Goodbye LastPass! You're fired!
Caution: Rant ahead.
I've been reasonably happy with LastPass for around 5 years. My whole family used paid premium subscriptions. When I first had to make a choice of password managers, it essentially came down to 1Password or LastPass. At the time I preferred 1Password but had to rule it out due to a severe case of platform lock-in. Native browser password stores were out due to browser lock-in. LastPass worked everywhere, even on exotic systems like my FreeBSD desktops. For the most part it seemed Good Enough.
Over the last year or so, the LastPass irritations started piling up. Then came the problems, and now the showstoppers.
My wife was the first to lose her trust in LastPass - she complained bitterly that it kept forgetting to save passwords it had generated and she started refusing to use it.
I too had been growing increasingly unhappy with it. They took the sub-par UI from the Chrome flavor of the addon and brought it to Firefox as V4.0. It was a distinct step backwards in terms of performance and usability. Then they made a series of horrendous gaffes like shipping a broken addon where critical UI menus were 1 pixel wide.
Then came the really hair-raising things like removing support for the Amazon Android devices and implying to people that they should break their security by jailbreaking their devices to use other builds.
All this time, the LastPass browser addon had a nasty habit of failing to capture new account passwords. It had a plan-B though - it saved the generated password "in case". If it didn't catch the actual account info from the form submit then at least the random password was still safely stashed and recoverable.
After another lost-password incident, I went to show my wife how to retrieve the previously saved generated passwords and discovered that the feature was gone! Reliably saving random generated passwords was the One Job that the addon had - and LastPass stopped doing it.
It appeared that to work around the unreliable capturing of its generated passwords, I would be forced to copy/paste the plaintext to a text document on my computer which defeated the point of the exercise. This is an absolutely stupendous showstopper. While I'm sure there could have been workarounds - the primary user interface was dangerous to use. LastPass: What on earth were you thinking?!
I asked for suggestions on twitter and received enthusiastic recommendations for BitWarden, and a few others like pass. I was actually looking for a well integrated, spouse-friendly KeePass-based system but never found one that I liked, that she would accept, and had a way to be used on all our platforms.
BitWarden was love at first sight. It was streamlined. It does things in the right order. It is open source. Data is encrypted on your device and only reaches the server in encrypted form. You can either use their hosted service or run a private server yourself.
For BitWarden, the user experience for creating an account with a strong random password on a new site is something like this:
- Hit the + and type the username you want, then generate, then save.
- Then once it is saved, use its form filler (or copy/paste).
- If everything is fine, the account is created using the data you already saved.
- There are a minimum of clicks and it doesn't get in the way.
It does the One Job of a password manager - save the damn password, no matter what! - right up front in the cleanest manner I have come across so far in browser-based password addons. It sure beats LastPass approach with "cross fingers and hope that this time, perhaps it won't screw up, maybe."
It was relatively easy to export my LastPass vault and import into BitWarden. There are instructions on the BitWarden site.
BitWarden is spouse friendly, works on every platform I have (including my FreeBSD desktops), and frankly, should be causing the loss of sleep for the likes of LastPass and 1Password.
If you are looking for a better alternative to LastPass then I strongly recommend you take a good look at BitWarden. I wish I had found it sooner.
PS: don't get me started on 1Password's enforced cloud subscription "service".
Links:
- BitWarden: https://bitwarden.com/
- 1Password: https://1password.com/
- LastPass: https://lastpass.com/
- Pass: https://www.passwordstore.org/
Comments? Twitter or Contact info
Disclosure: I'm seriously annoyed at LastPass (you can tell by the fact that I risked using my lousy graphic skills to add an image to this post), but otherwise have no connection to BitWarden.