Pass on LastPass; KeepassXC or Bitwarden is better.

Anybody else remember when Wendell was just a torso sat behind four computer monitors?

Who else is here after the LastPass database leak?

Bitwarden recommended. Migrated from LP. Works on my mac and android just fine.

"It's like running water inside your hosue getting more expensive, or electricity getting more expensive" - Texans staring from the corner.

This has aged amazingly well. Thank you, Wendell!
I just spent the last six hours changing passwords, tying up some loose strings as far as 2FA is concerned, as well as migrating everything off Lastpass to something hosted on my home server. Should have done this years ago, but the recent data breach scared me enough to get the ball rolling.

step1 - entice users
step2 - trap users
step3 - exploit users until collapse
silicon valley, and a lot of industries, are on step 2.5

Wendell: "I don't want this to get technical or take too long" Me: "Sounds good. I guess I'm going to need my calculator, some paper, Visual Studio Code Editor and plenty of water to stay hydrated."

Jumping from Lastpass to Keepass has been on my backlog for... probably a decade now, but this recent move forced me to make the jump.
I've started on Dashlane, migrated to Lastpass, and considered Bitwarden... but ultimately the objective was to go Keepass synching stuff on my own.
I have to say, there are reasons not to do it... go for something like Bitwarden instead for instance.
But I'm insisting... because ultimately, I don't wanna rely on someone else's server/service, so as good a time as ever I guess.
The general problem with Keepass is the general problem with several other FOSS software, which I also have highly adopted in recent years - it's fine for me, but if I'm gonna put it for someone else to use, like say, my mom who is in a permanent tech illiterate state, it starts getting harder.
But even for me, the decisions are taking longer than I'd like. Problem is, there are too many options, not that much material for research, and videos like this one are not that numerous, so it ends up not covering specific cases like mine.
For desktop it was kinda easy. Original Keepass is kind outdated but fine, KeepassXC is more modern with newer features, so there you go.
I still ran into some weird problem though. Not sure why, but Keepass XC was refusing to import a Lastpass CSV file inside an already created database... it keeps trying to create a new database instead.
So I had to do it via standard Keepass, and then open the database via KeepassXC. Perhaps because I'm trying to create a new database with a keyfile, not sure what's the issue.
On Android, things got worse. I tested KeePassDX, AuthPass, TinyKeepass and am currently using Keepass2Android... all of them have something that doesn't work, works weirdly, or is kinda messed up somehow. I think TinyKeepass doesn't support key files, KeePassDX I couldn't find a way of using biometrics alone do unlock the thing (requirement for my mom), AuthPass wouldn't accept my master password no matter how many times I tried for some reason. Keepass2Android is older and has a bit less friendly UI, but seems to be working... I just didn't fully test it yet to tell.
But the general problem is the same - compared to Lastpass, all these versions of Keepass seems to be generally more difficult for someone like my mom to use. You have bugs here and there, the interface is kinda convoluted and complicated, and you end up having to go through this familiar path of trying and testing things out...
I'm also trying to sync the database through my Synology NAS, future plans to build a server running NextCloud for it. I'm not sure what's the ideal way to do it.
I'm using a mix of DS Drive for Android and PC, or an older app called DS cloud for Android, and trying to sync things up that way. For me personally anything should work fine, but for my mom it has to be seamless and under the hood. No weird glitches, need for constant confirmation, reliant on configuration, and whatnot.
Just not sure if this will work out ok because I'm not sure how these apps deal with file conflicts and simultaneous usage.
Of course, the best thing about it is that when I manage to make it work for us, no more fears of a service cutting off features and ramping up prices out of nowhere.
Going the same route for Google Photos... for now, it's Synology Moments, and when I can get back home and build my own servers, it'll be NextCloud. Depending on how it goes, how easy to use the interfaces are, I might just keep the Synology for family usage, and reserve NextCloud for my personal stuff...

"Electricity getting more expensive... It doesn't make sense"
Laughs in Brazilian

been using KeepassXC for couple years now because has win and Linux versions, and supports using keys with password.
thanks for the video.

I've been a paying Lastpass customer for about a year now. I pay $48 a year for a Family Plan for four of us. Bitwarden is $40 per year. So while that's cheaper, the cost of switching (in time) makes me stay put for now. I realize that's a slippery slope that could have us get locked in for longer due to increasing amount of time required to switch as the password lists grow. I need the family plan because I've got grade-school kids that I'd like to have learn good password management habits. I'll see how things shake out for a bit - but this is good info to consider.

