Password Managers: LastPass vs 1Password vs Bitwarden vs KeePassXC

A brief comparison of top password managers - LastPass, 1Password, Bitwarden, and KeePassXC.

In a recent post, I talked about the need to replace passwords with more secure forms of authentication. While the industry is taking steps in this direction, a truly passwordless future is several years away. In the meantime, good password hygiene is of utmost importance to reduce our exposure and resulting data loss.

While there are different streams of thought on password hygiene, I believe that the best password is one you don't have to remember. Barring a handful of passwords (social accounts used for recovery, critical financial institutions, device passwords and, of course, the master password used to unlock the database), you should consider a password manager for everything else. Are you a techno-enthusiast, early adopter who loves to sign up for new services? You most definitely should use one. Modern password managers are generally secure, easy to use, and sync across devices; overall, a much better bet than remembering passwords.

The table below explores standalone personal solutions only, and excludes native options offered by OS/browser vendors, e.g. Apple iCloud Keychain or Google Password Manager. It also ignores Enterprise or Business features and pricing plans, as well as dedicated corporate solutions like HashiCorp Vault. Granted, this list does not cover all the password managers out there, but it would be my short list of options if I were searching for one today.

One other thing - support for hardware security keys was high on my list, so I've only included options that support security keys, e.g. YubiKey (USB-A/NFC, USB-C/NFC or USB-C/Lightning).

| ⓒ alphasec | LastPass | 1Password | Bitwarden | KeePassXC |
| --- | --- | --- | --- | --- |
| Strong encryption | AES-256 E2EE | AES-256 E2EE | AES-256 E2EE | AES-256 / Twofish |
| Open source | No | No | Yes | Yes |
| Supported desktop OS | Windows, macOS, Linux | Windows, macOS, Linux, ChromeOS | Windows, macOS, Linux | Windows, macOS, Linux |
| Supported mobile OS | iOS, Android | iOS, Android | iOS, Android | No |
| Supported web browsers | Chrome, Firefox, Opera, Safari, Edge | Chrome, Firefox, Brave, Safari, Edge | Chrome, Firefox, Brave, Safari, Edge, Opera, Vivaldi, Tor | Chrome, Firefox, Brave, Chromium, Edge, Vivaldi, Tor |
| Two-factor authentication | Yes | Yes | Yes | Yes |
| - Hardware security key | Yes | Yes | Yes | Yes |
| - Biometric login (mobile) | Yes | Yes | Yes | NA |
| Secure password generation | Yes | Yes | Yes | Yes |
| Secure password sharing | Yes | Yes | Yes | No |
| Sync between devices | Yes | Yes | Yes | No |
| Password autofill | Yes | Yes | Yes | Yes |
| Password health dashboard (weak/reused/old) | Yes | Yes | Yes | Yes |
| Password leak detection | Yes (Enzoic) | Yes (HIBP) | Yes (HIBP) | Yes (HIBP) |
| Digital records wallet | Yes | Yes | Yes | Yes |
| Import passwords from | Browsers, password managers, CSV | Browsers, password managers, CSV | Browsers, password managers, CSV, more | 1Password, CSV |
| Export passwords to | CSV, XML | CSV, 1PUX | CSV, JSON | CSV |
| Emergency access/recovery | Yes | Yes | Yes | NA |
| Pricing (individual plan) | $36/year | $36/year | $10/year | Free |
| Free plan | Yes | No / 14-day free trial | Yes | Yes |

So, what's the verdict? Clearly, each option has strengths and weaknesses, and your decision will boil down to your use cases, pricing or must-have features. LastPass is very easy to use and has a generous free tier, but has been plagued by security issues recently. 1Password is quite popular among security enthusiasts, but does not offer a free tier. Bitwarden is open-source and offers a free as well as an affordable premium tier. Finally, if you do not want to sync passwords over the internet and prefer a local database, KeePassXC offers a good open-source option.

Update: If you got here reading about the latest LastPass breach, I no longer recommend using LastPass due to their extremely cavalier attitude. I've been in security long enough to know that breaches are inevitable, but a poor response is not. If you are affected by this breach, read this post for implications and next steps.
