Why I migrated from LastPass to Bitwarden

I’ve got hundreds of accounts and passwords, and I need a good password manager with good integration with my web browsers. My brain would explode if I had to remember all the individual account and password details I need to log in to every week.

I’ve been using LastPass despite never having liked or fully trusted them. Then LastPass began stripping away platform support and I started looking for an alternate password manager.

I’ll go through a few points that were important to me when deciding on a password manager, and compare how Bitwarden and LastPass live up to my expectations.

Platform availability

Bitwarden and LastPass both offer free hosted password management services with clients available for multiple popular platforms.

LastPass have been pretty good about being available in every web browser and on every platform. However, they left the LastPass extension for Firefox for Android to rot for over a year before abandoning it. They were slow to migrate their extension to WebExtensions, the Chromium-inspired extension API used since Firefox Quantum. They’ve also got a long history, going back several years, of shipping outdated versions of their extensions to Firefox users.

In my experience, the LastPass extension for Firefox has only been getting buggier with time. My browser of choice, Firefox, has clearly not been a priority for LastPass.

Bitwarden have desktop apps for Linux, MacOS, and Windows; as well as mobile apps for Android and iOS and browser extensions for just about all web browsers — including the underdogs like Vivaldi and Brave with their tiny marketshares. Bitwarden is everywhere I am and everywhere I can foresee finding myself — whereas LastPass suggest you switch your browser to continue using their service.

LastPass’ toolbar icon in my browsers used a glaring red color; a color normally reserved for indicating that something is broken or requires your attention. Bitwarden’s calm blue icon is less alarming and I subjectively strongly prefer it over LastPass’ icon. I’ve also found that Bitwarden displays error messages in situations where LastPass would just silently fail to perform the requested operation.

Open-source and self-hosting

LastPass is proprietary software and a proprietary service. You have to rely on their infrastructure and on their continued willingness to operate the service without interference.

Bitwarden, on the other hand, is open-source from top to bottom. Their apps, extensions, and online services are all open-source. If Bitwarden.com were to announce they were shutting down tomorrow, you could grab the source from their servers and host it yourself to ensure continued service.

Self-hosted instances of Bitwarden aren’t an afterthought either, as the company behind it considers self-hosting a “first-class feature”. I’ve yet to dig into this in more detail, but I expect that I’ll look into hosting it for myself with time.

As a developer, I also value the ability to inspect their code and suggest changes when I encounter bugs. I haven’t run into anything that has needed my attention in Bitwarden, but I like knowing that I have the option to fix it myself. I’ve submitted quite a few concrete bugs and even suggested patches to LastPass through their support form, but they’ve always preferred to leave the bugs unresolved in their browser extensions for years instead.

Security

I don’t have the time nor ability to evaluate exactly how secure or insecure any password manager is compared to another. However, I’ve noted a few things of interest.

There hasn’t been a full independent security review of Bitwarden yet. The code is open and anyone can look at it, and hopefully it will be “the good guys” who find any security vulnerabilities and report them to Bitwarden. The probability of that happening is much greater than with a proprietary product, since everyone has access to Bitwarden’s source code.

I was positively surprised to learn that Bitwarden’s browser extension doesn’t auto-fill login information on pages as soon as they’ve loaded. The user has to interact with the extension to cause it to fill in stored usernames and passwords.

While this is a slight inconvenience, it also effectively stops auto-fill theft, as some advertisement networks were caught doing in . This issue has been known to browser vendors for over a decade, yet the built-in password managers in most web browsers and most third-party password managers have all ignored it.

I’ve also got some concerns regarding Bitwarden’s use of third-party script resources, which I’ll go into in greater detail in the next section.

Security concerns over third-party resources

In my opinion, no external resources should be loaded from any third-party domains inside a high-risk high-security environment like a password manager.

LastPass hosts everything under their own domains and can thereby ensure that, as long as they have control over their servers, they maintain control over everything that loads inside the password manager.

Update (): The rest of the information in this section is outdated. Please see the 3-months with Bitwarden update for newer information.

