Bitwarden vs LastPass: Which is the best password manager?
One of the critical issues that every business faces is how to do password management securely and conveniently.
Specifically, it's daunting trying to choosing which password manager to use in your organization.
There are so many options out there, and quite frankly, you might not even know what to look for because—let's face it—security and cryptography are probably not your fortes!
In this article you'll learn some password management basics to get a grasp on the issues.
Then I'll answer some common questions you may already be asking.
And finally, I'll review two of the biggest players in the passwords game:
Lastpass and Bitwarden.
Table of Contents
ToggleProblems with LastPass and a move to Bitwarden
You've got hundreds of accounts and passwords.
And you need a user friendly password manager with good integration with all the web browsers and mobile devices you and your team are using.
On the other hand, your password management app MUST be safe and reliable.
After all, a hack of your customers' sensitive details could have a huge negative impact on your customers and their customers.
To say nothing of the legal woes you would likely encounter shortly thereafter.
On top of rock solid security, you need the ability to share data across your team.
LastPass is one of the most popular password management apps in the world, and has some (but not all) of these features.
In fact, we used Last Pass for years before switching to another solution.
It's convenient, allows you to share passwords (and accept shares).
It also has a Chrome extension that works somewhat slowly and buggily, but works all the same.
However, LastPass had some flaws that were getting worse with time and undermining our confidence of its security:
A) proprietary code
B) reported hackings
C) reports of decreasing quality of support after its acquisition by LogMeIn (though we never had occasion to request support ourselves)
D) Resource hogging of your browser since its introduction of JavaScript (aka, the Devil)
So we started to search for alternatives and now, after months of using one of these alternatives, we are ready to recommend a solution that we feel passes muster at a higher level.
The password manager we now use and recommend is BitWarden.
The Search for the perfect Password management app
We’ll go through a few points that we feel were important to us when deciding on a password manager, and compare how Bitwarden vs LastPass lives up to our expectations.
Platform availability
Bitwarden and LastPass both offer free hosted password management services with clients available for multiple popular devices, operating systems, and browsers.
LastPass have been pretty good about being available in every web browser and on every platform. However, the LastPass extension for Firefox has been only getting more and more buggy with time.
Firefox—the browser of choice for many people due to its relatively strong focus on privacy—clearly haven’t been a priority for LastPass.
For Google Chrome browser the issue we've found is that it's very slow and buggy. Sometimes you have to login to the web vault for an update to take effect or a share to show up.
This is on top of the fact that Chrome already consumes a huge amount of memory, with LastPass making matters worse.
Bitwarden has desktop apps for Linux, macOS, and Windows; as well as mobile apps for Android and iOS and browser extensions for just about all web browsers.
Bitwarden is everywhere we are and everywhere we can foresee finding ourself — whereas LastPass suggest you switch your browser to Chrome to continue using their service (seriously, ya'll?)
Open-source and self-hosting
LastPass is a proprietary software and service. That means you’ve got to rely on their infrastructure and their will to continue operating the service.
Bitwarden, on the other hand is open-source from top to bottom. Their apps, extension, and online services are all open-source.
You could argue under normal circumstances that LastPass has the better market incentive to produce a secure and user friendly password manager. But objectively, that's not been the case. Perhaps that's because security is a universal concern that doesn't need direct monetary incentives for developers to contribute to it.
If Bitwarden.com were to announce they are shutting down tomorrow, you could grab the source from their servers and host it yourself to ensure continued service.
You could improve upon it, “fork” it, and use it as you see fit.
It's also important to understand that as open source software, you have the ability to inspect Bitwarden's code in its entirety. You can identify inefficiencies and vulnerabilities. You can suggest changes when you encounter bugs, etc.
We haven’t run into anything that has needed our attention in Bitwarden, but we like knowing that either way, there is an entire universe of developers out there battle-testing this code.
Maybe that's the not-so-obvious incentive that makes Bitwarden such an excellent app and community.
By the way, open source does not mean free.
We pay for our Bitwarden account. 🙂
Security
LastPass has been in the news for getting hacked, more than once.
Bitwarden has managed to stay away from controversies and hacks, so far. In November 2018 a crowdfunded independent security audit by Cure53 found no major issues with the software.
Some non-critical issues were discovered, the most important of which were patched immediately.
Technical security
This is probably the most important part when you are comparing password managers.
It's also the most opaque if you have no background in data security.
So here's a layman's explanation:
Both parties use AES-256 encryption to protect your data. It is end-to-end encrypted, which means even they can’t read your data. Plus, they use salted hashing and PBKDF2 SHA-256 hashing function to protect your data.
The data is encrypted and decrypted on your device, so nobody can read or access it once it leaves the device.
Both LastPass and Bitwarden offer 2FA support like email, authenticator apps, FIDO U2F security keys, and Yubico.
There is also support for biometric authentication for mobile apps in LastPass and Bitwarden.
