Friday 22 February 2019

Password Manager Showdown: LastPass vs. 1Password

Until a better security standard is accepted by everyone, we're stuck using usernames and passwords.

You're not going to remember the kind of long, gibberish passwords that work best—something like E%LDMfND4LAQFSfi%c9ujmwwo#MEpT doesn't exactly stick in your memory or lend itself to being typed out. That means most people just don't bother with strong passwords. Using a password manager fixes that, letting you use strong passwords everywhere while only having to remember a single master password.

Of the best password managers on the market, two have taken the lead as the most popular: LastPass and 1Password. So, how do they stack up against each other?

Common Features and What We Looked For

1Password and LastPass both generate and store all your passwords, keeping them in a vault that you can use across all your devices and filling them in for you on websites you visit. Both use one master password to secure your vault, meaning you only need to remember one password to access all of your accounts.

Because you use these services in connection with all your other apps, subtle differences in how they work can have a big impact, namely for ease of use. How easy is it to share logins with other people? How about changing your passwords? Or toggling between multiple accounts?

Here are the features we're highlighting in our showdown. Jump to the one that matters most to you, or skip ahead to the end for a complete feature comparison.

Apps and Platform Compatibility

LastPass and 1Password both have robust app support across many platforms

A password manager isn't very useful if you can't use it everywhere. If you're going to have passwords that are difficult to remember and type in, you're going to need the software to help you enter your passwords no matter what site you're on.

Overall, platform compatibility is not a huge point of differentiation between the two services. LastPass has slightly more robust support for obscure browsers and operating systems, but unless you're using Windows Phone, it's unlikely that's going to be a deciding factor.

LastPass 1Password
Chrome, ChromeOS Yes Yes
Firefox Yes Yes
Opera Yes Yes
Safari Yes Yes
Edge Yes Yes
Internet Explorer Yes Yes*
iOS Yes Yes
Android Yes Yes
Windows PC Yes Yes
macOS Yes Yes
Linux Yes Yes (command line)
Other Dolphin browser for Android
Windows Phone
Windows RT
N/A

*The Internet Explorer extension for 1Password requires you to use 1Password 4, an old version of the software that doesn't receive feature updates anymore, only security updates.

LastPass and 1Password operate almost identically on mobile platforms, since Android and iOS both support password management and autofill. Both services also have browser extensions for Chrome, Firefox, Safari, Opera, and Edge that work similarly.

On the desktop, however, there's a bigger difference. 1Password has local apps for Windows and Mac that you can use offline to access your passwords or any other information you have stored in your vault. Chrome OS has a browser-based app, which is common for apps on the platform, and there's a command-line tool for Linux.

Notably, 1Password requires the desktop app to be installed in order to use the browser extensions. However, the company offers an alternative in 1Password X. This second browser extension is billed as "the future of 1Password," but it's not the present.

Currently, 1Password X only works on Chrome, Firefox, and Opera. So far, there's no Safari version, and it's not quite as fully featured as the regular app/browser combo—for example, its password generator isn't as robust. But it conveniently lacks the requirement for a desktop app, which also makes it accessible on Linux. For clarity's sake, we'll be focusing on the regular version of 1Password for the bulk of this comparison, but if you're on Linux or don't want to download a full app, this option might be for you.

LastPass, on the other hand, has a more complicated desktop app situation. The company offers a "universal installer" for both Mac and Windows that will download browser extensions for every browser, or you can download them all individually. On Mac, there's a whole desktop app that lets you access your vault, but on Windows this app is no longer maintained. You can use a local app called LastPass Pocket, but even the company itself doesn't recommend it as it's not supported anymore. Instead, LastPass recommends that you use a combination of browser extensions and mobile apps. Finally, on Windows there's a utility called LastPass for Applications that will attempt to add autofill to non-browser logins. Though, from experience, this doesn't always work.

Overall, the differences between the services exist only on the edge cases. Both apps support most major browsers and operating systems. However, if you want to use a local app for offline use, you may want to consider 1Password. If you use a more obscure platform like Dolphin Browser for Android or Linux, then LastPass might have more for you.

Setting Up Your Vault

LastPass and 1Password are both easy to set up, especially if you already use saved passwords.

