LastPass Alternatives

KeePassXC can be synchronized to/from any public or private cloud platform using your existing sync tools specific to each platform. [1] The benefit being cloud-agnostic and avoiding vendor lock-in.

[1] - https://keepassxc.org/docs/#faq-cloudsync

I just use Firefox sync. It integrated with iOS and Android. You just install the app and use the system settings to set Firefox as the default password store for the system. It works in all apps, as far as I can tell. I wish it integrated with Linux& gnome a bit better, but I just work around that by bookmarking the browser link to the password page in Firefox.

I trust Mozilla more than any random app that advertises on random podcasts. I like that it warns me when sites I use have been compromised, and that it is generally easy to use. That said, I am not a security expert, so I am interested to see if anybody has any concerns about this setup.

Bitwarden. Very straight forward and open source

Throughout the years I've tried most of the more popular ones on the market, some times forced via work and other times because I was curious.

- KeePassXC: tried this when I was looking for a self-hosted, open-source alternative to LastPass years ago. Was surprised at how well it worked, but syncing was too much of a hassle so I gave up fairly quickly.

- 1Password: my favorite of the bunch so far, great UI and UX, works seamlessly across all my devices with all the stuff I want and need: credit card info, logins, 2FA, automatic hidden email generation via Fastmail, easy sharing and family accounts work really well, CLI for use in scripts and now builtin SSH-key management. Not a huge fan of the subscription model, but probably the service I am most happy to pay for.

- LastPass: was forced to use this at my previous job, absolutely hated it. The UI and UX feels ten years behind 1Pass and Bitwarden, it's slow and not nearly as featureful as the alternatives. I switched from them when they were bought out by LogMeIn, but it doesn't look like the product has meaningfully changed since then.

- BitWarden: played around with this for a while, but didn't switch from 1Pass mostly because I am not willing to host something like this myself and it costs the same as 1Pass with less features and polish.

Personally, I would recommend 1Pass for a "it just works" and Bitwarden hosted yourself if you want the same but on your own premises via https://github.com/dani-garcia/vaultwarden.

1Password for me - not overly happy that they moved over to a subscription based pricing, but I’ve been using it for years now and it works well across all of my devices.

As someone historically adjacent to the security industry, and having worked with some of the best, all I can say for sure is that questions like these really bring out some of the worst, most bespoke, and operationally insecure password management strategies that fail miserably to understand the problem.

I use 1pass. I don’t know if they’re actually better. I wouldn’t recommend rolling your own here, however, even if you can’t think of why your solution would have flaws.

It takes a special kind of mind to accept the limitations of your perspective, and this is a field ripe with that exact kind of bias.

KeepassXC is a thick client password manager. Password store might be even more secure.

If you want “seamless sync of your secrets” by a trusted 3rd party with an online vault, well, then, Bitwarden or 1Password. But the architecture is roughly the same as that of lastpass (though they also encrypt URLs, and might have better KDF, and operational security).

In particular, you should assume that 3-letter agencies snapshot data in cloud placed at their feet, have your vault, and may attempt to crack it should that be needed.

Isn’t the solution obvious? Just don’t store the entire password in the manager. Add a memorized manual prefix or suffix to the randomly generated/filled in password when you log in. Trust nobody. It’s not too much extra work and protects against anything like this in the future.

Keepass (I use KeepassXC on Linux, MacOS and Android) family or Bitwarden self hosted (never used) are probably going to be the top comments.

I use KeePass and just save the encrypted file in iCloud.

Easy, end to end encrypted, always up to date, free.

https://open.substack.com/pub/magoop/p/how-to-manage-500-pas...

I use and generally recommend 1password. I've used it on every major mobile and desktop OS browser. (I've had some issues on Android, but it was not a standard Android OS.) The UX is generally nice.

First, they encrypt with the secret key AND the master password. This is the most important thing, and I was shocked to learn Lastpass doesn't do it.

