Pass on LastPass; KeepassXC or Bitwarden is better.
Вставка
- Опубліковано 8 вер 2024
- Websites Mentioned:
+ KeePassXC - keepassxc.org/
+ Bitwarden - bitwarden.com/
LastPass will be updating its free version soon to be less good, it restricts your password synchronization to one TYPE of device. Wendell talks about two alternatives, KeePassXC & Bitwarden. Don't get grifted!
Hope you enjoy!
~ Editor Amber
**********************************
Thanks for watching our videos! If you want more, check us out online at the following places:
+ Website: level1techs.com/
+ Forums: forum.level1tec...
+ Store: store.level1tec...
+ Patreon: / level1
+ KoFi: ko-fi.com/leve...
+ L1 Twitter: / level1techs
+ L1 Facebook: / level1techs
+ L1/PGP Streaming: / teampgp
+ Wendell Twitter: / tekwendell
+ Ryan Twitter: / pgpryan
+ Krista Twitter: / kreestuh
+ Business Inquiries/Brand Integrations: Queries@level1techs.com
IMPORTANT Any email lacking “level1techs.com” should be ignored and immediately reported to Queries@level1techs.com.
-------------------------------------------------------------------------------------------------------------
Intro and Outro Music By: Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
creativecommons...
"It's like running water inside your hosue getting more expensive, or electricity getting more expensive" - Texans staring from the corner.
*house
First thing I thought of.
@@minespeed2009 Any idea what causes prices to be so high at least compared to the US? I would hazard a guess of politics but I'm sure there's more to it because you pay literally 4-5x as much. That's not a ~30% tax.
@@minespeed2009 It's not 80%. According to Verivox it's 6.5 cents/kWh (www.verivox.de/strom/themen/eeg-umlage/) which is around 25%.
@@minespeed2009 In Sweden a few years ago when the environmental party came into power in a coalition government, a tax was introduced on solar power production that you use yourself (if you sold it you did not have to pay the fee, but instead some other fees, at least then you did a small profit).
They had to back down and remove the tax for small scale production (home size, but a few larger apartment buildings would still have to pay) after public “outrage”.
Anybody else remember when Wendell was just a torso sat behind four computer monitors?
I still have some t-shirts of him from teksyndicate
Don't forget the viking horns and beard
Speaking of _The Syndicate_ is, and shall remain *forbidden on this Channel...*
The days when you weren't sure if Wendell was just camera shy, or if he had done something crazy illegal and didn't want to be in the public eye.
He was like Wilson from Home Improvement
Bitwarden recommended. Migrated from LP. Works on my mac and android just fine.
Hi..
Are you using the extension on safari?
My safari extension stops working after quitting safari and I need to re-enable it manually from safari preferences :(
Same here, been using LP for almost 6 years now. But with their upcoming policy changes I’ve just migrated to bitwarden.
how is the autofill on mobile?
@@garycoleman8906 I would say it’s pretty good.
@Robert Maclean I hope it doesn't and that they collapse and fail. Short-sighted profiteering. I'll gladly pay for a good service, but not when that service degrades so badly it's embarrassing.
I figured $40 a year for a family plan supporting 4 people, with the option to have a family folder to share, was a pretty good deal, but we spend so much time now nursing logins on Android that they should pay us.
Oh, for the Halcyon days of 2014 LastPass.
Who else is here after the LastPass database leak?
Here we go again.
oddly enough, i just saw another youtuber talking about LastPass as though it was still a viable password manager
Ha, yup.
step1 - entice users
step2 - trap users
step3 - exploit users until collapse
silicon valley, and a lot of industries, are on step 2.5
@@mritunjaymusale Making their video cards shitty (banning vm usage for consumer cards and the mining bs for example) is not step 3, that's just believing they are at step 3. And it only works temporarily during massive shortages. Or are you talking about a service i am currently not aware of?
I mean that's still a dick move but still 2.5 at best.
@@fgregerfeaxcwfeffece Maybe true for Nvidia but I believe Apple is already at step 3.
And by the time you get to step 3 you have already become unsustainable. So in step 3 you continuously exploit with no room for respite.
@@adblockturnedoff4515 Well, that's why i never opposed it on apple. They absolutely are doing it. Thankfully they have no real monopoly (Well, i am biased i can barely see use for their "product"). Just one of the heaviest vendor lock-ins imaginable.
@@fgregerfeaxcwfeffece They have very real monopoly on their platform, but I see what you mean. They do create good products that work well with each other and are intuitive to use. But their business practices and the way they treat their customers is horrible. They blindly chase after profits and clout. Not a single shred of human emotion. The whole phrase that even the biggest of companies are run by humans doesn't apply to them. Sad.
@@adblockturnedoff4515 It's easier to have everything work when only whitelisted test cases work to begin with. And that's why i see apple as barely having a product. With this high price and this low functionality that's simply not a good ratio.
I actually had this conversation with a co worker just about 2 years ago:
A: Oh Linux is so hard!
B: Why did you use it?
A: Because what i tried was impossible with everything else.
B: See why this comparison is a bit unfair then because you basically equated impossible with "easy" or at least not as hard for the other side?
A: Okay, valid point..
Or in other words it's easy to never fail if you never do anything hard. Just avoid everything hard and never fail.