LastPass pop-up after logging in with a new account, confirming that you want to add it to your vault

Both services require you to create an account to begin. Like any other web service, you enter and verify your email address, select which plan you want to use, and create a password. Since this password will protect all of your other passwords, you'll want to make sure it's strong and that you never use it anywhere else. So take some time to create a long, hard-to-guess password.

The main difference in the setup is that 1Password also gives you a secret key, which you'll need to access your vault on other devices. LastPass requires just your master password, while you can't get into your 1Password vault without your master password and secret key. This gives 1Password a slight edge in making unauthorized access to your vault more difficult, without much extra inconvenience.

So, now that you have an account, how do you get your password vault up and running? It depends where you're coming from. If you've been using another password manager or saved passwords in your browser, you can import them into LastPass or 1Password.

Both work similarly: You export a .csv or .xml file from your old password manager, then import that file into your new one. You can do this on the web from 1Password's dashboard by clicking [Your name] > Import. LastPass doesn't seem to have an import option through the web app, but you can use the browser extension. Click the icon in your browser bar, then select Account options > Advanced > Import.

If you don't have saved passwords, then you need to build your vault, which refers to all the logins you have stored in your account (1Password also refers to smaller, more specific groups as vaults, while LastPass calls them folders). Both make this pretty easy to do. Install the extension in your browser, and then log in to any given website like you normally would. Once you've logged in, there will be a pop-up on the screen, asking if you want to add the login to your collection. Go about your web browsing like normal, saving your sites as you log in, and you'll have your vault built up in no time. It works similarly on mobile. When you log in to a recognized app or webpage, it'll save the login information to your vault.

Both apps also let you add passwords to your vault manually. In the 1Password browser extension, click the settings icon and select Save new login. In LastPass, click the extension button in your toolbar and select Add item, then Password (or whatever kind of information you want to add), which opens a screen where you can enter the web address, username, and password. LastPass will automatically fill in the URL for the site you're on, while 1Password will also offer to update existing logins for the site you're on, if you already have one in your vault.

Given how well both apps tend to capture passwords when you first log in, though, you're unlikely to need to use this feature often. On the whole, both make it easy to add your existing passwords to your vaults, whether it's all at once or over time.

Logging In to Your Accounts

LastPass is more streamlined, while 1Password manages multiple account logins more easily.

On the left is the LastPass dropdown for account selection. On the right is the 1Password dropdown for account selection.

If LastPass recognizes a login page, it fills the username and password fields in by default, letting you just click the sign in button and be on your way. If it doesn't recognize the site or you want to use a different account, you can click the LastPass logo in the login box which will open a list of your accounts connected to that site. Click the account you want to log in with and LastPass will autofill that username and password.

1Password is a little different. You can click on the 1Password extension icon in your browser's toolbar to see a list of your available accounts related to the site you're on. Click on one of them, and it will automatically fill in your username and password. Alternatively, you can click on the username or password fields, and press Command + \ (Ctrl + \ on Windows). This will automatically enter whatever credentials 1Password thinks are most likely to be the right one. If you'd rather pick from a list of accounts, you can press Command + Option + \ (Ctrl + Alt + \ on Windows) to pull up a dialog box that will let you choose which account you want to log in with. Alternatively, you can right-click, select 1Password, and then select your account.

LastPass wins on speed. Having your password automatically filled in as soon as the page loads is just faster and easier. But 1Password is easier to use on websites where you have multiple accounts, so it may be preferable if you have many different accounts on most of the websites you use.

Creating New Passwords

LastPass and 1Password both have robust password generators, with a slight edge to LastPass.

On the left is the LastPass password generator. On the right is the 1Password password generator.

The best passwords are long, random ones you can't remember. Of course, humans aren't good at creating actual randomness, which is why LastPass and 1Password have password generators to take care of that for you.

With LastPass, whenever you're creating a new account, you'll see an icon in the password field that you can click to create a random password. If you select Generate and fill, it will generate a password and enter it into the password and confirm password fields. Once you create your account, it'll update your vault. This doesn't even give you a chance to see the password, so it's secret even from you.

You can choose More options to change the parameters, like the length of the password, whether or not it includes numbers or special characters, and even an option to make the password easy to read or easy to say out loud. These last options are especially helpful for passwords you might still need to interact with, like your Wi-Fi or Netflix password.