I started with Bitwarden 2 years ago as my first password manager and I have absolutely no regrets

I went from lastpass -> keepass 2 -> self hosted bitwarden on unraid with ssl and custom domain. Works very well across all devices.

You should have heeded Wendell's warning. LastPass has been fully compromised. I'm going to self host to keep my stuff secure. (Although my current manager is physical and the only plane of attack is breaking into my house, bypassing the dogs, and finding my password book.)

I meant to migrate away from Lastpass when I saw this video when you first released it. Sadly, work got in the way and procrastination. How did that bite me on the butt. Migrating now, changing all the passwords and notifying clients who may also have been affected. This video made a handy reference and giving it my clients saved me a lot of time.

Must be a sign when this video came up on my recommended. I stuck with Lastpass despite the service changes last year, thought i could still work with the limitations which was still livable. But with the recent big hack, pretty much lost faith in them.

Been using Bitwarden for a year-ish now ever since dashlane hiked their prices and haven't looked back. Highly recommended 👍

I have been using Keepass for almost a decade now. Fantastic software! My company uses LastPass Enterprise in our IT dept. It's terribad.

Bitwarden is great for the lazy/busy technical user.

For me, the main draw of lastpass is the auto-fill, and the fact I can easily use it on my phone as well. So many times I need to randomly sign in to something on my phone, I'd like to have it work there.
I'll check out Keepass, as it seems like the synchronization could already be easy enough, but a lot of these open source tools feel like patchwork to me; How do I have file synchronization that automatically works every time? Where does a browser extension come in to it? What if my phone updates and 'messes' with something? I'm the layman that Lastpass was meant for, and if there are any similar solutions, please inform me.

Just switched to Bitwarden yesterday after 8 years of LastPass lets see how it goes. Might be trying KeePassXC as well

I’m switching to bitwarden as well. I was happy to pay for LastPass as a way of supporting them and maintaining for the free users, but not really into the idea of eventually losing access (if I can’t use it in both my phone and desktop it isn’t useful) to an important piece of software if times are though financially.

I'm old school, I have a note book with really long passwords written in pencil. Some of the passwords characters are different than how they are written.

Thank you, Wendell! I was actually thinking that I will have to start paying them, but here you are helping us to save money!

Trying to create a value where there is none or trying to press water out of a stone is what is ruining many products and companies. A company that offers something like password manager shouldn't be expected to make YOY gains until the end of time.

This should be part of the business of building computers. From smart phones to desktops should come secure otherwise these programs seem based of the old mafia style “protection” rackets

Wendell, I have to disagree about using Keepass files on sync service - I tried it and wouldn't recommend it because there is no conflict resolution or direct access to the DB. That means if you work on multiple machines you have to be sure that the file has been fully synced before you edit on the second machine; and of course it's single user only. And whenever you need access to a password you need to download and unlock the entire file. So it's a possible solution, but not a great one.

1 year after, a pair of breaches shows that LOTS of things are stored UN-encrypted by LastPass.
I'm so glad I have used synced KeePass for years, even long before this video was published.

Thanks for this video Wendell. I always come back to you when I'm doing security spring cleaning. Been using Lastpass for a few years and with their recent change I wanted to double check what the options out there are. Just switched to Bitwarden!

Is it bad that I make all of my passwords by smashing my keyboard into a text document? Never saw the need for password managers beyond what the browser comes with tbh.

I've been using LP for the last 8 years or so. Switched to Bitwarden instantly last week and did the same with my parents this weekend. Keypass looked great as well but ease of use is much more important b.c. I gotta set up the whole family. Very happy with Bitwarden so far, I like that that it's all a bit more rudimentary looking than LP while having better useability imo

What about Firefox lockwise?

I dunno why but self hosting bitwarden makes me a bit nervous with regards to external access . Places a lot of the responsibility to hardness my server better than bitwarden can do but its something I'm interested in exploring perhaps a topic for a video?

Been using BitwardenRS on my home server for about a year now. It is great! I use the browser plugins, desktop application, and phone app with fingerprint access, super convenient.
I had exported all my passwords from Chrome password sync (yuck, I know), then I used bitwarden to help me set unique super secure passwords for all my websites.
My next step is to develop a high availability strategy in the event my home internet takes a nap while I'm on vacation or something..

