Why I Left LastPass for 1Password

There are very simple reasons why password security is so important:

1) We can now access most of our private, confidential information online (bank accounts, email, and social networks), and

2) We’re lazy.

I’m not trying to make anyone feel bad with that last point. I’m really lazy, too. For years, I used only a few passwords and rarely changed them. It doesn’t take a long explanation to illustrate how dangerous that can be. If someone figures out your Facebook password and you use the same password for your email, the intruder can now log into your email and reset passwords for things like your online banking. And if you’ve ever wondered how embarrassing emails from politicians and celebrities end up getting exposed online, this is how it’s usually done.

A few years ago, I started using LastPass to manage my passwords, and it dramatically improved my online security. Password management software like LastPass lets you generate complicated, random passwords for each website you visit, and all you need to do is remember a single main password to access all of them.

While I love the idea behind LastPass, I haven’t been entirely comfortable with its execution. I made the switch to 1Password when it became available for Windows last year, and I’ll explain why switching is a great idea if you haven’t already done so.

1Password vs. LastPass

Although it wasn’t available for Windows until 2010, Mac users have been familiar with 1Password for quite a while. This award-winning password manager lets you create strong, unique passwords and locks them with a master password, so you only need to remember a single password. Unlike LastPass, 1Password doesn’t have a free version, so why would I want to switch?

1Password lets me store my passwords locally

One of LastPass’s best features is that it stores your passwords online, so you can access them from anywhere by logging into your LastPass account. But even with amazing security, I could never feel completely secure leaving all my passwords in someone else’s hands, which is one of the biggest reasons why I switched to 1Password.

I’m braver than most technically inclined people I know, partly because I spend so much time using new technology that I have built up some sort of mental callus to its inherent risk, and partly because I want to believe that most of these companies aren’t looking to screw over their users. But my paranoid tech-savvy friends aren’t wrong – we’ve seen countless examples of how companies have sold their customers’ private data for personal gain. And even if the company is 100% ethical, all it takes is for an unethical giant to buy them out and make dramatic changes to their privacy policies.

With 1Password, I can store my passwords locally on my computer, so I never have to worry about a hacker breaking into a massive storage server somewhere in the world and potentially getting my information. This means I also need to be careful with how I store this information, but since 1Password encrypts everything, it’s pretty easy to keep your passwords safe. I love having total control over my data.

What if you need to access your passwords on multiple computers? This is a very realistic problem for almost all of us, and there are a few easy solutions with 1Password. You can use Dropbox, a super-easy file sharing program, to keep your passwords synced across multiple computers. And if you don’t feel comfortable doing that, you can simply save your 1Password files to a USB flash drive or portable hard drive to always have them handy.

Passwords stored with 1Password are already securely encrypted, but you can also use a free application like TrueCrypt to ensure your password files are inaccessible to anyone else. The 1Password team wrote a great article about password security in cloud-based storage systems.

Great browser integration with hotkeys

This might seem a bit fickle, but I don’t think I could really get in the habit of using password management software that didn’t have an easy way to access my passwords and automatically insert them into my browser. 1Password has great browser plugins for Firefox, Chrome, and Internet Explorer, so I can log into my accounts effortlessly.

The best way to access your 1Password passwords in a browser is to use the hotkey CTRL + \. When you press this key combination, a window will automatically appear prompting you to unlock your 1Password data, and after doing that you’ll see a list of any accounts available for the website you’re viewing.

1Password’s Chrome Plugin

When creating an account on any website, you should always use a unique, complex password. 1Password makes this very easy with their Generator option, where you can pick the password’s length and complexity. Since you don’t have to memorize it, why not make it as complicated as possible?

1Password’s Password Generator

One of my favorite features of 1Password’s password generator is its Pronounceable option. This lets you create a password that is easily pronounced phonetically (and thus easier to remember), which is great for using services like Twitter when you need to log into mobile apps.

If you accidentally reveal this to anybody, you can just convince them it’s the language you speak to your spirit animal in.
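The trade-off between a fully random password and a pronounceable one can be measured in bits of entropy. The following is an added example, not code from this article or from 1Password; the consonant-vowel syllable scheme and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Full printable set: 52 letters + 10 digits + 32 punctuation = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed scheme for a "pronounceable" style password: each syllable is one
# consonant followed by one vowel. Illustrative only, not any product's
# actual algorithm.
CONSONANTS = "bcdfghjklmnprstvwz"   # 18 choices
VOWELS = "aeiou"                    # 5 choices
SYLLABLE_CHOICES = len(CONSONANTS) * len(VOWELS)  # 90 possible syllables


def random_password(length, alphabet=FULL_ALPHABET):
    """Draw each character independently from a CSPRNG (secrets module)."""
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pronounceable_password(syllables):
    """Build consonant+vowel syllables, each chosen with the CSPRNG."""
    if syllables <= 0:
        raise ValueError("syllables must be positive")
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        for _ in range(syllables)
    )


def random_entropy_bits(length, alphabet_size=len(FULL_ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def pronounceable_entropy_bits(syllables):
    """Entropy of the syllable scheme: syllables * log2(90)."""
    return syllables * math.log2(SYLLABLE_CHOICES)


def syllables_needed(target_bits):
    """Syllables required to reach at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(SYLLABLE_CHOICES))


if __name__ == "__main__":
    length = 16
    full_bits = random_entropy_bits(length)
    pron_bits = pronounceable_entropy_bits(length // 2)
    print(f"random        {random_password(length)}  {full_bits:.1f} bits")
    print(f"pronounceable {pronounceable_password(length // 2)}  {pron_bits:.1f} bits")
    # How long must the pronounceable form be to match the random one?
    need = syllables_needed(full_bits)
    print(f"pronounceable needs {need} syllables ({2 * need} chars) to match")
```

At the same 16-character length, the pronounceable form carries roughly half the entropy of the fully random one, so it has to be about twice as long to resist guessing equally well.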

I’d rather pay for important software I’ll use every day

First off, LastPass does have a premium version that gives you access to mobile apps and better features. But it’s a subscription-based service, so this means you’ll have to keep paying for it as long as you want access to these features. If you ask me, I’m already subscribed to way more services than I want to be (Netflix, Audible, my mobile phone plan), and I really don’t feel like adding another monthly subscription.

1Password costs $49.99 (for Windows) which you pay once to completely own the software and receive all updates. And you know what? It’s completely worth it.

I use the same logic when explaining why it makes sense to pay for your operating system – this is software you’ll use every day, it will improve your life (I’m guessing you would be negatively affected if someone hacked your bank account because you were using insecure passwords), and its price is validated by 1Password’s high quality. I pride myself on supporting things that I enjoy and that improve my life, and I’d rather use the buy-it-once 1Password than a free version of LastPass.

1Password also has apps for Android, iPhone/iPod touch, and iPad, so you can always access your passwords on-the-go. The 1Password mobile apps also support Dropbox, making it easy to keep your passwords synchronized on your mobile device.

Image courtesy: mbrand



Comments

153 responses to “Why I Left LastPass for 1Password”

  1. Anonymous

    I like the idea of local storage of my passwords as well. I wouldn’t feel secure letting someone else manage the keys to my domain!

  2. NeonCollie

    I’ve been using LastPass for quite a while now. I feel very comfortable using it, although I would feel much more comfortable knowing my information was stored locally on my own computer. I’d really like to see how 1Password compares. I really enjoy your tech articles. Thanks!

  3. Jason Priebe

    This was a great article. I have been thinking about switching to something like this for a while

  4. Nick

    I hope I win!
    I’m used to LastPass but for free, I’ll definitely try out 1Password!

  5. M Scott Drummond

    I would like to give it a try. Please enter me.

  6. ^DooM^

    Awesome article as ever. Would love a copy of 1Password as I, like yourself, do not trust online services.

    Cheers!

  7. Ioiosotwig

    Sounds good…

  8. Casual Observation

    I hear what you’re saying about online repositories. I tell my clients that if they can get into the gov’t they can get the data. And the more there is in one place, the bigger the target on the back.

  9. Rhbanagale

    That is a great tool that most Internet users must have. Currently I am using Keepass but it lacks browser integration. Nice to have one like this!

    1. anna

      keepass actually does do browser integration – on Linux at least (with keepassx), I press Super+s (a hotkey I chose) and forms are auto-filled with my username and password. You can even customize what gets typed by putting macros in the comments field.

      You can set this up in Settings -> Advanced.

      For my part, I would rather software I use every day be open source, whether I pay for it or not. keepass is open source, so we can audit just how secure it is. I don’t trust my passwords to code I can’t see.

      1. max

        anna is correct; Keepass has had browser integration for years.

        Also strongly agree with the open source concept when it comes to encryption. There’s nothing in this article that would indicate 1Password is in any way superior to Keepass.

        I was amused by the author’s notion that Dropbox files exist in the cloud, but you think that you have complete control over them. And then I was more amused by the suggestion to put your encrypted password file into a TrueCrypt container so that you can access it via Dropbox. Yeah, that’s convenient. If you need TrueCrypt, it sounds like it’s not just Dropbox you don’t trust, but 1Password.

      2. Joshua Bardwell

        No disrespect to Keepass, but having been a KP user, my experience is that its browser integration doesn’t hold a candle to LastPass. For example, LP auto-detects when you’re changing a password or creating a new account and offers to auto-generate a new password for you.

        1. NIBB

          What anna said is correct. You can auto type with KeePass for years, and it’s very easy to set up. Since its interaction is executed by the user side, and not the browser (extensions), it’s safer by nature.

          What you said about LP detecting changing passwords, then you are doing it wrong !!!

          If you are changing the passwords in the website, and LP detects these changes and updates with the new information, that means you are updating the passwords in the account website, which means you probably updated it with a non-secure password. Why? Because most accounts don’t have a random pass generator, and the ones that do are actually flawed to produce something strong enough. I’d rather trust the password generator on software like KeePass or LastPass. If you are updating the password on a website that are not random, then why even use something like LastPass in the first place?

          So if you do it correctly, then you are actually generating the random password from the source database, this means LP or KeePass or whatever you use to store logins, then updating that in the website manually. This is the safe way to do it, because if for whatever reason your source does not detect the change, like LP does sometimes, you could be potentially locked out. Some sites will log you out, and if you don’t have a historic record you basically just locked yourself out, as you cannot remember the random password used and it’s not saved in your original database either.

          So you are doing it wrong. You have to generate the random password from your Password Manager, then update it in the website manually. In that case what you mentioned as a benefit is nulled. Someone does not need KeePass to detect the password change at all and most probably don’t even want something like that.

          Actually, that feature alone is something which means your browser is connected to your password database; this is insecure. LastPass is tightly connected with your browser and there are hacking concepts which can retrieve users’ passwords by exploiting something in the browser. All someone needs to do is hack some extension or create a malicious website or something else attacking your browser (they have vulnerabilities discovered every week) and LastPass will dump the logins.

          What is the point of using a password manager if you are connecting it to the vector of attack? Your browser is the potential gateway to your attacks, just like email. Browsing is the risk, so if you have your password manager connected with your browser, then you are doing it again, wrong.

          With KeePass, assuming you don’t use plugins, this is not possible. Same with 1Password or other local password managers. They are not connected to the browser so they are by nature safer. You are giving up security for functionality with LastPass. The reason LP detects your password changes and can auto fill them should ring a bell on how secure it actually is. Most people are sold on LastPass exactly because of this, auto fill, and these are exactly the weakest points of the product, which were attacked before and are going to be attacked in the future.

          Also, having all accounts connected to central servers on a centralized company means it’s a honeypot for hackers. It’s a high value target; this is different from hackers attacking millions of different systems (you or others), they only have to attack one cloud provider then concentrate on the users they want, since now they have a list and LastPass has a list; assuming you paid them, they do have your data linked to an account. You are actually putting yourself at more risk by having them shared with millions of other LP customers. Do you trust a company so much? Maybe, but what about their employees? LastPass will never be hacked because its encryption failed, but because a human failed.


  10. Im_n0t_0v3r

    One other thing of note, it has better iPad support than Roboform or LastPass IMHO. The 1Password is made for the full screen, not an iPhone app that is made compatible like Roboform.

  11. erase_me

    1Password is great, and the mobile apps are fantastic as well. I love the Dropbox sync.

  12. Zackery Fretty

    I’ve already got a licence, but I’d love to win one for my Dad he really needs it!

    1Password has saved me far too many times

  13. z0mt3c

    1Password is awesome 🙂

  14. Tomasz Sobczak

    Great article about a great piece of software. Hope to win a 1Password license for Windows as I am already using the version for Mac

  15. Guest

    Brilliant Article. Would love to get my hands on 1 Password.

  16. Simon

    awesome! I really like 1password.

  17. Lucasdelima

    I have it for iPhone, now I just need it for mac! I wanna a copy! =D

  18. i0no

    I want one copy 😛 I already use it for iPhone, need it for Win 🙂

  19. Roger Gose

    Nice that you are giving out a couple of licenses!

  20. Mattias

    1Password is a killer application I could never be without. Been using it now since a couple of years ago. Would love to have a Windows license though.

  21. Tomek Kuźma

    It will be awesome to have this app :D

  22. kexxcream

    1Password is simply great, especially since you can sync it with Dropbox to your iPhone!

  23. Jamie

    Great article, listing the differences. Hope I win 😀

  24. Summelsam

    heh already a user, but my dad/mom need this 😀

  25. Squirrel

    1Password is cool!

  26. MetroMacs

    We could use a copy for client demos and such ; )

  27. brainstormerus

    1Password’s support for Dropbox (and vice versa) makes it really easy to access logins on-the-go. Sign me up!

  28. Fabio

    Love the mobile synchronization!

  29. surfdaddy

    I tried switching from 1Password to LastPass based on a couple of pundits’ high praise of LastPass.

    The bottom line is you can tell 1Password was conceived and created for the Mac and LastPass was originally a PC program. Nuff said. Oh, and DropBox integration is killer!

  30. ckaotik

    So noon on Tuesday it is? Just, which time zone is it? 😉

  31. Robert Altman

    I’ve been a long time 1Password user (and fan). I now have my passwords automatically sync and accessible on Windows, Mac, Android, iPhone, and iPad. I couldn’t be happier. Each password I use is random (12 – 16 characters) and never re-used; I love it when my security criteria outshine those of a bank or other financial website. I actually have family licenses, so my family can benefit as well.

    Still, I have a friend who could use 1Pwd, so here’s hoping.

  32. Nick Volpe

    I’ve been using 1Password for about 6 months and I am extremely happy with it. My freelancer side loves the fact that I can manage not only my own logins but my client’s logins as well, without compromising their security. My UX designer side loves the sleek and elegant design. I would love to win a free copy so I can give it to my girlfriend. No luck trying to get her to buy it.

  33. Lbrand10

    Good article can’t wait to get my hands on a copy.

  34. Anonymous

    Good writeup for 1Password, thanks.

  35. Richard

    I’m a long time user of KeePassX. I am interested in seeing how 1Password compares

  36. Ryan

    I love 1Password on the Mac and would really enjoy having the Windows version as well.

  37. Amy Lew

    I love 1Password so much! I’m trying to convince my parents that it’s worth their while (which, of course, it is).

  38. TeoD

    I tried LastPass before, but I didn’t like it. It would be great to use 1Password!

  39. Ryan

    Wow, this is awesome!

  40. Superfula

    cheers for the article. i’m in!

  41. Sinaitic

    I hope I win. I could really use 1Password since I am a daily internet user!

  42. Matte

    I actually changed from LastPass to 1Password when I bought my first Mac and have been using it ever since. Of course I could live without it but it’s so worth the price I paid for the license. Hoping to lay my hands on a Windows license as well. 🙂

  43. Techwish

    Wooohooo…Sounds better than sliced bread

  44. Kshellborn

    Next to a browser, 1Password is my most used app. I just bought a second macbook and would love to have another version for that.

  45. Anonymous

    1Password is the bomb! My buddy has it and it is definitely the way to keep secure online

  46. Stefan Straka

    1Password looks really awesome 😉
    I hope I’ll win 😛

  47. Michae

    I’ve checked out 1Password and it seems really cool! I really like the idea of keeping my password extra secure.

  48. Thessron

    awesome

  49. Saynt

    Great article, 1Pass is a great app for sure. Been running on my iPhone for a long time now

  50. Stefan Straka

    I wanted to buy it, but get it for free is even better 😉

  51. Zvika

    The best tool out there, and I might add this: [the only]1password

  52. Lxegretester

    I’d love to try it…

  53. Wojciech Tekiela

    1Password is truly great, I’ve seen it in action and it really changes the way you think about passwords. It would be nice to have this software on my windows machine 🙂

  54. Krister, Sweden

    I love 1Password and have been using it ever since I started using OSX. When the Windows version I made sure our company started using it.

    Haven’t switched wife over from Keepass yet. Would be fun to win a copy.

  55. kickbutt

    Wanna win it please..

  56. Tiago Ferreira

    I’ve tried 1password, but couldn’t afford to buy it. I’m waiting for a promotion to have the possibility to acquire this amazing password manager.
    I love the way it integrates between different OS’es and mobile platforms.
    It’s perfect. I hope I win the free copy, so I can finally start using it.

  57. Jonathan Paul

    I have been using Password Safe for years; the browser integration of 1Password is very intriguing however…

    jon

  58. Mschadejr

    I love the fact that this app can store all your passwords with no hassles! I would love to have this app for my iMac! Thanks!

  59. t87

    Very nice article. Would love to own a copy of 1Password. Maybe then it will teach me not to use the same password for everything ! 🙂

  60. gasport

    One great app…

  61. AppStore Tester

    Hello! I already downloaded 1Password for iPad but not for Mac!!! Please help me out 😉

    I would really be happy to get 1Password for Mac!!!

  62. gasport

    One great app….

  63. Joe B.

    1Password looks like the best one to get.

  64. Sjjordan

    I love 1password! Great article!
    (Hope I win a free copy! Want to share it with my brother)

  65. Gabe

    As far as I know the iPhone/iPad/iPod are not free.
    Love to win a copy.

  66. Justin Turley

    Does it have an Android App?

  67. Nik Piepenbreier

    I love 1Password’s ability to sync with Dropbox, especially to my iPod Touch.

  68. Jerome Garrido

    FYI, the iPhone/iPod Touch and iPad version of 1Password isn’t free and it’s on top of the desktop application purchase. Consider you’ll probably use this daily, then it’s all worth it. Hope I win the free copy so I can get the iOS version.

  69. jeremy

    I want one!

  70. sabrewulf

    I couldn’t agree more with this article as far as using different passwords and making sure they’re strong. I used to keep all my logins in a text file and saved in Dropbox. Primitive compared to 1Password and the ease of use and vast options. I would love to be able to get my wife her own copy.

  71. Evan Wondrasek

    Hey Justin,

    Yes it does.

  72. David M Mendez1

    I have 1password for iOS and it is great!

  73. ODP

    I have heard good things about 1password … I suppose I should give it a try sometime.

  74. Sophronis Mantoles

    Great article Evan. I am a bit concerned about any tool that automatically generates passwords though!! Will talk about this when I see you next!!

  75. macnow

    1Password seems to be awesome, i must try this app 🙂

  76. Larry Rae

    I use 1password on iphone and it’s great but… I really need it for the Mac and syncing with the iphone as after a hard disk failure resetting all my browser embedded is a giant pain!

  77. free64

    free works for me. thanks in advance 🙂

  78. ThisIsTurgs

    I’ve been concerned about using one of these services, but now I think I’ll give it a go.

  79. Hidas

    i hope to win it’s so fantastic this app

  80. Vivien Denis

    Argh, why does it appear twice???

  81. Vivien Denis

    By using 1Password, should we give up the option to use a random computer without any special equipment ?
    May the luck be with me ! 😉

  82. Savelyev Andrey

    1password it’s cool app =)

  83. Ray

    I use 1Password on my mac (demo-version) and I absolutely love it. No more one simple passwords on all my accounts (gmail, twitter, facebook, …) but Real Passwords which I don’t know and can not remember. And no more forgetting accounts and passwords of sites I don’t visit very often. Even better: no more writing down passwords. Just because 1Password is so easy to use.

  84. Julio

    Nice article, thinking to switch to 1password if i could try it.. lets see, hope i win! thanks

  85. Francesco

    Always wanted to try 1Password 🙂

  86. Shane Neuerburg

    Ironic timing. I was just researching the two options this morning and having a hard time deciding between the two.

  87. Kurt A

    I love LastPass but passwords are stored on a server, Somewhere… Is 1Password GUI simple & idiot-proof? I would like to try 1 password. is there a trial version available?

    1. Evan Wondrasek

      Yes, a full-featured 30 day trial is available at their website.

  88. David Olinsky

    Evan, I appreciate the article, and I’m curious how you see a difference between lastpass storing your passwords in the cloud and dropbox being used as a middleman for sharing your 1password file between computers?

    1. Evan Wondrasek

      That’s a great question, and is one of the criticisms I heard from colleagues who originally expressed concern over storing passwords in the cloud with LastPass.

      Simply put: there will always be inherent risk in storing data anywhere, and my Dropbox files are indeed on a server that I don’t own. I find Dropbox is an acceptable risk because I still retain control of my individually encrypted 1Password files, and I can easily create a hidden, encrypted TrueCrypt partition on my Dropbox to further harden its security.

      1. Dustin Patterson

        Although very secure, encrypting the encrypted encryption may be a little unnecessary.

  89. AbbaDabba

    I think you’re not entirely correct about LastPass…. I use the YubiKey as a validator for my LastPass vault which encrypts my passwords with an unbelievably long password. Nobody will happen upon it and nobody should be able to break it. Secondly, everything is encrypted BEFORE it is sent to LastPass, so even if someone gets their database, it’s only my local client that does the decryption. Steve Gibson has given LastPass a complete review and he thinks it is a safe and reliable model. You get the benefit of having your password anywhere without having to fool with Dropbox.

  90. Fred

    Man this was really funny. You left lastpass for 1password because “you don’t feel secure leaving your password in somebody else’s hands” and then you leave all your passwords on dropbox?
    LOL
    For me lastpass is the winner hands down. I would like to see better safari integration though

    1. Evan Wondrasek

      I’ve used LastPass for 2 years prior to switching to 1Password, so I certainly understand why you like it.

      The nice thing about keeping my own encrypted password files on LastPass is twofold: I arguably have complete control over those files, and if I’m concerned about security (even though they’re already encrypted), I can simply use TrueCrypt to create an encrypted partition.

      A recent article about using TrueCrypt with DropBox: http://russell.ballestrini.net/dropbox-encryption-with-truecrypt/

      1. CoLLin LeGault

        Except that you already stored it in dropbox without truecrypt so someone could use the previous version or undelete features of dropbox to get the one not TrueCrypt’d. Also, you don’t get “All Updates” from 1Password. From the time that I initially bought it they have requested a full upgrade price twice. When I complained the first time I had to pay to upgrade I was basically told that I needed to get over it, this is the cost of doing business with AgileBits. With the current upgrade pricing hitting again I am going the other direction from 1Password to LastPass and I would suggest all users do the same. AgileBits is proving to be a money grubbing company.

        1. Dave

          Yeah! How dare they ask you to pay a modest price for hours and hours of hard work, dedication & ingenuity. It almost sounds like they’re going to use that money and feed their families! Those greedy bastards!

          Get over yourself dude, paying to upgrade is the cost of doing business with ANY good company that wants to actually stay around for any longer than a year or so before “hoping” to be noticed and acquired by Google (or some other tech giant). When a couple years go by and LastPass has been “sunset”, or is just plain out of business, you’ll go running back to AgileBits.

          As for money grubbing, have you seen this company? http://www.nextgengeek.com

          Yeah, now THAT’s money grubbing.

        2. CoLLin LeGault

          After posting this a troll replied to my comment with a libelous message about my own business (hardly the subject matter at hand) while hiding behind the anonymity of the name “Dave.” He suggests that paying upgrades nearly every year at $10 off of the full price per device (mac, windows, iPad/iPhone) is the cost of doing business with any “good” company in order for them to feed their families. If that is the case, then there are a lot of companies doing a really bad job of making money out there.

          “Dave”, if that’s really your name, I do hope you are not the Dave that works at AgileBits. That would be extremely tacky. And I would hardly call $10 off a “modest” price for upgrades.

  91. Afhavemann

    I’ve been playing with 1Password for a couple of weeks now, using it with the addition of my Yubikey security device http://www.yubico.com/yubikey. Yubikey is a hardware (USB) device that stores up to 2 passwords.

    The 1Password interface suits me better than LastPass (I have a premium account) and I especially like the ability to keep my file locally; this lets me use complex passwords offline.

    Now normally I wouldn’t want to keep the password file local but I’m too lazy and too old to remember highly complex passwords, so if I didn’t have the Yubikey I’d use a passphrase of some sort that might become vulnerable to a rainbow attack if someone knows what they’re doing.

    1Password encryption is very solid if the password is complex enough and the 64 character randomly generated, total garbage-line password stored on the Yubikey takes care of that chore.
    I paid the $50.00 for a pair of Yubikeys and programmed both with the same 64 character randomly generated password.

    One of the Yubikeys is stored in my safe deposit box (with a printed copy of the password, just in case), the other I carry with me. As a bit of additional security I program the first Yubikey password as a dummy for some unimportant sites and use the second to access the 1Password file where the really important stuff resides.

    With a Yubikey, quickly pressing the button injects the first password, holding the button for 2+ seconds and releasing injects the second. A worm capturing keyboard input might capture either password, but using the second password requires access to the 1Password file, and since I store the file locally capturing the password is a waste of time.

    I could have even greater security by using challenge-response or even single use passwords, but I’m comfortable with the level I now have in place, it would take an unlikely event for the password, file and knowledge of use to all come together.

    1Password & LastPass are both pretty equal in that both provide essentially the same security, however LastPass is a subscription service that I have to pay every year while 1Password is a one-time purchase and gives me the advantage of storing the file locally.

    Having both a Yubikey and 1Password is not inexpensive, the pair cost $70.00 (includes Yubikey shipping) but, in my opinion, that’s a reasonable price to pay for high grade security.

    1. Evan Wondrasek

      Thanks for the great feedback!

    2. Anonymous

      Their security isn’t essentially the same.  1Password uses 128bit encryption.  LastPass uses 256bit encryption.

      You might argue that this isn’t important to you, but they are not the same.

  92. Ch1ll1man

    Your article is a contradiction!

    You say that you like the fact 1Password stores the data locally right?  Good I like that too.  Then you go on to say that to sync you should go ahead and use Dropbox – errmm that means it’s no longer local! 

    Dropbox and Lastpass both use encryption techniques to store your data in the cloud, so by bringing in Dropbox you’re right back where you started – but with a cost added…

    Me myself – I use Keepassx and an IronKey

    1. Sajan Shetty

      dropbox is free

  93. Jan

    As can be seen in the link below, 1Password upgrades are not free, so I’d rather stick to LastPass free. 1Password may have a better interface, but LastPass is free and does an excellent job. Using the LastPass bookmarklets in iPhone’s native Safari browser is a breeze, and doesn’t require a premium subscription. http://help.agilebits.com/1Password3/howto_upgrade_license.html

  94. Anonymous

    1Password is more Mac-centric than Windows-centric.  And their Android app is in beta.  LastPass has a lot more options than 1Password and it uses 256bit encryption instead of 128bit like 1Password does.  In comparing the two, LastPass seems like the better app to me, but I do agree I’m not a big fan of the monthly fee (even though it is only a buck).

  95. Joshua Chia

    Supposedly, LastPass doesn’t keep a copy of your master password. They only store your password data encrypted with your master password, so as far as extracting your passwords, the copy they store is useless to them or an attacker unless the master password is also available (or easily guessable).

    If you need password access only on one computer, and you can be sure of not losing data on that computer, I suppose 1Password is fine. If you do need to access your passwords from multiple computers, LastPass is no more dangerous than what you suggested, using Dropbox to sync your password data across computers, unless you somehow trust Dropbox more than LastPass.

    Using USB flash drives to move your password data around is maybe fine, too, but because they are small, it may be easy to lose them (together with your password data). If you end up putting multiple copies on multiple devices to guard against data loss, it seems risky as well.

    The biggest drawback I see with LastPass is that it’s not open-source, so it’s harder to verify that the software behaves the way they claim it does.

  96. Dom

    I’m using LastPass and I’m very satisfied. I also tried 1Password; except for a slightly better look, it works in exactly the same way, so imho I don’t see any reason to PAY for the same features. Overpriced 1Password is not a winner here; compare all the features and then you will see the differences (LastPass supports all browsers and more devices, etc.).

    Spending cash for software with THE SAME FEATURES or less is very irrational and childish, sorry.
    I will be using LastPass with pleasure.

  97. Ronald McDade

    I would be very pleased if I got to win a free copy of 1Password!!! I have over 57 accounts that have built up over the years and it is becoming very frustrating having to write them all down, not to mention if that paper even stays in one place. It could get lost in the house somewhere for all I know. I hear using 1pass lets you organize all your passwords by 1 master password! That would be great! No more hassle with pens and papers (or word documents)!! If there is still a copy out there, enter me for a win!

  98. Robert K

    Just out of curiosity, considering your computer is connected to the internet, wouldn’t it be easier for a hacker to get into your machine as opposed to getting into a purpose built server which lastpass would be using?

    I mean I understand they probably wouldn’t target you as much as they would target these companies but these companies have a vested interest to ensure your information is safe. It would make or break a company.

    I’d rather trust a large company to take responsibility for my passwords than rely on the weak security of my computer.

  99. donnatravelling

    Love this post!  I, too, would rather keep my passwords local.  thanks for taking the time to share. 

  100. Steve Noble

    1Password is the key to your security ! :o)

  101. Adnan K

    I disagree. As you mentioned yourself, the passwords in lastpass are encrypted. Only you can decrypt them since only you have the master password.  So what if the lastpass server is hacked? The hacker would still need my master password (that he doesn’t have) to decrypt the file he hacked. As long as the encryption algorithm is sound (and it is in this case, AES, approved by NSA to protect classified US govt information), there is no chance in hell the hacker can brute force my long /complicated master password in a few thousand years, even with a super computer.

    Secondly, you said you feel more secure with passwords on your local computer. Isn’t your “local” computer also connected to the internet? It’s not really that “local” if it has internet connection. It’s probably less secure and hackable than any server on the Internet. 

  102. Anonymous

    I just installed lastpass today (after my msn password has been hacked:-) and i’m changing all my very old and weak passwords… Although it’s a great free app, i also feel this concern of having all my passwords stored somewhere out of my control.
    1Password + dropbox sync seems a nice solution.

    Thanks a lot for the article

  103. Frankie Claessens

    The great thing about lastpass is that I use it in Google Chrome, which we also have at work. We can’t install third party software at work (unless it’s a portable version), so having the LastPass extension in Chrome at work is pretty relax. I open it and log in with my YubiKey and I have all my passwords ready to go. Storing them locally, syncing with Dropbox or using a USB thumbdrive for it seems a bit of a hassle. Password security is important, but if someone really wants YOUR data, they will get it any way, so if having it stored online is easier & faster for me, that’s the winner.

  104. Joshua Bardwell

    How is storing in the cloud with LastPass and storing a local keyfile on DropBox any different? In both cases, only you have access to the raw data. You say, “you control what’s on DropBox,” but that’s just as true with LastPass as with DropBox. I control the contents of my keyfile. The fact that, with DropBox, I can physically delete the file, whereas with LastPass, I can only delete all the passwords in the file, seems moot.

  105. Jfaywil

    I’ve only been using LastPass for a short time, and cannot find a solution to a problem that affects its ability to generate and save passwords.  Thanks for your detailed explanation of 1Password. I’m going to make the switch.

  106. Netbob

    Great article. I’ve been using the premium version of Lastpass for a couple months and I like it along with a Yubikey. Love this device. One thing that kinda bugs me is the online storage of passwords. I will definitely try 1password. I recently had to sign on to my online vons.com site from a store pc and could not access my account because, 1. I couldn’t load the lastpass plugins and (duh) 2. I didn’t have my yubikey. Doh. Does 1password have better capabilities to handle this situation?
    Thanks again for a great article.

  107. PercyAlpha

    But syncing 1password by dropbox is just as storing ur encrypted data on lastpass server, since dropbox doesn’t use CSE.

  108. wdr

    Keepass is a great, free (beer and freedom) piece of software that I’d be using if I wanted only local storage. I used it for years before opting for the ease of use provided by a password manager with integrated cloud storage. Especially since dropbox actually uses server side encryption 🙂

  109. Boyd2742

    I also like the idea of local storage only of my very important passwords.  If passwords are stored on a company’s servers, it takes only 1 dishonest employee to cause all kinds of trouble.

  111. Shai

    Here is a more neutral article doing a thorough comparison of Lastpass and 1password: http://www.40tech.com/2011/05/16/lastpass-vs-1password-whose-syncing-method-is-more-secure/

    This post is also misleading in suggesting that the people at LastPass could get access to your private passwords. They can’t; it’s a one way encryption.

  112. Boardwalk

    Timely article.  Recently assumed responsibilities for my 87 year-old mother’s accounts & the security issue has really been bugging me.  Researching options for password management has consumed quite a bit of my time lately & I still haven’t committed.  Your trepidation, free vs. pay, good vs. better(best), & who really has the goods under control, is very similar to my conundrum.

  113. Anonymous

    Why not check out KeePass. It’s open source, free and appears to do everything 1Password does. 

  115. sta303

    Putting your password file up on dropbox really seems a lot less secure than using LastPass.  And using Truecrypt or some other encryption device means that you would need to be able to unencrypt the file when you are remote – which is kind of improbable.  Lastpass encrypts your data with YOUR password as the key – making it inaccessible to whomever gets hold of the data in the future.  And finally, I would suggest that your home computer is a lot less secure than Lastpass servers – generally speaking.  In fact, most end-users don’t even have AV software installed on their computers making them a wonderful place to be storing a list of passwords.  For me, it seems both solutions are equally secure if you are using a strong password for encrypting the data.  Then, Lastpass just seems easier to access when not at my own computer or on my mobile.  

  116. bayer

    1password doesn’t support basic features like standard HTTP authentication, so it’s useless software for many people.

  117. Erikrichter

    LastPass work on Win, OSX, and Linux

  118. Randy S.

    Security breach
    On Tuesday, May 3, 2011, LastPass discovered an anomaly in their incoming network traffic, and then another, similar anomaly in their outgoing traffic.[10] Administrators found none of the hallmarks of a classic security breach (for example, database logs showed no evidence of a non-administrator user being elevated to administrator privileges), but neither could they determine the root cause of the anomalies. Furthermore, given the size of the anomalies, it is theoretically possible that data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. To address the situation, LastPass decommissioned the “breached” servers so they could be rebuilt, and on May 4, 2011, they requested all users to change their master password. However, the resulting user traffic overwhelmed the login servers and, temporarily, administrators were asking users to refrain from changing their password until further notice, having judged that the possibility of the passwords themselves being compromised to be trivially small. LastPass also stated that while there was no direct evidence any customer information was directly compromised, they preferred to err on the side of caution.[11] There have been no verified reports of customer data loss or password leaks since these precautions were taken. In comment 6, Joe Siegrist committed to a third-party audit, saying one “is certainly prudent”, however no audit results have been published to date.
    XSS vulnerability
    In February of 2011, a Cross Site Scripting (XSS) security hole was discovered, responsibly reported by security researcher Mike Cardwell, and closed within hours.[12] It was mild enough to be considered low risk, and a log search showed no evidence of exploitation (other than by Cardwell) however in addition to closing the hole, LastPass took additional steps in order to further improve security, including implementing HTTP Strict Transport Security (HSTS), as Cardwell had suggested, implementing X-Frame-Options, and a Content Security Policy-like system in order to provide defense in depth.[12] [13]

  119. javier

    save local passwords…. to access what? all is on the internet these days.

  120. Bovus

    There are other differences, but LastPass’s two-factor authentication is a significant security advantage over 1Password.

    1. Clark Wallace

      But AgileBits doesn’t store your data on their servers like LastPass does, so there is nothing to authenticate (the A in Multi-factor Authentication) in 1Password.

  122. John Blogs

    I use TapIN on my iPad. It doesn’t store anything on the cloud & automatically login to my password protected sites.

    https://itunes.apple.com/us/app/tapin-fast-auto-login-browser/id554782625?mt=8

  123. Sophronis Mantoles

    Hi guys,
    I just thought of this article. I have been using msecure for a while and I switched to a different phone. Now all my passwords are on drop box and I have to reinstall msecure. The difference now I have to pay $9.99 for it. I am OK paying a couple of dollars for an app but 10 is a bit too much. msecure opened up for free. Once you get hooked using them and you switch to a different device you have to pay the fee. I feel this practice is unethical. I would rather pay up front for an app and know that they will not hit me with more fees down the road. What a scam.. I will try last pass or 1password next.

  124. Matthew Chan

    LastPass does store your files locally, technically. It only stores the salted hashes at its servers but it does all the encrypting and decrypting on your computer (very small process).. And even when the files are stored locally on your computer they are still encrypted as opposed to having to download another third party app like TrueCrypt as you mentioned in your article..also the passwords are synced to almost any device you can touch.. from Windows to HP WebOS!
    Plus you don’t have to manually sync them with Dropbox…
    You decide..1Password or LastPass?

  125. Jonathan Nelson

    I feel like the author doesn’t understand how LastPass works. Not to say anything bad about 1Password, I think they do everything right. I know I am resurrecting an old thread, but nobody makes this point. LastPass only stores an encrypted blob on their servers. When you log in that blob is downloaded and decrypted with your password, a password that is never uploaded to LastPass. Anybody who hacks the servers gets a blob that is worthless unless you use a weak key. LastPass will let you download and store the blob locally (or in Dropbox if you want) as well, though this is just for security and data protection measures.

    I have also seen LastPass customer support raise the alarm when a server showed more data than they could account for, a possible sign of a break-in.

    All in all, I will continue to use LastPass. I trust them and think they know where their towel is.

  126. Ufupuw

    What a nonsensical article. He is not comfortable with online storage of lastpass, but then he recommends using Dropbox with 1password, contradicting himself.

    The other problem with his theory is that he says he is not comfortable with online storage, but he has his 1password on a computer with internet connection. That makes it by default online! You will need to keep it on a computer with no internet access if you are such a paranoid person.

    In any case, Lastpass is superior to 1password

  127. Alicia

    Intuitive Password is a new and rock-solid online password manager, worth to try! Visit http://www.intuitivepassword.com

  128. robrecord

    Not to mention that Lastpass has a HORRIBLE and clunky interface,

  129. john27332

    Oops! So, if you have a Mac plus Windows running in VMFusion or Parallels, you need TWO licenses. You pay twice. Now if you have more PCs (Windows or Macs or iPads, or Androids or iPhones), you’ll pay for each license on those, too! With Lastpass, you pay a subscription but ONE price pays for all using the premium version. Dropbox is nice but no more secure than Lastpass. I’ll stick with Lastpass.

  130. James

    I think the writer and many of the commenters here are under a false impression with LastPass. Your data is not accessible to LastPass. Your passwords are encrypted locally – on your machine – prior to being sent to LastPass’ servers. What LastPass has is a bunch of heavily encrypted gobbledygook that is useless to anyone that does not have your decryption key (hence them telling you to make damned sure you don’t forget your master password as without they cannot help you, however much they want to).

    There is obviously a nominal security decrease in having these things stored by a third party, but it’s hard to see it as any meaningful concern when you understand how LastPass’ system works. A similar system, in broad strokes, is used for Bitcoin. Some people have lost millions of pounds because they lost their keys and nobody alive was able to recover the data those keys unlock however much they wanted to.

    1. NIBB

      But this is what most people misunderstand. Hackers don’t need your encryption passwords or hack them, all they need is access to LastPass servers. They have to maintain a user database, with your information related to your account, they have to in order to provide support, billing, etc. And if your passwords are offline in your system how exactly do you think it works on all devices? That is right, it transfers them from one device to the others again using their service.

      All someone needs to do is hack their side and trick your account, LastPass then retrieve the encryption from your local systems remotely using their service, and they already have your master password because you enter it on their service. The minute your account and data has to connect to them to work, that alone is its weakest point and vector of attack. Not to mention it runs in your browser, double vector of attack. LastPass was hacked before, do your research, even if they deny this, the concepts were able to pull data out of a user account and steal the passwords of that attacked system. Even if it was not a direct attack on LastPass the result was the same, they could access the data by attacking the browser.

      If they really were not storing anything on their side and your service could work without establishing connections to them, then it would mean you don’t need their service in the first place. It’s a service, so attackers are going to attack them, not you. Once they have control on them, they can do whatever they like with users, from sending malicious updates so tricking them to give them the master passwords to getting their data once connected.

  131. Carl

    I think you are mistaken re how Lastpass works. They don’t store or know your master password. It never leaves your PC. Your master password is used to encrypt the password store, which is then uploaded to Lastpass. Without the master key the blob of encrypted data is totally useless to anyone including Lastpass themselves. You can also store your password database locally so you have offline access too. I have no preference. I just wanted to put the record straight.
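
Added example (not part of any comment above, and not LastPass's or 1Password's actual code): a sketch of the client-side encryption model several commenters describe, where the vault is encrypted locally and only an opaque record is uploaded. All function and field names are hypothetical, the work factor is assumed, and the HMAC-based keystream is a stand-in for AES, which Python's standard library does not provide.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password, then derive separate values per purpose."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    enc_key = hmac.new(root, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"mac", hashlib.sha256).digest()
    login_token = hmac.new(root, b"login", hashlib.sha256).hexdigest()
    return enc_key, mac_key, login_token


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real cipher such as AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(master_password: str, vault: dict) -> dict:
    """Runs on the client. The returned record is all the server ever stores."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key, login_token = derive_keys(master_password, salt)
    plaintext = json.dumps(vault).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    # Encrypt-then-MAC: the tag covers salt, nonce and ciphertext.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag,
            "login_token": login_token}


def open_vault(master_password: str, record: dict) -> dict:
    """Runs on the client after downloading the record."""
    salt = bytes.fromhex(record["salt"])
    nonce = bytes.fromhex(record["nonce"])
    ciphertext = bytes.fromhex(record["ciphertext"])
    enc_key, mac_key, _ = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong master password or tampered record")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ s for c, s in zip(ciphertext, stream)))


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    record = seal_vault("constructed-master-passphrase-0001",
                        {"bank.example": "constructed-site-password"})
    print(sorted(record))  # the fields a server (or whoever copies it) would hold
    print(open_vault("constructed-master-passphrase-0001", record))
```

The stored `tag` and `login_token` let anyone holding the record check password guesses offline, so the record is only as strong as the master password; the PBKDF2 work factor raises the cost of each guess but does not rescue a weak one.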
