I’ve used the LastPass password manager at home and at work for eight and a half years, since only a couple years after they launched, so it makes sense that when I came to Quantopian as its VP of Operations (and later CISO), I brought LastPass with me and we adopted it as our corporate password manager. For several years, we were happy with LastPass as a product and with the quality of support provided by the company.
However, in 2015 LogMeIn acquired LastPass, and things started to change. We have been increasingly dissatisfied with the quality of the product and its support since the acquisition, and recently we finally decided to spend some time evaluating alternatives to LastPass.
We created a detailed evaluation checklist and ran five password managers through the gauntlet: LastPass, 1Password, Dashlane, Bitwarden, and Keeper. At the end of our evaluation, we decided that Bitwarden is the best choice for our company, and we’ve begun the process of migrating from LastPass to Bitwarden.
Obviously, our priorities and requirements might not be the same as yours, so what follows is a description of the functionality and features we focused on in our evaluation.
Even if our priorities are different from yours, you can still benefit from our evaluation! Included below is an interactive grid which you can tweak to focus on just the requirements you care about and then pit any two of the five products we looked at head-to-head and see how they fare against each other.
We use our password manager on Mac OS, Windows, Linux, Android, and iOS. Our password manager needs to support all of those platforms. Most importantly, full functionality can’t be dependent on an app which is only available on Mac OS and/or Windows. In other words, lack of full Linux support is a show-stopper for us. This ruled out 1Password and Dashlane.
We have recently begun the process of issuing YubiKeys to all of our employees and requiring the use of the YubiKey for two-factor authentication for all applications and services which support it. Therefore, although we didn’t consider YubiKey support to be a hard-and-fast requirement for our new password manager, it was a factor. Certainly, any password manager which lacked any support for 2FA would have been rejected out-of-hand. Fortunately, all five products we looked at support some form of 2FA.
We encourage our employees to use a password manager for their personal passwords in addition to their work passwords, and we want to make that easy. Despite the various problems we’ve had with LastPass, we have to acknowledge that their “linked personal account” functionality is the gold standard for solving this particular problem, so we evaluated the other products to see how their solution to this problem compared. Dashlane and Keeper have poor solutions to this problem; the others are adequate.
Obviously, since we were going to be migrating from LastPass to a new service, the ability to import our LastPass data into the new service was essential. Fortunately, all the products we evaluated had this capability.
A number of features we looked at are only relevant in an enterprise (i.e., business) environment. For example, for just personal use, you probably won’t care about linked personal accounts, fine-grained access control, or what abilities company administrators have, but all of these questions were important to us.
It’s important to us that our password manager is actively maintained, and that the people maintaining it are responsive to support inquiries, feature requests, and bug reports. We definitely found that to be the case with Bitwarden. For example, at one point during our evaluation we submitted a bug report about Bitwarden through its GitHub project; one of the product’s maintainers committed a bug fix seventeen minutes later, and just a few days after that the fix was released to the public.
To see the evaluation table, click on the “Result” tab in the embed below. Initially, all of the checklist items we considered in our evaluation are listed in the table. If you scroll to the bottom, you will see a list of feature tags. Uncheck the features you don’t care about, and they will be removed from the grid. Then, you can select any two products from the two drop-down menus at the bottom, and the grid will add a column doing a head-to-head comparison of those two products with an overall score at the bottom.
Did you find this article useful? Have you undertaken a similar evaluation for yourself or your company? If so, what was your final choice, and what were the deciding factors? We’d love to hear from you. Feel free to comment here, email our security team, or email me directly.
Let’s be careful out there!
— Jonathan Kamens, Quantopian’s CISO