I’ve been a happy keepass user for a good year or so now. I pull the db onto my phone and tablet and use strongbox to access it mobile wise

Bitwarden sounds like the thing for me since Ive been wanting to get my parents to use a password manager, and they aren't technically inclined.
I want to use the same service as them if only because then I would be familiar with the service and how it works if they ever have a problem.
To many times they have called me about something I have never used or heard of before and always takes time quickly learning how to actually use whatever they are trying to use to fix the problem.

Hi Wendell,
What is your take with the browser password managers, both Chrome and Firefox have pretty solid ones, but how are they encrypted?

My solution is iCloud Keychain. If the device I’m on isn’t from Apple, I can type the password out from my phone. I think this was a good choice long-term because I’m receiving it for free as a benefit of the Apple ecosystem, and I’ve had years already of just not worrying about it.

For a single user scenario I would agree, when you have 4 family members with shared folders and passwords, lastpass takes the cake for me. I can update a password and my wife doesn't even have to know, it will just sync to her account and work for her

I would love to see Wendell do an additional video discussing password managers that ship with antivirus software. I've read that they are typically not even close to as good, but it might be worth commenting on these in light of changes to LP.

I was using Keepass/Dropbox and found that combination worked quite well. I’ve moved to Bitwarden as the integration is better, especially across multi-device/multi-platform

I'm currently still using LP on Firefox but now FF offers its own password manager, how good or bad it is?

I prefer keeping my passwords on a local level and not online. Yes I'm aware that things can be encrypted before they are sent and what not. Just keeping things offline that you don't want others to know is just a better way to be sure if you ask me. I don't have to worry about an encryption being broken or a databreach among other things. The only real downside is that I don't have the convenience of a quick one password login, and I'm more than OK with that.

I use KeePass non XC and would never use a paid password manager.

Family pricing for LastPass and Bitwarden seems to be very similar though. Also, seriously, for most folks running Linode or NextCloud or their own containers is just LOL. Next step: Just spin up a Kubernetes cluster, configure a few Helm charts, run some NGINX on the front end, pull that Bitwarden container, and bam, as Todd Howard himself would say: "It just works".

I autoskip anything commercially hosted, especially if servers are located in the five eyes states.
So KeePassXC and KeePassDX with Syncthing/DIY Nextcloud is my solution to handle synchronization.
Just got to pick up a Yubikey which I haven't done just yet.

Man. This is timely and useful. Still can’t decide my next step, but this explains a couple options.
Thanks, my guy.

Whatever alternate you choose, remember to keep a backup of your passwords just in case, you probably have a few hundred or so passwords and really don't want to lose them, so even if you don't plan on using Keepass it isn't a bad idea to import them anyway or if nothing else at least get veracrypt and encrypt your password export.

Personally use keepass + Kee + rsync mostly.
Kee is pretty good as a browser extension and allows for far better domain fine tuning than lastpass ever could.
At work, we do use Lastpass on a company level as at the time I chose it, it was a good option for sharing passwords between people (yes we are single account freeloading on software that charges per account).

I've been using KeePass + Kee browser plugin on desktop, works very good. Also KeePass supports ChaCha20 that is even better than AES256.

+1 for bitwarden it's FOSS and it has a self host option if you don't like their cloud option. Even if they ever go closed, we can always use the service prior to it going closed and know it's functional. a fork can always exist.

This video is just on time. I was using LP and now I'm looking for an alternative that I can trust.
Thank you : )

Well same with Dashlane lately...it went down the dirty drain.

I use the Bitwarden docker image and haven't had any issues but I do dread the day when something goes wrong. It's a total blackbox. Maybe remind folks to enable backups on their Linode instance if they're going to host all their passwords on it..

Let's try again: Use KeePass + rclone, dont use any of the commercial products, they are all honeypot. You dont control the app, you dont control the remote rest data == you dont control your passwords.

been using bitwarden for years and love it.

I saw the news about LastPass when it first came out, and I kid you not I had 3 accounts migrated over to Bitwarden within 15 minutes. It was so easy and I'd been looking for an excuse to ditch LastPass and this was the final straw.

Be warned. When self-hosted, Bitwarden's data directory stores a PLAINTEXT list of what sites you visit (as well as your email address, and your recovery question)

One detail that was not mentioned- you can log into Bitwarden on Android phones using biometrics so you do not have to enter in your long passphrase every time... Select Settings->Security/Unlock with Biometrics.

