I’ve got hundreds of accounts and passwords, and I absolutely appreciate and need a good password manager with good integration with my web browser. I’ve been using LastPass despite never having liked or fully trusted them. Then LastPass began stripping away platform support and I started looking for another password manager.
Instead of doing a full review, I thought I’d go through a few points that I feel are important when deciding on a password manager; and compare how Bitwarden better lives up to my expectations than LastPass.
Bitwarden and LastPass both offer free hosted password management services with clients available for multiple popular platforms.
LastPass have been pretty good about being available in every web browser and on every platform. However, they left the LastPass extension for Firefox for Android to rot for over a year before abandoning it, and they were slow to migrate their extension to Firefox Quantum. They’ve also got a long history of shipping outdated versions of their extensions to Firefox users over several years.
In my experience, the LastPass extension for Firefox has been only getting more and more buggy with time. My browser of choice, Firefox, clearly haven’t been a priority for LastPass.
Bitwarden have desktop apps for Linux, macOS, and Windows; as well as mobile apps for Android and iOS and browser extensions for just about all web browsers — including the underdogs like Vivaldi and Brave with their tiny marketshares. Bitwarden is everywhere I am and everywhere I can foresee finding myself — whereas LastPass suggest you switch your browser to continue using their service.
LastPass’ toolbar icon in my browsers used a glaring red color; a color normally reserved to indicate that something is broken or requires your attention. Bitwarden’s calm blue icon is less alarming and I subjectively strongly prefer it over LastPass’ icon. I’ve also found that Bitwarden displays error messages in situations were LastPass would just silently fail to perform the requested operation.
Open source and self-hosting
LastPass is a proprietary software and service. You have to rely on their infrastructure and will to continue operating the service without interference.
Bitwarden on the other hand is open source from top to bottom. Their apps, extension, and online services are all open source. If Bitwarden.com where to announce they were shutting down tomorrow, you could grab the source from their servers and host it yourself to ensure continued service.
Self-hosted instances of Bitwarden isn’t an after-thought either as the company behind it considered self-hosting a “first-class feature”. I’ve yet to dig into this in more detail, but I expect that I’ll look into hosting it for myself with time.
As a developer, I also value the ability to inspect their code and suggest changes when I encounter bugs. I’ve not really ran into anything that have needed my attention in Bitwarden, but I like knowing that I have the option to fix it myself. I’ve submitted quite a few concrete bugs and even suggested patches to LastPass through their support form, but they’ve always preferred to leave the bug unresolved in their browser extensions for years instead.
I don’t have the time nor ability to evaluate exactly how secure or insecure any password manager is compared to another. However, I have noted a few things of interest.
There hasn’t been a full independent security review of Bitwarden yet. The code is open and anyone can look at it, and hopefully it will be “the good guys” who’ll find any potential security vulnerabilities and report the issues to Bitwarden. The probability of that happening is much greater than with a proprietary product; seeing how everyone has access to Bitwarden’s source code.
I was positively surprised to learn that Bitwarden’s browser extension doesn’t auto-fill login information on pages as soon as they’ve loaded. The user has to interact with the extension to cause it to fill in stored usernames and passwords. While this is a slight inconvenience, it also effectively stops auto-fill theft as some advertisement networks were caught doing in . This issue has been known to browser vendors for over a decade already, yet the built-in password manager in most web browsers and most third-party password managers have all ignored it.
I’ve also got some concerns regarding Bitwarden’s use of third-party script resources which I’ll go into greater detail in the next section.
Security concerns over third-party resources
In my opinion, no external resources should be loaded from any third-party domains inside a high-risk high-security environment like a password manager.
LastPass hosts everything under their own domains and thereby can ensure that as long as they have control over their servers, they maintain control over everything that loads inside the password manager.
Bitwarden loads scripts and styles from Bootstrap CDN as well as Google Fonts and Google Hosted Libraries. These resources are loaded with Subresource Integrity enforcement, meaning that modern browsers will refuse to load them if the external resource don’t match a predetermined checksum. In other words, Bitwarden have a fairly good confidence that they don’t load anything malicious or unexpected by including these remotely hosted resources.
Including any third-party content is a potential avenue for malicious actors to get in to the password vault. I can’t see any strong reason why any of these companies should be able to execute code inside the password vault. They’re all well-established service providers and it’s not very likely that they’ll loose control over their domains. However, it’s an unnecessary risk factor and frankly their inclusion also seems entirely unnecessary.
The Bitwarden mobile apps, desktop apps, extensions, and web vault all integrate Google Analytis for tracking behavioral data from users. Users can opt-out by disabling the Analytics option by going to Settings: Other: Options.
This is another example of an unconstrained third-party script that don’t belong in a secure environment such as a password manager. Users should opt-in to tracking in this instance rather than having to opt-out.
It’s not enough to opt-out once in the web vault or in one of the apps or extensions. Users have to opt-out again in every client they use as the opt-out preference isn’t being synchronized between clients.
I completely understand the need and desire for tracking some behavioral analytics. However, what is good enough for a normal website isn’t necessarily good enough for a security critical environment like a password manager. In my opinion, there is no good reason for using Google Analytics — or any third-party analytics — in the way Bitwarden uncritically uses it.
Bitwarden and LastPass can export and import password, secure notes, and other secure notes to a comma separated value (CSV) format with headers denoting each value. Many password managers support importing from CSV files, but some manual shuffling of the data columns may be required (as with anything else that use CSV in lieu of a formally standardized interchange format).
Bitwarden being the underdog, can import data from LastPass. However, if you want to go the other way around, you’ll need to reformat the CSV export file for LastPass to accept it. CSVs are easy enough to work with, and the important point to note is that all data appears to be present when exporting from both password managers.
LastPass incorrectly encoded a few (but not all) UTF-8 characters when I exported data to be imported in Bitwarden. I had to manually correct these in the comma-separated export format before Bitwarden could import the file. (This is a bug in LastPass and not Bitwarden.) Having just run into an export issue, I also tested and made sure that Bitwarden didn’t do the same mistake when exporting.
Both Bitwarden and LastPass can store other types of information including secure notes and credit card information. These types of data are also part of the password database dump.
I choose to use Bitwarden over LastPass despite being more skeptical about their security practices when it comes to inclusion of third-party executable scripts inside the password manager. I hope we’ll see Bitwarden make changes to limit the number of possible attack vectors in the future.
Bitwarden doesn’t have a proven record of maintaining strict operational security for a decade like LastPass. However, my personal values, beliefs, and preferences lean heavily towards Bitwarden over LastPass as an optionally self-hosted open source application with clients for every platform.
I have no strong reason to trust LastPass over Bitwarden. I find that I like using Bitwarden whereas I never liked using LastPass.
If you require absolute security, you should however probably stick with LastPass as they have a decade of experience in offering hosted password management services. You could opt to self-host Bitwarden in an environment that isn’t exposed to the internet as an alternative. However, for most folks — the current level of security offered by Bitwarden is probably good enough. Hopefully, we’ll see Bitwarden undergo a full security audit soon.