Sounds good until you look at all the missed opportunities. But i get it. Loss aversion psychology just leads you down that fallacy. That's just a known and well documented flaw in human psychology. We value loss harder then missed opportunity but in reality they are exactly equal. Money shows this very clearly. It doesn't matter if you lose 500 currency units or not gain 500 currency units. The result is you being short 500 as opposed to the alternative.
That also leads to the next common apple fallacy: They retain value!
Not really, if "A" buys a 1200$ iPhone and resells it after 2 years for 800$ "A" lost 400$.
Meanwhile "B bought a 200$ used One+ use it 2 years and drops it in the old phones drawer. (Of course it lasts longer, but i don't see the point in further beating a dead horse. Besides, the point was the 2 years period, so anything after that doesn't count no matter how much it goes in my favor. )
"B" saved 200$ compared to the great value retainer if if "B" just threw the phone into a river.
Or in other words after 2 years "B" is already 200$ ahead (even if the phone lost ALL value) if we are talking monetary gain. Not a good start i would say.
Now the common point would be: it's unfair to compare bought new to used etc. But the value retaining argument is usually used in against exactly buying cheaper.
I simply see impossible as a straight fail. So Apple products have to many fails to be considered. Biggest one: it's either locked or unsafe.
And on a business evaluation of a product you compare everything to other options at the same price and i don't see apple winning on single metric by that standard. But i am open to change my mind. So go on, tell me what's great. Only concrete use cases no marketing bullshit like "intuitive". Nothing is intuitive. there is no such thing as common sense. You only know what you learned.
The only thing that comes to my mind is a very narrow by its nature and my main contra argument:
Limited software lowers administration cost. They are glorified v-techs or gaming consoles, not computers.
I define computer as a general purpose device. Apple products are distinctly not that.
So i frankly can't see how the treatment is not part of the service. Sounds like plain old fin dom to me. And i don't kink shame.
This has aged amazingly well. Thank you, Wendell!
I just spent the last six hours changing passwords, tying up some loose strings as far as 2FA is concerned, as well as migrating everything off Lastpass to something hosted on my home server. Should have done this years ago, but the recent data breach scared me enough to get the ball rolling.
Wendell: "I don't want this to get technical or take too long" Me: "Sounds good. I guess I'm going to need my calculator, some paper, Visual Studio Code Editor and plenty of water to stay hydrated."
😆
1 year after, a pair of breaches shows that LOTS of things are stored UN-encrypted by LastPass.
I'm so glad I have used synced KeePass for years, even long before this video was published.
Jumping from Lastpass to Keepass has been on my backlog for... probably a decade now, but this recent move forced me to make the jump.
I've started on Dashlane, migrated to Lastpass, and considered Bitwarden... but ultimately the objective was to go Keepass synching stuff on my own.
I have to say, there are reasons not to do it... go for something like Bitwarden instead for instance.
But I'm insisting... because ultimately, I don't wanna rely on someone else's server/service, so as good a time as ever I guess.
The general problem with Keepass is the general problem with several other FOSS software, which I also have highly adopted in recent years - it's fine for me, but if I'm gonna put it for someone else to use, like say, my mom who is in a permanent tech illiterate state, it starts getting harder.
But even for me, the decisions are taking longer than I'd like. Problem is, there are too many options, not that much material for research, and videos like this one are not that numerous, so it ends up not covering specific cases like mine.
For desktop it was kinda easy. Original Keepass is kind outdated but fine, KeepassXC is more modern with newer features, so there you go.
I still ran into some weird problem though. Not sure why, but Keepass XC was refusing to import a Lastpass CSV file inside an already created database... it keeps trying to create a new database instead.
So I had to do it via standard Keepass, and then open the database via KeepassXC. Perhaps because I'm trying to create a new database with a keyfile, not sure what's the issue.
On Android, things got worse. I tested KeePassDX, AuthPass, TinyKeepass and am currently using Keepass2Android... all of them have something that doesn't work, works weirdly, or is kinda messed up somehow. I think TinyKeepass doesn't support key files, KeePassDX I couldn't find a way of using biometrics alone do unlock the thing (requirement for my mom), AuthPass wouldn't accept my master password no matter how many times I tried for some reason. Keepass2Android is older and has a bit less friendly UI, but seems to be working... I just didn't fully test it yet to tell.
But the general problem is the same - compared to Lastpass, all these versions of Keepass seems to be generally more difficult for someone like my mom to use. You have bugs here and there, the interface is kinda convoluted and complicated, and you end up having to go through this familiar path of trying and testing things out...
I'm also trying to sync the database through my Synology NAS, future plans to build a server running NextCloud for it. I'm not sure what's the ideal way to do it.
I'm using a mix of DS Drive for Android and PC, or an older app called DS cloud for Android, and trying to sync things up that way. For me personally anything should work fine, but for my mom it has to be seamless and under the hood. No weird glitches, need for constant confirmation, reliant on configuration, and whatnot.
Just not sure if this will work out ok because I'm not sure how these apps deal with file conflicts and simultaneous usage.
Of course, the best thing about it is that when I manage to make it work for us, no more fears of a service cutting off features and ramping up prices out of nowhere.
Going the same route for Google Photos... for now, it's Synology Moments, and when I can get back home and build my own servers, it'll be NextCloud. Depending on how it goes, how easy to use the interfaces are, I might just keep the Synology for family usage, and reserve NextCloud for my personal stuff...