Been using Sticky Password for quite some time. I think i got it originally from one of those "free app for a day" thingys and when they went with paid option like last pass, they gave me free lifetime license (what was a cool thing to do).

So you’re trusting Bitwarden’s hosted version a bit more than the docker’s self-hosted variant? Any reason for that? Just evaluating the options currently

Good presentation, I've used KeePass and Bitwarden, like them both. Even self hosted Bitwarden. For the price I let them host it and pay for the extra features. Like using my Yubi Keys as an extra layer of protection. Both KeePass and Bitwarden are great for managing thousands of pwds. Last Pass sucks and pulling your passwords off Last Pass is not for the faint of heart, they make it more difficult than needed.

I use KeepassXC for password and Syncthing for sync between computer and my smartphone.

3:37 the electric infrastructure in Texas collapsed due to own lack of foresight and maintenance. there's scarcity. let's drop some surprise $10,000+ charges to the user's electric bill.

It's kind of amazing that a decision to use KeePass around 2004 remains not only viable but a preferred solution over 15 years later. The biggest difference is that the software has kind of stagnated, even when considering the wealth of plugins, so that the XC variant is probably more generally recommended. You can even still use the original version if you've been resisting .NET all this time.

Keepass + Dropbox.
Not the slickest UI, but works so well for me over 10 years of doing dev work.

No mention of 'Pass' - the standard unix password manager ? I thought a combo with 'Dmenu' and 'Pass-Tomb' was the solution. Am I missing something that makes KeepassXC safer / better ?

Dude. This information made my month. Encryptr just end-of-lifed and I thought they shut down permanently leaving me without all my passwords or keys for crypto. They turned the servers back on this weekend for people to migrate their data off, and Bitwarden was super easy to setup and migrate to. Great video!

I am a user of 1Password for more than 15 years. Sometimes I am tempted to move and save a buck, but I am too lazy to maintain this solution for me and family. Up to now I have a very good experience, and pretty sure that it will be like this unless they are sold.

Downright prophetic lol I'm happy I took this advice

The biggest features that made LastPass so good are the browser extensions and the mobile application. If Bitwarden can match those (especially the iOS app making use of the system password auto fill) then I would definitely consider switching

Moved away from LastPass when they were making a mess of transitioning their Firefox browser extension to WebExtension. Their website offered an updated version, but the version in AMO was a whole full version number behind, missing a ton of features and being a buggy mess. Went to Bitwarden, haven't looked back since. That being said, Bitwarden does also limit the amount of devices on the free tier, but it's a much more generous 3 devices of any type. This will cover, for example, mobile, tablet/laptop, and desktop PC.

keepassxc is amazing. i have no problem with their browser plug-ins either.

I started out with KeePass, but had trouble with synchronization. I didn’t trust the free services with the encrypted file (I know), and Nextcloud/own cloud at times created conflicted files. I switched to Enpass, cross platform, mobile platforms and syncing. It was a $10 lifetime app purchase for unlimited syncing from unlimited devices, but they have changed their offerings as time goes on. I still like it because I can use WebDAV with Nextcloud to keep the password file “local” and easily in sync.

I already left from Lastpass and started using Bitwarden. I was using Lastpass for last five and a half years.. pffff
We use keepass at work also. Good, but not for everyday use (for me).
Anyway, it was nice listening to you, giving information to people and comparing solutions.

I agree with the sentiment in general, and everyone needs to decide what is valuable for them. However, there are some things in life you should WANT to pay for. Email service and a password manager are in that category for me.
To be clear, the alternatives to LastPass are good, and i may switch at some point. But I expect LastPass to invest in defending against attackers. This is a highly attractive single point of failure and I want to pay money for someone to help the hackers away, as much as is possible. Don’t cheap out on security and privacy.

Is bitwarden easy to use in mobile, like allowing you to sign into apps and services via app-overlays?
I am thinking of moving my entire family over, the problem is I am the only technical person, the rest are nearly technophobic and or elderly. It was hard enough getting them on lastpass (granted I already always used Family/Premium, but if they pulled this shit now, I can't trust them to not do it again soon, this time affecting my case)

Thanks soooo much.. was looking for something that wasn't last pass.. thanks good sir..