However, while LastPass is a proprietary software, Bitwarden is open-source, which means the code is available to security audits which is a superior feature in our view.
Security reports
LastPass will scan your passwords to create a Security Challenge report. This will tell you what’s your password health score is and where you need to change it.
Bitwarden does one better with multiple reports like weak passwords, inactive 2FA where available, passwords that you have reused, and even data breach reports.
Security concerns over third-party resources
In our opinion, no external resources should be loaded from any third-party domains inside a high-risk high-security environment like a password manager.
LastPass hosts everything under their own roof and thereby can ensure that as long as they’ve got control over their servers, they maintain control over everything that loads inside the password manager.
Bitwarden loads scripts and styles from Bootstrap CDN as well as Google Fonts and Google Hosted Libraries.
These resources are loaded with Sub-resource Integrity enforcement, meaning that modern browsers will refuse to load them if the external resources don’t match a predetermined checksum.
In other words, Bitwarden has a fairly good confidence that they don’t load anything malicious or unexpected by including these remotely hosted resources.
Data portability
Bitwarden and LastPass can export and import passwords, secure notes, and other secure notes to a comma-separated value (CSV) format with headers denoting each value.
Bitwarden being the underdog, can import data from LastPass.
However, if you want to go the other way around, you’ll need to reformat the CSV export file for LastPass to accept it.
CSVs are easy enough to work with, and the important point to note is that all data appears to be present when exporting from both password managers.
Both Bitwarden and LastPass can store other types of information including secure notes and credit card information. These types of data are also part of the password database dump.
Pricing
LastPass has a free plan, which is good. For $3/month, you get 1GB encrypted file storage, secured sharing, Yubikey and Sesame 2FA support, and an ad-free vault. Yes, ad-free. LastPass says these ads will be for premium LastPass features only.
They also have an enterprise plan where prices begin at $4 per user per month.
Bitwarden also has a free plan but with one additional feature. The ability to self-host it on your server.
For $10 per year, you get 1GB encrypted file storage, sharing for two users, 2FA support for Yubikey, and advanced reports.
The five user team plan begins at $5 per month, and enterprise plan starts at $3 per month per user.
BitWarden vs LastPass: Bitwarden wins!
We choose to use Bitwarden over LastPass here and for a good reason.
LastPass' reputation is working against it. Bitwarden is open-source, offers more compatibility, more features in the free plan, and offers plans that are less costlier than LastPass.
It's also faster (both the web vault and the browser extensions), and has a friendlier UX.
The only mild concern we have with Bitwarden is the inclusion of third-party executable scripts inside the password manager.
Here, however, we could inspect Bitwarden's source code and check what and how do they load, in contrast to LastPass which remains a trojan horse in this matter with it's closed source code.
Read Next: How to migrate from LastPass to Bitwarden
Now let’s hear from you!
Are you using any password managers in your business?
Tell us which ones in the comments section below!
What do you think of this tutorial?
Article Title: LastPass VS Bitwarden: Endgame
Short Description: Getting hard times to choose a password management solution? Click here to read our comprehensive review and tutorial!
Author: Viktor Nadeyin
Publisher - Orgnization: MemberFix
Publisher Logo:
what about managing teams and have passwords in groups?
Hi Carl,
BitWarden allows you to create multiple teams/groups and assign particular collections to each of them with either read-only type of access or full access.
From LastPass perspective, it is missing the only one useful feature – an ability to share login credentials with any person who has a LastPass account. BitWarden only allows sharing within the team.
Our team has been working with LastPass over a year. I have to admit, that I’m not 100% happy with it. It’s slow to update, logging in and out to get password database updated. On my previous job, we used 1password, but I don’t have much opinion of it.
I will definitely explore Bitwarden to see if it would be a good fit for our team.
Hi Antti,
Yep, it’s been getting slower and slower over the past year and that was one of the reasons why we moved away from it.
Another reason was a HUGE security breach found by my team, you were able to get a password even if it has been shared to you without “make a password visible” option enabled. Without any additional things but your browser, just by going to ‘Inspect’ and changing field type from ‘password’ to ‘text’! (They have fixed that by now, but you know, I’ve been insulted when saw that)
I have just been reading a bunch of comparisons and found a lot of repeated text from this site
https://www.guidingtech.com/lastpass-vs-bitwarden-password-manager-comparison/
So one of you has been nicking content form the other.
This is so obvious that’s its the handiwork of a marketing hack that probably was recenlty on-boarded to Bitwarden and whose first job was to commission this pay-to-play piece! LastPass doesn’t play well with Firefox?? Have you even tried it before attempting to write a hit job?? Sorry, this is a load of crock!
Duh? Bitwarden is NOT a for-profit business, it is open source and most people use the free version. They charge almost nothing for the paid version. Your comment about ‘marketing hack’ doesn’t make any sense to me.