This was super helpful. I'm looking to get off the LP family plan on to 'XC -- your comment probably saved me a few hours.
I started with Bitwarden 2 years ago as my first password manager and I have absolutely no regrets
"Electricity getting more expensive... It doesn't make sense"
Laughs in Brazilian
And Germany. (Where the price for electricity has gone up 100% in recent years) ...
2002 it was 16 €cent/kWh. 2021 it is 32 €cent/kWh (32 €cent are 0.39$)
I see alot of Brazilians post things about Brazil and expect world to know what it means.....
@@murphy7801 I think my comment was pretty straight forward. We had an increase in our electricity.
It was 4% form 2020 to 2021. Honestly, that doesn't sound too bad comparing with other countries in the comments.
I'm sorry that other Brazilians are venting in the internet, our government is very controversial.
@@pacifico4999 no more just commenting on interesting phenomenon, not saying you shouldn't be doing it.
*Texas has joined the chat*
been using KeepassXC for couple years now because has win and Linux versions, and supports using keys with password.
thanks for the video.
*because
@@alvallac2171 sorry ty for correction
I've been using KeepassXC along with NextCloud. Been working great. I also use key files to make it harder to crack the encrypted database. The only issue is the firefox plugin can be flaky at times but still works fine most of the time.
@@Darkk6969 Thats good, love keepassxc. I have not used plugins, I generally use the portable version from a usb thumbdrive. I have 300 random keyfile documents on the same drive and turn off so it won't remember it along with a password---great for Linux as well, same DB files. Another great thing about keepass is it works on many "locked down" corporate computers without admin having to authorize it (good luck with that)
I've been a paying Lastpass customer for about a year now. I pay $48 a year for a Family Plan for four of us. Bitwarden is $40 per year. So while that's cheaper, the cost of switching (in time) makes me stay put for now. I realize that's a slippery slope that could have us get locked in for longer due to increasing amount of time required to switch as the password lists grow. I need the family plan because I've got grade-school kids that I'd like to have learn good password management habits. I'll see how things shake out for a bit - but this is good info to consider.
Moving between them is pretty simple.
Lastpass - export to CSV
Bitwarden - import from CSV
Securely delete CSV.
Done.
Must be a sign when this video came up on my recommended. I stuck with Lastpass despite the service changes last year, thought i could still work with the limitations which was still livable. But with the recent big hack, pretty much lost faith in them.
I went from lastpass -> keepass 2 -> self hosted bitwarden on unraid with ssl and custom domain. Works very well across all devices.
Yeah, keepass is ok, but the browser/mobile integration is about on par or better than lastpass with bitwarden, also confused why Wendell said it was harder to setup? I mean if you can follow terminal instructions on how to setup docker then btiwarden_rs is really easy and thanks to ngnix proxy manager, forwarding that to a domain is also really easy these days.
@@vgamesx1 That was confusing. I assumed he meant that the official Bitwarden self-hosted install was too difficult, as opposed to bitwarden_rs which is fairly easy but is an unofficial 3rd party effort.
I have been considering doing the same, if it's as simple as just running a docker container and proxying traffic to it, I just might do that. I've been lazy with my password management stuff, so I probably should do better than I am rn.
You should have heeded Wendell's warning. LastPass has been fully compromised. I'm going to self host to keep my stuff secure. (Although my current manager is physical and the only plane of attack is breaking into my house, bypassing the dogs, and finding my password book.)
thanks for the information, see you soon lmao
@@GabrielM01 Are you threatening me with hacking? Or, are you threatening me with breaking into my house?
@@Hidyman people cant take a joke anymore?
@@GabrielM01 Oh, sorry, I take my privacy seriously, next time throw a winky face in there.
@@Hidyman sure, my bad
Bitwarden is great for the lazy/busy technical user.
Been using Bitwarden for a year-ish now ever since dashlane hiked their prices and haven't looked back. Highly recommended 👍
I’m switching to bitwarden as well. I was happy to pay for LastPass as a way of supporting them and maintaining for the free users, but not really into the idea of eventually losing access (if I can’t use it in both my phone and desktop it isn’t useful) to an important piece of software if times are though financially.
Same, i've used lastpass for years, back when they were 12 bucks a year i paid that without issue. but then they made the free tier and the pay tier essentially identical, so i went free, now theyre basically ripping me off. They also make it seem like you get that cheaper discounted rate as 'grandfathered deal', nah its not, its just for 1 year and then you're bumped up to 36 (or likely more i'd bet) after the first year. sorry logmein not worth it.
@@gigatigga Same here, used free LastPass for a couple of years, then payed the 12$/month until it became free. Moved to Bitwarden a few months ago since I would rather have a open source/source available product for this. I happily pay the 10$/year for Yubikey access.
@@gigatigga Lastpass was the first 'free' service that I ever paid for just because I wanted to make sure it stayed a functional company. Never used any of the premium features.
When it went to $36 I dropped the payments because while its a useful service its not $36 a year useful and I never used any premium features to begin with.
Switched to Bitwarden 2 or 3 years ago now.
I use my phone and Mac interchangeably, and since i'm on "Free" the only way to use password on my iOS device is type it in by hand... I wouldn't mind paying for Premium if only security was better handled (without breaches).. but to me, it doesn't justify paying for something hackers already know about.