Electricity and water ARE only getting more expensive in my country, what are you talking about :D

I use keepassXC as my password manager on my PC and keepassDX on my phone synced with syncthing which works really well

I can second Bitwarden. Very satisfied 👍🏼

Running KeepassXC with Syncthing. Using my Yubi key for MFA. I love how keepass can store MFA codes too for different services too. Haven't had a single issue with the set-up yet.

Considering the LastPass hacking discloser the other week, this video aged Hella Well

A few months ago I migrated from LastPass to Bitwarden self-hosted and I'm really happy with the change. The setup was a little bit involved but that didn't bother me. The web browser integration is excellent as you said, and that's a big deal to me.

Wendell: "I don't want this to get technical or take too long"
Me: Strong doubt on both of those :)

For those debating whether they want to use KeePassXC or Bitwarden. I used KeePassXC synced between a few of my devices, I tried a few tools for sync, syncthing, a usb drive and others I don't remember. An issue I always encountered was that sometime I would modify the db on a few devices before they got a chance to sync with each other, this results in a synchronization conflict. Imo, these sync conflicts are the worst part of the experience, I managed for a few years, but Its part of the experience that @Level1Tachs did not mention and its the biggest difference between the two options.
When KeePass db file is modified in anyway it looks completely different from the file system perspective, only when you decrypt your KeePass db file, by opening it in KeePassXC, can you understand the changes. Because of this no file sync service can resolve any sync conflicts on its own. This is where Bitwarden provides a lot of usability IMO, on the server it can reconcile these sync issues because on the server it can see the file. But that's a big tradeoff, KeePassXC is more secure but on Bitwarden you don't have to deal with sync issues.
Tl;dr @Level1Techs forgot to mention that Bitwarden saves you from having to deal with sync issues, but it can only do this because you are trusting the Bitwarden server more than you trust a sync server with a KeePass file.

I am one of those effected by this change on Lastpass. They had the by far best free password manager solution out there. Over time they limited here and this latest limitation means I have to switch/pay the premium. I was considering 1Password but Bitwarden also looks decent and I will check it out but it feels like I will probably go with 1Password.

KeePassXC on desktop. KeepassDX on android. Plus Syncthing.

I plan on making a Raspberry pi Home Assistant system at home, at some point, would that be able to run a Bit Warden sync service?

What do you mean by “the password is transmitted over the wire” for keepass?

Seriously use a free resource people. And make sure it's your own.

I know this is old but. I recently setup KeepassXC and KeepassDX. Password and yubikey locked, with free cloud sync over onedrive, wish I would have done it sooner. I even got my 74yo mom using it.

I was originally with FoxMarks Firefox bookmark sync, which then became the multibrowser, multiplatform XMarks, which then started syncing passwords as well. LastPass acquired XMarks, and things continued fine for a while, but then they got behind on updating the bookmark side, eventually discontinuing bookmark syncing altogether. That was REALLY disappointing. I've yet to find a service that managed to successfully integrate Firefox and Chrome bookmarks across both Windows and Linux....any recommendations? When LastpASS moved to a pay-only model, I bailed. That was the deal-breaker.

Both utilities that you mentioned as not getting more expensive over time are in fact getting more expensive over time; electricity and water.

Great video
is there a trusted keepass service for ios?
Also would love Level1techs to tackle the identity guard type services, lifelock etc
thanks

what about password managers built into browsers? ive used google chromes for its convenience and integration with android but have been wanting to switch to brave browser. i like the idea of a decentralized encrypted password manager. do you see any issues with it ?

Thanks and good advice. Curious tho on devices like smart tv, roku, etc which have a netflix app for example... is this able to be syncd and used on those type devices as well? Thats my biggest hurdle I think to get across to then start using better passwords across my whole ecosystem...

The main issue I had with KeepassXC was with the lock file created while editing the Keepass database (normal and expected for file editing). The lock file gets synced along with updates to the Keepass db file through a service such as SugarSync.
Sometimes, the lock file does not get deleted once editing is complete, and will remain in the cloud hosting service even though it was removed locally. When opening the kdbx db from another computer, KeepassXC will instead create a new DB file with a unique name instead of returning an error that a lock exists. Over time, this can create many versions the db file without realizing what is happening.

so if I have to pay I'll be paying for a better service. I just jumped to 1 password

SafeInCloud. It syncs via a cloud of your own choice. You only pay a one time fee (was 2.99 few years ago, but now 7.99) if you don't want adds in the phone app. Win10, Linux, iOS, Android, ... +browserintegration