Thanks to the recent PR debacles with LastPass, I decided I needed to look for a new password manager solution. (And the recent data breach clinched it.) I’ve looked at several good options, but in the end, the answer was pretty obvious: Bitwarden. I haven’t fully switched myself, but I wanted to test drive it for my audience (aka you).
I’ve read several password manager reviews by sites I trust, and there are several that show up towards the top in most lists: LastPass, 1Password, and Bitwarden. I have a lot of respect for 1Password and I know people who swear by it. But I wanted something I could wholeheartedly recommend to my audience. My criteria would be:
- Easy to use
- Supported on all major platforms (Mac/Win, iOS/Android)
- Respects your privacy
- Has a viable free tier (this is the one that put it over 1Password)
I often recommend avoiding free products because in many cases that makes you (or more specifically, your data) the product. The main exception to this is when the company has a viable business model that doesn’t rely on selling your data. In this case, Bitwarden has premium and business tiers that charge money. So, Bitwarden meets all the criteria.
Bitwarden has a couple of other important bonuses. First, it’s completely open source. In theory, this means its security and privacy claims can be vetted by anyone. Second, Bitwarden subjects itself to independent third-party security audits. Finally, it’s compliant with top privacy standards like GDPR, HIPAA and CCPA.
All that said, 1Password is a solid solution and probably more feature-rich and polished than Bitwarden. But 1Password has no free option and it’s not open source (though they have submitted to security audits).
Moving from LastPass to Bitwarden
Getting all your data from LastPass to Bitwarden is surprisingly easy. However, the way the transfer works means there’s an important security safeguard you need to take. LastPass and Bitwarden both keep your password vault encrypted locally on your device, but in order to transfer that data, you need to export it to a plain text (unencrypted) .csv file. That CSV file needs to be imported immediately and then securely deleted. I wouldn’t even want my backup software to snapshot it. Maybe I’m just paranoid. But definitely don’t put this file in Dropbox or similar (which will create a cloud copy that will exist for some time even if you then delete it).
So to sum up:
- export your LastPass vault as a CSV file
- import the CSV file into Bitwarden
- delete that CSV file!
- set up two-factor authentication (2FA) (and save your recovery code)
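To make the “delete that CSV file!” step concrete, here is an added Python example (not code from this post, Bitwarden or LastPass) that refuses to touch an export sitting in a cloud-synced folder, sanity-checks the LastPass CSV header, and overwrites the file before unlinking it. The list of sync-folder names is my own constructed guess at common locations.

```python
"""Wipe a LastPass CSV export once Bitwarden has imported it.

Added example, not code from the blog post or from Bitwarden/LastPass.
Assumes the export was saved to a local, non-synced folder; the folder
names below are a constructed list of common cloud-sync locations.
"""
import os
import secrets
from pathlib import Path

# Constructed list of folder names that typically belong to a cloud-sync client.
SYNC_FOLDER_NAMES = ("dropbox", "onedrive", "google drive", "icloud drive", "box sync")


def is_in_sync_folder(path: Path) -> bool:
    """True if any directory component looks like a cloud-synced folder."""
    parts = [p.lower() for p in Path(path).resolve().parts]
    return any(name in part for part in parts for name in SYNC_FOLDER_NAMES)


def looks_like_lastpass_export(path: Path) -> bool:
    """Sanity check: a LastPass CSV export starts with url,username,password."""
    with Path(path).open("r", encoding="utf-8", errors="replace") as f:
        header = f.readline().strip().lower()
    return header.startswith("url,username,password")


def wipe_export(path: Path, passes: int = 2) -> bool:
    """Overwrite the file in place with random bytes, then unlink it.

    Overwriting defeats casual undelete on plain HDD filesystems; on SSDs
    and copy-on-write filesystems (APFS, btrfs) old blocks may survive,
    so the real safeguard is never letting the file reach a synced or
    backed-up location in the first place. Returns True once removed.
    """
    path = Path(path)
    if is_in_sync_folder(path):
        raise ValueError(f"refusing to handle an export inside a synced folder: {path}")
    size = path.stat().st_size
    with path.open("r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        f.truncate(0)
    path.unlink()
    return not path.exists()
```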
You’ll then want to install the plugin for your browser and install the app for your smartphone. The desktop app is optional, really, but it’s good that they have one.
Bitwarden is very similar to LastPass and the free version has many of the same features. I’m not going to try to go through it all here, but Bitwarden has some really good user help and getting started tutorials – definitely check those out (maybe before you even sign up for it).
Personally, I may stick with LastPass a while longer. I’m used to it and it’s worked well for me for many years. Also, my entire family is using it. Switching them to something else would take some time, effort and coordination. If I go that route, I may very well switch to 1Password’s family plan.
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.