Changes to LastPass Free (lastpass.com)
360 points by seng 11 months ago | 414 comments

LastPass seem to be shooting themselves in the foot with their irrational and inconsistent pricing.

- A few years back, their free/premium tiers were looking similar to what they announced today. Only they charged a mere $15/year for premium, which I gladly paid.

- Then, overnight, they offered syncing across all types of devices for their free tier. The premium tier was only adding some niche features. I would have continued to pay $15/year just to support them, but at the same time they bumped up premium to $36/year. That was a deal-breaker: not paying 2.5x for features I don't use.

- Now, they switch back to not syncing across all types of devices, but the premium price stays $36/year.

If LastPass was the only game in town, they might get away with it. But there are at least two competitors, against which LastPass doesn't compare favourably: 1Password costs about the same, but is more refined. Bitwarden is a bit less refined, but is cheaper.

I'm not dissatisfied with the LastPass product itself. But having to keep up with radical policy changes every few years largely negates any positive experience.

I'm surprised Enpass doesn't get mentioned more. Though the UI recently took a huge hit because of an asinine pwned password checker.

Thanks for the pointer. First time I hear about Enpass.

The UI looks nice, but I still don't get their company model. Data are stored on a third party cloud provider of your choice, so why is Enpass subscription-based? I surmise that paying removes some sort of ads from the apps, but I can't tell for sure. If that's the case, I'll have to pass.

It actually restricts the number of items you can sync. It is much cheaper though. Actually, with the new model they do have a sort of ad-based system; they have this incredibly dumb popup about how some passwords might be compromised. Oddly, even after paying it's impossible to kill that banner.

I bet they are counting on the lock-in factor. It might be worth it to just pay the fee rather than to go through the pain of switching.

Login data on LastPass can be exported to 1Password, just not straightforwardly. I did that, not going back to LastPass anymore.

LastPass was my first ever password manager and I used it for ~5 years. A few years ago, I got fed up with how sluggish it was (at least, at the time). So I switched over to Bitwarden. Unfortunately, the Bitwarden Safari extension for macOS had a bug where I had to unlock my vault every time I wanted to use a credential and that got annoying.

Around the same time I started using Bitwarden, I started at a job with a corporate 1Password subscription for employees. 1Password's UX was so much better than Bitwarden that I switched my personal account over a few months into using 1Password for work.

1Password isn't perfect (e.g. auto-generated passwords can't be autofilled unless you manually convert it to be a 'Login'), but it's by far the best I've used.

I was going to reply "the problem with 1password is they have no Linux support," but it looks like Linux support actually got added late last year! (Or at least there's an open beta.) https://blog.1password.com/1password-for-linux-beta-is-now-o...

Anyone used both 1password and Bitwarden? I'm using Bitwarden right now, but I dislike the fact that their desktop app is Electron based.

Personally, I've used 1Password, Bitwarden, and LastPass. I switched from LastPass to Bitwarden a few years ago (use it on android and browsers for the most part), and use 1Password for work. Overall I'd say 1Password has the worst UX of all of them, though it looks "clean". It routinely messes with my settings on update, its password generator is annoying to work with, and it doesn't pick up new logins I've entered well (e.g. if I tell 1password to create a login from this page, it populates nothing while bitwarden sets the name and URL + any username or pwd it thinks it sees).

I could go into more depth but overall Bitwarden has been a great daily driver for the past few years and would recommend to anyone.

I feel like there's something wrong with your setup, then. I've literally never had to use the option in 1Password to create a new login for a page. It prompts me 100% of the time to save the login info when I login to a site and, sometimes, even prompts me to create a login when I go to create an account before I've ever logged in for the first time.

Keep in mind when discussing 1password's UX: all of the apps seem to be different between the platforms. My MacOS experience was much different than it is now on Windows.

The MacOS app is wonderful, but I find the Windows app incredibly annoying to use.

Keepass is another cross-platform option (open source), though the UI on non-windows environments is a bit... crap.

Nonetheless, it works, and it works well.

Keepass is not a Web first app. There are extensions and workarounds but considering the nature of its file based database it can never be as smooth as solutions like bitwarden and others.

At work we share a Keepass file on a nextcloud instance and it's a giant PITA.

::Personal Opinion Warning::

When it comes to security, smoothness is kinda low on my priority list. I'm fine swapping windows to copy/paste values, or pressing a hotkey.

It's very high on my priority list. I want my employees to want to use a password manager because it's so convenient. A less perfect system that actually gets used adds more security than a more perfect system that no one likes.

There are notable advantages to browser integration - in particular not filling on spoofed "lookalike" domains made with visually similar Unicode characters, and not putting passwords into the clipboard where they might be snagged by anything watching the clipboard.

(admittedly, if your system has something malicious monitoring clipboard use you already have big problems)
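The "lookalike domain" point above is worth seeing concretely. The following is an added example (not code from the thread or from any of the password managers discussed) of the decision a browser-integrated manager makes before filling: it compares the page origin against the origin a login was saved on, after converting the host to its ASCII (IDNA/punycode) form, and it flags hosts that mix Unicode scripts. The vault entries and page URLs are constructed for illustration; the `VAULT` dict and helper names are this example's own.

```python
"""Added example: origin matching as a browser-integrated password manager
would do it, versus what a human eye (or a copy/paste workflow) sees.

The VAULT below is constructed sample data, not a real vault.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed sample vault: every entry remembers the exact origin it was saved on.
VAULT = {
    "https://example.com": {"username": "alice", "password": "correct horse"},
    "https://accounts.example.org": {"username": "alice", "password": "battery staple"},
}


def canonical_host(url: str) -> str:
    """Host in its ASCII (IDNA/punycode) form, lowercased.

    A lookalike such as 'ex\u0430mple.com' (Cyrillic 'a') becomes an 'xn--...'
    label and therefore never compares equal to the stored 'example.com',
    even though both render almost identically in an address bar."""
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii").lower()


def scripts_in(host: str) -> set:
    """Approximate Unicode script of each letter by the first word of its
    character name (LATIN, CYRILLIC, GREEK, ...). Digits, dots and hyphens are
    ignored. More than one script in a host is a strong lookalike signal."""
    scripts = set()
    for ch in host:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def page_origin(url: str) -> str:
    """scheme://canonical-host[:port], the key a filler should match on."""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{canonical_host(url)}"
    if parts.port:
        origin += f":{parts.port}"
    return origin


def decide_autofill(page_url: str) -> dict:
    """Fill only on an exact origin match over https; otherwise refuse and say why.

    Returns a dict with a 'fill' flag and either the credential or a 'reason'."""
    parts = urlsplit(page_url)
    raw_host = parts.hostname or ""
    origin = page_origin(page_url)

    if parts.scheme != "https":
        return {"fill": False, "reason": f"refusing to fill over {parts.scheme}"}

    entry = VAULT.get(origin)
    if entry is None:
        if len(scripts_in(raw_host)) > 1:
            return {"fill": False, "reason": f"mixed-script host (possible lookalike): {raw_host}"}
        return {"fill": False, "reason": f"no saved login for origin {origin}"}

    return {"fill": True, "username": entry["username"], "password": entry["password"]}


if __name__ == "__main__":
    for url in (
        "https://example.com/login",
        "https://ex\u0430mple.com/login",        # Cyrillic 'a', constructed lookalike
        "https://example.com.evil.net/login",    # subdomain trick, constructed
        "http://example.com/login",              # downgrade
    ):
        print(url, "->", decide_autofill(url))
```

The manual copy/paste workflow defended earlier in the thread has no equivalent of `decide_autofill`: the human decides whether `exаmple.com` is the right site, and the homoglyph is designed to make that decision wrong. The exact-origin match is the part of browser integration that removes that judgement call.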

Lack of smoothness is what causes many people to ignore these things. So, while you or I may know better, it's still a very important aspect if we want more than just the few in-the-know people to use security tools.

I have also used multiple shared Keepass files at work and the issue isn't a lack of smoothness. There have been multiple instances of sync/dataloss issues where you have to refer to an old version or find someone who has the latest "OK" version of the file.

I love Keepass for personal use, but if you are using it for sharing passwords at work then 1Password or Bitwarden are the way to go.

I'm using KeePass + Syncthing to get it around all my devices. Works like a charm! Except for iOS devices...

We used Dropbox and it was also a PITA.

Bitwarden is great, haven't used 1Password.

Keepass and all is great. But it doesn't have first class support for anything but passwords.

I'm sure many people will cringe when reading this, but I also save credit cards in my password manager and use it to auto fill when I need it. This unfortunately isn't supported by Keepass et al.

It has templates, which are supported by some implementations but not others. Which also isn't great.

> I'm sure many people will cringe when reading this, but I also save credit cards in my password manager

Why would anyone cringe to read that? They're no more valuable than passwords. In fact, I would think they're less valuable, since really the CC company is on the hook if a number gets stolen.

I don't know. I guess I figured since Keepass and KeepassXC didn't have it, it might be because the most security and privacy conscious don't do it.

Another reason this is helpful is if you lose your wallet and have all the phone numbers and details for your cards stored in a syncable database. It makes it easy to cancel your cards and order new ones.

I store my CC numbers in KeePassXC even though there's no first class support. I put my full name as the username, the number as the password, and the expiration and CVV I put in the comments.

This is what I keep reading, but when I tried that, auto fill didn't work for this.

I do this too and it's another reason that I use 1Password. I use this functionality a lot too because I very rarely have my wallet on me but I always have my phone.

My biggest problem with Keepass is that the integrations aren't part of the core project. Want browser integration? Great, pick one (or more depending on browser choices) of multiple projects from pseudonymous/anonymous people, install it and give it access to your password store. Want mobile? Do the same.

Last time I looked at it the very nature of the Keepass ecosystem basically meant that you had a ton of different people with commit privileges to different areas, and no real reason to trust any of them.

This is a valid criticism for sure. I suppose the only truly cross-platform option is KeeWeb but you give up some features, mostly on mobile, e.g. fingerprint unlock: https://github.com/keeweb/keeweb/issues/1132.

KeePassXC is a modern fork that uses Qt for its UI, and it looks great on all platforms.

"All platforms" does not include Android?

It's there on android too with keepass2android.

Please don't anyone take this as a plea to 'improve' the UI of keepass :-) Sometimes "... crap", just works.

Been using kp for years, also the android version. I manually sync my .kdbx files, and all is good.

I won't disagree with you on this. It does work, and WRT security, fewer integrations is sometimes better.

Keeweb is what I use on all platforms. Yeah it's an electron app but it supports natively storing the keepass file in the cloud. Works online or offline and has global autotype.

Works great for me!

Use KeePassXC rather than the official client. Even on Windows, I found it preferable.

Yeah, the lack of a good Mac client made Keepass untenable for me. I tried several and they all sucked.

A password manager is the one thing which I really need to work well everywhere, because I need access to my passwords everywhere.

I've been using macpass for a while on osx, and it works pretty well (and looks better than keepassxc): https://macpassapp.org/

For what it's worth, KeePassXC these days is very good usability-wise and has some awesome features in it

I'm evaluating StrongBox right now. https://strongboxsafe.com/

Features for MacOS are being actively developed to bring it up to parity with the iOS apps.

Have you tried KeeWeb and AuthPass?

KeepassXC is another option for multi platform. I use it on mac

KeepassDX for Android (or Keepass2Android)

I was a happy 1Password user, but prefer to use my own hosting for the files & the subscription model makes using your own files very hard (but it's still possible)

I tried BitWarden but the lack of a proper desktop app (where the browser plug-in connects to) is a deal breaker. I don't want to type my master password into my browser.

1Password have had a cli interface for some time. I used to use that on Linux like two years ago.

Since the release of 1PasswordX I hardly ever spend time in the native apps except for iOS.

Pretty sure the 1Password linux app is also Electron.

Bitwarden is fine, especially for $10/yr.

Last year 1Password announced official support for Linux, and released a beta. Surprisingly it wasn't an Electron app but a proper desktop app.

> and React for a responsive component-based UI.

Heh. I clearly got too excited to read it properly back when they announced it.

I stand corrected.

There's a CLI. I honestly just end up using the browser extension...

The link they provided was to the announcement about the app. The app is Electron. The CLI is written in Go, so it should feel pretty CLI-like.

I refuse to even think of using 1Password X. It's a security nightmare waiting to happen.

1Password's support is not that great on Linux. I couldn't get it working anywhere but on Ubuntu. On all other distros, the extension failed to find the running app.

I also switched from Lastpass to 1Password. I did a mildly deep technical investigation into why Lastpass is slow on the browser. I found LastPass delays all page rendering by about 70ms. https://joe.schafer.dev/passing-lastpass/

I had almost the exact same experience. Lastpass was too sluggish for too long and then they jacked up the prices (while also making the free plan actually usable with syncing). I tried Bitwarden but I hated the chrome extension because it didn’t have good autofill which is critical.

Finally switched to 1Password and it has much better autofill + great OTP support even on iOS.

We’ve been using LastPass without real issues of any variety (inc speed) on: Mac, iOS, windows 10. Sharing feature working well.

Same. I've been a 1Password license holder for forever and I was looking at switching away from it because they seem to be moving completely to their subscription service but now the value of the subscription service is looking better and better since I started looking at other options. I can get multi-platform apps for my entire family, with the features I've been using for years, and the cost is cheaper than what I was paying in the past for each individual license on each device.

The only thing keeping me from switching is my past experience with these types of services where, once I make the switch, they remove the standalone license and then raise their prices and I have no alternatives besides dropping the ecosystem entirely or ponying up the ransom. I don't like being in that situation.

I had just posted in the duplicate thread complaining about 1Password (https://news.ycombinator.com/item?id=26154324). I've been a user since 2007 and it seemed to get significantly worse with version 7.

Despite its increasingly major flaws (no exact URL matching, slow UI, no way to trigger a sync), it seems like it is still the best option for someone who wants a native Mac/iOS interface. Though if it keeps getting worse at the same rate, hopefully other options will catch up.

Two main bugs I experience with Lastpass are (1) duplicate entries when things sync up and (2) quick search doesn't enable the copy user / password buttons many times. The annoying workaround is to clear the search and re-search again; that usually brings back the buttons.

Yes! 2 drives me nuts. I switched from BitWarden to LastPass mainly because of the quick search. And having to clear the field and retype is one of those minor bugs that is slowly driving me insane because I hit it 15 times a day.

I also changed from LastPass to Bitwarden due to LastPass being noticeably slow. I don't mean to diminish the probably very hard work put into a product with a decent free tier, but it was sluggish enough it only made sense to try an alternative.

LastPass costs $36 per year. Operating on the principle of being the customer and not the product, that seems very reasonable for a secure way to store and share the keys to my digital life.

That said, it does make it a little bit harder for me to onboard my friends and family when they ask. One of the selling points has always been "Yes, you can use it on your phone and laptop" and "no, it doesn't cost anything".

I agree with other comments that in the current market, Lastpass is not worth it at $36/y. The way they increased the price is arguably more annoying than the price tag.

I happily paid for Lastpass at $12/y. Logmein raised price and I switched to free. Logmein limited free capabilities and I will switch to Bitwarden or 1Password and pay them. I'm not staying with Lastpass to get the rug pulled out under me the third time.

I switched to Bitwarden in early 2019. The migration was really easy, and I was surprised to find that it was accurate, too. Bitwarden has its flaws, but I'm happy with it.

I'm pretty much in exactly the same boat, plus also looking at using separate systems to segregate my personal and personally-owned business accounts.

It looks to me like 1Password has the same pricetag as Lastpass: 36USD/y.

At least they've kept it the same price for years https://web.archive.org/web/20160915083507/https://1password...

LastPass is a commodity. There are many free or open-source alternatives that are as reliable and as secure as LastPass that provide similar functionality. It's hard to justify even the small price for a commodity service unless you provide the best possible solution, and sometimes even that is not enough.

I switched from LastPass premium that cost $15 per year a few years ago to Bitwarden because LastPass could recognize password fields on all web pages, while free Bitwarden just works everywhere.

The functionality is a commodity but what about the UX? MP3 players were fairly common when the iPod came out but the iPod crushed all the competition. Why? Because the UX was simply better.

Without a doubt the password manager with the best UX is 1Password. Last year I got my tech-averse partner to set it up on her phone, the entire process took about 10 minutes and then it was done. She's never asked for my help or support, once she got things working it's simply continued to work.

I've since set it up across my family and my pre-teen child is also using it without a hitch.

From a holistic perspective I love that I can manage multiple vaults. Everyone has a private personal vault that is only available to them and we have a bunch of shared vaults for things like xbox and netflix passwords.

I've never used BitWarden so I can't comment on the UX but $60 a year for 1password is well worth it. I can rest easy knowing that everyone in my family has good password hygiene.

I was a paid Lastpass user who switched to Bitwarden a few years back because of the UX/functionality issues Lastpass had been developing. I've heard 1password has better UX; I'd describe Bitwarden's UX as similar to the Lastpass of 5-7 years ago.

I transitioned to 1Password after many years of LastPass and have been quite pleased.

I continue to harbor some concerns about the emergency workflows (what happens in case of death or disablement) but otherwise it's just been solid. LastPass felt, on the other hand, like it was increasingly neglected.

Same, I was a paid LastPass user and the Firefox add-on was so bad that it was worth negative money. They clearly didn't care.

I really like the 1Password UX. Also, their new integration with Safari 14 on macOS is also great.

> Without a doubt the password manager with the best UX is 1Password.

I doubt that. Navigating the sync options and finding one that works with Android phone, iPad and Windows PC was impossible.

Throw in two vault formats (with implications for which sync option can work), and it's a mess.

That was the paid standalone version, not the subscription model (that was when I finally jumped ship).

They had self hosted sync with the old vault format. They removed it when they switched to the new vault format. Dropbox always worked. Now they push their own service.

> Dropbox always worked.

No, it didn't. I don't remember the details, but the local sync (starting a sync server on the phone) did not work for me with a normal home network, and Dropbox didn't work across all devices, either.

I’ve used 1Password for years.

I would pay more for greater simplicity.

> Without a doubt the password manager with the best UX is 1Password.

I would agree for the macOS and iOS versions but the Windows version could get some polish. The default title and menu bars still hang around, the font choice isn’t that great, and all in all it feels less nice to use.

>Without a doubt the password manager with the best UX is 1Password

My experience is about 1 year old, but I have to disagree, as a paid 1Password user, my browser plugins and mobile client would fail to fill in the forms I used at least 50% of the time. That's horrible UX, but I agree, their UI looks nice.

Point and click or keyboard UX for this stuff is awful no matter how you slice it.

At most I want a prompt for my unlock password when the password manager sees I’m on a site or in an app it has a password for.

We still externalize way too much orthogonal effort on users.

One of the reasons I like 1pwd is their cli tool. I can put such a call to it in a script, authenticate and stop giving a crap about 1pwd

I've been debating making this switch myself. How time consuming was the transition? Did you have to do much manual data entry or does bitwarden have the ability to reliably import lastpass data?

I switched around the beginning of the year.

There is a [KB article](https://bitwarden.com/help/article/import-from-lastpass/) about exporting your LastPass vault and then importing it into Bitwarden.

It only took a minute or 2.

The most annoying thing for me is that Bitwarden doesn't have support for all of the extra "credential types" that LastPass has. They are still imported, but everything that isn't supported is imported as a secure note.

So far the only issues I have had logging in anywhere has been logging into my firefox account (in a new browser), and home assistant.

Bitwarden is more reliable at importing data exported from Lastpass than Lastpass is at exporting your data. Export bugs happen, but their forum and /r/lastpass are always quick to come up with workarounds for Lastpass bugs.

Shared passwords aren't included in the Lastpass export, at least at the time I last exported from Lastpass.

The only functionality I do miss from Lastpass is the option to generate the short pronounceable strings I use to create usernames, like the one I'm using now.

I used to subscribe, then the service was acquired and the price doubled so I stopped subscribing and relied on the free tier. With this announcement I think it's time to move on (probably to Bitwarden)

I just did.

Same here.

It’s ridiculously expensive. I get Office 365 with 1TB of storage for €6 per month. Office is just as secure as lastpass. I bought Enpass (wouldn’t recommend as they moved to a subscription model) and store everything on OneDrive. Paying $3 per month to store tiny text files is crazy.

I often see comments like this one that misunderstand value for how something is achieved.

Value is decided by the market according to the utility of the service. I happily pay $22 per year for Pinboard to keep a few bookmarks with tags. That's also storing "tiny text files" but I could not care less. I could even implement something similar myself. And yet, I find the value it provides worth paying.

Another, more extreme example. I am part of a $5000 business program. Last week, I got a single piece of advice that I consider already paid for the entire program. The delivery was 20 minutes long. It was not even something original invented by the lecturer, but it can be found in some books. And again, I don't care. The value is in the impact, not in how the advice was discovered or delivered.

I didn't misunderstand "value for how something was achieved" I said it was expensive.


Microsoft have launched a beta password manager


Lastpass (€3 per month)

- Password Manager

- 1GB of encrypted file storage


Office 365 (€6 per month)

- Beta Password Manager

- Office Suite

- 1 TB Storage

A year from now:

"I do not understand why the only companies that exist are Google, Apple and Microsoft? Where is the competition?"

A year from now: "Suddenly I understand why individual consumer choices are not the basis for maintaining a balanced economic system."

Conglomerates that do B2C for money will always beat upstarts as their customer unit average cost will be lower and per unit attributable revenue will be higher.

If the only thing that a customer cares about is paying the minimum amount, the customer should not be surprised that their choices would be limited to conglomerates.

Independent restaurants are a lot more expensive than national chains and make a lot less money than the national chains. If one's only goal is to feed oneself in a restaurant, one is better off going to chain one.

Fine but that’s not the parent’s point. You shouldn’t buy from local stores, local restaurants, or small shops because of some notion that you’re sticking it to large companies. You do when, for you, their products and services they offer have better value for you.

If you choose a worse or more expensive product because it’s from a small business then you’re only making yourself worse off.

> Fine but that’s not the parent’s point. You shouldn’t buy from local stores, local restaurants, or small shops because of some notion that you’re sticking it to large companies. You do when, for you, their products and services they offer have better value for you.

That's not correct: the part of the value that you get from buying from local small businesses rather than conglomerates is that you are not buying from a conglomerate, even if the local product could be considered inferior by some measure.

That's true for people who try to politicize every aspect of their lives, but this is a toxic attitude and, as the grandparent post said, you are only hurting yourself.

> misunderstand value for how something is achieved.

I find this line of reasoning offensive as it assumes that people who genuinely disagree with me don’t understand.

I think it’s more likely that people understand and genuinely disagree. It’s dismissive to just not respond to someone’s values and rationale and I think leads to less discussion and thus more disagreement.

It’s very likely that people place different values on things and I think to have conversation we have to get to common ground and then build from there. If different people miss the meat of an argument then I think it’s not as interesting or useful.

It's ridiculously overpriced for what essentially amounts to storing a tiny binary blob on a server somewhere and making sure it's backed up.

I would've been happy to continue paying 12 USD / year for that service, but at triple the cost? I'm now on BitWarden.

I used to use LastPass, but its UI was incredibly buggy on Firefox and there were no signs of improvement, so I switched to Bitwarden.

That said, you're not really paying for the storage, you're paying for the apps and plugins.

I mean the value prop is the software functionality, not the storage. You think lastpass/1password are funding their development with a markup on storage?

I can get the argument that it’s not worth $36 but not because of storage costs.

So... what are they funding it with? Data mining?

KeePass database stored in Dropbox is free.

I was a happy user of that workflow until I started working for an organization that blocked Dropbox but not any of the browser plugin based password managers.

Also while free, arguably the UX is not very good especially on mobile, unless Keepass integrates the way Lastpass, 1Password, et al do. I cannot imagine convincing any of my non-tech friends to go this route.

KeePass is extensible. IIRC, with addon(s), your encrypted DB file can be stored on your Google drive, or even your own (or company's) server.

keepass2android supports autofill across apps and is something of a lifesaver for me, but I can't speak for iOS apps

Interestingly this is basically how 1Password did password sync for years - not a Keepass database, but a 1Password folder structure stored within Dropbox saving a bunch of little text files. They added other synced storage options over time before turning up their own cloud service, but third party sync was where they started.

I wouldn't pay $36/year.

I kinda feel like the price point for these things is set wrong, though. What you want is a higher price point which gets you /everything/. I pay $1200 per year for bandwidth. If I needed to pay a couple hundred bucks more for access to everything (online newspapers, LastPass, online office suites, etc.), I'd gladly do so.

LastPass should have 250 million customers, not 25 million, each paying $3.60 each, not $36. Most should be inactive, as part of some kind of subscription bundle.

Kinda like a more democratic, decentralized version of Prime.

From posts here, though, Bitwarden seems more reasonable. I trust open source more, and it's cheaper.

It was definitely starting to feel a little pricey for how terrible their UI is and how little interest they seemed to have in fixing it. What really got me to switch to Bitwarden though was how it started "recommending" that I change my master password with a modal popup every single time I unlocked my account.

On the flip side they offered very little value in premium compared to free (for me) so there was no reason to upgrade even when I wanted to pay (I did pay for 2FA but TBH I could live without it)

I moved to Bitwarden about a year ago when I got fed up with the terrible UI in Lastpass. Bitwarden isn't the pinnacle of UI either, but at least it's way cheaper. Been very happy with it.

My topics:

- Bitwarden is becoming risky to use?

- the next Bitwarden?

So many people recommend Bitwarden now. I am a paying customer from the first day and have been using it on all my devices. Bitwarden followed my Lastpass experience, similar to what OP has described.

Now, Bitwarden's popularity is troubling me. It has become already large enough to be an attractive target for attacks. The bigger it gets, the more lucrative it is for attackers. Similar to the Windows vs. OSX discussions 10 years ago: viruses spread on Windows, because it was big.

Hence, I am starting to worry about using it and asking myself what "the next" Bitwarden is.

What do you think? Is my reasoning going into the right direction? Do you see the point reached where Bitwarden has reached critical mass? What would you recommend as "the next" Bitwarden?

Bitwarden is open source and regularly audited, which is not something you can say about Lastpass.

Your thinking about Bitwarden becoming a more valuable target is probably directionally correct, but at least anecdotally, I think the biggest target in this space is going to remain either the built-in Chrome/iOS password managers, or Dashlane, which is a product that advertises widely on Podcasts, etc.

The way that Lastpass and Bitwarden (which seems to have followed most of the security architecture of LP) are designed makes them very resistant to attacks.

The passwords and all data are encrypted on the client side and the server has no way to decode your passwords so even if Bitwarden's password was stolen, the passwords within the accounts are as secure as the Master password you chose.

Also the fact that the server side is fully open-source (and not just the client) means you could switch to using your own servers at any time.
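The architecture described in the comment above (client-side encryption, a server that holds only something it cannot decrypt, and security that reduces to master password strength) is easiest to see in code. The block below is an added example written for this thread; it is not Bitwarden's or LastPass's code, and its parameters are its own assumptions: the PBKDF2 iteration count is kept low for speed, the vault is encrypted with an HMAC-SHA256 counter-mode keystream plus an HMAC tag rather than AES-GCM, and the server re-hashes the login verifier with its own salt. The account, password and vault contents are constructed sample data.

```python
"""Added example: the shape of a zero-knowledge password vault.

Assumptions (this example's own, not either product's parameters):
  - PBKDF2-SHA256 with ITERATIONS rounds, email as the client-side salt
  - a second single-round PBKDF2 to turn the master key into a login verifier
  - HMAC-SHA256 counter mode + HMAC tag as an illustrative encrypt-then-MAC
    scheme (stdlib only; a real client would use AES-GCM or similar)
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: low for a fast demo, real clients use far more


def derive_master_key(password: str, email: str) -> bytes:
    """Client side only. The email salts the KDF so identical passwords on
    different accounts give different keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), ITERATIONS, 32)


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """One more PBKDF2 round gives the server a login verifier that is not the
    vault key. The master key itself never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream (illustrative)."""
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def _subkeys(master_key: bytes):
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; encrypt-then-MAC with keys split from master_key."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(master_key: bytes, blob: bytes):
    """Plaintext, or None when the key is wrong or the blob was tampered with."""
    if len(blob) < 48:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(master_key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def register(email: str, password: str, vault_plaintext: bytes) -> dict:
    """Everything the server ends up storing. Absent on purpose: the password
    and the master key. The verifier is re-hashed server-side so a leaked
    record is not directly usable as a login token."""
    master_key = derive_master_key(password, email)
    auth_hash = derive_auth_hash(master_key, password)
    server_salt = os.urandom(16)
    return {
        "email": email,
        "server_salt": server_salt,
        "auth_hash": hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, ITERATIONS, 32),
        "vault": encrypt_vault(master_key, vault_plaintext),
    }


def login(record: dict, email: str, password: str) -> bool:
    """Server-side check: the client submits derive_auth_hash(...), never the password."""
    auth_hash = derive_auth_hash(derive_master_key(password, email), password)
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["server_salt"], ITERATIONS, 32)
    return hmac.compare_digest(candidate, record["auth_hash"])


def offline_guess(record: dict, candidate_passwords):
    """What an attacker holding a stolen server record can do: guess master
    passwords and test each against the vault's MAC. The stolen record yields
    nothing unless the master password itself is guessable."""
    for guess in candidate_passwords:
        plaintext = decrypt_vault(derive_master_key(guess, record["email"]), record["vault"])
        if plaintext is not None:
            return plaintext
    return None


if __name__ == "__main__":
    rec = register("alice@example.com", "correct horse battery staple", b"github.com: hunter2")
    print("login ok:", login(rec, "alice@example.com", "correct horse battery staple"))
    print("stolen record, dictionary guess:", offline_guess(rec, ["password", "letmein", "qwerty"]))
```

The `offline_guess` function is the part that matters for the "as secure as the master password you chose" claim: with the server's database in hand, the only attack left is guessing master passwords and paying the KDF cost per guess, which is why the iteration count and the password's entropy are the two knobs the user and the vendor actually control.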

How big the target is has very little to do with how safe it is.

Viruses spread a lot more on windows because of MS's shit stance on security. It's an even more popular OS now but the virus landscape is a hell of a lot more limited because they started to take security more seriously. They still have a way to go.

How well does it work on iOS? I’ve been happy with how well LastPass integrates with iOS so far.

It works great on iOS. Full integration as you would expect, pops up at the top of the keyboard for app & website autofills. FaceID is also implemented to authenticate before opening your vault.

edit: One note about something that was bugging me for a while...items created on my computer sometimes wouldn't show up in the vault for immediate use. Painful when you sign up for a service using your computer and then try to immediately sign into it on your phone.

In the iOS app settings there is 'Swipe down to refresh' (or similar) - turn that ON. Not sure why it was off by default, but it totally fixes the issue. Just swipe down to refresh the vault and your new item appears.

I think with any install of BitWarden, be it a browser add-in or separate app, the one you are adding a new credential into knows enough to sync to the cloud, but the others won’t know that new data awaits in the cloud until they do a scheduled query/poll or you manually sync through those clients.

Having a push feature only works if you can engineer your app or add-in to open up the necessary ports or tunnels in the OS itself. Polling on the client end will always be easier to implement.

Also: just checked BitWarden v2.8.0 (449) on iOS 14.4, no setting for “swipe to refresh” anywhere in its settings.

> just checked BitWarden v2.8.0 (449) on iOS 14.4, no setting for “swipe to refresh” anywhere in its settings

Settings -> Manage -> Sync -> Enable sync on refresh

Absolutely. I don't know what eventually triggers the vault on my iOS device to update. It definitely isn't a push notification when the vault is modified on other devices. Probably just a simple duration-since-last-update timer, like the Chrome extension.

My trouble was specifically related to the 'Pull down to refresh' behavior being disabled by default though. If that feature is disabled the new items will appear sometime, with no way of knowing when that will be. I honestly don't even know why that feature has an ON/OFF switch, it should just be permanently enabled.

It works well for me on iOS, not sure how it compares with LastPass's app but BitWarden does everything I need on the phone.

Integration is the same as LastPass, in my experience.

Works well on iOS. I've switched from LastPass years ago, and never regretted it.

same story here! Happy with it since. Bitwarden is open source too!

I very happily pay $10/year for Bitwarden. It is in my opinion superior to LastPass, and I don't have doubts about the corporate governance.

I've tried really, _really_ hard to like Bitwarden. But I ran into 2 huge issues that ended up being blockers for me:

1. Sharing is super-confusing. I was trying to organize things for my mom, as well as for my wife and I. And you have to create these "organizations". And they make things really confusing for a variety of reasons. They are a different pricing/SKU. And the UX around them is not good. It's not clear where things are being created a lot of the time, and who may or may not have access. It just was a really bad experience.

2. It was outrageously slow for me. I use Enpass otherwise, and it comes up right away, and searching is relatively fast. But Bitwarden always had this delay. And it was a huge pain point because it wasn't clear immediately if there were just no results, or if I just had to wait a few seconds. And sometimes things would pop up unexpectedly.

So I've continued using Enpass. It has _by far_ been my favorite password manager. It's not open source, but it uses SQLite and SQLCipher under the hood, and I have full control over where it syncs my data to. Sharing is still a problem (mainly because of the architecture decisions - there is no "central server"), but everything else is so great that I'm fine making that tradeoff.

Agreed on the sharing - I was trying to arrange a family plan for 5 people, and happy to pay $10*5 a year (coming from a shared LastPass instance), but have given up trying to figure out how sharing works. Ideally every person would have their own personal vault and there would be a shared vault for "family" accounts, that you don't explicitly have to switch to in order to use. We just share master passwords and manually sync things, but it seems like a missed opportunity to upsell individuals into family or small team plans with just a few new sharing features.

Having just set up a free organization the other day, I agree it was slightly confusing. Mostly because I was kind of hoping to combine costs for an organization with the per user $10/year plan. In the end, I set up a FREE organization for two people, and paid for the per-user upgrade for one of us, for now, to get the reports on bad passwords.

If you're trying to set it up for three users, you'd need to pay for an organization, which starts at $9/month. On the other hand, I believe you could set up two free organizations where you are a member in each, and you add your mom to one and your wife to the other.



I don't think it was a particularly difficult process, but I did it on my computer, and once it was all figured out, helped my spouse with the rest. I don't find the sharing process confusing. You click Share on a saved password, choose the organization, and then you choose the collection you put it in (which can simply be Default.)

I haven't found BitWarden to be slow, but my laptop is a Ryzen 7 4800H and my old phone was a Pixel 3, so neither are slouches. Not sure how many records I have but I'd estimate about 500.

re:2 - interesting. I've used bitwarden regularly over the last year or so across windows and mac laptops and iOS devices. I can't recall ever having a notable delay. I wonder what this implies about configuration.

> and it comes up right away

I'd be a bit afraid of this. Secure key derivation takes time. Remember, you want to be able to defend against people with a few GPUs or the ability to configure a cheap FPGA at least and the ability to build custom ASICs or employ a GPU botnet at worst. Taking ~5 seconds to derive your key securely on your phone is a near inevitability.

Searching happens after the vault is already unlocked.

That's about searching, not unlocking the vault.

Same here, I'm happy to pay Bitwarden because they have a highly functional firefox addon. LastPass was garbage for like two years before I dropped them and that was itself years ago. It's been bad for a while.

I definitely don't trust LastPass with my information, definitely don't trust that it will actually work in my browser, and if you export your LastPass vault, Bitwarden imports it perfectly.

Take my advice at your own risk of course, I had both for a few months before I was confident it was safe to close my lastpass account.

I did the same switch too a while back, Bitwarden has been really solid.

Interesting thing: I just now remembered to delete my LastPass account, but the delete account flow breaks totally. Just end up in a modal without any content in it, both Firefox and Chrome.

I'm wondering if they are even deliberately blocking deleting accounts for damage mitigation?

Huh, you reminded me that I used LastPass for a while and still had that account. I went and deleted any passwords still in there, and then had to do a web search and found https://lastpass.com/delete_account.php which worked for me. I just had to confirm 2 or 3 times and then it claims it deleted my account. This is in Firefox on Windows.

Good to know, thanks. I'm on OSX. Maybe there's something funky with my account data then. I emailed their support, let's see what happens.

Honestly, I’ve been using LastPass for years and lately the Chrome and Firefox extensions have been really buggy for me. Especially the Chrome one. So I’m not sure it’s nefarious.

Anyone have a thorough guide to migrating to Bitwarden? I’ve tried and failed. I have notes, multiple logins per site, about 1000 credentials.

I just did it. Exported to CSV in LastPass and simply imported it in Bitwarden. No problems. Search Bitwarden's help for a guide.

Hey! I had this issue too twice before when trying to switch. I tried again today, and it seems to have gone off flawlessly this time....

I think the issue before was w/ multi-line notes and special characters.

For reference, I imported the data by pasting in the lastpass export rather than using the .csv import.

Good Luck!

Import features alone should work, but if you’re absolutely desperate you can roll your own import process with bitwarden-cli (it’s on github and various package managers).

How does it compare with 1Password?

I think Bitwarden's UX is pretty poor. A few examples off the top of my head:

- 1Password's TOTP support is much better. 1Password autofills the code and the password, Bitwarden only copies the code. 1Password will scan pages for QR codes.

- They finally implemented encrypted backups but they half-assed it. From https://bitwarden.com/help/article/encrypted-export/:

> Warning

> Rotating your account’s encryption key will render an Encrypted Export impossible to decrypt. If you rotate your account encryption key, replace the old backup with one that uses the new encryption key.

- https://news.ycombinator.com/item?id=25868856

That said, I'm a Bitwarden user because I don't think it's that bad and I don't think 1Password is worth 3.6 times as much.

All password managers have issues but as a user of 1Password I have a lot of gripes with the product:

- Fails to fill out passwords around 2% of the time (Firefox account for example)

- Sometimes I mash the "CMD+/" shortcut and nothing happens. It's very unstable.

- Password generator is rigid. I have to edit the generated password about 90% of the time to add capital letters, numbers etc. I made a comment a while back on how we should be using HTML data attrs on the password field to hint how a password should look for password generators. Perfect password every time.

- Can't remove a single item from the trash. It's empty all or nothing.

- The shift to the web. Introduction of Keepass X extension whilst supporting the legacy. No feature parity between them. It's a bit of a mess to be honest.

Re the generator, there's the passwordrules proposal: https://github.com/whatwg/html/issues/3518

Some systems are already using it -- e.g. I know that Apple's generate-password helper reads it, and I believe that 1Password also does.

This is exactly what I was thinking. I knew the idea was too good to be mine.

Man, that password attributes idea is very good. How does one go about proposing that to a standards committee or something?

It's probably tough to find a thorough review where someone put basically all their passwords in different password management tools and lived with them for long enough to compare them. Then again, people have undertaken more arduous tasks before.

For a while, I had the horrible practice of using the same username and very simple password everywhere. Eventually my "one true password" became slightly more complex, but I still had some bad habits. I eventually started letting Chrome save all my passwords except for, of course, my Google one.

I switched to LastPass (free) for a while. (My memory of this is a bit fuzzy.) At some point I wanted to switch to something less, eh... corporate? So I got BitWarden. I really like the password generator, and use it exclusively now. (There was a web site I used to use for this, but of course this is much more convenient.)

It was a bit rocky in the earlier days. Integration with the browser on Android could sometimes be a little shaky. It's still not perfect, but I don't have good comparisons there. I use Firefox on Android, Windows and Linux. It works really well on the desktop and mostly really well on Android, though with the browser it's unreliable if you rely on the Android app, so I install the Firefox Add-On for BitWarden, and that works reliably.

My spouse set up her own account, and we share some of our important passwords via a free organization. This is a great feature and gives us both some peace of mind if we were ever required to get into each other's accounts. We also paid the $10/year so she could see reports on her passwords, and get rid of breached, insecure and duplicate passwords. She has adapted readily to using the password manager though she mostly just uses it on the computer, not on the phone.

Overall we are very happy with it and I believe it's an excellent option. I cannot, however, compare it to 1Password.

Unless you have strong opinions about either one's UX, the most significant difference that matters to most users between Bitwarden and 1Password is that Bitwarden has a free plan and 1Password doesn't. Sometimes the "free" price tag is the difference between being able to convince someone (or yourself) to use a password manager and not being able to convince them.

About UX: between BitWarden and 1Password, I haven't seen any actually compelling discussion of the two password managers' UX that goes beyond just the typical way in which anonymous internet commenters enthusiastically assert preferences. They both do their jobs well enough the vast majority of the time. If you're genuinely in doubt about the UX, try Bitwarden for free and then try 1Password if you can't stand Bitwarden's UX.

I'm sure it's not a perfect comparison, but the Wirecutter does have a comparison on their password manager page:


Bitwarden doesn't have a Safari extension anymore since Safari's extensions are their own format... Safari has since said they'd allow Chrome's extension API, but I haven't heard if Bitwarden will start developing the Safari extension again.

That's not true. If you install it from the Mac App store, you do then get the extension and can activate it within Safari. I just switched from LastPass to Bitwarden and by all accounts it seems better than LastPass (for my basic usage) and the Safari extension is working fine for me.

Thanks for this, by the way. There was a time where the author had announced that he wouldn't be supporting the Safari extension for Catalina and beyond, and I never realized it came back. My work life is better now ;)

Good to hear, I want to make the jump myself some day. At the moment I have a personal (paid) LastPass merged with my company's enterprise LastPass, and for sanity's sake I get both in one UI with YubiKey support.

I'm a bit concerned that Bitwarden might also follow a similar path later on, if we keep using the free version. Any thoughts on that?

Honestly I pay for the premium even though I use absolutely none of their premium features. At €10/year, it's the cheapest subscription I've ever encountered, and I don't want to store OTP at the same place as my passwords to avoid single point of failure for my most important stuff.

Hopefully they do. Services as important as a password manager should be paid unless you host it yourself. Bitwarden is only $10 a year.

It's open source (both client and server) and there's a third party reimplementation of the server

I pay for it without using the premium features.

The title is slightly off. The limit is to a single device type, not device.

If you only use LastPass on 2 devices of the same type (on your desktop and your laptop, or if you only use it on your mobile and your tablet) you will be fine to stay on Free. However, if you use it on your desktop and your mobile (like me) you will need to swap password managers or pay up for the service.

Before LogMeIn bought them, the service was free on "Computers" but you had to pay up for Mobile (although you were able to access your vault via their website, the mobile app just made it easier).

Guess it's time for me to invest my time into actually setting up and exporting my passwords to something like KeePass (I've been meaning to do it ever since LogMeIn bought them, I was just far too lazy to do it until now).

~$30 for a year (the offer they included in the notice) ain't that bad, but I just don't like having the rug pulled from under me and would rather support something like KeePass than support LastPass.

Maybe I will change my mind after I've had some time to digest the news and play with KeePass (and its alts).

I've been using KeePassXC for a few years now. Before this, I was using LastPass and then before that, the original KeePass. Feature-wise, KeePassXC does a really good job replacing and going beyond LastPass.

It can have folders, it generates passwords, it can hold TOTP (2FA) tokens and it can even hold SSH keys acting as your SSH agent. Having your password safe be an SSH agent is a really nice feature which means less copying passwords around. The browser plug-ins have worked well for me as well.

I like that it can use any file sync tool for storing the key database - similar to why I like Joplin for note taking. I also like that there are many different clients for it since it is an open standard. To keep things secure you can use a password plus a key file. As long as you keep the keyfile only on the devices or on separate sync services, it raises the bar of security quite a lot.

There are KeePass clients on Android (Keepass2Android and KeePassDX) as well as iOS (KeePassium and another that I forgot the name of). All of the mobile clients support filling passwords. I have them all looking at the same file share and have not had any issues with corruption or file sync. I have it configured to immediately save all changes to disk and it writes and merges conflict files automatically as needed.

There are a few areas that it isn't as strong. First is sharing passwords - it has a feature for it but I haven't actually tried it out yet. Since you need to have the shared file ahead of time, you're really relying on your file sync provider to share that part of things. Second, the integration between programs works well but it isn't as seamless as a cloud service would be. For example, prompts will pop up in KeePassXC when there is a request to access a new password by a website. I believe this is probably more secure but it is an extra thing to come up when auto-filling passwords.

I have yet to try bitwarden but I would guess that sharing and lower-friction in web browsers would work better with it since those were the key benefits of LastPass when I'd used it.

FYI Bitwarden is only $10 a year. Before Bitwarden I used a combination of Keepass and Google Drive to sync all my passwords between devices. That was a workable solution, but Bitwarden is certainly easier, and I think more polished too.

I should also note that the free bitwarden does support syncing across unlimited devices (and device types), and can be self-hosted if you like that kind of thing. The premium version unlocks additional features like 1GB of encrypted file storage, a built-in TOTP authenticator, and priority support - but I was using the free version for multiple years prior to paying and it was great.

Cheers for the info, I'll look into it. I'm not against paying for the service (I've used the hell out of LastPass), I'm just not a fan of them pulling my use case from under me.

That will always be a risk, as long as you rely on cloud services.

I started using Lastpass as well, but moved to Keepass as soon as they were eaten up by Logmein. I moved to Keepass and I keep the keyfile on OwnCloud. It works very well, and even better than Lastpass (at least as it was when I last used it). Keepass has actual desktop clients, so you don't have to use a janky web-app.

>That will always be a risk, as long as you rely on cloud services.

True, but it seems that Bitwarden offers the option to self host which could help mitigate that. However as a paying customer you have more of a leg to stand on if the company does try and pull the rug from under you.

As for LastPass, I rarely used the "WebApp Vault" (Only to copy my passwords for native apps on my desktop) and did it all via the context menu / LastPass button injected into the User/Password fields in the browser.

Their iOS app was very handy (as my local supermarket self-scan app keeps logging me out), as for most apps it would offer autocomplete. So I'm going to be looking more into the mobile integration than the desktop integration (as it's far easier for me to C+P between things on desktop than it is for me on mobile).

I am going to give KeePass a try but I've not settled on which system I will actually switch to yet.

To me, the unbeatable feature of Keepass is the fact that I'm not limited to user/password combination. I use it to store important notes and even files.

Bitwarden has the ability to store secure notes as well. I don't think it has the ability to store arbitrary files though.

[You can](https://bitwarden.com/help/article/attachments/), but it's a premium feature.

Also the fact that you can avoid the cloud entirely by using a peer to peer sync tool.

LastPass also has secure notes.

Bitwarden is awesome. I use the free version and it covers all that I need. All the clients and the server are open-source, you can self-host it for free, and there are even alternative server implementations like https://github.com/dani-garcia/bitwarden_rs

The whole distinction between mobile and computer is such a frustratingly artificial concept, a concept that has been imposed for monetization and control.

>would rather support something like KeePass than support LastPass.

curious what "support" means in this context, as keepass is free. do you donate or otherwise contribute to the project, or does support just mean use?

At this moment in time, I'm not against paying for my password manager as it has been handy to me. However, because I feel that LastPass has pulled their product from me with a demand to pay up to continue to use it, it feels different to me than it would be for me to opt into a paid account because I liked the service but the free account would probably work just fine for my use case (the current free tier of Bitwarden for example).

So at this point in time I would rather switch providers and give them the 30 bucks LastPass are now demanding for my use case out of the sheer principle of the matter.

So if I do swap to KeePass or KeePassXC I will be donating that 30 bucks to them. If I swap to something like Bitwarden I'll pay them for whatever package is as close to that $30.

I don't know why the title was neutered, it even says in the 3rd sentence:

> Starting March 16, 2021, LastPass Free will only include access on unlimited devices of one type.

I read it as editorialized, not neutered, in order to be more inflammatory and improve the chances of people agreeing with the OP.

I'm all in for paying for services that handle your personal data. If you don't pay them, how do they make money? So I'm okay with this.

Something to consider, however, is the alternatives. Bitwarden seems cheaper[0]. Does anyone have a preference for either?

[0] https://bitwarden.com/pricing/

When a service has a free part and a paid part, the free part is more like "try before you buy" than the data being money.

This move to limit to a device type is shitty marketing trying to convert more people to buy.

It will fail by angering existing free users and pushing them to alternatives, while also reducing new users signup.

This is a sad post-acquisition state for a product, trying to make the most possible money out of it instead of focusing on real value.

Bitwarden is awesome and open source. I host it myself. Used Lastpass before.

The only problem I had with BitWarden was you cannot add/update entries on mobile when you're offline. This might not be a big issue for many, but it was a deal-breaker for me. I'm now rocking a local KeepassXC (PC) + Keepass2Android + Syncthing setup that syncs when I'm on my home network.

I use Bitwarden (not self-hosted) and I'm happy with it.

On my mobile device (One Plus 3T) it's rather slow, but that might be due to the device age.

Don't use a service, use (Free) software and handle your personal data yourself. https://keepassxc.org/ is one option to do so.

Bitwarden is F/OSS software whose server you can install on premise [1]. I hope it becomes lighter, though (its minimal memory requirement is quite large).

[1] https://bitwarden.com/help/article/install-on-premise/

You could try bitwarden_rs [1], much lighter on resources.

[1] https://github.com/dani-garcia/bitwarden_rs

What are the options for using KeePass on Android? Is there a way to get auto-filling in apps? How about in Firefox for Android?

I'm using Keepass2Android Offline; it supports the auto-fill service that was introduced in Android 8, so it shows up anywhere a password manager is supposed to show up and yes, works with Firefox for Android.

Either Keepass2Android or KeePassDX. They both have virtual keyboard support[1] and at least one of them has Android auto-fill support.

[1] to use it you have to open/unlock the database, select the entry (although I think it's also possible to associate to android package ids so you don't have to do this), switch back to the app, change your keyboard to the keepass keyboard which will have buttons for entering user and password.

Just switched to Bitwarden. Took me ~15 minutes to get the browser extension + app installed and to complete the migration using the export/import features.

I've performed the switch as well, however, a couple of things to consider about Bitwarden:

- field detection is much poorer in Bitwarden (i.e. it will fill both signup and login fields in some websites... including HN)

- Bitwarden timeout doesn't survive browser restarts (at least, this was the last time I've tried it), making it difficult to use for people with a complex password and frequent browser closing/opening

I'd always assumed point 2 was intentional

It is. Go to Settings > Vault Timeout. I've set it to 'On Browser restart' but you can set it to Never

I don't like using browser extensions for password managers (I read in the past these are usually the easier attacks, might not be true nowadays) and switched from LastPass to Bitwarden.

The feature I miss is that LastPass has a Mac MenuBar app which provided a global shortcut to search my wallet, for Bitwarden I always have to open the app.

Also, the iPhone app doesn't let you view attached images in the app, you have to first download them to the phone's storage.

Also, Bitwarden's enterprise feature is very different from anyone else’s enterprise feature.

It’s, in my opinion, a bad system. The issue revolves around the fact that you always have a personal account that has work access. Well.... for enterprise, I want to be able to help a user reset their password, override their MFA, revoke access to a share, and audit what shares they have access to.

I REALLY wanted to use Bitwarden company wide, but the enterprise product is just not there.

The concept is that you have your personal vault, and then you can also be a member of multiple organisations, each with a vault.

If you want, you can choose to disable the "personal ownership" option, so that employees lose their personal vault and can only use the organisation's vault. You can also select the "single organisation" option to prevent an employee from joining a second organisation.

Once you have done that, you can audit all of the shared "collections" in an organisation and revoke access to specific "collections" for specific employees.

And if you want enterprise-y control, then you can manage employee credentials using LDAP, etc.

It is a bit confusing to be fair, but I think you can do the things you mention?

re: field detection

How does it do with sites that insist on using a 'password' type field for both username and password? This is my biggest pet peeve on the internet today!

It handles Fidelity fine, and they do a sort of masked password field for the username where you only see the last 3 characters.

Firefox on the other hand used to want to save my username as ****ABC

Don't forget to delete your account!

Also just switched and the whole process took about the same time.

Amazingly painless import of literally hundreds of accounts including my "Secure notes" and credit cards and such that I also had in Lastpass.

Works great on iOS, Firefox and native that I've tried so far.

I've been wanting to move away from LastPass for a while now for different reasons - it feels very heavy and clunky. It's slow and the autofill can be glitchy.

Does anyone have any recommendations from this perspective? 1password seems more Apple-oriented, but my devices are all Windows (chrome), and Android.

There's lots of discussion here about "terrible UI," but I imagine none of these password managers are consistently great across all platforms. E.g. someone using an app solely on a Linux desktop in Firefox will obviously have a vastly different experience than someone using the app primarily on an iPhone with Safari.

I just switched (literally in the last hour) from Lastpass to Bitwarden. Quick painless import and works great across iOS, Firefox (browser extension) and native client.

Free and open source (client and the server too if you want to self-host).

We moved away from LastPass for the reasons you mentioned and for the problem that I couldn't recover the password of a business account. The account was just not usable and they couldn't even delete it, so once someone made a mistake while opening it, their email address was blocked. I think they fixed this since we moved, but 1Password is not standing in my way and does everything reliably and quietly.

They have apps for all (mobile) OSes and even a native Linux app, which I really appreciate. I just saw they also have a CLI; I have to test this, too.

I'm just a happy customer with ~60 users and not affiliated.

I am very happy with Bitwarden. Fully open-source (including the server), free tier has everything I need (and the premium is just $10 a year), self-hostable (and there are even alternative server implementations). The UI isn't "sleek" but you'll get used to it very quickly. And it has a nice import wizard that will walk you through the process of exporting your passwords from other password managers.

I recently migrated from LastPass to 1Password. Honestly it's been great. The UI is better, sharing vaults is easier, they have integrations with haveibeenpwned.com, and integrations are seamless. There's no free tier, but the cost feels worth it to me. I was able to get my whole family on 1Password without too much hassle.

I use 1Password and I don't agree with it being Apple-oriented. Their integration with Apple OSes is awesome, but their Windows solutions work really well as well.

I'm very happy with it.

Hasn’t been mentioned elsewhere here but I can recommend MasterPassword anecdotally, which has a novel approach to cross-device password management.

I found 1password on windows to work just great. It's not as great as the Apple version but it's way better than the alternatives.

This is a feature, not a product™.

I switched to using safari’s password sync across mobile and desktop. It only works on iPhones and macOS desktop safari, but I adjusted my workflow.

It’s both free, and reliable as long as Apple supports it. But I trust Apple to exist or migrate better than a dedicated product company like lastpass. Both for a decent user workflow and for not being breached (much scarier to me).

I know that companies learn from security incidents and that we should reward, not punish companies for being transparent in their responses. But lastpass [0] has had issues with breaches and potential breaches and I’m nervous about storing bank passwords and whatnot with third parties.

I used to recommend lastpass because it was easier to use and better than others. But now, for people who don’t know how computers work, I just recommend to buy an iPad or iPhone and use their password managers.

I think it’s going to be tough, even if free, to compete with this.

Doing stuff like making users choose between desktop and mobile, completely arbitrary with no real engineering driver, will just move more users away, I think.

[0] https://en.wikipedia.org/wiki/LastPass

What you need to worry about being tightly integrated with Apple is not a hacker getting your data - it is being stuck with you or your surviving family not having access to your own data. This is my primary worry about walled gardens such as Apple or Google where you could be locked out of your own data because, you know, you looked at your phone the wrong way.

In this instance, you are better off relying on someone whose primary business is to save passwords. They are more likely to have thought about this.

For example, 1Password explicitly offers an emergency kit[1] for your surviving family should something bad happen to you. They also used to have a zero-install reader called 1Password Anywhere, but that seems to have been discontinued.

[1] https://support.1password.com/emergency-kit/

This is a good concern, and one I mitigate by keeping a file with trusted people that is to be used in case of my death.

I think I’m better off relying on Apple’s business of protecting my identity (and selling me more apps, music, phones). And the effort spent on this by Apple is likely better than the primary purpose of a much smaller company. I also don’t think the incentives for a password as a service company that makes money off a monthly fee are lined up with mine. In time, I think they will only get worse as they layer on “features” to grow revenue from a fixed, and shrinking, market.

If you’re worried less about hackers and more about big brother, such as crossing borders, they also have a Travel mode that drops from your devices any password vaults not marked safe for Travel. Then toggle them back on after you don’t consider yourself or your data subject to inspection.

> But I trust Apple to exist or migrate better than a dedicated product company

I'm staring at my huge Aperture photo library (with tags, edits, versions and albums). Apple left me hanging. I would not assume anything of a huge company.

For all kinds of reasons, I hate what they did there, abandoning Aperture functionality — there remains zero other software that fills what Aperture did for me. Even though Capture One and Adobe Lightroom Classic can both import from it to a degree:


That said, Aperture could still open an Aperture library using the final versions of Aperture up until Mojave. So from the time Aperture was discontinued, Aperture itself worked through six versions of MacOS, until Catalina.

As of Catalina, Aperture no longer ran native[1], but Photos itself could still open and migrate those libraries (note: I have not tried in Big Sur). While Photos didn’t recognize everything initially, before Aperture became unsupported, Photos did eventually handle tags, non-destructive edits, JPEG+RAW pairs, referenced files, and albums.

Apple eventually got the parity enough I was able to move a quarter million photos over into Photos, and haven’t needed to re-open Aperture in a couple years. While I haven’t needed it, I did test the software linked in [1] below, and it worked great.

What to do if you’re on Catalina or newer, and need to migrate Aperture to Photos: https://support.apple.com/en-us/HT209594


1. NOTE: Open Aperture on Big Sur or Catalina using ‘Retroactive’: https://github.com/cormiertyshawn895/Retroactive

From README: ”All Aperture features should be available except for playing videos, exporting slideshows, Photo Stream, and iCloud Photo Sharing. If RAW photos can't be opened, you need to reprocess them.”

Read more: https://petapixel.com/2019/10/29/this-app-lets-you-use-apple...

> This is a feature, not a product™.

Hard disagree -- this is a product, not a feature.

If it's a feature then it's tied to a single product. The whole reason I don't use Apple's or Chrome's built-in password syncing is because I need my passwords to also work on Android and on Firefox.

LastPass is one of the only ones that supports MFA on Linux and iPhone with my YubiKeys. Their security track record is a bit meh, but generally speaking, I’m very happy with how they integrate everywhere.

Bitwarden supports that too, I don't know about others.

I mean to each their own, but for a password manager security trumps integration for me.

Are some of the options discussed more or less secure than the others?

Well, pedantically yes unless every option is exactly as secure as all the rest.

Less pedantically there's stuff like: https://hackaday.com/2016/08/01/lastpass-happily-forfeits-pa...

It only handles login and passwords though. No other fields.

They’re accessible outside of a browser, via a “keychain”, and the entire OS is built to use this keychain, which also syncs appropriately among your devices.

On iOS, it’s Settings > Passwords. On MacOS, it’s Keychain Access, which looks like this:


There is also a UI in Safari itself, which on MacOS has added some advisory features, including easily guessed, seen in a data leak, or used on multiple sites:


On MacOS, you can also use the keychain with ssh on the command line:


Well, time to switch it is. I can't justify more than a couple of dollars a year for a password manager. Also, artificial limits, especially when companies limit existing features like this, piss me off (cough Google Photos cough). Why not add new features and make them premium only?

Plus I recently changed my Lastpass password and they had added symbol/number requirements since the last time I had changed the password and it would not let me use just a word based password. Bitwarden let me without issues.

Checking out the extension now, it's also much easier to use than Lastpass. For me I don't care, but for my parents the Lastpass chrome extension interface is really confusing.

> Also artificial limits, especially when companies limit existing features like this piss me off (cough google photos cough).

On the one hand, I tend to agree that changing existing features to paid is not great (disclaimer: I was paying for Google Photos/One/Whatever even before they announced the changes), but I wouldn't call space limits "artificial".

Yes, perhaps that wasn't the best example, the issues get lumped together in my head.

But for google, I believe the issue was people were abusing it. The proper solution would have been to stop the abuse, not what they did. Or for example, they might have removed unlimited video uploads which would make more sense, or had soft limits. Also you can't tell me google did not foresee this happening, which just tells me they used the free storage as a lure.

Why isn't it artificial? If they already had sync between devices, making it unavailable is purely artificial.

The reply to me correctly pointed out that I compared it to the new Google Photos storage restrictions, which could be interpreted as not being artificial, not that the LastPass restrictions aren't.

Even though I know the answer, I think it's interesting to note that none of the "questions" posed ask "Why?"

I guess they felt the obvious cash grab was obvious enough to have no need for explanation.

I'll be moving off to somewhere else, despite being pretty deeply entrenched in lastpass. Hopefully there are some migration tools available. I have hundreds, maybe thousands of passwords stored--generated passwords which I do not know at all.

Based on comments here, I'm likely to end up with a self-hosted bitwarden. I'll feel better about that, anyway. I'm trying to eliminate my cloud dependencies, besides my VPS.

> Hopefully there are some migration tools available

LastPass will export your saved passwords into a CSV file. Dunno about importing into another program, though.
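An added example, not from the thread or from either vendor, of what that CSV handoff looks like in practice: parse a LastPass-style export, rewrite it into the column layout Bitwarden's CSV importer expects, and report passwords reused across entries before they are imported into the new vault. The column names of both formats, the `http://sn` pseudo-URL that marks a secure note, and the sample rows are assumptions constructed for this example; check them against the headers of your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a LastPass CSV export. The column set is an
# assumption about the export format, not something taken from the page.
LASTPASS_CSV = """url,username,password,totp,extra,name,grouping,fav
https://example.com/login,alice,correct horse battery staple,,,"Example Site",Work,0
https://bank.example.net/,alice@example.com,Tr0ub4dor&3,JBSWY3DPEHPK3PXP,,Bank,Finance,1
https://forum.example.org/,alice,Tr0ub4dor&3,,"Recovery code: 1234","Forum",,0
http://sn,,,,"Licence key ABC-123","Laptop licence",Notes,0
"""

# Header of Bitwarden's CSV import format (assumed for this example).
BITWARDEN_FIELDS = ["folder", "favorite", "type", "name", "notes", "fields",
                    "reprompt", "login_uri", "login_username", "login_password",
                    "login_totp"]

# LastPass marks secure notes with this pseudo-URL (assumed for this example).
SECURE_NOTE_URL = "http://sn"


def parse_lastpass(text: str) -> list[dict]:
    """Read the export into one dict per row, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def to_bitwarden_row(item: dict) -> dict:
    """Map one LastPass row onto the Bitwarden column layout."""
    is_note = item["url"] == SECURE_NOTE_URL
    return {
        "folder": item.get("grouping", ""),
        "favorite": "1" if item.get("fav") == "1" else "",
        "type": "note" if is_note else "login",
        "name": item["name"],
        "notes": item.get("extra", ""),
        "fields": "",
        "reprompt": "0",
        "login_uri": "" if is_note else item["url"],
        "login_username": "" if is_note else item["username"],
        "login_password": "" if is_note else item["password"],
        "login_totp": "" if is_note else item.get("totp", ""),
    }


def convert(text: str) -> str:
    """Return the whole export rewritten as Bitwarden-format CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=BITWARDEN_FIELDS, lineterminator="\n")
    writer.writeheader()
    for item in parse_lastpass(text):
        writer.writerow(to_bitwarden_row(item))
    return out.getvalue()


def reused_passwords(text: str) -> list[list[str]]:
    """Group the names of login entries that share a password.

    Only entry names are returned, so the report can be shown or logged
    without surfacing the passwords themselves.
    """
    by_password = defaultdict(list)
    for item in parse_lastpass(text):
        if item["url"] != SECURE_NOTE_URL and item["password"]:
            by_password[item["password"]].append(item["name"])
    return [names for names in by_password.values() if len(names) > 1]


if __name__ == "__main__":
    import sys
    # Usage: python convert.py lastpass_export.csv > bitwarden_import.csv
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else LASTPASS_CSV
    for group in reused_passwords(source):
        print("password shared by:", ", ".join(group), file=sys.stderr)
    sys.stdout.write(convert(source))
```

The export and the converted file are both plaintext copies of every credential in the vault; keep them off synced folders, and delete them (and any editor swap or backup files) as soon as the import into the new manager has been verified.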

Those of you looking for an alternative, consider moving your data to a KeePass database. It's a more or less open file format, which a lot of different tools can read.

My go-to tool currently is Keeweb - https://keeweb.info/. It's basically a SPA, and can be used offline or online.

Keeweb + a google drive hosted keepass database file keeps my passwords available and synced across 5-6 different devices.

Never again on Keepass. The dollar savings is not worth the hassle of it.

You have to use a different client on every device because the official client is Windows only, and I’ve even experienced bugs in a client I used that caused me to lose data entered into secure notes.

And while a single page app client is nice, it’s not good for password managers. 1Password integrates with the iOS password management API and browsers to fill in passwords and even credit card info, and I’m guessing most competitors like Bitwarden (open source just like Keepass!) do the same.

Saving ~$10-50 a year on something as useful and vital as a password manager in order to “roll your own” is such a bad tradeoff.

I switched off of Keepass when I almost accidentally lost data due to a client sync conflict. I had to go back to my Dropbox history and do a bunch of surgery to repair the damage. It’s just not worth it.

>Saving ~$10-50 a year on something as useful and vital as a password manager in order to “roll your own” is such a bad tradeoff.

This. I find it really strange that tech-savvy folks---who almost certainly have thousands of dollars worth of equipment---would cheap out on a password manager. You want a password manager that's secure, reliable, well-maintained, and usable. And doubly so if you want your less tech-savvy family to get the benefits and conveniences of using a password manager. Those things cost money. And $60/year (on the high end of things) is a bargain for what you're getting.

> And doubly so if you want your less tech-savvy family to get the benefits and conveniences of using a password manager.

Definitely agree with this. I might consider setting up Keepass for myself (though I actually just pay for 1Password), but my lay friends would bounce off the setup and maintenance work of rolling your own Keepass setup immediately, and then I'd be on the hook to help them troubleshoot. I'd rather just point them at Bitwarden or 1Password. It works well enough and has good enough support that they get an operational password manager with minimal hassle and I don't have to spend time supporting it. Sure, you don't control their clouds, and 1Password isn't open source, but even so it's a dramatic improvement on a lay user's account security.

> All that hassle so that you can save $10 a year.

You are talking as if KeePass's only advantage is being free and it is only preferred by people who cheap out. That's not true, just as it's not true for similar arguments for Android vs iOS, or Linux vs Windows, or Windows vs MacOS. People have different preferences and priorities.

Even if the pricing was reversed, I am sure many people would prefer KeePass, as I do, just as in general preferring paid desktop programs to free online services.

> something as useful and vital as a password manager

Indeed, even if one day I give in and start using those online services for everything, something as vital as a password manager would be one of the last places where I would cave in.

I understand that KeePass wasn't for you, and it probably isn't for heavy mobile users as it is primarily a desktop program (official KeePass client works on macOS and Linux by the way, though it feels more at home in Windows). I am sure you could find excellent mobile clients too (I wouldn't know as I never had the need), but I understand that lack of official clients and having to choose among non-official clients, some of whom might be buggy, can be frustrating. But it is perfect for my use case, and for my non-technical parents that I introduced it to, regardless of price.

Bitwarden is 100% open source and self-hostable.

Keepass is simply not the best solution anymore, even if you want to stay in the FOSS realm. It’s just clunky old software that makes it far too easy to accidentally lose data.

I have kept the PC version of the database as master. All of my tablets and mobiles access it on a read-only basis. This is to avoid the sync conflicts.

So you voluntarily prevent yourself from updating passwords when you’re on your phone or tablet just so that your password manager doesn’t lose data?

Isn’t that a ridiculous design oversight? To completely handicap any situation involving more than one computer? That’s exactly why I stopped using Keepass.

All that hassle so that you can save $10 a year.


My use case is different. All my passwords are in Chrome. Simple. KeePass has some specific passwords like the Chrome Sync Phrase, some zip file passwords, some other things. Plus initially I used to use KeePass when I started using any password management instead of the same password everywhere.

At that time, and still now, I use Dropbox to sync the PC KP db with Dropbox. Then FolderSync to sync one way (read only) from Dropbox to the phone. If I need to add a password, I wanted to make sure I can add it only on the PC. The PC had the official KeePass, the phones had the Offline KeePass app.

$10 now is nothing for me, but a few years ago in India it was about 2 days' salary of a manual labourer. About 5 meals. Or about 10 litres of petrol.

I am always wary of anything online which has my passwords. For the same reason Chrome does not have all my passwords, but still I trust Google more than any other relatively smaller software like LastPass or Bitwarden or anything.

Bitwarden is 100% open source and self-hostable.

Keeweb looks nice. On macOS I use KeePassXC[0] but I'm not a huge fan of it. Will give Keeweb a try.

On iOS I switched to KeePassium[1] for my database a while back and its very nice. It integrates with biometric unlock and iOS password management so I can get at easily from anywhere and it stays in sync with the stored database (via a self-hosted Seafile[2] instance) nicely.

The setup has served us (two users) well with few hiccups and good support for dealing with the rare conflicts that do arise.

[0] https://keepassxc.org/ [1] https://keepassium.com/ [2] https://www.seafile.com/en/home/

Second on this. I've been using it for almost six years now, never had any issues on my desktop or Android. Probably requires a bit more setup than LastPass, but it has been able to do anything I've ever wanted to do, including apps/plugins for Android, Chrome, Firefox, SmartFTP, and more.

Can you explain what "more or less open" file format means?

I've tried LastPass and 1password, but neither has a good implementation of auto-type on desktop, where my definition of good is KeePass.

To those that dismiss KeePass as being too clunky I hear you, but I think the situation is better than it used to be thanks to the development of several high quality and open-source clients for non-Windows platforms: iOS (StrongBox, KeePassium), MacOS (StrongBox, MacPass), Android (Keepass2Android), and KeeWeb as well. I would pay special attention to whether or not these clients support KeePass' built in database sync/merge feature [1], especially if you don't use a cloud back-end. Most cloud providers will save two versions of a file when there's a sync conflict ensuring you don't lose data.

As for storage back-ends I've used OneDrive, sFTP, and WebDAV [2], and I'm currently migrating everything to WebDAV. sFTP works well but some clients take too long to open and close the connection.

[1] https://keepass.info/help/v2/sync.html

[2] https://news.ycombinator.com/item?id=26157184

Oof, this is a rough one! I'd rather have a device number limit than a device type limit.

Main Takeaway:

"We’re making changes to how Free users access LastPass across device types. LastPass offers access across two device types – computers (including all browsers running on desktops and laptops) or mobile devices (including mobile phones, smart watches, and tablets). Starting March 16th, 2021, LastPass Free will only include access on unlimited devices of one type. "

"I'd rather have" == "this is what I need to stay within the limits of the free tier"

Lastpass's reasons for doing this are perfectly clear. They want people to use and trust their platform, and there's no better way of doing that than allowing users to use the full version of their product. At the same time, they want revenue, and targeting the people that use Lastpass as an integral part of their workflow (e.g. myself) is a valid strategy.

I've used Lastpass for years. I was a premium user, but at some point the free tier started covering my use case, so I stopped paying. Now I'm probably back at the point where I'll start paying again. I could definitely live without mobile access, but it's a convenient thing to have and I can easily afford it. Maybe I'll look for an alternative too, but it has to be just as convenient.

I was previously a paying member but when they doubled their price, I realized the free tier worked for me and I moved to it. I'd gladly pay $15 a year for the service and not hassle with moving. But I might as well try out Bitwarden for $10 now.

It would also be easier for me to recommend to less technical users like my family if I knew they could sync 1 mobile device and 1 computer. It's already hard enough to get any of them to use password managers to begin with.

I've been on 1Password since 2007. Unfortunately, software quality seems to have taken a nosedive since version 7 came out (disregarding the subscription issue). Random beachballs and slowdowns, annoying 2FA and duplicate password warnings, and decoupling of stored files from login entries.

I have been considering a replacement but haven't found anything up to the ease of use and Mac/iOS integration of 1Password yet.

I don't like the new Safari web extension that adds little in-page pop-ups everywhere. When I enter my master password, how can I be sure that the pop-ups are coming from the 1Password web extension and not from the website or another extension? Is it sharing the DOM with the website? If not, how are they separated? I realise I don’t understand how web extensions work but even so I don’t see why these pop-ups couldn’t easily be imitated by the site I’m on and I feel that it’s just asking for trouble doing stuff like that. After a bit of googling I realised that it's possible to turn off, so I have.

1password has been feature complete for years now, I think they are changing things for no reason at this point. Just charge me for an update when operating system upgrades break the software. Sounds harsh I know, but TBH I wouldn’t mind if apple added family sharing to passwords and finally finished sherlocking them.

Yup. Since 7.7 my 1Password looks like this (https://imgur.com/a/Zz4WSdx) on my external screen, with the scaling of the background inexplicably broken. I also see other graphical glitches here and there. Meanwhile 1Password 7 for Windows every few months forgets that I registered it and I have to go find the license file (within 1Password!) again.

The paternalistic Watchtower "feature" is a whole other set of annoyances I wish I could disable.

Same boat here. 1Password is now the slowest piece of software I use on a daily basis. 15-30 seconds to get a password out of 1Password mini, laggy and unresponsive keyboard navigation, TouchID prompts that stack under other modals or windows so they don't work, random beachballs, ... the list goes on.

At least sync still works flawlessly?

1Password browser and Mac app work for me without the issues you mention, paying user since version 5. I'm on a late 2013 MacBook with Catalina. I had the beachball issue in Safari but it went away after I restarted once.

I tried LastPass but on the first day it didn't save a password I generated like 5 seconds earlier, and I stopped trying it immediately.

I tried 1Password, but there was a basic missing feature, you can't toggle reading the password.

This was a deal breaker for me when I have a ~90 character password (I often mistype one specific key everytime).

Bitwarden doesn't have this problem.

Why would you type a 90 character password instead of copy / paste or have the manager fill it in?

Also why 90 characters when 2FA would be the safer option? Or half that is already infeasibly long to brute force?

Also what do you mean 'reading the password', like via a screen reader? I mean that would be pretty bad for accessibility, but if you mean displaying the password, my version has buttons for it (regular inline, and a popup with the password pasted large on the screen).

I have so many questions.

I was not clear.

This is the password for the password manager (e.g. 1Password/ lastpass master password). The password to rule them all. It should be extra secure. I also have 2FA, but you must have heard of defense in depth.

Anyway, I want to be able to see the password and check for typos before entering it to unlock the vault. I don't want to retype the whole password in when I only mistyped 1 character.

When I say read, I don't mean screen reader. I mean read with my eyes, I didn't think this would be a sticking point.

Honestly, a 90 digit password is only harder to type for you. It’s not more secure, other than in theory, when compared to, say, a 20 digit password.

I choose to have the highest level of security I can afford; of course there are diminishing returns with each layer of security. I'm happy to see evidence that a long password is only secure "in theory"; until then I will keep my strategy. I can type 100 WPM and this password is based off ~uncommon words, so I'm not uncomfortable: I didn't complain about entering it, I claimed the issue is 1 wrong character requiring typing the whole password again. It only takes a few seconds, but it is frustrating to type the whole thing again (regardless of length).


Well, considering the LastPass master password is stored as a 256-bit string on the servers, your 90 character master password has 720 bits, making it considerably more bits than make up the hash that's stored on the servers! 1 ASCII character is 8 bits!

You don't understand encryption. The master password is not "stored as a 256bit string on the servers".

Yeah it is!!

LastPass stores our master password hashes as a SHA-256 bit key.

All I was quipping at, was the fact that the password you enter in length is a whopping 720 bits!

I find it funny that this bit length gets reduced to a hash which is only 256 bits in length.

Your password has more entropy than the hash that gets produced from it.
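An added worked example, not part of the thread, to put numbers on the exchange above. Two different things are being compared: the length of the typed password in bits (8 per ASCII character) and the entropy of the password, which for a passphrase of words drawn from a list is the number of words times log2 of the list size. The vault key that a KDF such as PBKDF2-HMAC-SHA256 derives from the master password is 32 bytes long whatever the input length, so guessing work is bounded by the smaller of the password's entropy and that 256-bit output. The word-list sizes, salt and iteration count below are assumptions chosen for the example, not values taken from the page or from LastPass.

```python
import hashlib
import math


def naive_bits(password: str) -> int:
    """The '8 bits per ASCII character' figure from the thread.

    This is the length of the encoded password, not its entropy: a
    90-character passphrase of dictionary words is far more guessable
    than 720 uniformly random bits would be.
    """
    return 8 * len(password)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words chosen uniformly from a list of wordlist_size words."""
    return word_count * math.log2(wordlist_size)


def random_chars_entropy_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of `length` characters chosen uniformly from an alphabet (95 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def derived_key(password: str, salt: bytes, iterations: int = 100_100) -> bytes:
    """Derive a 32-byte (256-bit) vault key with PBKDF2-HMAC-SHA256.

    The salt and the iteration count are assumptions for this example.
    Iterations multiply the attacker's cost per guess; they do not add
    entropy to the password.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def effective_bits(entropy_bits: float, key_bits: int = 256) -> float:
    """Work factor for guessing: the password's entropy, capped by the key size."""
    return min(entropy_bits, key_bits)


def compare(word_count: int, wordlist_size: int, typed_length: int) -> dict:
    """Summarise a passphrase of word_count words that is typed_length characters long."""
    entropy = passphrase_entropy_bits(word_count, wordlist_size)
    return {
        "naive_bits": naive_bits("x" * typed_length),
        "entropy_bits": round(entropy, 1),
        "effective_bits": effective_bits(entropy),
        "key_bits": len(derived_key("x" * typed_length, b"constructed-salt")) * 8,
    }


if __name__ == "__main__":
    # A ~90-character passphrase of 12 uncommon words from a 50,000-word list
    # (assumed figures), beside 20 random printable-ASCII characters.
    print(compare(word_count=12, wordlist_size=50_000, typed_length=90))
    print("20 random printable chars:",
          round(random_chars_entropy_bits(20), 1), "bits")
```

Run as written, the 12-word passphrase comes out at about 187 bits of entropy against a naive 720-bit length, and the 20-character random string at about 131 bits; both are below the 256-bit derived key, so in neither case does the key size cap the guessing work. Whether a longer passphrase buys anything in practice is a question about the attacker's budget per guess, which is where the KDF iteration count, not the character count, does its work.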

Try Enpass? Only the mobile app is paid once, everything else is free. No subscriptions, too.
