My Profile Photo

Sheogorath's Blog

Password safes - LastPass vs. Bitwarden vs. Keepass vs. Pass

on

Password safes are maybe one of the most important tools these days when it comes to security in our online life. I use them every day, multiple times and already wrote about it here. You can go for my KeePass article or the LastPass article of my co-author Alex.

All in all, I want to compare these password safes now in a few fields like UX, official support, security, pricing, and licensing.

LastPass

LastPass is maybe the most popular password safe in the world and very good in their marketing. They provide a modern UI and have clients for all major platforms including modern browsers as well as a desktop and a CLI application.

UX

From a UX perspective, LastPass is for sure the most user-friendly service in this comparison. The modern design allows very intuitive usage and since they provide clients for all browsers as well as your smartphone, you can also easily integrate it, in your daily web workflow.

Official support

Since LastPass provides ready to use clients for all kind of platforms it also supports them officially, which means people don’t have to trust another 3rd party tool.

But they also provide an API so 3rd party tools can be written, which makes it nice to integrate LastPass with own applications.

Security

When it comes to security LastPass becomes a bit difficult. There were multiple security flaws in LastPass that were published in the past few months. They are fixed now (as far as I know), but there was one, based on the previous, so the security work is maybe not perfect. On the other hand, they fixed these issues very fast.

Anyway, they provide bug bounty for security flaws which help to improve the security of the program and makes it less attractive to abuse security problems.

Last but not least, many people have concerns with storing their passwords in a cloud. Right now, LastPass doesn’t support a local use only and the only way to sync passwords is to use their cloud service.

Pricing

LastPass provides a free as well as a paid version of their service. The paid service costs $2 per month, which means $24 for a year. That’s pretty cheap and allows you to access additional security features as well as the usage of the desktop client with native fill-in to desktop applications.

I personally used it without a paid subscription. The free version was okay, for me.

There are additional plans for business use-cases and organizations.

License

As a FOSS person the license is important to me and here LastPass is a disappointment because it’s totally proprietary. The servers as well as clients.

The only client project they provide under a free license is the lastpass-cli and it’s published under GPL-2.0.

Rating

UX: ✱✱✱✱✱
Official support: ✱✱✱✱✱
Security: ✱✱✱
Pricing: ✱✱✱
License: ✱

Bitwarden

Bitwarden is an awesome project as password safe. It works similar to LastPass but is 100% FOSS. Clients, as well as servers, are provided under GPL or AGPL and it provides a modern UI.

UX

From a UX perspective, Bitwarden is very intuitive for non-tech users. They also provide very understandable help section on their website which allowed me to migrate from LastPass to Bitwarden in less than 5 minutes.

But they are still a young company with a lot of products, which sometimes let you run in a dead end. So it’s already easy to use, but some places still need work.

Official support

Right now, Bitwarden provides a web-extension for all major browsers including the tor browser. They also provide a mobile app and web access to your vault on their web page as an in-browser app.

A native desktop application as well as and CLI version are planned but not finished yet.

Security

Here it comes to a problem.

As well as LastPass, Bitwarden only supports storing your passwords in a cloud. Of course, they are encrypted with your master password and they also allow 2 factor-authentication, but I couldn’t find any security audit of their backend.

The good news is: Their backend is open-source as well, so you can host and audit it yourself.

So this is now a question of trust. If you are interested in this topic you can easily follow the GitHub issue about it.

Update 2018-11-12: There is now a security audit along with a blog article about it.

Pricing

For private people, Bitwarden provides two plans. The free plan is the default plan and includes all basic features. It’s comparable to LastPass free plan, but without ads and you can use all applications including the upcoming desktop application.

The premium plan only costs $10 a year and is way cheaper than LastPass. It provides additional features like extended 2FA features for login to your password safe, 1GB storage and priority support.

As well as in case of LastPass I stayed with the free plan.

There are additional plans for business use-cases and organizations.

License

From the licensing perspective, I love Bitwarden.

Their entire applications are provided under a free license: GPL-3.0 or AGPL-3.0.

But there are some features require a premium license to use. I’m not sure how this works, but and how this impacts the AGPL but if you want to follow the GitHub issue you’ll probably learn it.

Rating

UX: ✱✱✱✱
Official support: ✱✱✱✱
Security: ✱
Pricing: ✱✱✱✱
License: ✱✱✱

Update 2018-11-12: The security rating is definitely no more correct. I would tend to put it to 4-5 stars from today on. Please notice that due to the nature of the article, I’m not about to change the rating, since this would require me to rework the whole thing for each password manager.