1Password works a little differently. To generate a password, click the 1Password extension icon in your browser's toolbar, then click the dial labeled Password Generator. You can customize the parameters to make a long nonsense password or a passphrase made up of random unrelated words and tweak things like whether it uses numbers or symbols or which symbol is used to separate words in a passphrase. Once you have a password you like, you can copy and paste it into the password field.

This method takes a few more steps than LastPass, but if you're using the more experimental 1Password X, you'll see a box appear below the password field without having to click anything at all. You can just click to accept the suggested password and be on your way.

LastPass is generally easier to use than 1Password's standard browser extensions, but if you use 1Password X, then they're on equal footing. If a site has special requirements for passwords, the generator in LastPass is slightly more convenient to tweak, though 1Password's generator opens in a separate window which can be handy.

Changing Your Passwords

LastPass has a strong edge with the experimental Auto Change Password feature.

LastPass vault open to a site with the Auto Change Password feature
LastPass vault open to a site with the Auto Change Password feature

It's best practice to change your passwords every once in a while. And even if you ignore those best practices, you'll eventually get locked out of an account or a website you have an account on will get hacked. Regardless, when it comes time to change your password, LastPass and 1Password will both attempt to pick up the new password and update your vault. LastPass gives you a brief pop-up telling you that it's changed the password in the vault, while 1Password will ask if you want to use the new password. LastPass's approach is more proactive, but 1Password gives you more flexibility.

More importantly, both services have ways of letting you know if your password is out of date or needs to be changed. LastPass has a feature called the Security Challenge that will scan your database for duplicate, weak, or old passwords, as well as comparing your passwords against a database of known security breaches. All of this adds up to an overall security score that will tell you just how safe your online life is.

The feature will also tell you in what percentile of LastPass users your security practices rank. When it comes to security, it's often less important to be perfectly impenetrable than it is to be more secure than someone else. This standing score can help give you some perspective on how good or bad your practices are.

1Password's Watchtower offers similar features, but a bit more directly. In the sidebar of the desktop app, you'll see several categories like Compromised Logins, Vulnerable, Reused, and Weak Passwords, as well as Unsecured Websites. This helps you actively keep track of security risks. 1Password doesn't offer any kind of scoring system, but it does make it easier to keep an eye on when you need to change your passwords.

All that said, LastPass has one ace up its sleeve: Auto-Change Password. This experimental feature allows you to click one button to automatically change your password on up to 75 websites including Facebook, Twitter, Amazon, and more. In your vault, some entries will say Auto Change Password under the password field. Clicking that opens a new tab, navigates to the password change page, generates and submits a new password, and updates the vault for you.

The process can take a minute or two—and you might need to manually enter a two-factor authentication code if you have that enabled—but otherwise you don't have to do anything. Even if the feature is only supported on a relatively small number of websites, it's incredibly useful and it's a clear edge over 1Password.

Sharing Logins with Others

LastPass has more features on the low end and includes sharing outside of teams.

The sharing center in LastPass, opened to share a single login with another user
The Sharing Center in LastPass, opened to share a single login with another user

When it comes to sharing login information with others, LastPass has a clear advantage on the cheaper plans. Even a free personal LastPass account can share logins with others. In the Sharing Center section of the web app, you can enter a colleague's email address and choose which items to share with them. You can even hide the password, letting them log in without letting them see the password in their vault. Since 1Password doesn't even offer a free tier, this is a strong advantage.

At the high end, the two are much more similar. Both 1Password and LastPass accounts at the family, team, and enterprise levels let you create "vaults" or "folders" containing multiple logins to share with your team. That allows you to share sets of passwords with specific groups, e.g., your Marketing team. Each service has a dashboard to manage who has access to what: The admin can give permissions to view and change all passwords, or restrict what can be done with them on a user-by-user basis.

The big difference between the two apps is how they think about sharing: 1Password works exclusively in vaults, while LastPass lets you share both folders and individual logins. Sharing of individual logins is available on all LastPass plans, while 1Password has no similar feature. Both allow sharing with guests outside of your team/organization, but to share just a single login with 1Password, you'd have to create a vault with nothing more than that single login, which can be an administrative headache if you have to share different sets of logins with a lot of different people.

If you're just managing your team's or family's passwords, there isn't a killer feature to distinguish the two. If you have to deal with freelancers or anyone else that's not a permanent member of your team, then LastPass offers a lot more flexibility.

