Alternatives to LastPass
LastPass has been my go-to password manager for as long as I can remember. Longer than I can remember, really. I know I have an invoice from them from 2013, so I've been a user for their product for at least 7 years. I have also previously paid for the product. I stopped paying because my card expired, and I never got round to updating the details. I don't recall much in the way of lost functionality from not paying, so I never got round to doing so again.
On 16th February, LastPass announced changes to their free product, which I what I use. If you stick with the free tier, you can only use LastPass on one type of device. Either a computer, or a mobile device. Not on both. As I use it on my laptop and my mobile and tablet devices I now have to pay to continue using it across devices.
I don't mind paying for software. Especially something I get such value from. What annoys me about the whole thing is I had to find out through tech media outlets like Techradar and PC Mag before LastPass had told me.
The timing of it also sucks. We are in the middle of a global pandemic where people are on reduced hours, have faced redundancies, and individuals' budgets are seriously restricted at the moment. On top of that, HSBC told BBC News that they, and others in the banking industry, are "receiving higher than normal reports of fraud". Security is serious, and limiting people's security in difficult times feels like a serious faux pas by a security company.
Now that I need to pay for a password manager to enjoy the functionality I currently have and need, I thought I'd look through a few different options to see which may be the best value for my money. When looking at prices, I'm not factoring in the discount LastPass are offering to existing users to "upgrade" their account to keep the current functionality.
This only looks at the pricing for an individual, not any family or business plans.
Starting with the whole purpose behind this, LastPass. It is owned by LogMeIn - more commonly known for their remote access software. They bill themselves as the "#1 password manager", so it makes sense to open with them as the benchmark.
LastPass will be all that most people need. It has clients for Windows, Mac, and Linux, as well as for Android, iOS, and Windows phone (that's still a thing?). It also covers the current major browsers; Chrome, Firefox, Safari, Opera, Edge, and Internet Explorer. For those browsers which aren't directly covered, then you can log in to the LastPass website and access your vault there.
Everything you would expect from a password manager is available with LastPass. You can generate passwords, auto fill passwords, and search through your vault for individual credentials. It also has "dark web monitoring" where they check your email addresses against known credential breaches, and alert you so you can change your passwords on the affected services.
Interestingly, it also has a "username generator". Not many places use usernames which are separate to email addresses, but that could be handy for any odd edge cases where you want to reduce the cross-use of usernames for any reason.
LastPass are happy to point out that their encryption is AES-265 bit, with Password-Based Key Derived Function 2 (PBKDF2) using SHA-256 salts. It all sounds impressive, but for most people it is complete gibberish. What it basically means is that it uses your password and random string of characters to generate an encryption key. It then uses that to encrypt the passwords and send them to the LastPass servers for safe keeping. The passwords aren't stored in plain text, even at LastPass. All encryption and decryption is done at device level, so passwords are never sent over the wire between your device and LastPass in plain, readable text.
To further secure your account, various two-factor authentication (2FA) methods are supported. Free accounts can be secured with LastPass Authenticator, Google Authenticator, Microsoft Authenticatio, Toopher, Duo, and Grid. The paid Premium level adds the abiliy for fingerprint/smart card and YubiKey options for 2FA. Lots to choose from, so plenty of flexibility there.
To get all of the premium features, LastPass costs £2.60/$3 per month, but needs to be paid annually up-front.
Bitwarden is an open source offering which has paid tiers of their product for access to premium features. The code for their product is available on Github. That may be a concern for some, but should give some level of confidence. The code being available means if there's a glaring issue, anyone can point it out, or fix it. It is a relatively new platform (initial release was August 2016) so shouldn't have any legacy parts which have needed odd patches to get the job done.
As you would probably expect for something open source, integrations have been made for almost everything you could possibly need. The normal Windows, Mac, and Linux operating system support is there, as well as iOS and Android. On top of the browsers which LastPass covers, there's also the option for Vivaldi and Brave browsers, as well as Tor for the really security conscious. On top of that, there's command line integration for the operating systems, NPM, as well as a Snap package for installation. If that's still not enough coverage and your preferred browser isn't listed as having an integration yet, there's still the web vault which you can use.
Password generation, password storage, and password sync across all devices is something Bitwarden offers even from their free tier. If you don't want to sync your passwords up to the Bitwarden cloud, you can host the server element of the application yourself. A premium account adds additional 2FA options, emergency access, and health reports of your vault. You can also have 1GB personal file attachments.
Looking at the vault, one great thing about it which I've not seen in LastPass is the ability to add multiple domains to a single record. If a site you have a password for uses the same login for multiple subdomains, then you can add each additional subdomain to the record. You can also change the URL match for records to use RegEx, a base domain, or even specific pages on a site. Setting up a site can also allow Bitwarden to manage the one-time password for you, so you don't need an additional authenticator for different services.