Bitwarden loads scripts and styles from Bootstrap CDN as well as Google Fonts and Google Hosted Libraries. These resources are loaded with Subresource Integrity enforcement, meaning that modern browsers will refuse to load them if the external resource doesn’t match a predetermined checksum. In other words, Bitwarden can be fairly confident that they don’t load anything malicious or unexpected by including these remotely hosted resources.

However, Bitwarden also loads JavaScript from the two payment service providers Braintree (PayPal) and Stripe, as well as Google Analytics and the two-factor login service provider Duo Security. All these third parties are included when you log in to the web vault, and are loaded without Subresource Integrity enforcement. Subresource Integrity enforcement isn’t supported by these third-party vendors.

Including any third-party content is a potential avenue for malicious actors to get into the password vault. I can’t see any strong reason why any of these companies should be able to execute code inside the password vault. They’re all well-established service providers and it’s not very likely that they’ll lose control over their domains. However, it’s an unnecessary risk factor and frankly their inclusion also seems entirely unnecessary.

Third-party analytics

The Bitwarden mobile apps, desktop apps, extensions, and web vault all integrate Google Analytics for tracking behavioral data from users. Users can opt out by disabling the Analytics option under Settings: Other: Options.

Update (): Bitwarden no longer includes Google Analytics scripts directly. Please see the 3-months with Bitwarden update for newer information.

This is another example of an unconstrained third-party script that doesn’t belong in a secure environment such as a password manager. Users should have to opt in to tracking in this instance rather than having to opt out.

It’s not enough to opt out once in the web vault or in one of the apps or extensions. Users have to opt out again in every client they use, as the opt-out preference isn’t synchronized between clients.

I completely understand the need and desire for tracking some behavioral analytics. However, what is good enough for a normal website isn’t necessarily good enough for a security critical environment like a password manager. In my opinion, there’s no good reason for using Google Analytics — or any third-party analytics — in the way Bitwarden uncritically uses it.

Data portability

Bitwarden and LastPass can export and import passwords, secure notes, and other stored data to a comma-separated value (CSV) format with headers denoting each value. Many password managers support importing from CSV files, but some manual shuffling of the data columns may be required (as with anything else that uses CSV in lieu of a formally standardized interchange format).

Bitwarden, being the underdog, can import data from LastPass. However, if you want to go the other way, you’ll need to reformat the CSV export file for LastPass to accept it. CSVs are easy enough to work with, and the important point to note is that all data appears to be present when exporting from both password managers.

LastPass incorrectly encoded a few (but not all) UTF-8 characters when I exported data to be imported into Bitwarden. I had to manually correct these in the comma-separated export file before Bitwarden could import it. (This is a bug in LastPass and not Bitwarden.) Having just run into an export issue, I also tested and made sure that Bitwarden didn’t make the same mistake when exporting.

Both Bitwarden and LastPass can store other types of information including secure notes and credit card information. These types of data are also part of the password database dump.

Conclusions

I chose to use Bitwarden over LastPass despite being more skeptical about their security practices when it comes to the inclusion of third-party executable scripts inside the password manager. I hope we’ll see Bitwarden make changes to limit the number of possible attack vectors in the future.

Bitwarden doesn’t have a proven record of maintaining strict operational security for a decade like LastPass. However, my personal values, beliefs, and preferences lean heavily towards Bitwarden over LastPass as an optionally self-hosted open-source application with clients for every platform.

I’ve no strong reason to trust LastPass over Bitwarden. I find that I like using Bitwarden whereas I never liked using LastPass. Bitwarden seemed to me like the best LastPass alternative out there.

If you require absolute security, you should probably stick with LastPass as they’ve got a decade of experience in offering hosted password management services. You could opt to self-host Bitwarden in an environment that isn’t exposed to the internet as an alternative. However, for most folks — the current level of security offered by Bitwarden is probably good enough. Hopefully, we’ll see Bitwarden undergo a full security audit soon.

Update (): German security agency Cure53 have now completed an independent security audit of Bitwarden. All noted issues have been patched.