Hacker News: rodmena's comments

Automation, Change control management, IAM


I don't understand why people should use LastPass while this robust, multiplatform and totally free "BitWarden" is available. Marketing power.


I have quite a few gripes with Bitwarden, but I've never used LastPass so don't take this as a comparison.

1. Their auditing ("Event Logs") feature is unusable. It refers to items by some magical identifier which does not correspond to the name in the vault, e.g. "Viewed password for item ebabefac".

2. Payments by anything other than Credit Card are a mess, which is a serious pain if you have a lot of users. It took us weeks and many support interactions to get something as trivial as a bank transfer sorted.

3. It's still (!) lacking a feature to actually send people passwords ... as in sysadmin creates some account for a user, presses a magical button in BW, and it ends up in the user's vault (or maybe they get a message and are asked to import it, whatever). BW recommends you use the "Send" feature, which is basically a glorified pastebin.

4. The UX is .... not great. Organization vs Personal Collection view is confusing. Every time we onboard a new user we get questions about how they should store personal passwords.

It works well enough, but I don't think the enterprise plan is worth the 60/user/year price tag.


> 1. Their auditing ("Event Logs") feature is unusable. It refers to items by some magical identifier which does not correspond to the name in the vault, e.g. "Viewed password for item ebabefac".

Names and all other identifiers can be changed freely, so Bitwarden refers to passwords by their unchangeable UUID, so you can keep track of an entry across any such changes.

What bitwarden lacks is an easy way to search for passwords by UUID, but that's a rather minor UX improvement.

> It's still (!) lacking a feature to actually send people passwords ...

Yeah, that surprised me as well. Back in 2014 or so we added magic password://uuid links to our internal password management tool: you could just send people the link, and when they clicked it, it opened that particular password, as long as they had access. I would've expected the competition to have picked up on it ages ago, but c'est la vie.

For exchanging passwords with external users, Send is reasonable enough IMO.

> The UX is .... not great.

Agreed. But given that everything else is solid and open source, I'll take it over any competitors, or continuing maintenance of our own tool, which quickly gets a whole lot more expensive...
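The exchange above says the event log names items by an unchangeable identifier while the vault shows human-readable names. The following is an added example, not code from Bitwarden or from either commenter, of the enrichment step an auditor would run locally: resolve the identifier in each event line against an exported copy of the vault. It assumes two things: that the export has the shape of an unencrypted Bitwarden JSON export (an `items` list whose entries carry a full UUID `id` and a `name`), and that the identifier in the event text is a prefix of that UUID, as the reply suggests. The vault entries and log lines are constructed for this example. It goes slightly beyond the thread by handling the two failure modes a prefix lookup has: an identifier that matches nothing in the export, and a short prefix that matches more than one item.

```python
import json
import re
from typing import Dict, List

# Constructed sample in the shape of an unencrypted Bitwarden JSON export
# (assumption: "items" list, each with a full UUID "id" and a readable "name").
# Every UUID and name here is made up; two items deliberately share the
# first eight hex characters to exercise the ambiguous-prefix case.
VAULT_EXPORT = json.loads("""
{
  "encrypted": false,
  "items": [
    {"id": "ebabefac-1111-4aaa-8bbb-000000000001", "name": "Prod DB admin", "type": 1},
    {"id": "ebabefac-2222-4aaa-8bbb-000000000002", "name": "Staging DB admin", "type": 1},
    {"id": "0f3c9a7e-3333-4aaa-8bbb-000000000003", "name": "AWS root", "type": 1}
  ]
}
""")

# Constructed event-log lines in the style quoted in the thread.
EVENT_LOG = [
    "2023-01-10T09:12:01Z alice Viewed password for item 0f3c9a7e",
    "2023-01-10T09:15:44Z bob Viewed password for item ebabefac",
    "2023-01-10T09:20:00Z carol Viewed password for item deadbeef",
]

# Pulls the identifier that follows "item " in an event line.
ITEM_REF = re.compile(r"item ([0-9a-f-]+)", re.IGNORECASE)


def build_index(export: dict) -> Dict[str, str]:
    """Map each item's full lowercase UUID to its vault name."""
    return {item["id"].lower(): item["name"] for item in export.get("items", [])}


def resolve(ref: str, index: Dict[str, str]) -> List[str]:
    """Return the names of all items whose UUID starts with ref.

    Zero results means the item is not in the export (deleted, or the export
    is from a different vault); more than one means the prefix is too short
    to be a unique reference and the line must be reviewed by hand.
    """
    ref = ref.lower()
    return sorted(name for uuid, name in index.items() if uuid.startswith(ref))


def enrich(lines: List[str], index: Dict[str, str]) -> List[str]:
    """Append the resolved item name (or an explicit status) to each event line."""
    out = []
    for line in lines:
        match = ITEM_REF.search(line)
        if not match:
            out.append(line)  # not an item event; pass through unchanged
            continue
        names = resolve(match.group(1), index)
        if not names:
            label = "UNKNOWN (not in export)"
        elif len(names) > 1:
            label = "AMBIGUOUS: " + " | ".join(names)
        else:
            label = names[0]
        out.append(f"{line}  -> {label}")
    return out


if __name__ == "__main__":
    for enriched in enrich(EVENT_LOG, build_index(VAULT_EXPORT)):
        print(enriched)
```

Run it against a real export by replacing `VAULT_EXPORT` with `json.load(open("export.json"))`; keep the export file as short-lived as the thread's "temporary CSV", since it holds the vault in the clear.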


I wonder, if you are self-hosted, have you tried the rust implementation? https://github.com/dani-garcia/vaultwarden

It may have better auditing (though I confess I just pay for hosted so I can't say for sure).


It has no auditing capability at all currently, cf. https://github.com/dani-garcia/vaultwarden/issues/246


I switched to BitWarden when they dropped the subscription requirement for mobile, continued charging for my subscription for over a year and then announced they’d start charging again.

It’s… fine, but many areas of integration with browser and on iOS are significantly less polished and pleasant to use. Things like credit cards are entirely manual on iOS. It’s definitely a worse experience on the convenience side.

That, and even though it’s relatively easy to migrate, it’s even easier to not spend the effort reworking your workflows and ways you use password tools.


> it’s even easier to not spend the effort reworking your workflows and ways you use password tools.

Yeah, this. I've been using LastPass since 2012 - four years before BitWarden even existed. BitWarden actually looks excellent and I'm tempted to switch, but the easiest thing is just to not do anything.


Although I understand your point from a psychological point of view, in my experience switching from LP to BW was an easy task. You can create a temporary CSV to export your LastPass vault and import it in Bitwarden. It takes 2 minutes maybe. The rest is just switching which app you use to fetch your passwords.

Although that was prior to the shenanigans this post's article talks about.


I thought it would be time consuming too but it's literally just 1 minute to sign up for an account, export from Lastpass and a 2 click import into Bitwarden.

It transferred EVERYTHING -- passwords, notes, credit cards etc. It's super easy.


Yeah this was also my experience. I expected a world of hurt when migrating to Bitwarden but it just worked!


“Totally free” is not a benefit. I want a transactional relationship with a company that will compel them to help me when things go wrong.


You have the option of paying for BitWarden if you prefer :)

But everyone that I know that uses it hosts their own anyway (I don't agree with Moxie's thing of "people don't want to host their own servers and never will" - clearly not true for some people). But that was beside the point anyway: open server design means you can choose who runs your server for you.


They have compelling premium plans fairly cheap. In my opinion it's a more trustworthy relationship because their software is open source and is fairly straight forward to host yourself if they start misbehaving. No such option on most alternatives.


I'd be ok paying for BW, the issue for me is not knowing what's going to happen if they close down or decide to pull a LastPass. So I've transferred my stuff to KeepassXC and been pretty happy with the ux. Having to deal with syncing the password database across devices is a bit of a pain but it's one of the things I absolutely need control over.


Try 1Password - Great app and I can vouch that they help you when things go wrong (because things went wrong for me and they went above and beyond to help).


Previous commenter should have said "freemium" instead.



They have added custom fields at some point, because my AWS is autofilling the account ID with one: https://i.imgur.com/Ark4XH9.png


LastPass has been around for a very long time. I'm still using it because I haven't had much reason to migrate and I installed it probably a decade or more ago.


Lack of information. LastPass was also relatively decent software for a while. I only stopped using it two years ago, but also noticed at the time that they have significant marketing efforts compared to the competition.

It seems like LastPass is angling to become the AOL of password managers, and by that I mean they want a bunch of old customers who never bother to switch to something better.


At any rate there is no reason to use LastPass. There must be tens of password managers all geared towards a different kind of user and all better than LastPass.


You can also grab a raspberry pi and self host.


Yes, it's been hacked by Iranians. The image appears to be the Iranian leader firing a missile at Israel.


And the question is, should we follow the example for Software? I mean, look at FreeBSD! Wonderful OS, but a non-profitable model.


I have been there a few times. The amount of incompetency will result in self-doubt. It will kill you mentally. I suggest you talk to your boss and tell this story exactly as you described it here; if you are lucky, they will help guide you to find your way, and if not, you will be fired, which will do good for your mental health.

Once upon a time, when I was in that situation, I requested a salary cut for myself. (They promoted me instead).


And Guido's message: https://lwn.net/Articles/878325/


Looking into the response headers, I couldn't find any cache related header. I hope the site is using cache to prevent extra unnecessary load. Brilliant idea by the way.



By the way, when was the last time we experienced such catastrophic bugs in Python/Erlang/Ruby/Go... libraries? I think simplicity is deeply interconnected with security. Perfection comes from simplicity, and the choice of programming language can and will affect the security of your platform. Although I have to admit, bad engineering and overuse of libraries could happen in every environment, Java technologies are unnecessarily complex compared to other tech stacks.


10 years ago, with DDOS attacks using hash table collision [1]. It was a sad Christmas, a lot of RoR servers to patch.

[1] https://www.securityweek.com/hash-table-collision-attacks-co...


umm... But just one thing, S3 was not available for at least 20 minutes.