I'm gonna try Bitwarden,
Trying to create a value where there is none or trying to press water out of a stone is what is ruining many products and companies. A company that offers something like password manager shouldn't be expected to make YOY gains until the end of time.
There should be some free quality password managers just there are with antivirus. Security hacks affect everyone. We need public health for the internet.
My solution is iCloud Keychain. If the device I’m on isn’t from Apple, I can type the password out from my phone. I think this was a good choice long-term because I’m receiving it for free as a benefit of the Apple ecosystem, and I’ve had years already of just not worrying about it.
I have been using Keepass for almost a decade now. Fantastic software! My company uses LastPass Enterprise in our IT dept. It's terribad.
Damn. Sorry to hear that. My company recommends KeePass and lets us go for it.
Only reason I'm happy to use LastPass Enterprise for work is the auditability and it's perceived trust.
It makes me mad every other day (especially on Android) but if there is a breach and auditors scrutinize your secret-management, you don't want to explain and vouch for any self-hosted or DIY solution. Same reason I use Bitlocker over something like Veracrypt which is arguably a worse choice. When the auditor hears "my drive was Bitlocker encrypted" he moves on to the next question. If he hears "I used Veracrypt", I now need to convince him how it's as good or better, how I managed my key to that etc. For personal stuff I use the alternatives e.g. Linux, BitWarden etc. but my work involves handling very sensitive data so I have to play into the security theater of the standard choices. You don't want to be the interesting person in the post-breach audit interviews.
@@QuickQuips I'm surprised my company recommends KeePass (they tend to mess up alot), I've been using it for a couple of years now and couldn't be happier.
This should be part of the business of building computers. From smart phones to desktops should come secure otherwise these programs seem based of the old mafia style “protection” rackets
Just switched to Bitwarden yesterday after 8 years of LastPass lets see how it goes. Might be trying KeePassXC as well
Let us know how it goes! ~ Editor Amber
For a single user scenario I would agree, when you have 4 family members with shared folders and passwords, lastpass takes the cake for me. I can update a password and my wife doesn't even have to know, it will just sync to her account and work for her
Thank you, Wendell! I was actually thinking that I will have to start paying them, but here you are helping us to save money!
I meant to migrate away from Lastpass when I saw this video when you first released it. Sadly, work got in the way and procrastination. How did that bite me on the butt. Migrating now, changing all the passwords and notifying clients who may also have been affected. This video made a handy reference and giving it my clients saved me a lot of time.
I prefer keeping my passwords on a local level and not online. Yes I'm aware that things can be encrypted before they are sent and what not. Just keeping things offline that you don't want others to know is just a better way to be sure if you ask me. I don't have to worry about an encryption being broken or a databreach among other things. The only real downside is that I don't have the convenience of a quick one password login, and I'm more than OK with that.
I’ve been using DataVault for years and all data lies at the local level. You have to manually sync between devices. But it’s one password for the program across all devices. You can’t fix what isn’t broken.
I've been using LP for the last 8 years or so. Switched to Bitwarden instantly last week and did the same with my parents this weekend. Keypass looked great as well but ease of use is much more important b.c. I gotta set up the whole family. Very happy with Bitwarden so far, I like that that it's all a bit more rudimentary looking than LP while having better useability imo
Been using BitwardenRS on my home server for about a year now. It is great! I use the browser plugins, desktop application, and phone app with fingerprint access, super convenient.
I had exported all my passwords from Chrome password sync (yuck, I know), then I used bitwarden to help me set unique super secure passwords for all my websites.
My next step is to develop a high availability strategy in the event my home internet takes a nap while I'm on vacation or something..
Bitwarden clients cache password file, so you can use your passwords even without Internet connection. This should be enough to survive a brief nap, but high availability is a good thing nevertheless.
@@VaKU. it might be an issue if you changed the password and the cached password is out of date.
If you're running bitwardenrs you should be able to access your passwords even without internet since you can use the local IP to access the docker.
@@VaKU. I'm assuming running it on a local machine, not running on linode. You could run bitwardenrs on a raspberry pi if you wanted to. Really no reason pay for linode, when a you can get a raspberry pi for cheap and cost you very little to run. Should easily be under $1 of electricity every month unless power is very expensive in your area.
@@joemann7971 Thanks, I know that and have several RPis. I'm hosting BitwardenRS on my NAS. My earlier comment was an answer to @Chris Burnes on the point of "a high availability strategy in the event my home internet takes a nap while I'm on vacation".
I think that cached passwords may be a reasonably sufficient solution for a brief periods, when server at home is without connectivity.
Family pricing for LastPass and Bitwarden seems to be very similar though. Also, seriously, for most folks running Linode or NextCloud or their own containers is just LOL. Next step: Just spin up a Kubernetes cluster, configure a few Helm charts, run some NGINX on the front end, pull that Bitwarden container, and bam, as Todd Howard himself would say: "It just works".
If you can get by sharing the few passwords you need to share in the family manually, then you most likely can get by on the free version (if you use a yubikey you need a subscription and some statistics are only available to subscribers).
I like that self hosting is an option. I’m one of those who like the idea of self hosting. But I think that for the vast majority of people, it’s nothing they should bother to even consider.
(Currently testing self hosting Nextcloud, not sure if I’ll keep it yet. But I won’t self host Bitwarden, at least not now, since I trust them more with security, availability and backups than myself.)
