This article is more than 1 year old
For password protection, dump LastPass for open source Bitwarden
After the security breach last summer, staying put is playing with fire
Opinion For better or worse, we still need passwords, and to protect and organize them, I recommend the open source Bitwarden password manager.
LastPass is perhaps the world's most popular password manager. It's also arguably the most broken password manager. There's a better, safer open source alternative.
But before I dive into Bitwarden, let's talk a little bit about why LastPass is problematic. Late last year, LastPass CEO Karim Toubba revealed that an August security incident had been much worse than they'd first admitted. Instead of simply losing internal source code and developer documents – bad enough – they'd also lost customer account information and vault data.
What does that mean? It means that, at the least, someone out there may have your unencrypted subscriber account data. That includes your LastPass usernames, company names, billing addresses, email addresses, phone numbers, and IP addresses. They also have your vault data. That includes website URLs and your encrypted usernames and passwords.
Has your account been breached? LastPass isn't saying. How many people's account data has been stolen? We don't know. Has everyone's data been swiped? Maybe.
Toubba claims that the encrypted data remains "secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture." So, in theory, your passwords should be safe.
Yeah. Right. If you used a weak password for your master password, say, the ever-popular "123456," you're as good as cracked. And with that, all your other passwords will fall right into the attacker's hands. Even the best encryption lock in the world won't help you if you've given the attacker the key with an easy-to-guess master password.
I also find it more than a little sketchy that LastPass isn't telling anyone any further details of what's what with the break-in. Bitwarden, on the other hand, is transparent with its audits and certifications besides its open codebase. The difference is clear.
LastPass recommends you change your master password and all your other passwords. I recommend you kiss LastPass goodbye and switch to another password manager.
There are many good password managers. They include 1Password, DashLane, and NordPass. But for my money, or no money at all, you can't beat Bitwarden.
Bitwarden is a kinda sorta open source program. The company admits the Bitwarden License does not qualify as open source under the Open Source Initiative (OSI) definition, but they "believe that the license successfully balances the principles of openness and community with our business goals."
- LastPass admits attackers have a copy of customers' password vaults
- Intruders get their hands on user data in LastPass incident
- LastPass source code, blueprints stolen by intruder
- Popular password manager LastPass to be spun out from LogMeIn
I wish it were under, say, an Apache license, but it's still more open source-friendly than anything else out there so I'll live with it.
Leaving aside the licensing issue, the practical side of Bitwarden is it's free to use both on a server or a client. For example, as a client, you can run it on Linux, Windows, macOS, Android, iPhone, and iPad. With its browser extensions, you can also use it on Brave, Chrome, Edge, Firefox, Safari, Opera, Vivaldi, and Tor. The cost? You can run it for free on every device and browser you've got.
For free, you also get a cloud-based store for all your passwords, Bitwarden Web Vault; a random password generator; two-factor authentication (2FA); and the added safety of Bitwarden's database breach feature. This last feature checks to see if any of your passwords have already been exposed.
Spoiler alert: odds are your passwords are already out there. Don't believe me? Check your email address or phone number on HaveIbeenPwned and prepare for an unpleasant surprise.
Suppose, however, you don't trust anyone with your IDs and passwords? In that case, you can do what I do and run your own Bitwarden server. If doing it from scratch is too daunting for you, you can set Bitwarden up pretty easily on your own machine using Docker containers. Don't have a server of your own? You can even install and run Bitwarden off a Raspberry Pi.
Let's say you're not a Linux system administrator, and not as paranoid as I am. In that case, you may want to invest in one of Bitwarden's commercial tiers.
For $10 a year, you get a password strength report; a gigabyte of storage for encrypted file attachments; and 2FA hardware secure login support for YubiKey and/or Duo. I'm a big believer in physical 2FA keys. It's just way too easy to crack texting/SMS 2FA. The most popular authenticator apps, such as Google and Microsoft's, are tied at the hip to major companies.
If you have a family or small group, there's a $40-a-year plan for six users. You can also share passwords with this plan. Do not, I repeat, do not do this. Maybe you trust your brother. Me? I'm not so trusting.
Finally, there are two Bitwarden business plans. The first, Teams, for small organizations, costs $3 a month per user. The bigger and more full-featured Enterprise plan will run you $5 per user monthly.
Whatever you decide to do, I urge you to quit LastPass and switch to another password manager. I don't know what's going on there. No one does. Frankly, I just don't trust them anymore. And neither should you. ®