Cybersecurity artwork by JanBaby, reproduced under a Creative Commons license

This week, the company that owns the well-known password manager LastPass disclosed that a breach of its systems last summer was far worse than the company previously acknowledged and involved “personal information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses customers used to access LastPass services,” as explained in a report from Ars Technica.

This near-catastrophic breach is part of a troubling pattern of lax security at LastPass that has concerned cybersecurity professionals for a long time. It ought to be the final straw for the company’s remaining users. It’s understandable that LastPass customers might be prompted by this incident to wonder if any password manager can be trusted, and the answer is yes: there are competitors in the industry offering trustworthy products with an excellent track record.

If you are a LastPass user, don’t let the news of this breach deter you from using a password manager. Managers are integral to a well-organized online life and to good cybersecurity hygiene. It’s important that you use one, just not the one offered by LastPass. Here are three alternatives you can switch to that have been vetted by NPI and other publications, including the NYT’s Wirecutter.

1Password

Our team uses 1Password and has found it to be very secure and very well thought out. What we like best is its dual-key encryption: “Instead of relying on an account password alone, 1Password uses unique dual-key encryption. Without both keys, no one can access your account – not even us.”

There are subscriptions for individuals, families, and teams available.

Robust credential sharing and secure amalgamation of different accounts (letting you manage individual and organizational vaults from within the same mobile and desktop apps) are among 1Password’s standout features.

It’s reasonably priced and the support is very good. The company is based in Canada. A guide on how to import your passwords from LastPass is available. 1Password will also cover the costs of switching to their platform.

Bitwarden

Bitwarden is the best choice if you want a password manager for individual use that won’t cost anything and supports cross-platform sync (e.g. access passwords across Android, iOS, Windows, Mac, GNU/Linux) without requiring you to pay. Two-person teams are also supported at no cost. The company is based in Santa Barbara, California, and enthusiastically embraces open source.

A guide on how to import your passwords from LastPass is available.

Dashlane

Dashlane is a third option to consider.

The company proudly states upfront that it has never been breached. It has deprecated its desktop apps in favor of browser add-ons; it still offers mobile apps for iOS and Android. Cross-platform sync is a paid feature.

If you go with Dashlane, we recommend the cheaper Advanced plan and not the Premium plan, which includes a bundled VPN offering. The company is based in France. A guide on how to import your passwords from LastPass is available.

What you can expect regardless of which manager you pick

All of these managers support:

  • Cross-platform password sync
  • Multifactor authentication
  • Monitoring (1Password calls this Watchtower, Dashlane calls it Dark Web Monitoring, Bitwarden calls it Data Breach Report)
  • URL encryption (“Prevent an attacker from knowing which websites you frequent, mitigating the risk of targeted phishing attempts”)
  • Item title encryption (“Protect sensitive information within item titles so attackers wouldn’t know a credit card from a cookie recipe”)
  • Vault title encryption (Names you give to buckets or categories of passwords will also be protected)

As mentioned by Ars Technica, LastPass doesn’t offer URL, item title, or vault encryption. Dashlane, Bitwarden, and 1Password all do, and that makes them much more secure and worthy of your trust.

Happy switching!

About the author

Andrew Villeneuve is the founder and executive director of the Northwest Progressive Institute, as well as the founder of NPI's sibling, the Northwest Progressive Foundation. He has worked to advance progressive causes for over two decades as a strategist, speaker, author, and organizer. Andrew is also a cybersecurity expert, a veteran facilitator, a delegate to the Washington State Democratic Central Committee, and a member of the Climate Reality Leadership Corps.
