LastPass seem to be shooting themselves in the foot with their irrational and inconsistent pricing.
- A few years back, their free/premium tiers were looking similar to what they announced today. Only they charged a mere $15/year for premium, which I gladly paid.
- Then, overnight, they offered syncing across all types of devices for their free tier. The premium tier was only adding some niche features. I would have continued to pay $15/year just to support them, but at the same time they bumped up premium to $36/year. That was a deal-breaker: not paying 2.5x for features I don't use.
- Now, they switch back to not syncing across all types of devices, but the premium price stays $36/year.
If LastPass was the only game in town, they might get away with it. But there are at least two competitors, against which LastPass doesn't compare favourably: 1Password costs about the same, but is more refined. Bitwarden is a bit less refined, but is cheaper.
I'm not dissatisfied with the LastPass product itself. But having to keep up with radical policy changes every few years largely negates any positive experience.
Thanks for the pointer. First time I hear about Enpass.
The UI looks nice, but I still don't get their company model. Data are stored on a third party cloud provider of your choice, so why is Enpass subscription-based? I surmise that paying removes some sort of ads from the apps, but I can't tell for sure. If that's the case, I'll have to pass.
It actually restricts the number of items you can sync. It is much cheaper though. Actually, with the new model they do have a sort of ad-based system; they have this incredibly dumb popup about how some passwords might be compromised. Oddly, even after paying it's impossible to kill that banner.
LastPass was my first ever password manager and I used it for ~5 years. A few years ago, I got fed up with how sluggish it was (at least, at the time). So I switched over to Bitwarden. Unfortunately, the Bitwarden Safari extension for macOS had a bug where I had to unlock my vault every time I wanted to use a credential and that got annoying.
Around the same time I started using Bitwarden, I started at a job with a corporate 1Password subscription for employees. 1Password's UX was so much better than Bitwarden that I switched my personal account over a few months into using 1Password for work.
1Password isn't perfect (e.g. auto-generated passwords can't be autofilled unless you manually convert it to be a 'Login'), but it's by far the best I've used.
Personally, I've used 1Password, Bitwarden, and LastPass. I switched from LastPass to Bitwarden a few years ago (use it on android and browsers for the most part), and use 1Password for work. Overall I'd say 1Password has the worst UX of all of them, though it looks "clean". It routinely messes with my settings on update, its password generator is annoying to work with, and it doesn't pick up new logins I've entered well (e.g. if I tell 1password to create a login from this page, it populates nothing while bitwarden sets the name and URL + any username or pwd it thinks it sees).
I could go into more depth but overall Bitwarden has been a great daily driver for the past few years and would recommend to anyone.
I feel like there's something wrong with your setup, then. I've literally never had to use the option in 1Password to create a new login for a page. It prompts me 100% of the time to save the login info when I login to a site and, sometimes, even prompts me to create a login when I go to create an account before I've ever logged in for the first time.
Keep in mind when discussing 1password's UX: all of the apps seem to be different between the platforms. My MacOS experience was much different than it is now on Windows.
The MacOS app is wonderful, but I find the Windows app incredibly annoying to use.
Keepass is not a Web first app. There are extensions and workarounds but considering the nature of its file based database it can never be as smooth as solutions like bitwarden and others.
At work we share a Keepass file on a nextcloud instance and it's a giant PITA.
It's very high on my priority list. I want my employees to want to use a password manager because it's so convenient. A less perfect system that actually gets used adds more security than a more perfect system that no one likes.
There are notable advantages to browser integration - in particular not filling on spoofed "lookalike" domains made with visually similar Unicode characters, and not putting passwords into the clipboard where they might be snagged by anything watching the clipboard.
(admittedly, if your system has something malicious monitoring clipboard use you already have big problems)
Lack of smoothness is what causes many people to ignore these things. So, while you or I may know better, it's still a very important aspect if we want more than just the few in-the-know people to use security tools.
I have also used multiple shared Keepass files at work and the issue isn't a lack of smoothness. There have been multiple instances of sync/dataloss issues where you have to refer to an old version or find someone who has the latest "OK" version of the file.
I love Keepass for personal use, but if you're using it for sharing passwords at work then 1Password or Bitwarden are the way to go.
Keepass and all is great. But it doesn't have first class support for anything but passwords.
I'm sure many people will cringe when reading this, but I also save credit cards in my password manager and use it to auto fill when I need it. This unfortunately isn't supported by Keepass et al.
It has templates, which are supported by some implementations but not others. Which also isn't great.
> I'm sure many people will cringe when reading this, but I also save credit cards in my password manager
Why would anyone cringe to read that? They're no more valuable than passwords. In fact, I would think they're less valuable, since really the CC company is on the hook if a number gets stolen.
Another reason this is helpful is if you lose your wallet and have all the phone numbers and details for your cards stored in a syncable database. It makes it easy to cancel your cards and order new ones.
I store my CC numbers in KeePassXC even though there's no first class support. I put my full name as the username, the number as the password, and the expiration and CVV I put in the comments.
I do this too and it's another reason that I use 1Password. I use this functionality a lot too because I very rarely have my wallet on me but I always have my phone.
My biggest problem with Keepass is that the integrations aren't part of the core project. Want browser integration? Great, pick one (or more depending on browser choices) of multiple projects from pseudonymous/anonymous people, install it and give it access to your password store. Want mobile? Do the same.
Last time I looked at it the very nature of the Keepass ecosystem basically meant that you had a ton of different people with commit privileges to different areas, and no real reason to trust any of them.
This is a valid criticism for sure. I suppose the only truly cross-platform option is KeeWeb but you give up some features, mostly on mobile, e.g. fingerprint unlock: https://github.com/keeweb/keeweb/issues/1132.
Keeweb is what I use on all platforms. Yeah it's an electron app but it supports natively storing the keepass file in the cloud. Works online or offline and has global autotype.
KeepassXC is another option for multi-platform. I use it on mac.
KeepassDX for Android (or Keepass2Android)
I was a happy 1Password user, but prefer to use my own hosting for the files & the subscription model makes using your own files very hard (but it's still possible)
I tried BitWarden but the lack of a proper desktop app (where the browser plug-in connects to) is a deal breaker. I don't want to type my master password into my browser.
1Password's support is not that great on Linux. I couldn't get it working anywhere but on Ubuntu. On all other distros, the extension failed to find the running app.
I also switched from Lastpass to 1Password. I did a mildly deep technical investigation into why Lastpass is slow on the browser. I found LastPass delays all page rendering by about 70ms. https://joe.schafer.dev/passing-lastpass/
I had almost the exact same experience. Lastpass was too sluggish for too long and then they jacked up the prices (while also making the free plan actually usable with syncing). I tried Bitwarden but I hated the chrome extension because it didn’t have good autofill which is critical.
Finally switched to 1Password and it has much better autofill + great OTP support even on iOS.
Same. I've been a 1Password license holder for forever and I was looking at switching away from it because they seem to be moving completely to their subscription service but now the value of the subscription service is looking better and better since I started looking at other options. I can get multi-platform apps for my entire family, with the features I've been using for years, and the cost is cheaper than what I was paying in the past for each individual license on each device.
The only thing keeping me from switching is my past experience with these types of services where, once I make the switch, they remove the standalone license and then raise their prices and I have no alternatives besides dropping the ecosystem entirely or ponying up the ransom. I don't like being in that situation.
I had just posted in the duplicate thread complaining about 1Password (https://news.ycombinator.com/item?id=26154324). I've been a user since 2007 and it seemed to get significantly worse with version 7.
Despite its increasingly major flaws (no exact URL matching, slow UI, no way to trigger a sync), it seems like it is still the best option for someone who wants a native Mac/iOS interface. Though if it keeps getting worse at the same rate, hopefully other options will catch up.
Two main bugs I experience with Lastpass are (1) duplicate entries when things sync up and (2) quick search doesn't enable the copy user / password buttons many times. Annoying workaround is clear the search, and re-search again, that usually brings back the buttons.
Yes! 2 drives me nuts. I switched from BitWarden to LastPass mainly because of the quick search. And having to clear the field and retype is one of those minor bugs that is slowly driving me insane because I hit it 15 times day.
I also changed from LastPass to Bitwarden due to LastPass being noticeably slow. I don't mean to diminish the probably very hard work put into a product with a decent free tier, but it was sluggish enough it only made sense to try an alternative.
LastPass costs $36 per year. Operating on the principle of being the customer and not the product, that seems very reasonable for a secure way to store and share the keys to my digital life.
That said, it does make it a little bit harder for me to onboard my friends and family when they ask. One of the selling points has always been "Yes, you can use it on your phone and laptop" and "no, it doesn't cost anything".
I agree with other comments that in the current market, Lastpass is not worth it at $36/y. The way they increased the price is arguably more annoying than the price tag.
I happily paid for Lastpass at $12/y. Logmein raised price and I switched to free. Logmein limited free capabilities and I will switch to Bitwarden or 1Password and pay them. I'm not staying with Lastpass to get the rug pulled out under me the third time.
I switched to Bitwarden in early 2019. The migration was really easy, and I was surprised to find that it was accurate, too. Bitwarden has its flaws, but I'm happy with it.
LastPass is a commodity. There are many free or open-source alternatives that are as reliable and as secure as LastPass that provide similar functionality. It's hard to justify even the small price for a commodity service unless you provide the best possible solution, and sometimes even that is not enough.
I switched from LastPass premium that cost $15 per year a few years ago to Bitwarden because LastPass could recognize password fields on all web pages, while free Bitwarden just works everywhere.
The functionality is a commodity but what about the UX? MP3 players were fairly common when the iPod came out but the iPod crushed all the competition. Why? Because the UX was simply better.
Without a doubt the password manager with the best UX is 1Password. Last year I got my tech-averse partner to set it up on her phone, the entire process took about 10 minutes and then it was done. She's never asked for my help or support, once she got things working it's simply continued to work.
I've since set it up across my family and my pre-teen child is also using it without a hitch.
From a holistic perspective I love that I can manage multiple vaults. Everyone has a private personal vault that is only available to them and we have a bunch of shared vaults for things like xbox and netflix passwords.
I've never used BitWarden so I can't comment on the UX but $60 a year for 1password is well worth it. I can rest easy knowing that everyone in my family has good password hygiene.
I was a paid Lastpass user who switched to Bitwarden a few years back because of the UX/functionality issues Lastpass had been developing. I've heard 1password has better UX; I'd describe Bitwarden's UX as similar to the Lastpass of 5-7 years ago.
I transitioned to 1Password after many years of LastPass and have been quite pleased.
I continue to harbor some concerns about the emergency workflows (what happens in case of death or disablement) but otherwise it's just been solid. LastPass felt, on the other hand, like it was increasingly neglected.
They had self hosted sync with the old vault format. They removed it when they switched to the new vault format. Dropbox always worked. Now they push their own service.
No, it didn't. I don't remember the details, but the local sync (starting a sync server on the phone) did not work for me with a normal home network, and Dropbox didn't work across all devices, either.
> Without a doubt the password manager with the best UX is 1Password.
I would agree for the macOS and iOS versions but the Windows version could get some polish. The default title and menu bars still hang around, the font choice isn’t that great, and all in all it feels less nice to use.
>Without a doubt the password manager with the best UX is 1Password
My experience is about 1 year old, but I have to disagree. As a paid 1Password user, my browser plugins and mobile client would fail to fill in the forms I used at least 50% of the time. That's horrible UX, but I agree, their UI looks nice.
I've been debating making this switch myself. How time consuming was the transition? Did you have to do much manual data entry or does bitwarden have the ability to reliably import lastpass data?
The most annoying thing for me is that Bitwarden doesn't have support for all of the extra "credential types" that LastPass has. They are still imported, but everything that isn't supported is imported as a secure note.
So far the only issues I have had logging in anywhere has been logging into my firefox account (in a new browser), and home assistant.
Bitwarden is more reliable at importing data exported from Lastpass than Lastpass is at exporting your data. Export bugs happen, but their forum and /r/lastpass are always quick to come up with workarounds for Lastpass bugs.
Shared passwords aren't included in the Lastpass export, at least at the time I last exported from Lastpass.
The only functionality I do miss from Lastpass is the option to generate the short pronounceable strings I use to create usernames, like the one I'm using now.
I used to subscribe, then the service was acquired and the price doubled so I stopped subscribing and relied on the free tier. With this announcement I think it's time to move on (probably to Bitwarden)
It’s ridiculously expensive. I get Office 365 with 1TB of storage for €6 per month. Office is just as secure as lastpass. I bought Enpass (wouldn’t recommend as they moved to a subscription model) and store everything on OneDrive. Paying $3 per month to store tiny text files is crazy.
I often see comments like this one that misunderstand value for how something is achieved.
Value is decided by the market according to the utility of the service. I happily pay $22 per year for Pinboard to keep a few bookmarks with tags. That's also storing "tiny text files" but I could not care less. I could even implement something similar myself. And yet, I find the value it provides worth paying.
Another, more extreme example. I am part of a $5000 business program. Last week, I got a single piece of advice that I consider already paid for the entire program. The delivery was 20 minutes long. It was not even something original invented by the lecturer, but it can be found in some books. And again, I don't care. The value is in the impact, not in how the advice was discovered or delivered.
Conglomerates that do B2C for money will always beat upstarts as their customer unit average cost will be lower and per unit attributable revenue will be higher.
If the only thing that a customer cares about is paying the minimum amount, the customer should not be surprised that their choices would be limited to conglomerates.
Independent restaurants are a lot more expensive than national chains and make a lot less money than the national chains. If one's only goal is to feed oneself in a restaurant, one is better off going to a chain one.
Fine but that’s not the parent’s point. You shouldn’t buy from local stores, local restaurants, or small shops because of some notion that you’re sticking it to large companies. You do when, for you, the products and services they offer have better value for you.
If you choose a worse or more expensive product because it’s from a small business then you’re only making yourself worse off.
> Fine but that’s not the parent’s point. You shouldn’t buy from local stores, local restaurants, or small shops because of some notion that you’re sticking it to large companies. You do when, for you, their products and services they offer have better value for you.
That's not correct: the part of the value that you get from buying from local small businesses rather than conglomerates is that you are not buying from a conglomerate, even if the local product could be considered inferior by some measure.
That's true for people who try to politicize every aspect of their lives, but this is a toxic attitude and, as the grandparent post said, you are only hurting yourself.
> misunderstand value for how something is achieved.
I find this line of reasoning offensive as it assumes that people who genuinely disagree with me don’t understand.
I think it’s more likely that people understand and genuinely disagree. It’s dismissive to just not respond to someone’s values and rationing and I think leads to less discussion and thus more disagreement.
It’s very likely that people place different values on things and I think to have a conversation we have to get to common ground and then build from there. If different people miss the meat of an argument then I think it’s not as interesting or useful.
I mean the value prop is the software functionality, not the storage. You think lastpass/1password are funding their development with a markup on storage?
I can get the argument that it’s not worth $36 but not because of storage costs.
I was a happy user of that workflow until I started working for an organization that blocked Dropbox but not any of the browser plugin based password managers.
Also while free, arguably the UX is not very good especially on mobile, unless Keepass integrates the way Lastpass, 1Password, et al do. I cannot imagine convincing any of my non-tech friends to go this route.
Interestingly this is basically how 1Password did password sync for years - not a Keepass database, but a 1Password folder structure stored within Dropbox saving a bunch of little text files. They added other synced storage options over time before turning up their own cloud service, but third party sync was where they started.
I kinda feel like the price point for these things is set wrong, though. What you want is a higher price point which gets you /everything/. I pay $1200 per year for bandwidth. If I needed to pay a couple hundred bucks more for access to everything (online newspapers, LastPass, online office suites, etc.), I'd gladly do so.
LastPass should have 250 million customers, not 25 million, each paying $3.60 each, not $36. Most should be inactive, as part of some kind of subscription bundle.
Kinda like a more democratic, decentralized version of Prime.
From posts here, though, Bitwarden seems more reasonable. I trust open source more, and it's cheaper.
It was definitely starting to feel a little pricey for how terrible their UI is and how little interest they seemed to have in fixing it. What really got me to switch to Bitwarden though was how it started "recommending" that I change my master password with a modal popup every single time I unlocked my account.
On the flip side they offered very little value in premium compared to free (for me) so there was no reason to upgrade even when I wanted to pay (I did pay for 2FA but TBH I could live without it)
I moved to Bitwarden about a year ago when I got fed up with the terrible UI in Lastpass. Bitwarden isn't the pinnacle of UI either, but at least it's way cheaper. Been very happy with it.
My topics:
- Bitwarden is becoming risky to use?
- the next Bitwarden?
So many people recommend Bitwarden now. I am a paying customer from the first day and have been using it on all my devices. Bitwarden followed my Lastpass experience, similar to what OP has described.
Now, Bitwarden's popularity is troubling me. It has become already large enough to be an attractive target for attacks. The bigger it gets, the more lucrative it is for attackers. Similar to the Windows vs. OSX discussions 10 years ago: viruses spread on Windows, because it was big.
Hence, I am starting to worry about using it and asking myself what "the next" Bitwarden is.
What do you think? Is my reasoning going into the right direction? Do you see the point reached where Bitwarden has reached critical mass? What would you recommend as "the next" Bitwarden?
Bitwarden is open source and regularly audited, which is not something you can say about Lastpass.
Your thinking about Bitwarden becoming a more valuable target is probably directionally correct, but at least anecdotally, I think the biggest target in this space is going to remain either the built-in Chrome/iOS password managers, or Dashlane, which is a product that advertises widely on Podcasts, etc.
The way that Lastpass and Bitwarden (which seems to have followed most of the security architecture of LP) are designed makes them very resistant to attacks.
The passwords and all data are encrypted on the client side and the server has no way to decode your passwords so even if Bitwarden's password was stolen, the passwords within the accounts are as secure as the Master password you chose.
Also the fact that the server side is fully open-source (and not just the client) means you could switch to using your own servers at any time.
How big the target is has very little to do with how safe it is.
Viruses spread a lot more on windows because of MS's shit stance on security. It's an even more popular OS now but the virus landscape is a hell of a lot more limited because they started to take security more seriously. They still have a way to go.
It works great on iOS. Full integration as you would expect, pops up at the top of the keyboard for app & website autofills. FaceID is also implemented to authenticate before opening your vault.
edit: One note about something that was bugging me for a while...items created on my computer sometimes wouldn't show up in the vault for immediate use. Painful when you sign up for a service using your computer and then try to immediately sign into it on your phone.
In the iOS app settings there is 'Swipe down to refresh' (or similar) - turn that ON. Not sure why it was off by default, but it totally fixes the issue. Just swipe down to refresh the vault and your new item appears.
I think with any install of BitWarden, be it a browser add-in or separate app, the one you are adding a new credential into knows enough to sync to the cloud, but the others won’t know that new data awaits in the cloud until they do a scheduled query/poll or you manually sync through those clients.
Having a push feature only works if you can engineer your app or add-in to open up the necessary ports or tunnels in the OS itself. Polling on the client end will always be easier to implement.
Also: just checked BitWarden v2.8.0 (449) on iOS 14.4, no setting for “swipe to refresh” anywhere in its settings.
Absolutely. I don't know what eventually triggers the vault on my iOS device to update. It definitely isn't a push notification when the vault is modified on other devices. Probably just a simple duration-since-last-update timer, like the Chrome extension.
My trouble was specifically related to the 'Pull down to refresh' behavior being disabled by default though. If that feature is disabled the new items will appear sometime, with no way of knowing when that will be. I honestly don't even know why that feature has an ON/OFF switch, it should just be permanently enabled.
I've tried really, _really_ hard to like Bitwarden. But I ran into 2 huge issues, that ended up being blockers for me:
1. Sharing is super-confusing. I was trying to organize things for my mom, as well for my wife and I. And you have to create these "organizations". And they make things really confusing for a variety of reasons. They are a different pricing/SKU. And the UX around them is not good. It's not clear where things are being created a lot of the time, and who may or may not have access. It just was a really bad experience.
2. It was outrageously slow for me. I use Enpass otherwise, and it comes up right away, and searching is relatively fast. But Bitwarden always had this delay. And it was a huge pain point because it wasn't clear immediately if there were just no results, or if I just had to wait a few seconds. And sometimes things would pop up unexpectedly.
So I've continued using Enpass. It has _by far_ been my favorite password manager. It's not open source, but it uses Sqlite and SqlCipher under-the-hood, and I have full control over where it syncs my data to. Sharing is still a problem (mainly because of the architecture decisions - there is no "central server"), but everything else is so great that I'm fine making that tradeoff.
Agreed on the sharing - I was trying to arrange a family plan for 5 people, and happy to pay $10*5 a year (coming from a shared lastpass instance), but have given up trying to figure out how sharing works. Ideally every person would have their own personal vault and there would be a shared vault for "family" accounts, that you don't explicitly have to switch to in order to use. We just share master passwords and manually sync things, but it seems like a missed opportunity to upsell individuals into family or small team plans with just a few new sharing features..
Having just set up a free organization the other day, I agree it was slightly confusing. Mostly because I was kind of hoping to combine costs for an organization with the per user $10/year plan. In the end, I set up a FREE organization for two people, and paid for the per-user upgrade for one of us, for now, to get the reports on bad passwords.
If you're trying to set it up for three users, you'd need to pay for an organization, which starts at $9/month. On the other hand, I believe you could set up two free organizations where you are a member in each, and you add your mom to one and your wife to the other.
I don't think it was a particularly difficult process, but I did it on my computer, and once it was all figured out, helped my spouse with the rest. I don't find the sharing process confusing. You click Share on a saved password, choose the organization, and then you choose the collection you put it in (which can simply be Default.)
I haven't found BitWarden to be slow, but my laptop is a Ryzen 7 4800H and my old phone was a Pixel 3, so neither are slouches. Not sure how many records I have but I'd estimate about 500.
re:2 - interesting. I've used bitwarden regularly over the last year or so across windows and mac laptops and iOS devices. I can't recall ever having a notable delay. I wonder what this implies about configuration.
I'd be a bit afraid of this. Secure key derivation takes time. Remember, you want to be able to defend against people with a few GPUs or the ability to configure a cheap FPGA at least and the ability to build custom ASICs or employ a GPU botnet at worst. Taking ~5 seconds to derive your key securely on your phone is a near inevitability.
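The two security points raised in this thread, that the vault is encrypted on the client so the server never holds anything that decrypts it, and that the unlock delay is the deliberate cost of a slow key derivation, can be made concrete in a small model. The following is an added example written for this thread; it is not Bitwarden's or LastPass's code. It assumes PBKDF2-HMAC-SHA256 as the key derivation function with the lower-cased e-mail address as salt, a separate one-round "authentication hash" sent to the server in place of the master key, and an HMAC-SHA256-based encrypt-then-MAC construction standing in for the AES-CBC/HMAC or AES-GCM a real product would use. The function names, iteration count and sample credentials are all constructed for the example.

```python
"""Model of a client-side-encrypted vault (added example, not a vendor's code).

Assumptions: PBKDF2-HMAC-SHA256 as the slow KDF, the lower-cased e-mail as salt,
and an HMAC-SHA256 encrypt-then-MAC construction as an illustrative stand-in for
the AES-based authenticated encryption a real password manager uses.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed default; real products raise this over time


def derive_master_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit master key.

    This is the slow step: an attacker guessing passwords against a stolen
    ciphertext pays the same per-guess cost, so the count is set high enough to
    hurt GPU/ASIC crackers while staying tolerable on a phone at unlock time.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), email.lower().encode("utf-8"), iterations, dklen=32
    )


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Derive the value the client sends to the server at login.

    One further PBKDF2 round over the master key (password as salt) yields a
    hash from which the master key cannot be recovered, so the server can check
    a login without ever holding the key that unlocks the vault.
    """
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"), 1, dklen=32)


def _subkeys(master_key: bytes):
    """Split the master key into separate encryption and MAC keys (label-based expand)."""
    enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative stand-in for AES)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_item(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one vault item; the returned blob is all the server ever stores."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_item(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. A wrong key (e.g. an export made before a key rotation) fails here."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def kdf_seconds(master_password: str, email: str, iterations: int) -> float:
    """Wall-clock cost of one derivation: the delay the user sees at unlock."""
    start = time.perf_counter()
    derive_master_key(master_password, email, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    email, password = "alice@example.test", "correct horse battery staple"
    master_key = derive_master_key(password, email)
    auth_hash = derive_auth_hash(master_key, password)
    blob = encrypt_item(master_key, b"site=bank.example.test user=alice pw=hunter2")
    # What the server holds: no master password, no master key, only these.
    server_record = {"email": email, "auth_hash": auth_hash.hex(), "vault": [blob.hex()]}
    print(server_record)
    print("decrypted on client:", decrypt_item(master_key, blob))
    for n in (10_000, 100_000, 600_000):
        print(f"{n:>7} iterations: {kdf_seconds(password, email, n):.3f}s")
```

Running the script prints the server-side record (an authentication hash and opaque ciphertext), the item decrypted on the client, and the derivation time at three iteration counts; the last loop is the trade-off the comment above describes, since raising the count slows both the legitimate unlock and every guess an attacker makes against a leaked blob. The `decrypt_item` failure on a wrong key is also the behaviour the Bitwarden note quoted later in the thread warns about: an encrypted export made under an old key cannot be opened after the account key is rotated.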
Same here, I'm happy to pay Bitwarden because they have a highly functional firefox addon. LastPass was garbage for like two years before I dropped them and that was itself years ago. It's been bad for a while.
I definitely don't trust LastPass with my information, definitely don't trust that it will actually work in my browser, and if you export your lastpass vault bitwarden imported it perfectly.
Take my advice at your own risk of course, I had both for a few months before I was confident it was safe to close my lastpass account.
I did the same switch too a while back, Bitwarden has been really solid.
Interesting thing: I just now remembered to delete my LastPass account, but the delete account flow breaks totally. Just end up in a modal without any content in it, both Firefox and Chrome.
I'm wondering if they are even deliberately blocking deleting accounts for damage mitigation?
Huh, you reminded me that I used LastPass for a while and still had that account. I went and deleted any passwords still in there, and then had to do a web search and found https://lastpass.com/delete_account.php which worked for me. I just had to confirm 2 or 3 times and then it claims it deleted my account. This is in Firefox on Windows.
Honestly, I’ve been using LastPass for years and lately the chrome and Firefox extensions have been really buggy for me. Especially the chrome one. So I’m not sure it’s nefarious.
Import features alone should work, but if you’re absolutely desperate you can roll your own import process with bitwarden-cli (it’s on github and various package managers).
I think Bitwarden's UX is pretty poor. A few examples off the top of my head:
- 1Password's TOTP support is much better. 1Password autofills the code and the password, Bitwarden only copies the code. 1Password will scan pages for QR codes.
> Rotating your account’s encryption key will render an Encrypted Export impossible to decrypt. If you rotate your account encryption key, replace the old backup with one that uses the new encryption key.
All password managers have issues but as a user of 1Password I have a lot of gripes with the product:
- Fails to fill out passwords around 2% of the time (Firefox account for example)
- Sometimes I mash the "CMD+/" shortcut and nothing happens. It's very unstable.
- Password generator is rigid. I have to edit the generated password about 90% of the time to add capital letters, numbers etc. I made a comment a while back on how we should be using HTML data attrs on the password field to hint how a password should look for password generators. Perfect password every time.
- Can't remove a single item from the trash. It's empty all or nothing.
- The shift to the web. Introduction of Keepass X extension whilst supporting the legacy. No feature parity between them. It's a bit of a mess to be honest.
It's probably tough to find a thorough review where someone put basically all their passwords in different password management tools and lived with them for long enough to compare them. Then again, people have undertaken more arduous tasks before.
For a while, I had the horrible practice of using the same username and very simple password everywhere. Eventually my "one true password" became slightly more complex, but I still had some bad habits. I eventually started letting Chrome save all my passwords except for, of course, my Google one.
I switched to LastPass (free) for a while. (My memory of this is a bit fuzzy.) At some point I wanted to switch to something less, eh... corporate? So I got BitWarden. I really like the password generator, and use it exclusively now. (There was a web site I used to use for this, but of course this is much more convenient.)
It was a bit rocky in the earlier days. Integration with the browser on Android could sometimes be a little shaky. It's still not perfect, but I don't have good comparisons there. I use Firefox on Android, Windows and Linux. It works really well on the desktop and mostly really well on Android, though with the browser it's unreliable if you rely on the Android app, so I install the Firefox Add-On for BitWarden, and that works reliably.
My spouse set up her own account, and we share some of our important passwords via a free organization. This is a great feature and gives us both some peace of mind if we were ever required to get into each other's accounts. We also paid the $10/year so she could see reports on her passwords, and get rid of breached, insecure and duplicate passwords. She has adapted readily to using the password manager though she mostly just uses it on the computer, not on the phone.
Overall we are very happy with it and I believe it's an excellent option. I cannot, however, compare it to 1Password.
Unless you have strong opinions about either one's UX, the most significant difference that matters to most users between Bitwarden and 1Password is that Bitwarden has a free plan and 1Password doesn't. Sometimes the "free" price tag is the difference between being able to convince someone (or yourself) to use a password manager and not being able to convince them.
About UX: between BitWarden and 1Password, I haven't seen any actually compelling discussion of the two password managers' UX that goes beyond just the typical way in which anonymous internet commenters enthusiastically assert preferences. They both do their jobs well enough the vast majority of the time. If you're genuinely in doubt about the UX, try Bitwarden for free and then try 1Password if you can't stand Bitwarden's UX.
Bitwarden doesn't have a Safari extension anymore since Safari's extensions are their own format... Safari since said they'd allow Chrome's extension api but I haven't heard if Bitwarden will start developing the Safari extension again.
That's not true. If you install it from the Mac App store, you do then get the extension and can activate it within Safari. I just switched from LastPass to Bitwarden and by all accounts it seems better than LastPass (for my basic usage) and the Safari extension is working fine for me.
Thanks for this, by the way. There was a time where the author had announced that he wouldn't be supporting the Safari extension for Catalina and beyond, and I never realized it came back. My work life is better now ;)
Good to hear, I want to make the jump myself some day. At the moment I have a personal (paid) LastPass merged with my company's enterprise LastPass, and for sanity's sake I get both in one UI with Yubikey support.
Honestly I pay for the premium even though I use absolutely none of their premium features. At €10/year, it's the cheapest subscription I've ever encountered, and I don't want to store OTP at the same place as my passwords to avoid single point of failure for my most important stuff.
The title is slightly off. The limit is to a single device type, not device.
If you only use LastPass on 2 devices of the same type (on your desktop and your laptop or if you only use it on your Mobile and your Tablet) you will be fine to stay on Free, However if you use it on your Desktop and your Mobile (like me) you will need to swap password managers or pay up for the service.
Before LogMeIn bought them the service was free on "Computers" but you had to pay up for Mobile (although you were able to access your vault via their website, the mobile app just made it easier).
Guess it's time for me to invest my time into actually setting up and exporting my passwords to something like KeePass (I've been meaning to do it ever since LogMeIn bought them, I was just far too lazy to do it until now).
~$30 for a year (the offer they included in the notice) ain't that bad, but I just don't like having the rug pulled from under me and would rather support something like KeePass than support LastPass.
Maybe I will change my mind after I've had some time to digest the news and play with KeePass (and its alts).
I've been using KeePassXC for a few years now. Before this, I was using LastPass and then before that, the original KeePass. Feature-wise, KeePassXC does a really good job replacing and going beyond LastPass.
It can have folders, it generates passwords, it can hold TOTP (2FA) tokens and it can even hold SSH keys acting as your SSH agent. Having your password safe be an SSH agent is a really nice feature which means less copying passwords around. The browser plug-ins have worked well for me as well.
I like that it can use any file sync tool for storing the key database - similar to why I like Joplin for note taking. I also like that there are many different clients for it since it is an open standard. To keep things secure you can use a password plus a key file. As long as you keep the keyfile only on the devices or on separate sync services, it raises the bar of security quite a lot.
There are KeePass clients on Android (Keepass2Android and KeePassDX) as well as iOS (KeePassium and another that I forgot the name of). All of the mobile clients support filling passwords. I have them all looking at the same file share and have not had any issues with corruption or file sync. I have it configured to immediately save all changes to disk and it writes and merges conflict files automatically as needed.
There are a few areas that it isn't as strong. First is sharing passwords - it has a feature for it but I haven't actually tried it out yet. Since you need to have the shared file ahead of time, you're really relying on your file sync provider to share that part of things. Second, the integration between programs works well but it isn't as seamless as a cloud service would be. For example, prompts will pop up in KeePassXC when there is a request to access a new password by a website. I believe this is probably more secure but it is an extra thing to come up when auto-filling passwords.
I have yet to try bitwarden but I would guess that sharing and lower-friction in web browsers would work better with it since those were the key benefits of LastPass when I'd used it.
FYI Bitwarden is only $10 a year. Before Bitwarden I used a combination of Keepass and Google Drive to sync all my passwords between devices. That was a workable solution, but Bitwarden is certainly easier, and I think more polished too.
I should also note that the free bitwarden does support syncing across unlimited devices (and device types), and can be self-hosted if you like that kind of thing. The premium version unlocks additional features like 1GB of encrypted file storage, a built-in TOTP authenticator, and priority support - but I was using the free version for multiple years prior to paying and it was great.
Cheers for the info, I'll look into it. I'm not against paying for the service (I've used the hell out of LastPass), I'm just not a fan of them pulling my use case from under me.
That will always be a risk, as long as you rely on cloud services.
I started using Lastpass as well, but moved to Keepass as soon as they were eaten up by Logmein. I moved to Keepass and I keep the keyfile on OwnCloud. It works very well, and even better than Lastpass (at least as it was when I last used it). Keepass has actual desktop clients, so you don't have to use a janky web-app.
>That will always be a risk, as long as you rely on cloud services.
True, but it seems that Bitwarden offers the option to self host which could help mitigate that. However as a paying customer you have more of a leg to stand on if the company does try and pull the rug from under you.
As for LastPass, I rarely used the "WebApp Vault" (Only to copy my passwords for native apps on my desktop) and did it all via the context menu / LastPass button injected into the User/Password fields in the browser.
Their iOS app was very handy (as my local supermarket self-scan app keeps logging me out), as for most apps it would offer autocomplete. So I'm going to be looking more into the mobile integration than the desktop integration (as it's far easier for me to copy and paste between things on desktop than it is for me on mobile).
I am going to give KeePass a try but I've not settled on which system I will actually switch to yet.
To me, the unbeatable feature of Keepass is the fact that I'm not limited to user/password combination. I use it to store important notes and even files.
Bitwarden is awesome. I use the free version and it covers all that I need. All the clients and the server are open-source, you can self-host it for free, and there are even alternative server implementations like https://github.com/dani-garcia/bitwarden_rs
The whole distinction between mobile and computer is such a frustratingly artificial concept, a concept that has been imposed for monetization and control.
At this moment in time, I'm not against paying for my password manager as it has been handy to me. However, because I feel that LastPass has pulled their product from me with a demand to pay up to continue to use it, it feels different to me than it would for me to opt into a paid account because I liked the service but the free account would probably work just fine for my use case (the current free tier of Bitwarden, for example).
So at this point in time I would rather switch providers and give them the 30 bucks LastPass are now demanding for my use case out of the sheer principle of the matter.
So if I do swap to KeePass or KeePassXC I will be donating that 30 bucks to them. If I swap to something like Bitwarden I'll pay them for whatever package is as close to that $30.
The only problem I had with BitWarden was you cannot add/update entries on mobile when you're offline. This might not be a big issue for many, but it was a deal-breaker for me. I'm now rocking a local KeepassXC (PC) + Keepass2Android + Syncthing setup that syncs when I'm on my home network.
Bitwarden is F/OSS software whose server you can install on premises [1]. I wish it were lighter, though (its minimum memory requirement is quite large).
I'm using Keepass2Android Offline; it supports the auto-fill service that was introduced in Android 8, so it shows up anywhere a password manager is supposed to show up and yes, works with Firefox for Android.
either Keepass2Android or KeepassDX. They both have virtual keyboard support[1] and at least one of them has android auto-fill support.
[1] to use it you have to open/unlock the database, select the entry (although I think it's also possible to associate to android package ids so you don't have to do this), switch back to the app, change your keyboard to the keepass keyboard which will have buttons for entering user and password.
Just switched to Bitwarden. Took me ~15 minutes to get the browser extension + app installed and to complete the migration using the export/import features.
I've performed the switch as well, however, a couple of things to consider about Bitwarden:
- field detection is much poorer in Bitwarden (ie. it will fill both signup and login fields in some websites... including HN)
- Bitwarden timeout doesn't survive browser restarts (at least, this was the last time I've tried it), making it difficult to use for people with a complex password and frequent browser closing/opening
I don't like using browser extensions for password managers (I read in the past these are usually the easier attacks, might not be true nowadays) and switched from LastPass to Bitwarden.
The feature I miss is that LastPass has a Mac MenuBar app which provided a global shortcut to search my wallet, for Bitwarden I always have to open the app.
Also, the iPhone app doesn't let you view attached images in the app, you have to first download them to the phone's storage.
Also Bitwarden's enterprise feature is very different from anyone else's enterprise feature.
It's in my opinion a bad system. The issue revolves around the fact that you always have a personal account that has work access. Well.... for enterprise, I want to be able to help users reset their password, override their MFA, revoke access to a share, and audit what shares they have access to.
I REALLY wanted to use Bitwarden company wide, but the enterprise product is just not there.
The concept is that you have your personal vault, and then you can also be a member of multiple organisations, each with a vault.
If you want, you can choose to disable the "personal ownership" option, so that employees lose their personal vault and can only use the organisation's vault. You can also select the "single organisation" option to prevent an employee from joining a second organisation.
Once you have done that, you can audit all of the shared "collections" in an organisation and revoke access to specific "collections" for specific employees.
And if you want enterprise-y control, then you can manage employee credentials using LDAP, etc.
It is a bit confusing to be fair, but I think you can do the things you mention?
How does it do with sites that insist on using a 'password' type field for both username and password? This is my biggest pet peeve on the internet today!
I've been wanting to move away from LastPass for a while now for different reasons - it feels very heavy and clunky. It's slow and the autofill can be glitchy.
Does anyone have any recommendations from this perspective? 1password seems more Apple-oriented, but my devices are all Windows (chrome), and Android.
There's lots of discussion here about "terrible UI," but I imagine none of these password managers are consistently great across all platforms. E.g. Someone using an app solely on a linux desktop in Firefox will obviously have a vastly different experience than someone using the app primarily on an iPhone with safari.
I just switched (literally in the last hour) from Lastpass to Bitwarden. Quick painless import and works great across iOS, Firefox (browser extension) and native client.
Free and open source (client and the server too if you want to self-host).
We moved away from LastPass for the reasons you mentioned and for the problem that I couldn't recover the password of a business account. The account was just not usable and they couldn't even delete it, so once someone made a mistake while opening it, their email address was blocked. I think they fixed this since we moved, but 1Password is not standing in my way and does everything reliably and quietly.
They have apps for all (mobile) OSes and even a native Linux app, which I really appreciate. I just saw they also have a CLI; I have to test this, too.
I'm just a happy customer with ~60 users and not affiliated.
I use 1-password and I don't agree with it being Apple-oriented. Their integration with Apple OSs is awesome, but their Windows solutions work really well as well.
I am very happy with Bitwarden. Fully open-source (including the server), free tier has everything I need (and the premium is just $10 a year), self-hostable (and there are even alternative server implementations). The UI isn't "sleek" but you'll get used to it very quickly. And it has a nice import wizard that will walk you through the process of exporting your passwords from other password managers.
I recently migrated from LastPass to 1Password. Honestly it's been great. The UI is better, sharing vaults is easier, they have integrations with haveibeenpwned.com, and integrations are seamless. There's no free tier, but the cost feels worth it to me. I was able to get my whole family on 1Password without too much hassle.
I switched to using safari’s password sync across mobile and desktop. It only works on iPhones and macOS desktop safari, but I adjusted my workflow.
It’s both free, and reliable as long as Apple supports it. But I trust Apple to exist or migrate better than a dedicated product company like lastpass. Both for a decent user workflow and for not being breached (much scarier to me).
I know that companies learn from security incidents and that we should reward, not punish companies for being transparent in their responses. But lastpass [0] has had issues with breaches and potential breaches and I’m nervous about storing bank passwords and whatnot with third parties.
I used to recommend lastpass because it was easier to use and better than others. But now, for people who don’t know how computers work, I just recommend to buy an iPad or iPhone and use their password managers.
I think it’s going to be tough, even if free, to compete with this.
Doing stuff like making users choose between desktop and mobile, completely arbitrary with no real engineering driver, will just move more users away, I think.
What you need to worry about being tightly integrated with Apple is not a hacker getting your data - it is being stuck with you or your surviving family not having access to your own data. This is my primary worry about walled gardens such as Apple or Google where you could be locked out of your own data because, you know, you looked at your phone the wrong way.
In this instance, you are better off relying on someone whose primary business is to save passwords. They are more likely to have thought about this.
For example, 1Password, explicitly offer an emergency kit[1] for your surviving family should something bad happen to you.
They also used to have a zero-install reader called 1Password Anywhere, but that seems to have been discontinued.
This is a good concern, and one I mitigate by keeping a file with trusted people that is to be used in case of my death.
I think I’m better off relying on Apple’s business of protecting my identity (and selling me more apps, music, phones). And the effort spent on this by Apple is likely better than the primary purpose of a much smaller company. I also don’t think the incentives for a password as a service company that makes money off a monthly fee are lined up with mine. In time, I think they will only get worse as they layer on “features” to grow revenue from a fixed, and shrinking, market.
If you’re worried less about hackers and more about big brother, such as crossing borders, they also have a Travel mode that drops from your devices any password vaults not marked safe for Travel. Then toggle them back on after you don’t consider yourself or your data subject to inspection.
> But I trust Apple to exist or migrate better than a dedicated product company
I'm staring at my huge Aperture photo library (with tags, edits, versions and albums). Apple left me hanging. I would not assume anything of a huge company.
For all kinds of reasons, I hate what they did there, abandoning Aperture functionality — there remains zero other software that fills what Aperture did for me. Even though Capture One and Adobe Lightroom Classic can both import from it to a degree:
That said, Aperture could still open an Aperture library using the final versions of Aperture up until Mojave. So from the time Aperture was discontinued, Aperture itself worked through six versions of MacOS, until Catalina.
As of Catalina, Aperture no longer ran native[1], but Photos itself could still open and migrate those libraries (note: I have not tried in Big Sur). While Photos didn’t recognize everything initially, before Aperture became unsupported, Photos did eventually handle tags, non-destructive edits, JPEG+RAW pairs, referenced files, and albums.
Apple eventually got the parity enough I was able to move a quarter million photos over into Photos, and haven’t needed to re-open Aperture in a couple years. While I haven’t needed it, I did test the software linked in [1] below, and it worked great.
From README: ”All Aperture features should be available except for playing videos, exporting slideshows, Photo Stream, and iCloud Photo Sharing. If RAW photos can't be opened, you need to reprocess them.”
Hard disagree -- this is a product, not a feature.
If it's a feature then it's tied to a single product. The whole reason I don't use Apple's or Chrome's built-in password syncing is because I need my passwords to also work on Android and on Firefox.
LastPass is one of the only ones that supports MFA on Linux and iPhone with my Yubikeys. Their security track record is a bit meh, but generally speaking, I’m very happy with how they integrate everywhere.
They’re accessible outside of a browser, via a “keychain”, and the entire OS is built to use this keychain, which also syncs appropriately among your devices.
On iOS, it’s Settings > Passwords. On MacOS, it’s Keychain Access, which looks like this:
There is also a UI in Safari itself, which on MacOS has added some advisory features, including easily guessed, seen in a data leak, or used on multiple sites:
Well, time to switch it is. I can't justify more than a couple of dollars a year for a password manager. Also artificial limits, especially when companies limit existing features like this piss me off (cough google photos cough). Why not add new features and make them premium only?
Plus I recently changed my Lastpass password and they had added symbol/number requirements since the last time I had changed the password and it would not let me use just a word based password. Bitwarden let me without issues.
Checking out the extension now, it's also much easier to use than Lastpass. For me I don't care, but for my parents the Lastpass chrome extension interface is really confusing.
> Also artificial limits, especially when companies limit existing features like this piss me off (cough google photos cough).
On the one hand, I tend to agree that changing existing features to paid is not great (disclaimer: I was paying for Google Photos/One/Whatever even before they announced the changes), but I wouldn't call space limits "artificial".
Yes, perhaps that wasn't the best example, the issues get lumped together in my head.
But for google, I believe the issue was people were abusing it. The proper solution would have been to stop the abuse, not what they did. Or for example, they might have removed unlimited video uploads which would make more sense, or had soft limits. Also you can't tell me google did not foresee this happening, which just tells me they used the free storage as a lure.
The reply to me correctly pointed out that I compared it to the new google photos storage restrictions which could be interpreted as not being artificial, not that the lastpass restriction aren't.
Even though I know the answer, I think it's interesting to note that none of the "questions" posed ask "Why?"
I guess they felt the obvious cash grab was obvious enough to have no need for explanation.
I'll be moving off to somewhere else, despite being pretty deeply entrenched in lastpass. Hopefully there are some migration tools available. I have hundreds, maybe thousands of passwords stored--generated passwords which I do not know at all.
Based on comments here, I'm likely to end up with a self-hosted bitwarden. I'll feel better about that, anyway. I'm trying to eliminate my cloud dependencies, besides my VPS.
Those of you looking for an alternative, consider moving your data to a KeePass database. It's a more or less open file format, which a lot of different tools can read.
My go-to tool currently is KeeWeb - https://keeweb.info/. It's basically a SPA, and can be used offline or online.
Keeweb + a google drive hosted keepass database file keeps my passwords available and synced across 5-6 different devices.
Never again on Keepass. The dollar savings is not worth the hassle of it.
You have to use a different client on every device because the official client is Windows only, and I’ve even experienced bugs in a client I used that caused me to lose data entered into secure notes.
And while a single page app client is nice, it’s not good for password managers. 1Password integrates with the iOS password management API and browsers to fill in passwords and even credit card info, and I’m guessing most competitors like Bitwarden (open source just like Keepass!) do the same.
Saving ~$10-50 a year on something as useful and vital as a password manager in order to “roll your own” is such a bad tradeoff.
I switched off of Keepass when I almost accidentally lost data due to a client sync conflict. I had to go back to my Dropbox history and do a bunch of surgery to repair the damage. It’s just not worth it.
>Saving ~$10-50 a year on something as useful and vital as a password manager in order to “roll your own” is such a bad tradeoff.
This. I find it really strange that tech-savvy folks---who almost certainly have thousands of dollars worth of equipment---would cheap out on a password manager. You want a password manager that's secure, reliable, well-maintained, and usable. And doubly so if you want your less tech-savvy family to get the benefits and conveniences of using a password manager. Those things cost money. And $60/year (on the high end of things) is a bargain for what you're getting.
> And doubly so if you want your less tech-savvy family to get the benefits and conveniences of using a password manager.
Definitely agree with this. I might consider setting up Keepass for myself (though I actually just pay for 1Password), but my lay friends would bounce off the setup and maintenance work of rolling your own Keepass setup immediately, and then I'd be on the hook to help them troubleshoot. I'd rather just point them at Bitwarden or 1Password. It works well enough and has good enough support that they get an operational password manager with minimal hassle and I don't have to spend time supporting it. Sure, you don't control their clouds, and 1Password isn't open source, but even so it's a dramatic improvement on a lay user's account security.
> All that hassle so that you can save $10 a year.
You are talking as if KeePass's only advantage is being free and it is only preferred by people who cheapen out. That's not true, just as it's not true for similar arguments for Android vs iOS, or Linux vs Windows, or Windows vs MacOS. People have different preferences and priorities.
Even if the pricing was reversed, I am sure many people would prefer KeePass, as I do, just as in general preferring paid desktop programs to free online services.
> something as useful and vital as a password manager
Indeed, even if one day I give in and start using those online services for everything, something as vital as a password manager would be one of the last places where I would cave in.
I understand that KeePass wasn't for you, and it probably isn't for heavy mobile users as it is primarily a desktop program (official KeePass client works on macOS and Linux by the way, though it feels more at home in Windows). I am sure you could find excellent mobile clients too (I wouldn't know as I never had the need), but I understand that lack of official clients and having to choose among non-official clients, some of whom might be buggy, can be frustrating. But it is perfect for my use case, and for my non-technical parents that I introduced it to, regardless of price.
Keepass is simply not the best solution anymore, even if you want to stay in the FOSS realm. It’s just clunky old software that makes it far too easy to accidentally lose data.
So you voluntarily prevent yourself from updating passwords when you’re on your phone or tablet just so that your password manager doesn’t lose data?
Isn’t that a ridiculous design oversight? To completely handicap any situation involving more than one computer? That’s exactly why I stopped using Keepass.
My use case is different. All my passwords are in Chrome. Simple. KeePass has some specific passwords like the Chrome sync phrase, some zip file passwords, some other things. Plus initially I used KeePass when I started using any password management instead of the same password everywhere.
At that time, and still now, I use Dropbox to sync the PC KeePass db with Dropbox. Then FolderSync to sync one way (read only) from Dropbox to the phone. If I need to add a password, I wanted to make sure I can add only on the PC. The PC had the official KeePass, phones had the offline KeePass app.
$10 now is nothing for me, but a few years ago in India it was about 2 days' salary of a manual labourer. About 5 meals. Or about 10 litres of petrol.
I am always wary of anything online which has my passwords. The same reason Chrome does not have all my passwords, but still I trust Google more than any other relatively smaller software like Lastpass or bit warden or anything.
Keeweb looks nice. On macOS I use KeePassXC[0] but I'm not a huge fan of it. Will give Keeweb a try.
On iOS I switched to KeePassium[1] for my database a while back and its very nice. It integrates with biometric unlock and iOS password management so I can get at easily from anywhere and it stays in sync with the stored database (via a self-hosted Seafile[2] instance) nicely.
The setup has served us (two users) well with few hiccups and good support for dealing with the rare conflicts that do arise.
Second on this. I've been using it for almost six years now, never had any issues on my desktop or Android. Probably requires a bit more setup than LastPass, but it has been able to do anything I've ever wanted to do, including apps/plugins for Android, Chrome, Firefox, SmartFTP, and more.
I've tried LastPass and 1password, but neither has a good implementation of auto-type on desktop, where my definition of good is KeePass.
To those that dismiss KeePass as being too clunky I hear you, but I think the situation is better than it used to be thanks to the development of several high quality and open-source clients for non-Windows platforms: iOS (StrongBox, KeePassium), MacOS (StrongBox, MacPass), Android (Keepass2Android), and KeeWeb as well. I would pay special attention to whether or not these clients support KeePass' built in database sync/merge feature [1], especially if you don't use a cloud back-end. Most cloud providers will save two versions of a file when there's a sync conflict ensuring you don't lose data.
As for storage back-ends I've used OneDrive, sFTP, and WebDAV [2], and I'm currently migrating everything to WebDAV. sFTP works well but some clients take too long to open and close the connection.
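The difference between a plain file-sync conflict (the "one whole copy wins, the other becomes a conflict file" behaviour that cost an earlier commenter data) and a KeePass-style per-entry merge, as an added illustration that is not part of the original comments and not KeePass's or any client's code. The `Entry` record, the timestamps and the rule "newest modification wins, the losing version is kept in the entry's history" are my simplification of the merge feature referred to above; the two diverged databases are constructed sample data.

```python
"""Per-entry merge of two diverged password databases vs. whole-file overwrite.

Added illustration, not KeePass code.  Simplified model: each entry has a
stable uuid, a modification time and a list of older versions (history).
Merging keeps entries unique to either side, and for entries changed on
both sides lets the newer copy win while pushing the older copy into
history so nothing is silently discarded.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Entry:
    uuid: str
    title: str
    password: str
    modified: datetime
    history: list = field(default_factory=list)   # older versions of this entry


def merge_entry(a: Entry, b: Entry) -> Entry:
    """Reconcile two copies of the same entry (same uuid)."""
    newer, older = (a, b) if a.modified >= b.modified else (b, a)
    combined = list(newer.history) + list(older.history)
    # Only record the loser as a historical version if it actually differs.
    if (older.modified, older.password) != (newer.modified, newer.password):
        combined.append(Entry(older.uuid, older.title, older.password, older.modified))
    # De-duplicate history by (time, secret) and order it oldest first.
    unique = {}
    for h in combined:
        unique.setdefault((h.modified, h.password), h)
    history = sorted(unique.values(), key=lambda e: e.modified)
    return Entry(newer.uuid, newer.title, newer.password, newer.modified, history)


def merge(local: dict, remote: dict) -> dict:
    """Merge two {uuid: Entry} databases without losing either side's additions."""
    merged = {}
    for uuid in set(local) | set(remote):
        a, b = local.get(uuid), remote.get(uuid)
        merged[uuid] = merge_entry(a, b) if a and b else (a or b)
    return merged


def naive_overwrite(local: dict, remote: dict) -> dict:
    """What a file-level sync conflict does: one copy replaces the other wholesale."""
    return dict(remote)


# Constructed scenario: the same entry edited on a laptop (10:00) and later on
# a phone (11:00), plus a brand-new entry that exists only on the laptop.
T0 = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
T1 = datetime(2021, 3, 1, 10, 0, tzinfo=timezone.utc)
T2 = datetime(2021, 3, 1, 11, 0, tzinfo=timezone.utc)


def scenario():
    local = {
        "e1": Entry("e1", "Bank", "laptop-pw", T1,
                    history=[Entry("e1", "Bank", "old-pw", T0)]),
        "e2": Entry("e2", "Forum", "forum-pw", T1),        # added on the laptop only
    }
    remote = {
        "e1": Entry("e1", "Bank", "phone-pw", T2,
                    history=[Entry("e1", "Bank", "old-pw", T0)]),
    }
    return local, remote


if __name__ == "__main__":
    local, remote = scenario()
    m = merge(local, remote)
    print("merged entries:", sorted(m))
    print("e1 current:", m["e1"].password,
          "history:", [h.password for h in m["e1"].history])
    print("overwrite keeps:", sorted(naive_overwrite(local, remote)))
```

The merge only helps if the client that writes the file performs it; with a client that simply saves over the synced copy you are back to the overwrite case, and the cloud provider's conflict copy is your only safety net. That is why the advice above to check each client for sync/merge support matters more than which back-end you pick.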
Oof, this is a rough one! I'd rather have a device number limit than a device type limit.
Main Takeaway:
"We’re making changes to how Free users access LastPass across device types. LastPass offers access across two device types – computers (including all browsers running on desktops and laptops) or mobile devices (including mobile phones, smart watches, and tablets). Starting March 16th, 2021, LastPass Free will only include access on unlimited devices of one type. "
"I'd rather have" == "this is what I need to stay within the limits of the free tier"
Lastpass reasons for doing this are perfectly clear. They want people to use and trust their platform, and there's no better way for doing that than allowing users to use the full version of their product. At the same time, they want revenue, and targeting the people that use Lastpass as an integral part of their workflow (e.g. myself) is a valid strategy.
I've used Lastpass for years. I was a premium user, but at some point the free tier started covering my use case, so I stopped paying. Now I'm probably back at the point where I'll start paying again. I could definitely live without mobile access, but it's a convenient thing to have and I can easily afford it. Maybe I'll look for an alternative too, but it has to be just as convenient.
I was previously a paying member but when they doubled their price, I realized the free tier worked for me and I moved to it. I'd gladly pay $15 a year for the service and not hassle with moving. But I might as well try out bitwarden for $10 now.
It would also be easier for me to recommend to less technical users like my family if I knew they could sync 1 mobile device and 1 computer. It's already hard enough to get any of them to use password managers to begin with.
I've been on 1Password since 2007. Unfortunately, software quality seems to have taken a nosedive since version 7 came out (disregarding the subscription issue). Random beachballs and slowdowns, annoying 2FA and duplicate password warnings, and decoupling of stored files from login entries.
I have been considering a replacement but haven't found anything up to the ease of use and Mac/iOS integration of 1Password yet.
I don't like the new Safari web extension that adds little in-page pop-ups everywhere. When I enter my master password, how can I be sure that the pop-ups are coming from the 1Password web extension and not from the website or another extension? Is it sharing the DOM with the website? If not, how are they separated? I realise I don't understand how web extensions work, but even so I don't see why these pop-ups couldn't easily be imitated by the site I'm on, and I feel that it's just asking for trouble doing stuff like that. After a bit of googling I realised that it's possible to turn off, so I have.
1password has been feature complete for years now, I think they are changing things for no reason at this point. Just charge me for an update when operating system upgrades break the software. Sounds harsh I know, but TBH I wouldn’t mind if apple added family sharing to passwords and finally finished sherlocking them.
Yup. Since 7.7 my 1Password looks like this (https://imgur.com/a/Zz4WSdx) on my external screen, with the scaling of the background inexplicably broken. I also see other graphical glitches here and there. Meanwhile 1Password 7 for Windows every few months forgets that I registered it and I have to go find the license file (within 1Password!) again.
The paternalistic Watchtower "feature" is a whole other set of annoyances I wish I could disable.
Same boat here. 1Password is now the slowest piece of software I use on a daily basis. 15-30 seconds to get a password out of 1Password mini, laggy and unresponsive keyboard navigation, TouchID prompts that stack under other modals or windows so they don't work, random beachballs, ... the list goes on.
1Password browser and Mac app work for me without the issues you mention, paying user since version 5. I'm on a late 2013 MacBook with Catalina. I had the beachball issue in Safari but it went away after I restarted once.
I tried LastPass but on the first day it didn't save a password I generated like 5 seconds earlier, and I stopped trying it immediately.
Why would you type a 90 character password instead of copy / paste or have the manager fill it in?
Also why 90 characters when 2FA would be the safer option? Or half that is already infeasibly long to brute force?
Also what do you mean 'reading the password', like via a screen reader? I mean that would be pretty bad for accessibility, but if you mean displaying the password, my version has buttons for it (regular inline, and a popup with the password pasted large on the screen).
This is the password for the password manager (e.g. 1Password/ lastpass master password). The password to rule them all. It should be extra secure. I also have 2FA, but you must have heard of defense in depth.
Anyway, I want to be able to see the password and check for typos before entering it to unlock the vault. I don't want to retype the whole password in when I only mistyped 1 character.
When I say read, I don't mean screen reader. I mean read with my eyes, I didn't think this would be a sticking point.
I choose to have the highest level of security I can afford; of course there are diminishing returns with each layer of security. I'm happy to see evidence that a long password is only secure "in theory"; until then I will keep my strategy. I can type 100WPM and this password is based off ~uncommon words, so I'm not uncomfortable: I didn't complain about entering it, I claimed the issue is 1 wrong character requiring typing the whole password again. It only takes a few seconds, but it is frustrating to type the whole thing again (regardless of length).
Well, considering the LastPass master password is stored as a 256-bit string on the servers, your 90 character master password has 720 bits, making it considerably more bits than make up the hash that's stored on the servers! 1 ASCII character is 8 bits!
LastPass is making a huge change to their Free product and giving users only a month to adjust. This is irresponsible at best. I completely empathize with the notion that good software is worth paying for, but a widely-used password manager needs to provide more time for users to transition into another product if they choose not to convert to paid.
Not sure I agree, they make it very easy to export your info/passwords and are just returning to a previous business model. As another user here commented, it only took 15 min to switch to another option.
> but a widely-used password manager needs to provide more time for users to transition into another product if they choose not to convert to paid
I think 3 months is much more reasonable, at least. Doing this in the middle of a pandemic is actively hostile. My parents are using lastpass. I'm going to pay for a license for them until the pandemic is over for simplicity.
As soon as I can physically visit them again I'm switching them over to something else in principle, and I'm changing to something else today (which includes cancelling my personal paid-for lastpass account).
I'm sure some users will find an alternative solution and switch easily. I'm also sure that some users will not. My assumption - take it or leave it - is that the folks who would find this more inconvenient are those who were introduced to LastPass by a more security-minded friend or family member. They aren't necessarily inclined or well-equipped to transition their devices over from one password manager to another. This may cause them to abandon password management altogether or do something dangerous like temporarily store their passwords in plain text while they find someone to help them transition to another product.
During one of their previous price-hikes when the yearly membership cost doubled, I reached out to their support and asked if I could renew my membership before the price-hike took effect. They refused.
The emptor's counterpart, the venditor, also has a responsibility. I wouldn't dream of offering a free product that handles one of the most important aspects of consumer data security and then drastically altering it with only four weeks' notice. Many were introduced to LastPass, probably reluctantly, by more security-literate friends and family. These are the folks most likely to be squeezed in this very short transition period because they won't necessarily know how to navigate to a different product and would probably be more likely to do something risky in response.
Price aside, last I checked LastPass was terrible software compared to 1Password.
I had all kinds of syncing problems with the browser extension. And LastPass had a huge breach in the past, which its competitors didn’t. I don’t trust that it’s quality software - especially because it doesn’t “look and feel” like quality software.
Plus, they’re owned by LogMeIn, which is basically a crappy software conglomerate that includes GoToMeeting, and is owned by a private equity firm.
My experience was ~2017 as an admin for their enterprise offering, so take that with a grain of salt. But my point is: compare all the options. Competitors like 1Password, Dashlane, and Bitwarden, and probably many others are worth looking into, and are almost certainly better than LastPass.
Those issues were ironed out years ago, at least in my case, and they were very very short-lived issues, though perhaps I was lucky. 2FA/Yubico support is nice as well. My main gripes are the lack of subdomain support e.g. if you have multiple subdomains, LP will offer ALL passwords for that domain and you have to scroll through the list to find the right one. #2: when you want to copy a password from one of the drop-down menus, sometimes "Copy Password" is above "Copy Username" and other times it's reversed, adding some extra cognitive load and just annoying due to lack of consistency.
I completely agree: LastPass is absolute garbage compared to alternatives. Genuinely one of my least favorite pieces of software I've ever had to use with any regularity, and my threshold for frustration is higher than most.
Using it for about the same time. On mobile (Android), desktop Linux in GUI, on some servers to hold the ansible-vault and superuser passwords, and in my browser.
Migrated from keepass and seahorse. Migrating did require some time and effort, mostly because seahorse had no proper export function.
I still need to dive into what features premium offers over free, I'll gladly pay, just never had the need for that.
LastPass was great when it was free, but 1Password is the better value now. Even Bitwarden provides a better looking UI. Glad LogMeIn made this change public before I moved my startup over to their service out of loyalty (i.e. laziness).
LastPass is trash software. We use it at my company and it’s universally hated. Full of bugs, terrible ui and bloated extensions that slow web pages. I wouldn’t voluntarily use it even if it were totally free.
Nowadays there are so many better options for less money. I say this as a satisfied 1Password user but I’ve heard good things about many other products.
I moved to bitwarden a few years ago from Lastpass, primarily because of persistent sync issues with lastpass. It seemed they kept trying to see "features" and the core product took a dive with the logmein acquisition. They were pushing things like credit monitoring, but the password syncing would get wonky from time to time with a specific browser or on my phone or vice versa.
You can self host your bitwarden (though I don't). And you can, even with a free account, create a single "org" to share passwords with. In this case that org was my wife, so now all our shared accounts reside in bitwarden and the password doesn't matter.
I've even gotten to the point of using their passphrase generator for manual sign-ins like my work computers.
Yes after using Roboform and Lastpass I switched to Bitwarden. I pay the 10 bucks a year for convenience but folks I know self host it and are really pleased with it.
I am using `pass` (https://www.passwordstore.org/) with an encrypted git repository and this works well enough for my use cases. I do not have a complex threat model though, nor do I need to share my passwords with other people or organizations.
I know right? They probably would have been better off just making it one computer and one phone, and for more devices go Premium. I think that would be fair. But a password manager that can only be used on one of my two critical devices (computer and phone) doesn't seem very useful.
5 or 6 years ago I was talking to coworker about password managers, and they told me how much they liked 1Password. I decided to give it a shot, and after a week or so decided to switch permanently and delete my LastPass account.
When I told them that I had made the switch, they laughed and told me they had done the same: they tried LastPass and decided to delete their 1Password account!
Switched to KeepassXC around 2 years ago when LastPass got bought. Works great! There is no company that tries to brainwash me into thinking moving secrets[1] over a network is a good strategy for managing them.
[1] It doesn't matter that secrets are technically encrypted. The threat model for managing and storing secrets is different. I also don't want people to guess how they were created, when they were last modified, where they will be used, what other devices use them etc.
I prefer a different dedicated database for each device. None of my accounts are used across devices. E.g. hw-based compartmentalization is for me much better to reduce the cognitive overhead and avoid making mistakes.
I can't tell you how bizarre it is to me that despite there being four different (quite popular!) offerings in the password manager space, there's not one that really offers, to me, what I would call even a competent UI/UX.
From personal experience, this is my ranking of the Big Four in terms of "does it just fucking work every time I press the button":
1. LastPass
2. 1Password
3. Bitwarden
..
..
..
..
15. KeePass
As a result, I use LastPass. It's fine. It works perfectly about 80% of the time. I'll probably end up upgrading to Premium with this change. I'm fine with their current offer of $2.25/mo billed annually -- I definitely get more value than that out of the software given the amount of passwords I generate/save/retrieve on a daily basis.
But even LastPass has what I personally consider a deeply unreliable UI! About 1 in 3 times I open the Chrome extension, it just.... doesn't work?
It's absolutely wild to me. It's nuts, man! Maybe I'm just a frontend developer, so I get extra crotchety about shitty frontends. But c'mon! It's a consumer grade product that you interact with almost entirely through a 200x400px window. And that window doesn't respond to mouse hover half the goddamn time.
Free and open-source, keep control in your own hands, forever. Encryption with gpg, sync with git. Compatible with pass, which means better support and easy migration.
The basics are similar but it has many annoyances fixed, has a nice and quick interactive interface that doesn't get in your way and it is quite fast.
It also provides features like syncing with multiple machines, multiple (gpg) recipients, aliases, property selection, Windows support and more. And I might add gpg alternatives such as age soon. See the README for a better overview.
You might like to give it a try. It automatically uses your pass store.
Anyone considering pass (https://www.passwordstore.org/)? It is written in bash and uses gpg to store credentials on disk. And it is developed by the same guy behind wireguard. Also completely FOSS. On iOS I use passforios (https://github.com/mssun/passforios) and on macOS I am the developer of Pass for macOS (https://github.com/adur1990/Pass-for-macOS), which is a wrapper for pass containing a Safari extension. Sync across devices is done using git (or cloud drives if you prefer). I have used this setup for multiple years now and it works really well.
Just signed up for Bitwarden to see if that will be a better alternative, but I have to say the TOTP support isn't as good as LastPass. LastPass has a real authenticator app that I can use just like Google authenticator and also as a 2fa for lastpass, which it managed without requiring a copy of the code.
I used to be a paid subscriber, and then they made all the features I used free. For some reason, it frustrated me that they made it free, because I felt they were now gunning for some monetization scheme, where I'd rather they just focused on an affordable, sustainable offering.
Agreed, a lot of mixed messaging from them over the last few years. I also used to happily pay the $12/year for mobile access but they strangely got rid of that requirement and added no value to the paid version. I'm just gonna pay the $36/year at this point because I don't feel like disrupting my working password system. But it feels like dating a person who doesn't know what they want.
I migrated from LastPass to KeePass + Syncthing when they got bought out by LogMeIn. Sounds complicated but only the initial setup is a little awkward, then it's smooth sailing from that point on, and no centralized server to ever worry about or your platform of choice going rogue. Keeping your devices secure is still on you, but that's true of any password manager.
It was absolutely the best choice to make and I encourage anyone to do so and never have to worry about your service going down or suddenly asking a "nominal" fee to the keys of your kingdom. Of course, should the need ever arise, it's not that hard to migrate to something like Bitwarden.
That's where I'm at right now, as a long time free user of LastPass. I've never been particularly happy with it, but it basically works and it didn't cost anything.
Now I get to evaluate the whole range of options available, and I doubt LastPass will come out on top.
The last bit of motivation I needed to finally make a switch! I know there are a lot of threads about this, but what do people recommend? Ease of use/transition is key or I won't be able to convince my partner to switch!
This is such an odd choice of pricing model. The usual approach is to say you get multi-device sync as part of a paid plan and single-device usage for free, or to place an upper limit on the device count, not on the count of device types.
My guess is that they want to limit functionality enough to make paid plans attractive, while still giving you the chance to try out how the sync works, but I can't help asking myself if this isn't unnecessarily confusing and going to put potential customers off as opposed to e.g. offering a 30-day trial on their paid plans.
It's them trying to go backwards. Originally free only worked on desktop. When they allowed mobile on free, a lot of people cancelled their premium. The other really crappy part: premium was only $12 then. I don't really see modern lastpass as 3x more valuable than it was then.
I think they are just betting on enough people staying because people are too scared to swap
Surprised that nobody here mentions Enpass. Its mobile app is paid, sure, but it's a one-time cost and it's using an AES-256 encrypted local sqlite3 DB that can be synchronized with several popular cloud storage options: Dropbox, OneDrive and any WebDAV server. So you have your credentials vault with you everywhere.
Very happy user for years. No subscriptions, desktop app is free, you just pay for your iOS / Android app once. That's it. Never had a problem with it and you can also tie it to your TouchID / FaceID, too.
At the time when I was evaluating my options only CLI clients for KeePass were available, so I had to make a call. Plus the mobile app is like $15.
Whether $15 is worth your good night's sleep (and less time burned to evaluate all options) is something we can debate endlessly but my stance is "yes".
Speaking of competitors and alternatives to this. I've used a version of my own for years, and have recently started working on a FOSS password generator and manager, called SrsPass.
Would love feedback on it, and it has an open-spec so you don't need to dig into the code itself to at least get a high-level overview of how it works, and at same time give anyone else the power to reimplement the spec:
I have received complaints about the current unskippable setup process being somewhat cumbersome, and one of the things on the top of the list to improve that experience is allowing a quick setup, essentially postponement of saving the backup phrase to a later time, albeit I'm deliberating a safe implementation of it.
I used to use pass. I must be too dense to understand how to properly back up pgp encrypted files, because I had to reset all my passwords when I couldn't decrypt my backup.
They're just files. You back them up like any other. Do be sure you back up your private key though; if you lose that you've lost everything. Sounds like that is what happened to you.
Yep, it's pretty painful to have to use a separate app just to manage the PGP key. I've also found it very difficult to sync with git over SSH with a key instead of a password.
pass is great. I use the dmenu script to get passwords into my clipboard without leaving the keyboard or being locked into browsers with a supported extension.
As others have mentioned, the Android app has slight issues, but they're not dealbreakers for me.
There's some interesting pass plugins, e.g. pass-otp. You can get 2FA passcodes from the commandline rather than being locked into Google's Authenticator.
This is going to backfire for LastPass I think. It has stayed stagnant for years and performance has slowly degraded despite my devices getting much faster.
When it was free it was easy to stick with it despite its flaws because of momentum.
But now that I'm being forced to pay I'm going to do some cross-shopping and I really doubt LP is going to come out on top.
I'm totally willing to pay, but my expectations are higher as a paying customer.
The same thing will happen here as when Dropbox limited free accounts to three devices: all of us who've spent years evangelizing the service to our friends and family are going to get a bunch of pissed-off phone calls. They're not going to understand or care why, they're just going to be mad that it worked yesterday and doesn't work today.
I ditched all commercial ones because they are bad and the majority can't even recognize intranet sites correctly. I now use the Nextcloud Passwords plugin (FOSS) and couldn't be happier. It is missing some mass-sharing features that it will get eventually, but other than that, it's a pleasure to work with.
Seriously people, this is one awesome tool, it comes with web interface, browser extension that works great, is totally free and team ready. Developer is responsive and updates it regularly.
I was using everything before it, from LastPass, over pass, psono, bitwarden, 1pass, KeePass, just to name a few, but after NC Passwords I never looked back.
The only hurdle is that you need to have NC installed, but NC is great too on the other hand :)
Everybody is mentioning Bitwarden as a replacement, but what about Dashlane? I've had my eye on Dashlane for a while, and it seems on-par with lastpass, so I'm confused why it isn't mentioned in this discussion more.
(to be clear: this is a genuine question, not an attempt to stealth-shill for Dashlane)
Let me know what you think if you ever try :) I sometimes wish we were more often mentioned here (thanks btw :) ). I guess that we are missing some features that the audience here requires (for example being open source?).
I think the issue with lastpass is its popularity, which would make it a target for hackers. If someone brute forces your password, then they've got access to everything.
Are there any less popular but well-featured password managers, or any roll-your-own solutions that wouldn't be so easily targeted?
Passwords are the most unfortunate part of the web. It is a bad user experience that leads to poor security. I've spent the last couple of years trying to convince friends and family to use a password manager (usually lastpass) and use a different password for every site. Many were using some variation of the first password they ever made for their dialup AOL account in the mid 90's.
I can't blame lastpass for choosing to monetize their product. Securing the web is also not the job of lastpass. Unfortunately, by making users pick either a desktop or mobile device for the free tier and requiring payment to have both, I think many will pick the path of least resistance and go back to their old habits, foregoing password managers and unique passwords altogether.
From their blog update it is not clear: if I use Lastpass.com in a Safari browser on my iPhone, will it detect the Mobile device type or Computer? Basically, if I don't want to pay Premium, can I still access LP on my computer and my iPhone (using the browser)? Does anyone know?
Sorry if I'm asking an obvious question but how is this more convenient than pure-desktop Lastpass? If I'm inconvenienced by Lastpass' change of terms this is hardly a solution isn't it?
As a LastPass user I must say that this change makes total sense, and tbh I was expecting it.
However, after many years using their services, this change is the motivation I needed to switch to Dropbox passwords.
I'm a (happy) paying customer of Dropbox. When they announced the passwords service I was interested, but I had no true motivation to make the switch, since LastPass was free and working fine for me.
After reading this I finally made the switch. I must say it took me 10 minutes tops. The devs at Dropbox did make a very nice onboarding experience. And also kudos to LastPass for making it very simple to export everything in csv, which is easily importable to Dropbox passwords.
Does the autofill work well? I was considering trying it out, but, unlike 1Password and Lastpass, there are really no reviews of Dropbox Passwords anywhere.
Lastpass is very popular but has had a very unfortunate security track record, with several security incidents that make one worry about their whole approach to security. Information on these is widely available and IMHO, the details would've sunk a less successful product. May be worth reviewing those if you're considering it, or if this change in the free service is making you reconsider using it.
At the same time, it's probably true that for many users, Lastpass is better than no password manager at all, with one reused password on a postit.
I have migrated from lastpass -> bitwarden. Couldn't be happier.
However, bitwarden cannot import data from lastpass csv. If you are a heavy lastpass user with custom fields and long notes, then it can fail on the free bitwarden tier (limit 1000 characters).
I ended up coding a Ruby script that shells out to the BitWarden CLI to import them.
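A script along the lines of what this commenter describes, written here as an added example (it is not the commenter's script): it assumes a LastPass CSV export with the header `url,username,password,extra,name,grouping,fav` and the Bitwarden CLI form `bw create item <base64 json>` against an unlocked vault (`BW_SESSION` set); notes longer than the 1000-character limit mentioned above are chunked into continuation items rather than truncated.

```ruby
require "csv"
require "json"
require "base64"
require "open3"

# Assumed LastPass CSV header (check the first line of your own export).
LASTPASS_HEADER = %w[url username password extra name grouping fav].freeze

# Note length limit reported in the comment above for the free Bitwarden tier.
NOTE_LIMIT = 1000

# Constructed sample export; these are not real credentials.
SAMPLE_ROWS = [
  ["https://example.com/login", "alice", "correct-horse", "short note", "Example", "Personal", "0"],
  ["https://example.org", "bob", "battery-staple", "N" * 2500, "Long Note Site", "Work", "1"],
].freeze
SAMPLE_CSV = CSV.generate do |csv|
  csv << LASTPASS_HEADER
  SAMPLE_ROWS.each { |row| csv << row }
end

# Split a note into pieces that each fit under the limit (newlines included via /m).
def chunk_note(note, limit = NOTE_LIMIT)
  text = note.to_s
  return [text] if text.length <= limit
  text.scan(/.{1,#{limit}}/m)
end

# Convert one LastPass row into one or more Bitwarden login items (type 1).
# Overflowing note text goes into "(notes i/n)" continuation items, so nothing
# is silently dropped; only the primary item carries the password.
def row_to_items(row)
  chunks = chunk_note(row["extra"])
  chunks.each_with_index.map do |chunk, i|
    name = i.zero? ? row["name"] : "#{row["name"]} (notes #{i + 1}/#{chunks.length})"
    {
      "type" => 1,
      "name" => name,
      "notes" => chunk,
      "favorite" => row["fav"] == "1",
      "login" => {
        "username" => row["username"],
        "password" => (i.zero? ? row["password"] : nil),
        "uris" => [{ "match" => nil, "uri" => row["url"] }],
      },
    }
  end
end

# Parse a whole export and return the flat list of Bitwarden items to create.
def lastpass_csv_to_items(csv_text)
  CSV.parse(csv_text, headers: true).flat_map { |row| row_to_items(row) }
end

# Create one item through the Bitwarden CLI. Returns true on success, false if
# bw is missing or rejects the item (the error is echoed to stderr).
def bw_create_item(item)
  encoded = Base64.strict_encode64(JSON.generate(item))
  _out, err, status = Open3.capture3("bw", "create", "item", encoded)
  warn "bw failed for #{item["name"]}: #{err}" unless status.success?
  status.success?
rescue Errno::ENOENT
  warn "bw CLI not found on PATH"
  false
end

if __FILE__ == $PROGRAM_NAME
  items = lastpass_csv_to_items(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CSV)
  puts "#{items.length} item(s) prepared for import"
  if ENV["BW_SESSION"]
    ok = items.count { |item| bw_create_item(item) }
    puts "#{ok}/#{items.length} created"
  else
    puts "BW_SESSION not set; run `bw unlock` and export the session to import"
  end
end
```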
Before raising its prices (or changing its free features) LastPass should get an independent security audit of its infrastructure, applications and extensions. There is a lot of competition in password managers, and they have almost the same functionality. So if LastPass wants to charge more, it has to differentiate from the other password managers, and given the security aspect of its business an audit would be the way to go.
I've also been waiting for an excuse to migrate off LastPass. Their 'shared' functionality on both personal and corporate accounts is a joke. Passwords consistently do not update when shared with other paid plan members.
We also pay for corporate support. I would say the average response time is about 48-72 hours. We've been talking about replacing them.
LastPass has been at the top of our axe list for SaaS tools.
It's quite sad how the same old story unveils: an agile company with a great product and large community sells off to a large corporation, which destroys both the community and the product on its quest to squeeze more ROI...
About 3 years ago, having been fed up with regular price hikes without any good reason and/or new features, I switched to 1Password and never looked back.
Agreed, Syncthing has been rock solid no matter what I throw at it. 500GB of music files? A source code directory with 100's of 1000's of files from node_modules accidentally included? Photos? It just works. It also plays well with other sync providers (I sync a subset of dirs into iCloud files so phone/iPad can access things).
Right now I'm contemplating rolling/hosting my own password manager. Some comments have mentioned FOSS alternatives. Can anyone provide feedback on those examples? Sharing is not important to me, and I could live without autofilling probably. Features I do like:
1. Easily generate a new password on whatever device I'm using.
2. Save it, and sync it seamlessly to other devices.
There are a lot of recommendations for bitwarden here. It's open source, and popular, but their website suggests Linux support is middling at best. Their desktop app download page only has AppImages for x86, and non-auto-updated debs and rpms.
Does it run on ARM Linux? Is it packaged natively by most Linux distributions? Are the packages reasonably up to date?
I was worried when LastPass was bought up by LogMeIn, but stuck with it. Then LastPass tripled the price. I went from a premium to a free tier user. Now LastPass pulls this, and now I'm not even a user. Hello premium BitWarden.
I wonder if this was forced by the moves that Microsoft is making.
If you have a Microsoft authenticator app on your phone, you'll likely have noticed that they started offering regular password management through the same app to all users for free.
Wow that is absolutely terrible. What happens when you don't have access to your computer or phone? This idea had to be thought up by marketing management it's so bad. Definitely lost me as a customer.
LogMeIn had (and probably still has) a reputation of putting existing features behind a paywall. I have no problem paying for a service if I like it, I was a paid subscriber before LogMeIn and for a year or two after the purchase. Slowly, prices started to rise, features for free users were being put behind a paywall. After many years of recommending LastPass to family and friends, I just couldn't anymore.
A few years ago I switched to Bitwarden after evaluating everything from 1Password, Dashlane, Keeper as well as free/open source applications like KeePass and Password Safe.
Why Bitwarden? It satisfied my need to be able to sync between a handful of devices (Windows desktop/laptop & Android) and replicated features that were previously available in LastPass. In the last three years that I have been a paid subscriber of Bitwarden, the price has not gone up (yet).
LastPass has failed to launch on my mobile phone too many times recently for me to trust it. This change to their service is the impetus I needed to finally switch.
My team has been using Passbolt for a few years. Not amazing, not terrible, does all the things you'd expect. Hard cost $60/yr. Soft cost maybe $1000/yr
I see nothing better in these "cloud" password providers which isn't in my keepass file, which I have managed to keep updated for the past 5 years now. This is like one of those times when you break a feature and then charge people to fix it.
1. No inbuilt syncs. Dealing with sync conflicts manually eventually gets frustrating.
2. No multiple URL support. I had to have three entries for roll20 to support their app.roll20.net, roll20.net and forum domains. These duplicated entries also make rotation a pain and reduce the value of duplicate password tests when migrating to a password manager approach initially.
3. Poor Android apps. Apps don't support auto fill, have a UI from the Gingerbread era, don't sync well even given the above caveats, and the Android file system permission tightening has made using a separate unrelated app to do the sync more painful.
4. Lack of a standard for identifying apps. Do they use the URL field and put the store ID in there? Do they use a custom field to allow having app + website login use the same entry? Does your next mobile app use the same field or even support that field?
Tell you what, I'll give you my mom's phone number and you have her set up KeePass remotely with only quick basic instructions. No? Because she was able to set up and run Lastpass fine.
And now she'll have to export and migrate away from Lastpass. So the complexity was basically tail-loaded.
One of the major advantages of an app like Keepass{whatever} is that once it's set up it keeps working without subscription or keeping an eye on your inbox for changes to the Terms of Use.
Except for those times you have to use a Windows computer. Or have to share those passwords across multiple devices that don't belong to the same person.
I used Keychain for a long time. A dedicated password manager is a vast improvement.
Can you export the data from Keychain? I am a macOS/iOS user, but at one point I will probably move to something new or better. That's why I'm using lastpass (considering 1password or bitwarden now).
I use this docker image: https://github.com/BytemarkHosting/docker-webdav, but with a PR that has yet to be merged that makes it easy to use a different UID/GID [1]. I've tried to do it with nginx, as described in [2], but it just did not work reliably - it would often disconnect, and instead of going down a debugging rabbit hole I just used the Apache-based image. There is also a Go server [3] that I have not tried.
Lastly, I put an nginx reverse-proxy in front of it for SSL - probably not necessary since nothing is on the public internet.
I do not see the sense in using a product for this. You can use a free local password manager (like KeePass) and cron rsync the database file to some backup servers you control. Or regularly back it up to an air-gapped medium if you're paranoid. The chance of someone being able to break the encryption in the next 5-10 years, if you have a strong password, is nil, and by then you should've changed your passwords.