Data Storage and Protection

LastPass and 1Password both store data on their servers, but 1Password has an older, offline-only option.

Even though you store your data on LastPass or 1Password servers, they can't access your vault or any of your logins. All the data is encrypted, which means it's an incomprehensible blob of data if you don't have the encryption keys. Those keys are generated on your device using your master password (and secret key for 1Password), and those are never sent anywhere, even to LastPass or 1Password. This secures your vault against data breaches or social engineering attacks, but also makes account recovery more difficult.

If you're understandably wary of storing data on servers you don't control at all, then 1Password has an alternative. Older versions of the app allow you to store your password vault locally. You can even sync your data through services like Dropbox, so you control the space where your vault is stored. However, 1Password no longer updates or maintains the older versions of the app that you'd need to use this method. Generally speaking, it's not a good idea to use old, unsupported software for security, so we wouldn't recommend this method unless you have a very specific need for it.

Recovering Your Account

LastPass gives you more convenient options, while 1Password puts more control in your hands.

1Password's Emergency Kit, containing the information you need to recover your account
1Password's Emergency Kit, containing the information you need to recover your account

By using either of these services, you're taking security into your own hands. If you forget your master password or lose your secret key, you may be locked out completely. Neither LastPass nor 1Password can access your vault, so if you forget your master password, it can be an enormous hassle. Having said that, both services have ways to handle this.

In general, 1Password leans more toward the preventive style of handling disasters, but in doing so, it puts more of the responsibility in your hands. When you sign up, you'll get an Emergency Kit, which has your secret key, email address, and space for you to fill in your master password. They recommend printing and keeping a copy somewhere like a safety deposit box, though an encrypted copy kept offline—like on a USB stick you keep locked away—can also work.

If you're on a shared plan, someone on your team/business/family plan may be able to help you restore your account in the event you lose your Emergency Kit, or you can export your vault from a device that hasn't logged out. This page provides a list of options you can try if you get locked out of your vault. However, they all involve working around the access you already have. There's no method for the company to help you regain access to your vault.

LastPass, on the other hand, provides more convenient recovery methods. You can set up recovery through SMS codes or one-time passwords sent via email. The SMS codes are sent to your phone number and activate a locally-stored one-time password to unlock your vault, after which you will create a new master password. You can also get a one-time password sent to your email account, though these are specific to each combination of computer and web browser, so using one can be a little complicated.

This process can pose a mild security risk, since an attacker who has access to your phone or email could theoretically use the same process to get access to your vault. But SMS recovery codes are off by default, and emailed recovery passwords should be a little difficult to use since they have to correspond to the exact computer and browser. In other words, an attacker would have to also be using your computer for the recovery passwords to be useful. This page has more information about all of your recovery options.

Advanced Security Features

LastPass has more and slightly more robust features, while 1Password has some particularly compelling features.

Watchtower in 1Password, giving you an indication of how secure your passwords are
Watchtower in 1Password, giving you an indication of how secure your passwords are

There are a few extra features that aren't the main selling points, but may be useful for deciding which password manager you choose for your business.

Two-factor authentication

1Password and LastPass both offer two-factor authentication to protect your vault. Both work with many common authentication apps and hardware keys, with LastPass supporting slightly more. Unless you're using something obscure for security, it's unlikely this would be a deciding factor.

Emergency access

LastPass has an Emergency Access feature in personal and family plans, allowing someone to access your vault if something happens to you (such as illness, death, or disappearance). A trusted person can request access to your account at any time. If you don't refuse the request within a set amount of time, they get access to your vault, which you can revoke at any time.

Travel mode

1Password lets you set some vaults as safe for travel and others as not. When you turn on travel mode, the sites that are listed as not safe for travel are removed from your device. This is useful especially at border crossings where you may have to hand your phone or computer to the authorities, and also helps any time you're traveling with data that would be dangerous if lost or stolen.

Restrict access to particular countries

By default, LastPass only lets you access your account from the country you created it in. When traveling, you have to proactively allow it to let you access your vault from whatever country you're going to. This prevents malicious actors coming from another country from getting access to your vault.

