Switching from LastPass to 1Password - wdyt?

I’d be OK with 1Password, and would prefer it over Lastpass. I’ve used it as my main password manager for the last few years, until recently.

If we haven’t already, I’d like us to consider using Bitwarden. It’s open source and I personally switched from 1Password to it once 1Password started to push for a cloud/subscription/whatever-only model. So far so good, and I know a bunch of other people use it at Status too (@arnetheduck IIRC?). It seems to align more philosophically with us as well. It has a reasonable iOS app and the extensions you’d expect.

They seem to support teams: https://blog.bitwarden.com/password-sharing-is-here-organizations-cf9e7a2098d2 but I haven’t tried that part of them, nor have I evaluated our requirements thoroughly compared to Lastpass/1Password. See more here https://bitwarden.com/

1 Like

+1 for Bitwarden.
I too wouldn’t mind teaching the commercial ones a lesson in good UX and user retention :slight_smile:

Yeah, I’m using bitwarden, works fine for me though I’m a light user - using it on ff, chrome through extensions and android app so far - they have a web ui too where the heavy lifting is done, the extensions don’t have all features which is fine (they’re more simple to use that way). Just about to upgrade to their personal pro version after having tried free for a bit.

+1 for going with an open source alternative.

I will look into this to make sure it handles what we need from an organizational standpoint. The sharing aspects of this is crucial, as well as member management (revocation). I’d imagine pricing is similar.

LessPass is interesting. https://github.com/lesspass/lesspass https://lesspass.com/
It derives a unique, reproducible password from a master password plus domain + username.
This seems safer than a vault file (an encrypted credentials database) and more portable.

If an attacker obtains the vault file but does not have the password, then, depending on user password strength, a brute-force can be effective.

Both 1Password and LessPass are vulnerable to spyware; in the same scenario, 1Password would leak more secrets, while with LessPass the attacker still needs to know the domains and usernames.

Also LessPass is safer against data corruption, as all you need to remember is the login details (domain + username) and master password.

Notice that LessPass is not safe for generating cryptocurrency private key seeds, as there is no login information to input, i.e. the public key cannot be used to derive the private key, because the private key derives the public key. Although something similar was built for Bitcoin ( https://keybase.io/warp/ ) using the user’s email as salt and password as seed, together with many rounds of slow hashing, to prevent mass email lists being attacked with password lists or other brute-forcing.
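As an added illustration of the deterministic derivation this post describes (this is not LessPass’s own code; the PBKDF2 parameters, the salt layout, the output alphabet and the hypothetical `counter` field for rotating a single site’s password are all assumptions made here), the following shows that nothing needs to be stored: the same master password, domain and username always reproduce the same site password, and changing any one input yields an unrelated one.

```python
import hashlib
import string

# Assumed parameters for this example only. LessPass's real profile
# (its iteration count, salt encoding and character-set rules) is not
# reproduced here; the point is the derivation shape, not bit-for-bit parity.
ITERATIONS = 100_000
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"  # 75 symbols


def derive_password(master: str, domain: str, username: str,
                    counter: int = 1, length: int = 16) -> str:
    """Return a site password derived purely from its inputs.

    master    -- the only secret the user remembers
    domain    -- site identifier, e.g. "example.com"
    username  -- login on that site
    counter   -- hypothetical rotation field: bump it when a site forces a
                 password change, since the other inputs cannot change
    length    -- number of output characters
    """
    # The non-secret inputs form the salt, so every (domain, username, counter)
    # triple stretches the master password into a different 256-bit key.
    salt = f"{domain}\x00{username}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              ITERATIONS, dklen=32)

    # Treat the key as one big integer and peel off base-75 digits. With a
    # 256-bit value and 16 digits (75**16 < 2**100) the bias from this
    # mapping is negligible.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def is_reproducible(master: str, domain: str, username: str) -> bool:
    """Two independent derivations agree: there is no vault to back up."""
    return derive_password(master, domain, username) == \
        derive_password(master, domain, username)


def inputs_are_independent(master: str, domain: str, username: str) -> bool:
    """Changing the domain, the username or the counter changes the result,
    which is why an attacker with the master password still needs to know
    which (domain, username) pairs exist."""
    base = derive_password(master, domain, username)
    return (base != derive_password(master, domain + ".evil", username)
            and base != derive_password(master, domain, username + "2")
            and base != derive_password(master, domain, username, counter=2))


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    pw = derive_password("correct horse battery staple", "example.com", "alice")
    print(pw)
    print("reproducible:", is_reproducible("correct horse battery staple",
                                           "example.com", "alice"))
```

The trade-off the post points at is visible in the code: because the salt is public, the only thing protecting every derived password is the master password and the cost of `ITERATIONS`, so a weak master password is weak everywhere at once, and a site that demands a new password can only be accommodated by an extra input like the `counter` here.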

Thanks everyone for weighing in! A quick update that we took a look at Bitwarden and it’s looking good as a replacement password manager. It gives us all the team and organisation features we want, has all clients we need, is open source, and works out cheaper than the non-OS alternatives.

I’ve been speaking with LastPass about the process for extracting our password data now that our license expired (TL;DR: they don’t make it easy. We can only export passwords if an admin buys a bridging license, and that admin can only see folders they were previously added to; there is no way to make one person a super admin to export all the vaults). We may not be able to migrate every password, so we may need to reset passwords on some accounts (extra effort, but it has security benefits).

I’ll be in touch with a plan, and also will be reaching out to people who may hold passwords to our company accounts (or are admins on folders in LP) to help me migrate this info across.

Please lmk if you have any questions or concerns. Thanks!

1 Like

Do we want to self-host the organization vaults? This is an option but will add slight additional cost and time for us to set up and maintain.

Hey @petty! I didn’t hear much feedback on this either for/against - what are you thinking about it?

I’d like to move forward with self-hosting. The cost is minimal and we own everything, not relying on anything but ourselves, which is the way I’d prefer it. All functionality stays the same.

Porting over is as simple as an export/import (I’m hoping that’s the case for collections as well).

Me and Jakub will work on this this week.

2 Likes

So here’s what we’ve discovered as we have implemented the self-hosting instance of BitWarden:

If we use the self-hosted instance of bitwarden:

  • we have complete control (potentially not, depending on whether an expired license file revokes access) of our data and control of secrets (with fine-grained access) across the company.
  • users have premium access options and can use it for personal use as well
  • We will restrict sign-up to this to @status.im emails
  • If a user leaves the company, they will lose access to personal passwords (will need to export them and start a new personal instance), meaning they are better off using a separate password manager of their choice (especially if they plan to do family plans or other organizational sharing outside of status)
  • all clients work with self-hosted instance with some tweaking at login. This makes it quite annoying switching between personal use and work use if both are bitwarden.
  • It is now our responsibility to maintain the infrastructure security and uptime. This is covered quite well with how we set up infra and then our monitoring services.

If we use hosted instance:

  • we can share organizational secrets with a user’s personal account, having a single login with all secrets available
    • note there is no difference in security here, only convenience.
  • we are reliant upon bitwarden to not be breached and to have constant uptime
  • If we revoke access, the user keeps their personal secrets access, but loses premium features (if they don’t have them).
  • The cost is slightly more than the self-hosted version, but minimal, as the infrastructure isn’t that demanding.

It was my goal in this switch to lower the barrier of entry to individuals using password managers for personal use as well as work. While the self-hosted instance gives us more control of our data and narrows the attack surface, it drastically increases the friction of personal password manager use. It is my opinion that security practices that are obtuse to use simply won’t be used.

I’d love it if we had some conversation around this, as now is the time to make the choice between the two options.

Generally I would vote for self-hosted, always, but given that “self” in our case implies AWS anyway and Bitwarden is likely also hosting there, I’d say go with the one that has a lower barrier of entry and smoother UX.

Bitwarden is on Azure AFAIK, but yeah. I personally don’t use Bitwarden, but the convenience of hosted solution might be worth it for people who do.

@jakubgs can give details on what it’s deployed to, backup, and geolocation.

We don’t use AWS for Status infra. Our BitWarden service is hosted on DigitalOcean.

And we have daily backups of the MSSQL database which are encrypted and uploaded to a private DO bucket. Not sure what “geolocation” means in this context though.

I could swear I saw something AWS related in our infra at one point. My mistake.

You might have seen the setup for https://dap.ps/. But that’s quite separate from Status. Separate GH org, separate repos, separate infra, separate costs, so on.

1 Like

I naturally lean towards anything self-hosted, but since I’ve set this up I’m biased so I’ll let others decide.

I think that using a self-hosted instance is better because we control all this data, but we have to sort out a safe backup policy for this data.
Regarding users putting their personal data inside this vault, they should be advised not to do it and to use it only for Status-related passwords, because it would be like storing your personal items in someone else’s vault.

1 Like

I currently use both 1Password and Lastpass and do have a mix of Personal and Status on Lastpass. I don’t mind putting in some effort to clean up and use Bitwarden only for Status accounts.

Here’s how I’d likely use it:

  • Maintain 1Password and export all Personal accounts there and all Status accounts to Bitwarden.
  • The bulk of Status accounts, the ones I already have, will live there.
  • If I’m setting up a new account (e.g. for a new tool) 2 min before UX testing as a last resort when all infra is failing me and I have 10 other things on my mind… I will probably go for 1Password
  • New accounts might grow like this on 1Password and I’ll manually move these to Bitwarden, potentially 6 months later.
  • I’ll likely also use a 1Password generated secret to get into Bitwarden so I only have to worry about losing 1 Master password.

@petty I’ll totally leave it up to you to judge whether this sounds acceptable. It’s my most realistic imagination of how I’d use Bitwarden in practice.

Another perspective: I have no clue how much of an investment this is for you @petty and @jakubgs, I’d say we’re looking for a proven secure solution that enables our work. If either option leaves any time to spare to speed up product development, while using a proven secure solution, I’d opt for that one.

The goal of the original idea in bitwarden was exactly for this.

Optimally, you’d switch everything to bitwarden, as it’s free for personal use but being part of the Status org gives premium services across the board while you’re a part of it. This would allow you to have everything in the same UI, but organization secrets stay in the org “collections” which you could add to and we could manage appropriately.

Transferring from a password manager to bitwarden is quite easy as they import all common app export formats. Setting up collections within a given “group” is pretty easy from there to share with whoever is doing things with you.

My main concern with the self-hosted solution is that all of the previously mentioned ease of use goes out the window. A self-hosted solution is the same as using a completely different password manager, but actually a bit more obtuse if you happen to also use Bitwarden, as you have to change the endpoint back and forth when switching