KeePass

KeePass! The first password safe I used and very popular from the old times. It’s basically completely offline and designed as own application. It provides rock solid and proven security and has a standardized file format called .kdbx.

It’s provided for all major Linux distributions as well as Windows and MacOS.

UX

From a UX perspective, KeePass is very old school. It looks like a Windows XP application, but once you created your password file it’s very straightforward. You create a new entry, get a pre-generated password and simply add the details you need to identify the password later. You can also add a web address or similar, where you want to use the password. Once you did that, you press save and it’s done.

KeePass is very extensible as I already mentioned in my previous article. When you use plugins it becomes a bit difficult. You need to install them into the right location and since they are all 3rd-party you have to trust the authors or check them yourself.

Official support

KeePass provides an awesome collection of plugins on their web page, but you have to keep in mind, they are all no officially supported. If they work, fine, if not, well, not a KeePass problem.

But what KeePass provides by default is an auto-fill into the most application by simply send the key presses to the application.

When it comes to supported platforms, they list various Linux distributions as well as Windows and MacOS. But of course, since .NET is built by Microsoft the best experience for KeePass appears on Windows.

Since the KeePass file format is standardized there are various alternative applications that can read and write .kdbx files

Security

When it comes to security, KeePass is one of the most secure applications in this comparison. It doesn’t use any cloud by default and allows you to encrypt your password with a master-password and a cryptographic key file. This way even when your password database is stolen, it’s way more secure than the usual master-password-only setup, that LastPass and Bitwarden provide where the second factor is only used to prevent access the database on their server.

You can place this key file on an USB device and carry it with you around so even when your notebook is stolen your passwords are safe.

Pricing

KeePass is free. And since it’s a local program only, there is neither a cloud version nor premium feature.

But of course, they love donations: https://keepass.info/donate.html

License

KeePass is a wonderful free & open source software. 100% GPL-2

Rating

UX: ✱✱✱
Official support: ✱✱✱
Security: ✱✱✱✱✱
Pricing: ✱✱✱✱✱
License: ✱✱✱✱✱

Pass - The password store

Pass is a command line-based password safe that manages all your passwords in a git repository encrypted with your GPG key.

So if you are familiar with both technologies, it’s a perfect solution.

UX

Since pass is a command line utility, it’s not very perfect for non-tech people that jump out of windows when a black box with white letters appears on their screen.

But for those who are familiar with git, it’s super easy to use. pass generate <someidentifier> generates a password, encrypts it with your GPG key, stores, and commits it to the repository in one step. As identifier, it’s recommended to use a webpage.tld/username-scheme but that’s it.

It also allows you to store normal files in it. Simply use the -m flag. This as well as, when you edit your password, will open your default editor (in my case vim) with the file content and let you insert all you need.

And since it uses git as data store, you can simply move your passwords around as any other git repository. For example, I use a private GitHub repository as my personal password cloud storage.

Official support

Pass is a command line tool only. So it’s feature setup is also only around the CLI. But everyone who uses the command line on a daily basis knows the power of UNIX. And that’s why there exist a lot of other tools that simply use the output and pass it to your target application. A browser, another CLI tool, even Ansible has a wonderful integration for pass.

Security

When it comes to security it’s as secure as gpg and git. Both are very well known and used programs and proven to be secure.

And since it encrypts every password like this, using asymmetric encryption, it’s maybe even more secure than KeePass with a key file.

Pricing

It’s free. No premium features, no cloud storage.

License

It’s free and open source software. Licensed under GPL-2.0+.

Rating

UX: ✱✱
Official support: ✱✱
Security: ✱✱✱✱✱
Pricing: ✱✱✱✱✱
License: ✱✱✱✱✱

Conclusion

All in all, all password safes are usable. LastPass and Bitwarden are very easy to use and something I would suggest to my parents. While KeePass is a bit more difficult to use and of course, they don’t provide an official plugin for browsers.

Pass itself is not very perfect for people who don’t like CLIs. But there are various 3rd-party GUIs and nice integrations made by the active community. So maybe they are better for you.

I use and used all password safes for a while. I switched from LastPass to Bitwarden for my typical browser passwords, because I like the fact that they are Open Source. I use KeePass for my very sensitive passwords and recovery keys and pass for everything I deploy with Ansible. So there are many different use cases out there.

Which password safe is the perfect for you? That is a question you have to answer yourself. But if you decide which one it is, let me know in the comment section.

Keep your passwords safe!

Update 2018-11-12: Please notice the updates to Bitwarden are not put into account for the conclusion, since I’m not about to rework the entire article.