+1 for bitwarden it's FOSS and it has a self host option if you don't like their cloud option. Even if they ever go closed, we can always use the service prior to it going closed and know it's functional. a fork can always exist.
I'm old school, I have a note book with really long passwords written in pencil. Some of the passwords characters are different than how they are written.
Totally fine. Providing your passwords are essentially diceware. It's all about identifying your threat model and a notepad and pen works great for some.
You've essentially created your own encrypted password file residing in your house. :)
You're surprised someone isn't as hysterical as you?
Vishur, what is your threat model?
My parents for example live in a nice community, crime is low, they've long since retired. Their password books are stored in a fire rated (and water rated) document lockbox situated next to their main PC along with other pieces of important information and their passwords are diceware.
Now, if they wanted synchronisation across devices I'd consider getting them up to speed with bitwarden, but they're happy with their current system, they understand it.
If I start talking about kdbx's and dropbox, etc their eyes will glaze over and I'll lose them, right now however with their little dice and crib sheet and their books my parents are considerably better off than when they used the name of our first pet for everything.
Now lets take a look at your tin foil hat approach - it all sounds splendid, until... "algorithms". You see, unless you're a mathematics whizz, or a computer, well the issue with it is that given enough public breaches, your algorithm becomes a recognisable pattern.
What once was "super secure" has now compromised every single password you ever generated using said algorithm.
@@iVGaur it's still terrible advice.
@@iVGaur crime impossible fire impossible? No they don't live in a make believe world but they've addressed those things.
It lives in a Fireproof safe.
Is physical violence impossible in your world? Pretty sure you'd succomb to a few sledgehammer blows to your knee caps and reveal your algorithm under duress. Yet you don't seem so concerned about that.
It depends, if you're a nobody like yourself then perhaps you're correct your threat model needn't be concerned with targeted attacks however if you're someone of at least moderate interest perhaps it should be.
Notice you're demonstrating my point exactly, you're agreeing that it all depends on your threat model.
Are my parents concerned about crime? Not really, but it's under lock and key anyway.
Are my parents concerned about fire? Not really but it's in a fire proof safe anyway.
Both of those risks are now mitigated.
Yours however is still unanswered.
I can second Bitwarden. Very satisfied 👍🏼
I autoskip anything commercially hosted, especially if servers are located in the five eyes states.
So KeePassXC and KeePassDX with Syncthing/DIY Nextcloud is my solution to handle synchronization.
Just got to pick up a Yubikey which I haven't done just yet.
U2F Zero keys are open source 😊
@@MestreDentistaGUC nice but U2F isn't all that common yet from what I can tell nor can I build those things myself 😕
I was using Keepass/Dropbox and found that combination worked quite well. I’ve moved to Bitwarden as the integration is better, especially across multi-device/multi-platform
Keepass + Dropbox.
Not the slickest UI, but works so well for me over 10 years of doing dev work.
It's kind of amazing that a decision to use KeePass around 2004 remains not only viable but a preferred solution over 15 years later. The biggest difference is that the software has kind of stagnated, even when considering the wealth of plugins, so that the XC variant is probably more generally recommended. You can even still use the original version if you've been resisting .NET all this time.
I am in EXACTLY the same boat, and hadn't really considered that. I started using KeePass back in about 2005 as a high school student, back when the original .NET version of KeePass was the only version, and I did it out of convenience more than anything - so many sites required weird password rules, and I kept forgetting my slight variations of my memorized password. I chose KeePass because it seemed like the only good option at the time. By now, I have switched to KeePassXC, I use it on multiple platforms, and it just generally works great and has nearly 2 decades worth of passwords in it. I never would have expected that now, 17 years later, not only are there lots of password manager options, but most of them are terrible and I backed the right horse initially. Feels good. I guess you can't go wrong with open source.
I’ve been a happy keepass user for a good year or so now. I pull the db onto my phone and tablet and use strongbox to access it mobile wise
I have a well established db file I just copy to new devices and add new passwords as I go. I only use 2 devices normally, so it works out fine. No sync needed.
Yeah, Keepass is just great. :D
@@larrygall5831 Sounds inconvenient to update database every time on both devices.
Bitwarden sounds like the thing for me since Ive been wanting to get my parents to use a password manager, and they aren't technically inclined.
I want to use the same service as them if only because then I would be familiar with the service and how it works if they ever have a problem.
To many times they have called me about something I have never used or heard of before and always takes time quickly learning how to actually use whatever they are trying to use to fix the problem.
I've been using KeePass + Kee browser plugin on desktop, works very good. Also KeePass supports ChaCha20 that is even better than AES256.
Isn't ChaCha20 only better than AES because it is faster? I can see that being good for some purposes but my AES password database decrypts so fast I don't notice it doing anything already.
keepassxc is amazing. i have no problem with their browser plug-ins either.
Whatever alternate you choose, remember to keep a backup of your passwords just in case, you probably have a few hundred or so passwords and really don't want to lose them, so even if you don't plan on using Keepass it isn't a bad idea to import them anyway or if nothing else at least get veracrypt and encrypt your password export.
I saw the news about LastPass when it first came out, and I kid you not I had 3 accounts migrated over to Bitwarden within 15 minutes. It was so easy and I'd been looking for an excuse to ditch LastPass and this was the final straw.
The biggest features that made LastPass so good are the browser extensions and the mobile application. If Bitwarden can match those (especially the iOS app making use of the system password auto fill) then I would definitely consider switching
I left LastPass after they were bought by LogMeIn. Bitwarden on iOS can autofill since you can specify the password manager in iOS now.
