Switching from LastPass to 1Password - wdyt?

password-manager

#1

TL:DR - any objections to switching to 1Password? [if we can migrate from LastPass]

Hi everyone!

As you might be aware, our annual license with LastPass recently expired, and we’re looking to renew our password manager. Thank you to those that emailed me back to confirm whether you do/don’t still need one :+1:

For those that do - we’re considering using this opportunity to change from LastPass to 1Password.

I’m currently speaking with LastPass support to see how we can migrate our data (we’ve been locked out of it since our license expired, so I’m seeing what our options are), but in the meantime, I wanted to check if anyone had any objections with potentially switching to 1Password if that’s an option we can pursue?

More info below. Would love to hear your thoughts, cheers!

Effort involved

  • If we were to migrate, we’d try to do as much as possible of the work of migrating passwords centrally, but there may be folders I can’t help with, e.g. your own personal folders, so it’s possible I might have to ask people to take responsibility for migrating their own vaults/folders. It looks like there’s an export vault function which works pretty seamlessly between LP <> 1Password though, which should make migration easier: https://support.1password.com/import-lastpass/
  • In terms of the amount of data (passwords), we have 16 shared folders, with 27 passwords. This doesn’t include personal vaults created by each user in their own account (which I don’t have visibility on).
  • We currently have 35 licensed users, and a few more people using free accounts who have been added to shared folders. 8 people responded to let me know they no longer need access to a password manager. Those people accessing LastPass right now from a free account may need to be converted to paid users to use 1Password.

Cost

  • LP per license (user) per year is $64
  • 1Password
    • The cheapest subscription level (Team) should be sufficient for us - we don’t need VIP support or a huge amount of storage. Team sub doesn’t include free family accounts, so there may be an issue there with people managing two accounts if already using 1Password privately (work + personal)
    • Cost is $48 p/p/p/a (or if we want Business with slightly more features, that’s $96).

1Password imo is the better choice - we would save money and get a better user experience, likely without a prohibitive transition cost - assuming there are no strong objections. Lmk what you think!

cc @petty


#2

As long as I can migrate easily, I don’t mind switching :+1:
(bonus points if 1Password has a mobile app just like LastPass)


#3

It does :slight_smile: https://support.1password.com/getting-started-ios/


#4

I’d be OK with 1Password, and would prefer it over Lastpass. I’ve used it as my main password manager for the last few years, until recently.

If we haven’t, I’d like us to consider using Bitwarden. It’s open source and I personally switched from 1Password to it once 1Password started to push for a cloud/subscription/whatever-only model. So far so good, and I know a bunch of other people use it at Status too (@arnetheduck IIRC?). It seems to align more philosophically with us as well. It has a reasonable iOS app and the extensions you’d expect.

They seem to support teams: https://blog.bitwarden.com/password-sharing-is-here-organizations-cf9e7a2098d2 but I haven’t tried that part of them, nor have I evaluated our requirements thoroughly compared to Lastpass/1Password. See more here https://bitwarden.com/


#5

+1 for Bitwarden.
I too wouldn’t mind teaching the commercial ones a lesson in good UX and user retention :slight_smile:


#6

Yeah, I’m using bitwarden, works fine for me though I’m a light user - using it on ff, chrome through extensions and android app so far - they have a web ui too where the heavy lifting is done, the extensions don’t have all features which is fine (they’re more simple to use that way). Just about to upgrade to their personal pro version after having tried free for a bit.

+1 for going with an open source alternative.


#7

I will look into this to make sure it handles what we need from an organizational standpoint. The sharing aspects of this are crucial, as well as member management (revocation). I’d imagine pricing is similar.


#8

LessPass is interesting. https://github.com/lesspass/lesspass https://lesspass.com/
It derives a unique reproducible password from a master password vs. domain + username.
This seems safer than a vault file (an encrypted credentials database) and more portable.

If an attacker obtains the vault file, but does not have the password, and depending on user password strength, a brute-force can be effective.

Both 1Password and LessPass are vulnerable to spyware; in the same scenario, 1Password would leak more secrets, while with LessPass the attacker would still need to know the domains and usernames.

Also LessPass is safer against data corruption, as all you need to remember is the login details (domain + username) and master password.

Notice that LessPass is not safe for generating cryptocurrency private key seeds, as there is no login information to input, i.e. public key cannot be used to derive private key, because private key derives public key. Although something similar was built for Bitcoin ( https://keybase.io/warp/ ) using user email as salt and password as seed, together with many rounds of slow hashing, to prevent mass email lists being attacked with password lists or other bruteforcing.
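Added illustration of the deterministic scheme described in the post above (this is not LessPass’s own code, nor code from anyone in this thread): a slow KDF stretches the master password with a salt made of site + login + counter, and the result is rendered into a password that contains every character class. The KDF, iteration count, salt layout, alphabet and the sample inputs are all assumptions chosen for the example, not LessPass’s exact parameters.

```python
import hashlib

# Assumed parameters for this illustration (not LessPass's exact choices):
# a slow PBKDF2-HMAC-SHA256 derivation, so that a single leaked site password
# cannot cheaply be turned back into the master password, and a fixed
# alphabet for rendering the derived bytes into printable characters.
ITERATIONS = 100_000
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!#$%&*+-=?@_"
CHARSETS = (LOWER, UPPER, DIGITS, SYMBOLS)


def derive_entropy(master_password: str, site: str, login: str, counter: int = 1) -> bytes:
    """Stretch the master password with a salt built from the login details.

    site + login + counter is everything the user has to remember instead of a
    vault; the counter allows rotating one site's password without changing the
    master password (rotation is the main caveat of a vault-less scheme).
    """
    salt = f"{site}{login}{counter:x}".encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )


def render_password(entropy: bytes, length: int = 16) -> str:
    """Map 256 bits of entropy to a password with at least one character from
    every class. The entropy is consumed as a big integer, digit by digit, so
    the rendering is fully deterministic (no randomness is involved)."""
    if length < len(CHARSETS):
        raise ValueError("length too short to include every character class")
    n = int.from_bytes(entropy, "big")
    alphabet = "".join(CHARSETS)
    chars = []
    for _ in range(length - len(CHARSETS)):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    # Guarantee one character per class, inserted at an entropy-derived position.
    for charset in CHARSETS:
        n, idx = divmod(n, len(charset))
        n, pos = divmod(n, len(chars) + 1)
        chars.insert(pos, charset[idx])
    return "".join(chars)


def derive_password(master_password: str, site: str, login: str,
                    counter: int = 1, length: int = 16) -> str:
    """The whole pipeline: login details + master password -> site password."""
    return render_password(derive_entropy(master_password, site, login, counter), length)


def has_all_classes(password: str) -> bool:
    """Check the rendering guarantee (one character from each class)."""
    return all(any(c in charset for c in password) for charset in CHARSETS)


def demo() -> dict:
    # Constructed sample inputs for the example; none of these are real credentials.
    master = "correct horse battery staple"
    return {
        "same": derive_password(master, "example.com", "alice"),
        "again": derive_password(master, "example.com", "alice"),       # identical
        "other_site": derive_password(master, "example.org", "alice"),  # differs
        "rotated": derive_password(master, "example.com", "alice", counter=2),
        "other_master": derive_password("another master phrase", "example.com", "alice"),
    }


if __name__ == "__main__":
    for name, password in demo().items():
        print(f"{name:>12}: {password}")
```

Running the demo shows the properties the post relies on: the same inputs always reproduce the same password (nothing to back up or corrupt), a different site or login yields an unrelated password, and a per-site counter is the only way to rotate one password. It also shows the flip side: changing the master password silently changes every derived password, so a master-password change means re-setting every account.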


#9

Thanks everyone for weighing in! A quick update that we took a look at Bitwarden and it’s looking good as a replacement password manager. It gives us all the team and organisation features we want, has all clients we need, is open source, and works out cheaper than the non-OS alternatives.

I’ve been speaking with LastPass about the process for extracting our password data now that our license expired (TL:DR - they don’t make it easy - we can only export passwords if an admin buys a bridging license and that admin can only see folders they were previously added to, there is no way to make one person a super admin to export all the vaults). We may not be able to migrate every password so we may need to reset passwords on some accounts (extra effort, but has security benefits).

I’ll be in touch with a plan, and also will be reaching out to people who may hold passwords to our company accounts (or are admins on folders in LP) to help me migrate this info across.

Please lmk if you have any questions or concerns. Thanks!


#10

Do we want to self-host the organization vaults? This is an option but will add slight additional cost and time for us to set up and maintain.


#11

Hey @petty! I didn’t hear much feedback on this either for/against - what are you thinking about it?


#12

I’d like to move forward with self-hosting. The cost is minimal and we own everything, not relying on anything but ourselves, which is the way I’d prefer it. All functionality stays the same.

Porting over is as simple as an export/import (I’m hoping that’s the case for collections as well)

Jakub and I will work on this this week.