Zach Olivare - 2023 Feb 22
And here's why
I've been a big advocate for LastPass for the last 10 years. I have encouraged probably around a dozen other people to use it. I even called it out specifically (along with 1Password) in my Use a password manager post back in 2020.
But I've been growing increasingly frustrated with LastPass recently so I decided to try out 1Password. tldr I found 1Password to solve many of the issues that I have with LastPass; and even though it's not perfect, overall I think 1Password is a better product.
Please allow me to explain why:
There are a lot of details to this hack. But my cliff note version is that:
So unless you're super famous or work for the government, your passwords at least are reasonably safe. But the attackers now know which sites you use, which would make it easier to perform a phishing attack on you.
1Password has a unique security concept they call a Secret Key. You can read this in-depth explanation of how the Secret Key works, but again, here are my cliff notes:
1Password also encrypts your item URLs and titles. So even if 1Password were breached, the hacker would have no valuable information about you.
When you use a password manager for long enough, you undoubtedly have some passwords that gather dust. Passwords that you think you'll probably never need again; maybe an old job, or maybe you accidentally (or on purpose) created two accounts for the same website.
These are passwords that you don't want to appear in normal searches, and passwords that you don't want suggested to you to sign into stuff. But at the same time, deleting them is scary! It's hard to be certain that you'll never need these passwords for any reason ever again.
1Password's Archive gives you an easy place to toss these "old" passwords, with the confidence that if you do ever need them again for any reason, they'll still be there for you to go and find.
LastPass conflates the concepts of item organization and item sharing. With a LastPass family subscription, the way you share passwords to other family members is to move the password from whatever folder you wanted it in into a special "Shared-" folder.
In 1Password, you share with family members by creating different "Vaults". Conceptually, a "Vault" is similar to a "Shared-Folder"; but for me there are some meaningful differences:
LastPass uses folders for organization, 1Password uses tags.
Any users of Gmail will immediately recognize the concept of tags and why they're inherently superior to folders: an item can only be in one folder, but it can have any number of tags.
By eliminating folders, 1Password also eliminated the dreaded LastPass (none) folder. This is the place in your LastPass vault where all items that don't have a folder specified go. I'm pretty sure its intended purpose is strictly to shame you for having an unorganized LastPass vault.
I had dozens of folders and subfolders in LastPass (> 50). But when I moved over to 1Password I realized that most of those folders served no purpose whatsoever. Or said another way, looking at those items together as a group provided no benefit. The only reason the folders existed was to get them out of (none). I currently have 9 1Password tags.
You know your Authenticator app, right? The app on your phone that generates Time-based One Time Passwords (TOTP). You might use Google Authenticator or Authy, or even LastPass Authenticator.
1Password (mostly) replaces the need for that app. When you sign into an app that has 2FA configured in 1Password, the 2FA code will automatically be copied to your clipboard, so that without a single extra click or even picking up your phone, you can just paste the code right into the site and go.
Using a native app to organize your saved passwords is just a better experience. It also lets 1Password use features like Touch ID and Apple Watch integrations that only native Mac apps have access to!
I've encountered a number of websites over the years that have let you log in at a couple different urls. Or sometimes you need to log into multiple different subsystems of an app that share the same credentials (like corporate SSO for example).
LastPass makes that a real pain to deal with. You have to duplicate the login credentials over multiple LastPass entries, and then LastPass will yell at you for having "duplicate passwords" unless you dig deep into the settings and configure "Equivalent Domains". What a nuisance.
In 1Password, you can just add another website when editing an existing entry. Couldn't be simpler.
If you use LastPass personally, and your workplace uses LastPass to store shared credentials, you're shit out of luck. You cannot sign into multiple LastPass accounts at the same time.
The only solution is to either never access personal passwords in your work browser, or copy personal/work passwords to the other vault.
1Password lets you sign into multiple accounts at the same time and easily switch between them.
A LastPass entry has a set number of fields depending on its type. A password type entry will have a name, url, username, password, and notes. And that's it. If you want to save any extra information about that site it has to go in the notes field.
1Password entries feel kind of like a "phone contacts" application in that you can add any number of different types of fields to the entry.
I have kind of torn LastPass to shreds in this article, and I think rightly so. But there are a couple things that I think they do better than 1Password; features I would like to see 1Password adopt:
The Notes field is a catch all for credential entries. You can put any helpful information in notes for that entry. One common thing I like to include in notes are some aliases to help me find this entry later.
But 1Password doesn't search on the notes fieldddddd!!!!
What the heck, come on guys.
In LastPass you can share any password with any other LastPass user. Doing so frequently is annoying because the share has to be managed inside of that one password, and you have to re-enter the email every time, but nonetheless it's a nice feature to have.
1Password only allows you to share passwords to one of the other people in your family or organization subscription.
LastPass has a "Save All Entered Data" option for saving all the data you typed into long forms. I personally use this feature for testing websites, but it's useful for any repetitive form-filling.
1Password doesn't appear to have anything similar.
The ability to control which entries are suggested for auto-fill at which time, and easily toggle between them.
Say for example that you only want it to suggest your work passwords when you're at work, and your home passwords when you're at home. Or you have a vault/folder that contains family member accounts that you need access to in order to help them do something once in a while.
LastPass identities are, in concept, exactly what I'm looking for here. Each identity has certain passwords that are only suggested while you're acting as that identity or when you're acting as the "All" identity.
But it's far from perfect:
The experience of moving sites between identities is frustratingly difficult
The new browser plugin popup doesn't let me switch between identities (without going all the way into my vault). This feature existed before their recent re-skin of the browser plugin popup.
When adding a new site, it gets added to whatever identity you currently have active.
1Password does not have a way to only auto-fill credentials from a certain "active" vault.
What they should do is (this does not currently exist):
The closest 1Password gets to something like this is the ability to Disable Vaults. If this setting could be toggled more quickly, it might be an acceptable solution to the problem.