I am a user of 1Password for more than 15 years. Sometimes I am tempted to move and save a buck, but I am too lazy to maintain this solution for me and family. Up to now I have a very good experience, and pretty sure that it will be like this unless they are sold.
I would love to see Wendell do an additional video discussing password managers that ship with antivirus software. I've read that they are typically not even close to as good, but it might be worth commenting on these in light of changes to LP.
Considering the LastPass hacking discloser the other week, this video aged Hella Well
Personally use keepass + Kee + rsync mostly.
Kee is pretty good as a browser extension and allows for far better domain fine tuning than lastpass ever could.
At work, we do use Lastpass on a company level as at the time I chose it, it was a good option for sharing passwords between people (yes we are single account freeloading on software that charges per account).
I use KeePass non XC and would never use a paid password manager.
One detail that was not mentioned- you can log into Bitwarden on Android phones using biometrics so you do not have to enter in your long passphrase every time... Select Settings->Security/Unlock with Biometrics.
been using bitwarden for years and love it.
Switched to Bitwarden last week. Their premium is reasonably priced, too.
I did as well.
Same I even decided that I would get the premium
Been using Bitwarden for nearly 2 years now. Even self-hosted it for awhile to see how it ran, (it's not too hard, but the docker version is easier.)
I use KeepassXC for password and Syncthing for sync between computer and my smartphone.
I agree with the sentiment in general, and everyone needs to decide what is valuable for them. However, there are some things in life you should WANT to pay for. Email service and a password manager are in that category for me.
To be clear, the alternatives to LastPass are good, and i may switch at some point. But I expect LastPass to invest in defending against attackers. This is a highly attractive single point of failure and I want to pay money for someone to help the hackers away, as much as is possible. Don’t cheap out on security and privacy.
Both utilities that you mentioned as not getting more expensive over time are in fact getting more expensive over time; electricity and water.
SafeInCloud. It syncs via a cloud of your own choice. You only pay a one time fee (was 2.99 few years ago, but now 7.99) if you don't want adds in the phone app. Win10, Linux, iOS, Android, ... +browserintegration
3:37 the electric infrastructure in Texas collapsed due to own lack of foresight and maintenance. there's scarcity. let's drop some surprise $10,000+ charges to the user's electric bill.
It shouldn’t have come as a surprise. They signed up for wholesale rate plans. It’s a case of know what you’re signing up for. Not defending the electric companies. But people need to understand there’s a flip side to the ultra low bills they usually get.
Good presentation, I've used KeePass and Bitwarden, like them both. Even self hosted Bitwarden. For the price I let them host it and pay for the extra features. Like using my Yubi Keys as an extra layer of protection. Both KeePass and Bitwarden are great for managing thousands of pwds. Last Pass sucks and pulling your passwords off Last Pass is not for the faint of heart, they make it more difficult than needed.
Most people are not going to work out how to securely access a password db across multiple devices. Lastpass is offering a service that does this for them. I would not use it, I use keepass and syncthing and a vps, but Lastpass provides a useful service that normal people will pay for rather than working out their own solution.
I love the analogy for trying to decrypt AES 256, spot on.....it would take 100 years plus to get anywhere.....BUT.....with quantum compute with focus in cyber security, it may be possible to break AES 256 sooner.
It's been a while since this comment, but I wanted to reassure you and other readers that AES will still be secure, along with basically all symmetric ciphers, in the advent of quantum computing.
Now, RSA and other discrete logarithm or prime factorization techniques will be fundamentally compromised (like ElGamal), so we will need new ways to perform key exchanges, encrypt emails, and secure HTTPS connections, but the symmetric key primitive ciphers will be themselves only somewhat weakened, not broken or compromised.
For those debating whether they want to use KeePassXC or Bitwarden. I used KeePassXC synced between a few of my devices, I tried a few tools for sync, syncthing, a usb drive and others I don't remember. An issue I always encountered was that sometime I would modify the db on a few devices before they got a chance to sync with each other, this results in a synchronization conflict. Imo, these sync conflicts are the worst part of the experience, I managed for a few years, but Its part of the experience that @Level1Tachs did not mention and its the biggest difference between the two options.
When KeePass db file is modified in anyway it looks completely different from the file system perspective, only when you decrypt your KeePass db file, by opening it in KeePassXC, can you understand the changes. Because of this no file sync service can resolve any sync conflicts on its own. This is where Bitwarden provides a lot of usability IMO, on the server it can reconcile these sync issues because on the server it can see the file. But that's a big tradeoff, KeePassXC is more secure but on Bitwarden you don't have to deal with sync issues.
Tl;dr @Level1Techs forgot to mention that Bitwarden saves you from having to deal with sync issues, but it can only do this because you are trusting the Bitwarden server more than you trust a sync server with a KeePass file.
This video is just on time. I was using LP and now I'm looking for an alternative that I can trust.
Thank you : )
Glad we could help! ~ Editor Amber
Be warned. When self-hosted, Bitwarden's data directory stores a PLAINTEXT list of what sites you visit (as well as your email address, and your recovery question)
@My Name Is Donk And I Love To Honk I use Bitwarden. But I have disabled the cache in every app, including the core, secure erased the unavoidable detritus, and wrote a watchdog to auto-cleanup if I have to install a new client. It works for me, but it's non trivial... The whole mess lends itself to several very interesting side channel attacks ... But while it's only me using it, I will tolerate the inconvenience of having to plug this hole myself for the benefits of using Bitwarden.
