Switching from LastPass to 1Password - wdyt?

TL:DR - any objections to switching to 1Password? [if we can migrate from LastPass]

Hi everyone!

As you might be aware, our annual license with LastPass recently expired, and we’re looking to renew our password manager. Thank you to those that emailed me back to confirm whether you do/don’t still need one :+1:

For those that do - we’re considering using this opportunity to change from LastPass to 1Password.

I’m currently speaking with LastPass support to see how we can migrate our data (we’ve been locked out of it since our license expired, so I’m seeing what our options are), but in the meantime, I wanted to check if anyone had any objections with potentially switching to 1Password if that’s an option we can pursue?

More info below. Would love to hear your thoughts, cheers!

Effort involved

  • If we were to migrate, we’d try to do as much as possible of the work of migrating passwords centrally, but there may be folders I can’t help with, e.g. your own personal folders, so it’s possible I might have to ask people to take responsibility for migrating their own vaults/folders. It looks like there’s an export vault function which works pretty seamlessly between LP <> 1Password though, which should make migration easier: https://support.1password.com/import-lastpass/
  • In terms of the amount of data (passwords), we have 16 shared folders, with 27 passwords. This doesn’t include personal vaults created by each user in their own account (which I don’t have visibility on).
  • We currently have 35 licensed users, and a few more people using free accounts who have been added to shared folders. 8 people responded to let me know they no longer need access to a password manager. Those people accessing LastPass right now from a free account may need to be converted to paid users to use 1Password.

Cost

  • LP per license (user) per year is $64
  • 1Password
    • The cheapest subscription level (Team) should be sufficient for us - we don’t need VIP support or a huge amount of storage. Team sub doesn’t include free family accounts, so there may be an issue there with people managing two accounts if already using 1Password privately (work + personal)
    • Cost is $48 p/p/p/a (or if we want Business with slightly more features, that’s $96).

1Password imo is the better choice - we would save money and get a better user experience, likely without a prohibitive transition cost - assuming there are no strong objections. Lmk what you think!

cc @petty

2 Likes

As long as I can migrate easily, I don’t mind switching :+1:
(bonus points if 1Password has a mobile app just like LastPass)

1 Like

It does :slight_smile: https://support.1password.com/getting-started-ios/

1 Like

I’d be OK with 1Password, and would prefer it over Lastpass. I’ve used it as my main password manager for the last few years, until recently.

If we haven’t, I’d consider like us to consider using Bitwarden. It’s open source and I personally switched from 1Password to it once 1Password started to push for cloud/subscription/whatever only model. So far so good, and I know a bunch of other people use it at Status too (@arnetheduck IIRC?). It seems to align more philosophically with us as well. It has a reasonable iOS app and extensions you’d expect.

They seem to support teams: https://blog.bitwarden.com/password-sharing-is-here-organizations-cf9e7a2098d2 but I haven’t tried that part of them, nor have I evaluated our requirements thoroughly compared to Lastpass/1Password. See more here https://bitwarden.com/

1 Like

+1 for Bitwarden.
I too wouldn’t mind teaching the commerical ones a lesson in good UX and user retention :slight_smile:

Yeah, I’m using bitwarden, works fine for me though I’m a light user - using it on ff, chrome through extensions and android app so far - they have a web ui too where the heavy lifting is done, the extensions don’t have all features which is fine (they’re more simple to use that way). Just about to upgrade to their personal pro version after having tried free for a bit.

+1 for going with an open source alternative.

I will look into this to make sure it handles what we need from an organizational standpoint. The sharing aspects of this is crucial, as well as member management (revocation). I’d imagine pricing is similar.

LessPass is interesting. https://github.com/lesspass/lesspass https://lesspass.com/
It derives a unique reproducible password from a master password vs. domain + username.
This seems safer then a vault file (credetintials encrypted database) and more portable.

If an attacker obtains the vault file, but does not have the password, and depending on user password strength, a brute-force can be effective.

Both 1Password and LessPass are vulnerable to a spyware, in the same scenario, 1Password would leak more secrets, while with LessPass the attacker still need to know domain and usernames.

Also LessPass is safer against data corruption, as all you need to remember is the login details (domain + username) and master password.

