I quit LastPass and moved to 1Password after 10 years
Zach Olivare
Posted on March 6, 2023
I've been a big advocate for LastPass for the last 10 years. I have encouraged probably around a dozen other people to use it. I even called it out specifically (along with 1Password) in my Use a password manager post back in 2020.
But I've been growing increasingly frustrated with LastPass recently, so I decided to try out 1Password. TL;DR: I found that 1Password solves many of the issues I have with LastPass, and even though it's not perfect, overall I think 1Password is a better product.
Please allow me to explain why:
1. LastPass had a major, concerning, data-compromising Hack in 2022
There are a lot of details to this hack. But my cliff note version is that:
- URLs and usernames have all been stolen in cleartext (not encrypted)
- Passwords and secure notes have also been stolen, but the information was encrypted.
- "Unencrypting" one of those passwords would cost the attacker somewhere between $75,000 and $1.5M
So unless you're super famous or work for the government, your passwords at least are reasonably safe. But the attackers now know which sites you use, which would make it easier to perform a phishing attack on you.
2. 1Password is more secure
1Password has a unique security concept they call a Secret Key. You can read this in-depth explanation of how the Secret Key works, but again, here are my cliff notes:
- It's a 128-bit (i.e. really long) alphanumeric code
- It's combined with your master password to encrypt your data
- It makes it so that even if 1Password was hacked in exactly the same way as LastPass was in 2022, the hacker would not be able to crack a single password even if he put every computer on Earth to work on the cracking and ran them for zillions of times the age of the universe
1Password also encrypts your item URLs and titles. So even if 1Password were breached, the hacker would have no valuable information about you.
3. 1Password is a lot easier to use
3a. 1Password has an Archive
When you use a password manager for long enough, you undoubtedly have some passwords that gather dust. Passwords that you think you'll probably never need again; maybe an old job, or maybe you accidentally (or on purpose) created two accounts for the same website.
These are passwords that you don't want to appear in normal searches, and passwords that you don't want suggested to you to sign into stuff. But at the same time, deleting them is scary! It's hard to be certain that you'll never need these passwords for any reason ever again.
I made the mistake of assuming this once when I left a job. I deleted every "old" password related to that job, and thought I was fine. That was until I needed to log into my old HR platform to access tax documents 6 months later.
1Password's Archive gives you an easy place to toss these "old" passwords, with the confidence that if you do ever need them again for any reason, they'll still be there for you to go and find.
3b. 1Password makes sharing passwords with family a lot easier
LastPass conflates the concepts of item organization and item sharing. With a LastPass family subscription, the way you share passwords to other family members is to move the password from whatever folder you wanted it in into a special "Shared-" folder.
So if you have a folder in LastPass where you normally put all passwords of a certain type, e.g. Streaming, in order to share that password with your family you have to move it into a different folder, Shared-Streaming. So your streaming passwords are now split up between two different folders. That's kind of annoying.
In 1Password, you share with family members by creating different "Vaults". Conceptually, a "Vault" is similar to a "Shared-Folder"; but for me there are some meaningful differences:
- Vaults are not the primary tool for password organization in 1Password (that's where favorites and tags come in). A vault's primary purpose is for sharing (think of having different safes in your house and giving different people the combination to different safes).
- LastPass "Shared-" folders inter-mingle too easily with regular folders. Vaults are distinct; you only have a few of them and they are not intermingled with Tags.
- You can name vaults whatever you want, they don't have to begin with "Shared-" (the detail oriented folks out there will understand)
3c. Tags are better than Folders
LastPass uses folders for organization, 1Password uses tags.
Any users of Gmail will immediately recognize the concept of tags and why they're inherently superior to folders: an item can only be in one folder, but it can have any number of tags.
By eliminating folders, 1Password also eliminated the dreaded LastPass (none) folder. This is the place in your LastPass vault that all items that don't have a folder specified go. I'm pretty sure its intended purpose is strictly to shame you for having an unorganized LastPass vault.
I had dozens of folders and subfolders in LastPass (> 50). But when I moved over to 1Password I realized that most of those folders served no purpose whatsoever. Or said another way, looking at those items together as a group provided no benefit. The only reason the folders existed was to get them out of (none). I currently have 9 1Password tags.
3d. 1Password has built in "2FA codes"
You know your Authenticator app, right? The app on your phone that generates Time-based One Time Passwords (TOTP). You might use Google Authenticator or Authy, or even LastPass Authenticator.
1Password (mostly) replaces the need for that app. When you sign into an app that has 2FA configured in 1Password, the 2FA code will automatically be copied to your clipboard, so that without a single extra click or even picking up your phone, you can just paste the code right into the site and go.
Isn't not involving your cell phone (a 2nd device) less secure?
Short answer: No. If you keep passwords on the same phone that you have your Authenticator app on (which most everyone does) then you don't actually have a "2nd factor". You're better off spending your time focusing on keeping your 1Password master password long and secure.
1Password's head of security has a much more in-depth write up on that topic here.
Pro tips for using 1Password as your Authenticator app:
- The "Scan QR code" button seems to be broken on the Mac app currently; use the one in the browser extension instead
- If the site doesn't give you a QR code, and instead only the "copy this code into your app" function, 1Password supports that too; it's just not as obvious.
  - Choose Edit on the password you want to save an OTP code for
  - Choose add another field
  - One-Time Password
  - Paste the code you copied from the website
  - Done! That process is equivalent to scanning the QR code.
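Why the two routes are equivalent, as an added example that is not part of the original post and not 1Password's code: the QR code just encodes an otpauth:// URI whose secret parameter is the same base32 string a site shows for manual entry, and the 6-digit code is derived from that secret and the clock (RFC 6238). The URI, account name and setup key below are constructed sample values built from the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample values (the RFC 6238 test secret), not a real account.
QR_PAYLOAD = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
MANUAL_CODE = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"  # as a site might display it


def normalize_secret(text):
    """Decode a base32 setup key, tolerating spaces, dashes, lowercase and missing padding."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def secret_from_qr(payload):
    """Pull the shared secret out of the otpauth:// URI that the QR code encodes."""
    uri = urlparse(payload)
    if uri.scheme != "otpauth" or uri.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(uri.query)
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    return normalize_secret(params["secret"][0])


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits (the common defaults)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    import time
    now = time.time()
    print("from QR code:   ", totp(secret_from_qr(QR_PAYLOAD), now))
    print("from typed code:", totp(normalize_secret(MANUAL_CODE), now))
```

Both lines print the same code at any given moment, which also means anyone who obtains the setup key or a screenshot of the QR code can generate your codes, so treat both as secrets.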
3e. 1Password has native apps for your computer instead of just a browser extension
Using a native app to organize your saved passwords is just a better experience. It also lets 1Password use features like Touch ID and Apple Watch integrations that only native Mac apps have access to!
3f. 1Password supports saving multiple different websites for the same credentials
I've encountered a number of websites over the years that have let you log in at a couple different urls. Or sometimes you need to log into multiple different subsystems of an app that share the same credentials (like corporate SSO for example).
LastPass makes that a real pain to deal with. You have to duplicate the login credentials over multiple LastPass entries, and then LastPass will yell at you for having "duplicate passwords" unless you dig deep into the settings and configure "Equivalent Domains". What a nuisance.
In 1Password, you can just add another website when editing an existing entry. Couldn't be simpler.
3g. 1Password has first class support for multiple accounts
If you use LastPass personally, and your workplace uses LastPass to store shared credentials, you're shit out of luck. You cannot sign into multiple LastPass accounts at the same time.
The only solution is to either never access personal passwords in your work browser, or copy personal/work passwords to the other vault.
1Password lets you sign into multiple accounts at the same time and easily switch between them.
3h. 1Password has customizable fields on every entry
A LastPass entry has a set number of fields depending on its type. A password type entry will have a name, url, username, password, and notes. And that's it. If you want to save any extra information about that site it has to go in the notes field.
1Password entries feel kind of like a "phone contacts" application in that you can add any number of different types of fields to the entry.
4. Things LastPass does better
I have kind of torn LastPass to shreds in this article, and I think rightly so. But there are a couple things that I think they do better than 1Password; features I would like to see 1Password adopt:
4a. LastPass lets you search on the Notes field
The Notes field is a catch all for credential entries. You can put any helpful information in notes for that entry. One common thing I like to include in notes are some aliases to help me find this entry later.
For example the HR software that my company uses is called DayForce. But I can't remember that name for the life of me. So I always search for one of the aliases that I entered in the notes field ("SkySlope HR") and it pops right up in LastPass.
But 1Password doesn't search on the notes fieldddddd!!!!
What the heck, come on guys.
4b. LastPass lets you share passwords with people outside your family subscription
In LastPass you can share any password with any other LastPass user. Doing so frequently is annoying because the share has to be managed inside of that one password, and you have to re-enter the email every time, but nonetheless it's a nice feature to have.
1Password only allows you to share passwords to one of the other people in your family or organization subscription.
4c. LastPass lets you save arbitrary form data
LastPass has a "Save All Entered Data" option for saving all the data you typed into long forms. I personally use this feature for testing websites, but it's useful for any repetitive form-filling.
1Password doesn't appear to have anything similar.
5. A Feature both are lacking
The ability to control which entries are suggested for auto-fill at which time, and easily toggle between them.
Say, for example, that you only want it to suggest your work passwords when you're at work, and your home passwords when you're at home. Or you have a vault/folder that contains family member accounts that you need access to once in a while to help them do something.
5a. LastPass has Identities
LastPass identities are, in concept, exactly what I'm looking for here. Each identity has certain passwords that are only suggested while you're acting as that identity or when you're acting as the "All" identity.
But it's far from perfect:
- The experience of moving sites between identities is frustratingly difficult
- The new browser plugin popup doesn't let me switch between identities (without going all the way into my vault). This feature existed before their recent re-skin of the browser plugin popup.
- When adding a new site, it gets added to whatever identity you currently have active.
  - That makes sense when you first think about it but is frustrating in practice. You never think about which identity is active when saving new credentials, which means that later you have to go figure out where your lost credential ended up and then move it to the correct identity (probably "personal" or the equivalent).
  - At least let me choose the default identity that new credentials should always be added under (probably "personal") [1Password does let you choose which vault to add new credentials to by default]
  - But preferably, let me choose which identity these credentials are added to in the creation process
  - A configurable default would also be nice here
5b. 1Password has nothing of the sort
1Password does not have a way to only auto-fill credentials from a certain "active" vault.
What they should do is (this does not currently exist):
- Let me right click on a vault and choose Make active vault, and then only auto-fill credentials from that vault
- If I want to auto-fill from all vaults again, I would right click and Remove active vault on that same vault I originally made "active"
Boom, done.
The closest 1Password gets to something like this is the ability to Disable Vaults. If this setting could be toggled more quickly, it might be an acceptable solution to the problem.