Man this may just make me switch back to 1Password.
@@csbluechip Stil the case, even with the new versions?
Bitwarden also lacks proper memory encryption, any app can just swallow the decrypted data from your cache, KeePass encrypts it
@@estebanod I wonder if there‘s anything these days, that just does it proper.
I use keepassXC as my password manager on my PC and keepassDX on my phone synced with syncthing which works really well
Thanks for this video Wendell. I always come back to you when I'm doing security spring cleaning. Been using Lastpass for a few years and with their recent change I wanted to double check what the options out there are. Just switched to Bitwarden!
Let's try again: Use KeePass + rclone, dont use any of the commercial products, they are all honeypot. You dont control the app, you dont control the remote rest data == you dont control your passwords.
not your keys not your stuff. is there dumb version than manages everything from the boot of the computer and no need to do much after copying the seed phrase?
Bitwarden.
Just self-host it.
All this keepass + cloud storage service + syncing between devices is bandaids around a crap solution. Host your own bitwarden setup and call it quits. Done.
I already left from Lastpass and started using Bitwarden. I was using Lastpass for last five and a half years.. pffff
We use keepass at work also. Good, but not for everyday use (for me).
Anyway, it was nice listening to you, giving information to people and comparing solutions.
Downright prophetic lol I'm happy I took this advice
I am one of those effected by this change on Lastpass. They had the by far best free password manager solution out there. Over time they limited here and this latest limitation means I have to switch/pay the premium. I was considering 1Password but Bitwarden also looks decent and I will check it out but it feels like I will probably go with 1Password.
If you are going to pay for a manager 1Password is the way to go. Bitwarden is only good if you really want to self host it.
Well same with Dashlane lately...it went down the dirty drain.
Been using Sticky Password for quite some time. I think i got it originally from one of those "free app for a day" thingys and when they went with paid option like last pass, they gave me free lifetime license (what was a cool thing to do).
Pocket Casts (podcast app) did the same thing, when they moved to a subscription, those who already purchased it got the subscription for free. (After some backlash after features paid for would otherwise be moved to a subscription)
With all these bad business practices, I'm not surprised they got hacked.
Wendell, I have to disagree about using Keepass files on sync service - I tried it and wouldn't recommend it because there is no conflict resolution or direct access to the DB. That means if you work on multiple machines you have to be sure that the file has been fully synced before you edit on the second machine; and of course it's single user only. And whenever you need access to a password you need to download and unlock the entire file. So it's a possible solution, but not a great one.
I've used KeePass (not KeePassXC) for what seems decades. Probably not. But for many years.
I don't intend to switch.
Seriously use a free resource people. And make sure it's your own.
Authpass allows you to connect to webdav or google drive. Works on android as well as linux. Uses keepass database v2. Plus a periodic backup from the google drive.
Not a techie so I like simplicity. I've used LastPass since 2009, and it's awesome. I've tried Bitwarden last year and it's way more technical & not as easy to use as LastPass. Sorry but LastPass is still the king of PW managers.
Running KeepassXC with Syncthing. Using my Yubi key for MFA. I love how keepass can store MFA codes too for different services too. Haven't had a single issue with the set-up yet.
I dunno why but self hosting bitwarden makes me a bit nervous with regards to external access . Places a lot of the responsibility to hardness my server better than bitwarden can do but its something I'm interested in exploring perhaps a topic for a video?
Nothing to be afraid of. Even if they get in everything is encrypted in browser.
A few points:
* It'd nice to find stats for this, but I wouldn't not be surprised if you're at bigger risk of your password database leaking when centrally hosted through Bitwarden, simply because they are a much more attractive target than you unless you're Jeff Bezos or something
* As mentioned in the video, the database on the server is meaningless unless you have the master password
* You can layer security here -- for example, you could make all your services (including Bitwarden) only accessible when connected via VPN
I have considered self hosting, but came to the same conclusion. I trust Bitwarden more to keep their servers protected than myself. I also trust Bitwarden more not to loose my database file than myself (in case of house fire, lightning frying computers and so on).
Lastpass had one job to secure our vault and couldn't even manage that. There is no reason to trust this securityless company. Take the advice from this guy and avoid lastpass at all cost (even if they give premium for free).
I can strongly recommend KeepassXC as well, additionally it can also automatically download the favicon if a URL is added to a password/secret entry and makes selecting the right entry easier (if not using the extension for browser integration already.
For me the biggest difficulty has always been synchronizing multiple databases since you wanna have it on every device you use obviously (and I didn't used to be always connected to the internet to just be able to synchronize when needed). Sadly the Android app version doesn't integrate that well and already makes it difficult synchronizing the internal cached version with the one on the "external" storage (aka /sdcard). At least for the version I'm using (which is one of the few offering fingerprint unlock if master key is entered once after boot). Especially when having a bigger database file (mine's already at 5MB because of some compressed sensitive data I've put in there) synchronization takes while, which it wants to do on every edit (can be disabled but then you are desynced).
Sadly my work for some reason doesn't allow that keepass version to be used for whatever reason (probably some licence they don't recognize), though I guess I could compile my own version which the AV woudn't like (flags as not "reputable" software as not many people use it).