Notice that LessPass is not safe for generating cryptocurrency private key seeds, as there is no login information to input, i.e. public key cannot be used to derive private key, because private key derives public key. Although something similar was built for Bitcoin ( https://keybase.io/warp/ ) using user email as salt and password as seed, together with many rounds of slow hashing, to prevent mass email lists being attacked with password lists or other bruteforcing.

Thanks everyone for weighing in! A quick update that we took a look at Bitwarden and it’s looking good as a replacement password manager. It gives us all the team and organisation features we want, has all clients we need, is open source, and works out cheaper than the non-OS alternatives.

I’ve been speaking with LastPass about the process for extracting our password data now that our license expired (TL:DR - they don’t make it easy - we can only export passwords if an admin buys a bridging license and that admin can only see folders they were previously added to, there is no way to make one person a super admin to export all the vaults). We may not be able to migrate every password so we may need to reset passwords on some accounts (extra effort, but has security benefits).

I’ll be in touch with a plan, and also will be reaching out to people who may hold passwords to our company accounts (or are admins on folders in LP) to help me migrate this info across.

Please lmk if you have any questions or concerns. Thanks!

1 Like

Do we want to self-host the organization vaults? This is an option but will add slight additional cost and time for us to set up and maintain.

Hey @petty! I didn’t hear much feedback on this either for/against - what are you thinking about it?

I’d like to move forward with self-hosting. The cost is minimal and we own everything, not relying on anything but ourselves, which is the way I’d prefer it. All functionality stays the same.

Porting over is as simple as an export/import (I’m hoping that’s the case for collections as well)

Me and Jakub will work on this this week.

2 Likes

So here’s what we’ve discovered as we have implemented the self-hosting instance of BitWarden:

If we use the self-hosted instance of bitwarden:

  • we have a complete control (potentially not if an expired license file revokes access or not) of our data and control of secrets (and high resolution access) across the company.
  • users have premium access options and can use it for personal use as well
  • We will restrict sign-up to this to @status.im emails
  • If a user leaves the company, they will lose access to personal passwords (will need to export them and start a new personal instance), meaning they are better off using a separate password manager of their choice (especially if they plan to do family plans or other organizational sharing outside of status)
  • all clients work with self-hosted instance with some tweaking at login. This makes it quite annoying switching between personal use and work use if both are bitwarden.
  • It is now our responsibility to maintain the infrastructure security and uptime. This is covered quite well with how we set up infra and then our monitoring services.

If we use hosted instance:

  • we can share organizational secrets with a user’s personal account, having a single login with all secrets available
    • note there is no difference in security here, only convenience.
  • we are reliant upon bitwarden to not be breached and to have constant uptime
  • If we revoke access, the user keeps their personal secrets access, but loses premium features (if they don’t have them).
  • The cost is slightly more than hosted version, but minimal as the infrastructure isn’t that much in terms of demand.

It was my goal in this switch to lower the barrier of entry to individuals using password managers for personal use as well as work. While the self-hosted instance gives us more control of our data and narrows the attack surface, it drastically increases the friction of personal password manager use. It is my opinion that security practices that are obtuse to use simply won’t be used.

I’d love it if we had some conversation around this, as now is the time to make the choice between the two options.

Generally I would vote for self-hosted, always, but given that “self” in our case implies AWS anyway and Bitwarden is likely also hosting there, I’d say go with the one that has a lower barrier of entry and smoother UX.

Bitwarden is on Azure AFAIK, but yeah. I personally don’t use Bitwarden, but the convenience of hosted solution might be worth it for people who do.

@jakubgs can give details on what it’s deployed to, backup, and geolocation.

We don’t use AWS for Status infra. Our BitWarden service is hosted on DigitalOcean.

And we have daily backups of the MSSQL database which are encrypted and uploaded to a private DO bucket. Not sure what “geolocation” means in this context though.

I could swear I saw something AWS related in our infra at one point. My mistake.

You might have seen the setup for https://dap.ps/. But that’s quite separate from Status. Separate GH org, separate repos, separate infra, separate costs, so on.

1 Like

I naturally lean towards anything self-hosted, but since I’ve set this up I’m biased so I’ll let others decide.