People are creatures of habit. Nerds, doubly so. That’s why we all had that one job that was still using a DOS inventory management program on its computers well after 2000, and it’s why we’re still getting Pokemon games while some of the original “gotta catch ’em all” generation are now grandparents. It takes a lot to change the way a nerd does things, is my point.
And on that note: LastPass. I was a happy user of LastPass for years, and an evangelist of the service for my less technical friends and family. (No, Aunt Laura, you can’t just have “password1” as your password for everything.) But if you’ve been following the news lately, you know that LastPass and its parent company GoTo have been getting an absolute shellacking among users of all levels after a series of high-profile hacks.
LastPass deserves no sympathy
Now, a company getting hacked isn’t necessarily its fault, and it doesn’t necessarily indicate any kind of deficiency. After all, criminals are criminals, and they’ll hack any high-profile target that they can. But in the case of LastPass, the hacks absolutely were its fault — a series of lax security standards and vulnerabilities to targeted phishing attempts were how the malefactors got in.
And perhaps more damning, LastPass’s failure absolutely indicates a severe deficiency. Aside from the general convenience of remembering your passwords for you, keeping them safe from prying eyes is LastPass’s entire business model — and one that it charges you for if you want to use it on more than one device. If you’re going to ask people to pay for basic functionality, functionality that’s built into the base level of operating systems and browsers at this point, you had better nail it.
LastPass did not nail it. And with the scope of its failure, it’s hard to see how anyone can trust the company ever again. If you need a reason to get rid of software you’ve been using for years, it’s hard to think of a better one than putting every single bit of your online life in danger.
A few alternatives
But I’m still human, and I have [checks notes] one hundred and forty-two different websites and services that I have to log in to separately at this point, and that list is only growing. So a password manager, and moreover, a password manager that’s both reasonably secure and cross-platform, is a necessity for both my personal and professional lives.
At this point there are several options if you want to ditch LastPass. I tried 1Password, and in full disclosure, I did this because the company offers free upgrades to its premium service for members of the press. But unlike LastPass, there’s no free version of 1Password, just a free trial, and I felt like that makes it something very difficult to recommend to the average user. I ran into the same issue with PCWorld’s pick for the best overall password manager, Dashlane, which only offers access on one device on its free tier.
Enter Bitwarden, PCWorld’s favorite free password manager, and the password manager that sells itself on being open-source. That doesn’t actually matter to me personally, since I can code software about as well as I can practice alligator dentistry. But there’s a bit of comfort knowing that there’s an army of nerds that can check Bitwarden’s work if they want to. And since, again, this is a company you’re trusting with the keys to your proverbial castle, they’re motivated to do so.
The ups and downs of Bitwarden
“Open-source” comes with a few expectations. One is that it’s free, or at least has a free option. Check: Bitwarden’s free personal tier gets all the basic functionality of storing and recalling passwords, plus the essential extra of a randomized password generator. (This is absolutely something you want, unless you’re great at inventing 14 randomized characters at the drop of a hat.) And as a plus over both LastPass and 1Password, the free tier includes access via apps and browser extensions on unlimited devices. That’s hard to beat.
Another expectation of open-source is a somewhat lackadaisical attitude towards the user interface. Alas, this too is the case. Bitwarden’s UI is frankly ugly and a bit janky next to its competition. But after using it for a few months you get the ins and outs of its mostly menu tree-based system…if only by dint of going through each and every menu looking for that one little tweak.
Bitwarden is also missing a few creature features. For example, though the Windows app is more or less redundant if you have a browser extension, you can’t set up access to your vault via Windows Hello fingerprint or face scanning without it. That’s despite the fact that Chrome can handle Windows Hello authentication on the web just fine. Bitwarden’s mobile apps are similarly unintuitive — at least once a week I have to manually copy and paste my credentials into some app or another.
You can’t beat free
But despite that jank, it’s hard to argue with Bitwarden’s value proposition. You only need to pay for some extra authentication features and premium access to support, and even that’s shockingly cheap at just $10 a year. So I’ll continue to use Bitwarden for myself, and recommend it to my friends and family, except for those few who are willing to pay for a good-looking menu interface.
…and even then, I’ll recommend 1Password over LastPass, at least for the foreseeable future. Because 1Password has yet to have a catastrophic hack or leak…that we know about. That’s how you change a nerd’s habits: Give them something free, functional, reliable, and when it comes to security software, something trustworthy.