Second, the master password runs through PBKDF2 with 100000 rounds, but a precursory Google search suggests the very earliest versions used around 10000. Lastpass's problem was a low 5000 rounds, and did not update the number of rounds. I don't know if 1password updates the number of rounds.

Third, they use a zero-knowledge proof protocol called "secure remote password". When I was sharp in cryptography, this is what made me choose 1password over the others. I don't understand all the details anymore, and I don't know if it is "post-quantum secure."

Fourth, the UX is nice and I can recommend it to anybody who is literate. (This is not a cynical take-- I don't know how good the UX is for someone who is not fluent in a language 1password uses.) (Also, 1password recently released "1password 8", a new UI. I have not tried it and cannot speak to it.)

Fifth, 1password's biggest (only?) controversy was moving to a subscription model. I actually prefer this. (I want devs to be paid in perpetuity to keep this secure! I assume 1password has security holes somewhere, and I want 1password to pay their folks to find them first.)

Unfortunately, the monthly price "billed annually" is $3/month, but it seems the true monthly price is hidden behind a signup wall. I feel comfortable assuming the price is less than $10 per month.

Sixth, and most importantly: If your payment lapses, you can still access all your passwords, but you no longer get sync. (But I have not tried this in practice.)

---

1password security whitepaper: https://1passwordstatic.com/files/security/1password-white-p...

1password security overview: https://support.1password.com/1password-security/

Secure Remote Password (SRP) overview: https://blog.1password.com/developers-how-we-use-srp-and-you...

I use a KeePass database stored on iCloud, with the KeePassium client on IOS, and the KeePass client on Windows. Works like a charm.

1Password.

The UX is simple enough so every person in my family from wife to kids can use it. Because ensuring your family's cybersec is important as well. Teach your kids good cyber hygiene from day one.

1Password deals with the infra and software stack which is a time saver for me.

I just switched to Bitwarden after seeing it recommended on HN a bunch of times. Bought a subscription right away.

I previously stored everything in Firefox, transfered it easily to Bitwarden. Linux app seems to work fine, tested in Firefox, Chrome, Android phone, smooth transition.

The only thing that I've noticed is that you have to change existing passwords manually by editing records in the vault, the Firefox extension does not prompt you to update password once it detects a succesful login with another one.

Does anyone know of an open source tool that will reliably export LastPass entries to the other formats or even a csv?

The LastPass exporter IME is very unreliable.

Used to use Password Safe early on before switching to KeePassXC. Have the KDBX file synced across my phone and desktop with Syncthing

For a while I used an encrypted excel spreadsheet (AES-256 but no idea about other tuning) and stored in OneDrive. Could open just about anywhere since Office is everywhere and OneDrive pretty ubiquitous (I’m guessing no Linux though except Wine?). I have moved to BitWarden now because so many passwords a spreadsheet is cumbersome and prone to fat fingers.

I use a locally saved version of supergenpass

https://chriszarate.github.io/supergenpass/mobile/

It combines an easily recalled password with domain to generate a longer password. I feel quite safe using this as no data is stored anywhere.

I've tried Bitearden, and it's great (and free) but the best option is 1Password if you ask me.

Enpass, an offline password manager with option of syncing vault to third party apps like Dropbox or Google drive. https://www.enpass.io/

I will add another voice in favour of Bitwarden. It even has some nice visual polish after many years. I pay the 10$ per year because that's basically free and the value prop is obvious (to me). YMMV

BitWarden as Home Assistant Addon. Make sure to also run the 'Google Backup' addon for HA to have a backup for your passwords. Running it for 2+ years now (Raspberry Pi 3). Works like a charm.

I would love to use iCloud Keychain, but it doesn’t have extra fields, support OTP, or even really have a proper GUI.

Rumor was Apple uses 1pass internally???

Been using KeePassXC for the last five years.

Look at https://spectre.app/

KeePass with db stored on OneDrive

I've been very happy with the built-in Chrome/Google password manager.

Passwords for nextcloud

+1 for - Bitwarden

vim ~/docs/passwords.gpg

bitwarden is the obvious choice