I have a Private Vault, a Husband's vault, a Shared Vault, and a Wife's Vault. My wife and I don't really need to keep anything in the private vaults, but we could. But we want the Husband vault (shared) and Wife's vault (shared) to be filtered out by default. In 1password, you can do this by changing what your account considers "all vaults" in preferences. So my preference is to view only my Husband's vault and the Shared vault by default to remove password clutter during autofill. Then if I need to, I can always go to Wife's vault for one of her financial accounts. But it won't clutter my autofill options by default.
1Password also excels in its security audit. I think they call it something like Password Warden, and it works for every vault you have. This one-ups Lastpass, because Lastpass' equivalent feature only works for your private vault. I do wish this functionality was in the phone app instead of just the main website or PC apps, but to be fair no one else I'm aware of has this on the phone app either. Lastpass didn't anyway.
1Password supports 2 factor authentication, but another thing I love about 1password is that it has a secret key. As far as I'm concerned, this secret key is just as good as if I set up 2 factor on my phone, only easier to manage. I can just protect the secret key on my own, and I only need it when I set up a new device with 1password. This means I never have to bother with 2 factor approvals on my phone. Someone can chime in if I'm being ignorant, but as far as I can tell this secret key combined with my master password not only makes my master password more secure (and makes it impossible for a hacker to get your vault unlocked even if they have your master password), but it replaces the need for 2 factor authentication because it is something I have with me. The hacker can't get it. This is very wife friendly, because she hates 2 factor authentication. Her phone is rarely in her pocket like mine. Even a subpar master password in 1password is secure due to it combining with the very long random secret key.
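The last paragraph of the quoted post reasons about why mixing a long random secret key into the vault key derivation protects a weak master password. The following is an added, illustrative example written for this page; it is not 1Password's actual key-derivation scheme (2SKD) and not code from the post. It uses a hypothetical construction (PBKDF2 over the master password, XORed with an HMAC of the device-held secret key) with constructed salt, secret key, and wordlist values, and a low iteration count so it runs quickly. The point it demonstrates: with a copy of the stored salt and the derived key, a small wordlist recovers a weak password-only key, but the same wordlist yields nothing against the combined key unless the 128-bit secret key is also known.

```python
"""Illustrative two-secret vault key derivation (hypothetical scheme, not 1Password's)."""
import hashlib
import hmac

ITERATIONS = 10_000  # deliberately low for the demo; real products use far more

# Constructed demo values (not real credentials)
SALT = b"constructed-demo-salt-0001"
SECRET_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # 16 bytes = 128 bits
WEAK_PASSWORD = "fluffy123"
WORDLIST = ["password", "letmein", "summer2019", "fluffy123"]


def derive_password_only(master_password: str, salt: bytes) -> bytes:
    """Vault key derived from the master password alone via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, 32
    )


def derive_with_secret_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Vault key that mixes the stretched master password with a device-held secret key.

    Hypothetical construction: PBKDF2(master_password) XOR HMAC(secret_key, salt).
    Without secret_key, the password half of the derivation is useless on its own.
    """
    pw_part = derive_password_only(master_password, salt)
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def secret_key_bits(secret_key: bytes) -> int:
    """Size of the secret-key guess space in bits (what an attacker lacks)."""
    return len(secret_key) * 8


def dictionary_check(target_key: bytes, candidates, salt: bytes, secret_key=None):
    """Self-assessment: does any candidate password reproduce target_key?

    Returns the matching candidate, or None. When secret_key is None the
    password-only derivation is tried, which models someone holding the salt
    and derived key but not the secret key.
    """
    for guess in candidates:
        if secret_key is None:
            derived = derive_password_only(guess, salt)
        else:
            derived = derive_with_secret_key(guess, secret_key, salt)
        if hmac.compare_digest(derived, target_key):
            return guess
    return None


def demo():
    """Run the three scenarios and return their outcomes as a tuple."""
    pw_only_key = derive_password_only(WEAK_PASSWORD, SALT)
    combined_key = derive_with_secret_key(WEAK_PASSWORD, SECRET_KEY, SALT)

    # 1) Password-only key: a weak password falls to a tiny wordlist.
    found_pw_only = dictionary_check(pw_only_key, WORDLIST, SALT)
    # 2) Combined key, secret key unknown: the same wordlist recovers nothing.
    found_without_sk = dictionary_check(combined_key, WORDLIST, SALT)
    # 3) Combined key, secret key present (the legitimate device): unlocks.
    found_with_sk = dictionary_check(combined_key, WORDLIST, SALT, SECRET_KEY)
    return found_pw_only, found_without_sk, found_with_sk


if __name__ == "__main__":
    print("password-only, weak password:", demo()[0])
    print("secret key missing:", demo()[1])
    print("secret key present:", demo()[2])
    print("secret key guess space (bits):", secret_key_bits(SECRET_KEY))
```

The XOR mixing is chosen so that neither half alone reveals anything about the vault key; the secret key is never sent to the server in this model, so a server-side data loss exposes only the salt and ciphertext, and a guess of the master password still leaves a 128-bit unknown. This is why the post's observation about a "subpar" master password holds for this kind of design, and why losing the secret key locks the legitimate owner out just as thoroughly.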