This week, the company that owns the well-known password manager LastPass disclosed that a breach of its systems last summer was far worse than the company previously acknowledged and involved “personal information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses customers used to access LastPass services,” as explained in a report from Ars Technica.
This near-catastrophic breach is part of a troubling pattern of lax security at LastPass that has concerned cybersecurity professionals for a long time. It ought to be the final straw for the company’s remaining users. It’s understandable that LastPass customers might be prompted by this incident to wonder if any password manager can be trusted, and the answer is yes: there are competitors in the industry offering trustworthy products with an excellent track record.
If you are a LastPass user, don’t let the news of this breach deter you from using a password manager. Password managers are integral to a well-organized online life and to good cybersecurity hygiene. It’s important that you use one, just not the one offered by LastPass. Here are three alternatives you can switch to that have been vetted by NPI and other publications, including the NYT’s Wirecutter.
Our team uses 1Password and has found it to be very secure and very well thought out. What we like best is its dual-key encryption: “Instead of relying on an account password alone, 1Password uses unique dual-key encryption. Without both keys, no one can access your account – not even us.”
There are subscriptions for individuals, families, and teams available.
Robust credential sharing and secure amalgamation of different accounts (letting you manage individual and organizational vaults from within the same mobile and desktop apps) are among 1Password’s standout features.
It’s reasonably priced and the support is very good. The company is based in Canada. A guide on how to import your passwords from LastPass is available. 1Password will also cover the costs of switching to their platform.
Bitwarden is the best choice if you want a password manager for individual use that won’t cost anything and supports cross-platform sync (e.g. access passwords across Android, iOS, Windows, Mac, GNU/Linux) without requiring you to pay. Two-person teams are also supported at no cost. The company is based in Santa Barbara, California, and enthusiastically embraces open source.
Dashlane is a third option to consider.
The company proudly states upfront that it has never been breached. It has deprecated its desktop apps in favor of browser add-ons; it still offers mobile apps for iOS and Android. Cross-platform sync is a paid feature.
If you go with Dashlane, we recommend the cheaper Advanced plan and not the Premium plan, which includes a bundled VPN offering. The company is based in France. A guide on how to import your passwords from LastPass is available.
What you can expect regardless of which manager you pick
All of these managers support:
- Cross-platform password sync
- Multifactor authentication
- Monitoring (1Password calls this Watchtower, Dashlane calls it Dark Web Monitoring, Bitwarden calls it Data Breach Report)
- URL encryption (“Prevent an attacker from knowing which websites you frequent, mitigating the risk of targeted phishing attempts”)
- Item title encryption (“Protect sensitive information within item titles so attackers wouldn’t know a credit card from a cookie recipe”)
- Vault title encryption (Names you give to buckets or categories of passwords will also be protected)
As mentioned by Ars Technica, LastPass doesn’t encrypt URLs, item titles, or vault titles. Dashlane, Bitwarden, and 1Password all do, and that makes them much more secure and worthy of your trust.
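To make the two points above concrete, here is a small added example (written for this article, not code from 1Password, Bitwarden, Dashlane, or LastPass) that models both ideas: a vault key derived from two secrets, so that guessing the account password alone is useless without the secret key, and the difference between a vault that encrypts only the credential and one that encrypts the whole item, URL and title included. The key derivation and the HMAC-based stream cipher are simplified stand-ins chosen so the script runs with only the Python standard library; they are not any vendor’s actual algorithm, and the sample item, salt, and secret key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo values. A real product uses a random per-account salt
# and a long, randomly generated secret key shown to the user once at signup.
SALT = b"constructed-demo-salt"
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(account_password: str, secret_key: str) -> bytes:
    """Illustrative two-secret derivation (not 1Password's real scheme).

    The low-entropy account password is stretched with PBKDF2, then the result
    is keyed with the high-entropy secret key. An attacker holding the vault
    file can try password guesses all day; without the secret key every guess
    produces a key that fails authentication below.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", account_password.encode(), SALT, 100_000)
    return hmac.new(secret_key.encode(), stretched, hashlib.sha256).digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from the one vault key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib stand-in for AES-CTR/GCM.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample vault item.
ITEM = {"title": "Bank login", "url": "https://bank.example", "username": "alice", "password": "hunter2!"}


def store_secret_only(key: bytes, item: dict) -> dict:
    """Layout the article describes for LastPass: credentials encrypted, metadata in the clear."""
    rec = dict(item)
    rec["username"] = encrypt(key, item["username"].encode()).hex()
    rec["password"] = encrypt(key, item["password"].encode()).hex()
    return rec


def store_full_item(key: bytes, item: dict) -> dict:
    """Layout the article credits to the alternatives: the whole item is one ciphertext."""
    return {"blob": encrypt(key, json.dumps(item).encode()).hex()}


def exposed_without_key(record: dict) -> dict:
    """Metadata readable straight from a stolen vault file, no key required."""
    return {k: v for k, v in record.items() if k in ("title", "url")}


def open_full_item(key: bytes, record: dict) -> dict:
    return json.loads(decrypt(key, bytes.fromhex(record["blob"])))


def opens_with(key: bytes, record: dict) -> bool:
    """True if this key authenticates and decrypts the record."""
    try:
        open_full_item(key, record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery", "CONSTRUCTED-SECRET-KEY-1234")
    print("secret-only layout leaks:", exposed_without_key(store_secret_only(key, ITEM)))
    print("full-item layout leaks:  ", exposed_without_key(store_full_item(key, ITEM)))
    wrong = derive_vault_key("correct horse battery", "WRONG-SECRET-KEY")
    print("right password, wrong secret key opens vault:", opens_with(wrong, store_full_item(key, ITEM)))
```

The practical takeaway is in the two `exposed_without_key` calls: with the first layout, whoever obtains the vault file learns which sites you have accounts on and can tailor phishing to them, which is exactly the risk the “URL encryption” bullet above addresses; with the second, the file reveals nothing but ciphertext. The final check shows why a second secret matters: a correct account password combined with the wrong secret key fails authentication, so an offline guessing attack against the password alone cannot succeed.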