If there were a hardware key with builtin keepass compatibility and keyboard emulation for auto-type would be ideal really as then you essentially have implicit 2FA (ownership+pw knowledge) but would need to be able to export the DB for backup. Nitrokey has something like it but requires their own software and only has like 10 pw slots (since I guess space is limited) though they also have encrypted usb drives (which again doesn't work at work since writing to external storage is forbidden by Windows).
All in All, I'd really like to follow the best practices and usability open-source has already achieved but sadly it hasn't reached too much public knowledge or enterprise acceptance yet. I'd really like to see it succeed. Same story with Linux though and we see how this is going though perhaps at some point everyone will kind of get to use it explicitly or implicitly (under-the-hood as a platform-as-a-service) through some means or another.
Really liked the video though, would like to see more of this type of PSA in video form that might be shareable for other people to follow, liked it twice (here and on floatplane ;) )
Somebody recommended syncthing to me. And although it's a damn hassle to setup it is fire and forget after that. It syncs perfectly fine now across my PC and my android phone.
but yeah, It is always a hassle. And although Wendell says "it's fine if you know tech" it really isn't. Some people just don't have the time to go through the bullshit of setting up an entire architecture just to host your online credentials.
Migrated to Bitwarden. Took literally a few clicks using my laptop and then setting it up on my phone took another few clicks. Getting face unlock gets a bit finicky but I managed. Works just as good as LP if not better. Really liking the simplicity of it.
Does it have the same auto fill functionality as LastPass?
Wendell: "I don't want this to get technical or take too long"
Me: Strong doubt on both of those :)
If you are in the Apple ecosystem you can combine KeyPassXC with StrongBox to have compatibility with your iPhone.
Switched to BitWarden and I’m hosting it on a Synology NAS. Completely worth it and the data isn’t in the cloud.
Thanks soooo much.. was looking for something that wasn't last pass.. thanks good sir..
I started out with KeePass, but had trouble with synchronization. I didn’t trust the free services with the encrypted file (I know), and Nextcloud/own cloud at times created conflicted files. I switched to Enpass, cross platform, mobile platforms and syncing. It was a $10 lifetime app purchase for unlimited syncing from unlimited devices, but they have changed their offerings as time goes on. I still like it because I can use WebDAV with Nextcloud to keep the password file “local” and easily in sync.
I have been using Keepass for over 10 years. And am fine with it. Glad I didn't stray to something else. Now I am using it on Linux.
I tried KeepassXC, and still like the original better. I may try it again, but KeePass gets it done.
I also use KeePass2Android.
Regardless, the data file, your passwords, is an encrypted file and you can move it around. I use a cloud service to hold the KeePass file that I replicate to from my devices.
KeePassXC on desktop. KeepassDX on android. Plus Syncthing.
BROTHER
YES!
this sounds like the best way forward, do you store any backups on any other devices? is it safe to store the file on google drive?
@@Liverblow1 If you use a secure method to create your database passphrase (realistically a diceware generated 6, 7, 8+ word long password that you remember in your head) you can store password databases on cloud storage like google drive or dropbox. If you want to be extra safe add a key file of 128-256 bits of ascii characters to keepass. Then you can print the keyfile out and save it as a hardcopy backup in your ammo and gold safe, just in case. (But I am pretty sure a decent passphrase would be sufficient.)
@@knightrider585 thank you I'll do that
I've been thinking of getting off LastPass for years because I'd rather have the actual database stored locally and be able to use it anywhere I can save it (syncing through MEGA between PCs and phone, works great), but for years been on the fence about it because I didn't feel like putting in the effort to reorganize all my accounts. That was until I saw the news, forget LastPass man. And KeePass has been working absolutely better, even just simply loading account details into forms is faster somehow.
Can't recommend enough.
I just switched from Lastpass to BitWarden. Glad I did. I was able to export all my passwords from lastpass to bitwarden really easily. So I was able to make the switch without a hitch.
What about Firefox lockwise?
A few months ago I migrated from LastPass to Bitwarden self-hosted and I'm really happy with the change. The setup was a little bit involved but that didn't bother me. The web browser integration is excellent as you said, and that's a big deal to me.
We use keepass at my place of work believe it or not, it's a small crew so luckily not as bad as you might imagine but it does get tedious having to make manual pw edits everytime someone needed to change a pw for one reason or another. It doesn't happen that often but it can waste a surprising amount of time and makes me pine for cloud based storage (until i saw this video that is, thanks)
i'm selfhosting BitWarden for over a year now, couldn't be more happier with the works.
Electricity and water ARE only getting more expensive in my country, what are you talking about :D
Yeah, he lost me there. Everything gets more expensive because people want to earn more money. Also, will you trust an online service that charges only $1 per user per year?
I've been running on KeepassXC + Keepass2Android + Syncthing for a pretty long time now. No complaints so far.
Protip: Run an always-on Raspi with Syncthing at home; this way, you basically get Dropbox minus the web UI.
I've been using Enpass for a few years now and it's great (although the pricing is a bit questionable now, but I got it back when it was a 10-20€ one time purchase).
While closed source, it synchronizes using many cloud services (Gdrive, WebDAV etc.) and supports custom fields with autofill and unlocking via biometrics (even on Windows).
KeePassXC is the way to go here. Excellent stuff.