The same type of AES-256 and PBKDF2 SHA-256 encryption which is used by LastPass is also used by Bitwarden. the basic, free account allows Google Authenticator or email verification to be used for 2FA, but the premium account adds Yubikey, Duo and FIDO U2F.
You can make your account more secure by increasing the number of "rounds" which the PBKDF2 process iterates through to generate the key. The default is 100,000, and increasing this increases the time it takes to generate a key, and reduces the speed at which brute for attacks can take place. Setting this too high, though, might make logging in unusable.
For most people, the free version of Bitwarden will be sufficient, though the premium offering is only $10 per year. Less than $1 per month. It might not be as polished in some areas as LastPass, but certainly worth a test-run ahead of paying.
Dashlane is the more corporate looking password manager out there. It looks, on the surface, as though it wants business users to be their customers. Their site is set up as such. It's very much a "please get on with it, and don't ask too many questions" build. Just finding information for this article was a pain on their site, so factor that in to your decision making process. If you need to find information, you'll have to look hard.
Dashlane only covers Windows and Mac as native operating systems, plus iOS and Android, with other users told to use Dashlane for web. That won't be a problem for most, but the lack of support to quite a lot of people will be off putting.
Browser support is limited to Firefox, Safari, and Chromium based browsers. Okay, that's most of them, but unless you know Opera and Brave are Chromium based (as is Edge), then you might be worried about your lack of supported browser here.
Oddly for a password manager, Dashlane makes no mention of a password generation feature on its plans page. It does have one, but information about it is buried in a link under "more information" at the bottom of each page - again, information hidden and hard to find. It will autofill forms for you, and you can have unlimited passwords (you only get 50 on the free account), and comes with Dark Web monitoring and alerts, much like LastPass.
As with LastPass and BitWarden, Dashlane employs AES-256 encryption with PBKDF2 in the mix for key generation. However, they only use 10,000 iterations compared to 100,000 for Bitwarden. Whilst I admire the transparency, it is something which could and should be changed as computers become increasingly powerful and able to compute keys via cryptographic functions faster.
All plans allow the use of YubiKeys, but other 2FA options include Authy, Google Authenticator and FreeOTP.
A serious limitation is the length of password you can generate with Dashlane. This is limited to 40 characters. That shouldn't be a problem for a long time, but is a limitation some people will not be happy with.
Dashlane offers two methods of pricing, annual or monthly. If you buy an annual subscription you save 20%, bringing the "monthly cost" down from $3.99 to $3.33.
I signed up for a free trial with 1Password, but I could not progress through the process of testing it without providing credit card details. I wasn't prepared to do that as I'd forget to cancel the trial. However, as it has apps for Mac, Windows, Linux, iOS, Android and Chrome OS (the only one which is listed as having Chrome OS support), and costing from $2.99 a month when billed annually, it is an option some may wish to consider further.
All of the options are viable, but reading the comparisons could be done via their websites, so I've scored the 3 different options I could try out to give a more quantifiable view. Each section outlines how they were scored.
A point was given for each OS supported (to a maximum of 3), a point for iOS, a point for Android. A point was then awarded for each browser that was officially supported outside of the "web vault".
- LastPass: 11 points
- Bitwarden: 13 + 1 bonus point for CLI offering - total of 14 points.
- Dashlane: 9
A point awarded for each of: form autofill, password generation, online vault, data breach monitoring, encrypted file storage, solid documentation. Fairly simple and standard features you would expect for these products.
- LastPass: 6
- Bitwarden: 6 + 1 bonus point for the intelligent setup for matching sites to domains, RegEx, specific pages etc. Total of 7 points.
- DashLane: 4
Whilst all options offered the same method of encryption, they are all at different levels and need adjusting accordingly to some arbitrary level. This was based on availability of 2FA, length of generated passwords, rounds used in PBKDF2 functions (or 1 off for not being listed).
- LastPass: 3 (hard to find, but documentation lists 100,100 rounds within PBKDF2)
- Bitwarden: 3 + 1 bonus point for allowing the adjustment of the PBKDF2 rounds to increase Security
- Dashlane: 1 (limited password length to 40 characters for generation and only 10,000 rounds in PBKDF2 drops points here)
Listed out of 3, where the cheapest gets 3 points, next gets 2, and the most expensive gets 1 point.
- LastPass: 2 points ($36 per year)
- Bitwarden: 3 points ($10 per year)
- Dashlane: 1 point
A tabular rundown of the points:
It's a clear win for Bitwarden, out in front by 6 courtesy of a lot of bonus points, and a fantastic price for premium features. It might not look as pretty as LastPass in some areas, but it is certainly a functional offering and should be given some serious consideration ahead of any purchase.