Pricing

LastPass wins on price

LastPass 1Password Defining features
Individual Free basic; $2/month premium (billed annually) $2.99/month (billed annually); $3.99/month (billed monthly) Single user, access to all apps
Family $4/month, up to 6 users (billed annually) $4.99/month (billed annually); $6.99/month (billed monthly); Up to 5 users Multiple users, unlimited sharing between them, management dashboard
Teams $4/user/month (billed annually), 5-50 users $3.99/user/month (billed annually) The above, plus admin dashboard and user management
Business "Enterprise" plan starts at $6/user/month (billed annually) $7.99/user/month (billed annually) The above, plus dedicated customer support, advanced reporting, and advanced security policies
Enterprise Custom pricing for specific needs, $4/user/month otherwise Custom pricing Can be customized to specific business needs

LastPass is the cheaper option for almost every plan you're looking at. It has a free individual plan (which 1Password lacks), and most comparable plans are cheaper with LastPass, except the Teams plan which has identical pricing as 1Password. The difference per user is even more pronounced in business plans, so if cost is one of your main concerns, LastPass has a very strong advantage.

If you're an individual trying to keep your passwords more secure, you can use LastPass's free account and have most of the features you'll need. There's no free version of 1Password—there is a 30-day free trial, but anything past that will cost. The company has an option to manage vault storage yourself without a paying membership, but it's not actively supported anymore.

For personal plans, the differences are quite small: $2/month for one user with LastPass, versus $3/month for the same from 1Password. Family plans are similar: LastPass is $4/month for six users, while 1Password is $5/month for five users. Over the course of a year, the difference between each company is only $12, which is close to negligible depending on which features you need.

Team and enterprise plans have more complicated cost differences. LastPass has a teams plan that costs $4/user/month, and an enterprise plan that starts at $6/user/month. 1Password similarly has a teams plan for $3.99/user/month, a business plan for $7.99/user/month, and an enterprise tier with a custom rate. At the team level, 1Password and LastPass are essentially on equal footing, though LastPass has a limit of 50 users at this level. Anything more than that and you'll need to upgrade. At the business level, LastPass has a pricing edge, with a savings of around $2/user/month. If you have 50 users, LastPass is about $100/month cheaper, or $1,200 a year. Those savings add up. On the other hand, since 1Password doesn't have a user limit on Teams, you might not need to upgrade to Business at all, which could save you even more.

LastPass vs. 1Password: Which App Should You Use?

Both LastPass and 1Password are solid password managers, covering the majority of use cases you're likely to run into.

LastPass is the cheaper option and it's the only one that offers a free version. For the extra money, 1Password offers local apps, a more polished UI, and a somewhat firmer security stance. If you'd rather store your vault locally or if you prefer the secret key approach that adds one extra step to getting into your account, then 1Password is probably for you. If not, then LastPass offers more features for less money.

Finally, here's a side-by-side comparison of the two:

LastPass 1Password
App and platform compatibility Windows, Mac, iOS, Android, Chrome, Firefox, Safari, Opera, Microsoft Edge, command line, Debian, Ubuntu, Windows RT, Dolphin Browser Windows, Mac, iOS, Android, Chrome, Firefox, Safari, Opera, Microsoft Edge, command line
Setting up your vault Import feature from browsers and other password managers; accounts added as you log in Same as LastPass
Logging in to your accounts Login information filled in on page load; select account from a list Login information filled in when you click browser extension
Creating new passwords Password generator accessible when creating passwords Passwords generated using browser extension
Changing your passwords Use password generator when on change password screen; experimental "Auto Change Password" automation feature Use password generator when on change password screen
Sharing logins with others All plans can share with individual users outside your team; family, team, and enterprise have robust shared folder features Family, team, business, and enterprise plans have robust shared folder features
Data storage and protection Encrypted vault stored on LastPass servers Encrypted vault stored on 1Password servers; option to store vault offline (not actively supported)
Recovering your account Password hint, SMS codes (can be disabled), one-time passwords (tied to machine and browser) Password hint, Emergency Kit
Advanced security features Two-factor authentication, security check, emergency access, restrict to countries Two-factor authentication, Watchtower, travel mode
Pricing Free basic individual plan, $2/month premium individual, $4/month family (up to 6 members), $4/user/month teams, $6/user/month enterprise $2.99/month individual, $4.99/month family (up to 5 members), $3.99/user/month teams plan, $7.99/user/month business plan, Custom quote for enterprise plan (all prices billed annually)


source https://zapier.com/blog/lastpass-vs-1password/

No comments:

Post a Comment