LastPass vs. 1Password: Password Manager Shootout [Windows/Mac]
Password managers help you keep track of your passwords, which is vital if you want to use unique passwords on all sites that you visit. We’ve previously compared Lastpass, Keepass, and eWallet, and found that Lastpass came out on top. Those apps aren’t the only apps in the password manager field, though, and Lastpass just experienced a potential security issue. “Potential” is the key word here. There was no definitive indication that user data was compromised, but the LastPass team required all users to change their master passwords, out of an abundance of caution. Still, it seemed like a good time to compare Lastpass with another popular choice in the field, 1Password.
Note: For another look at password managers, check out our earlier comparison of LastPass, Keepass, and eWallet.
How 1Password and LastPass Store Your Data
Before we dive into a comparison of the apps, let’s take a look at how they store your data. Both 1Password and LastPass store your data in an encrypted format, so that the only data that ever leaves your system is an encrypted ball of data. (Actually, with 1Password, nothing ever leaves your system unless you enable Dropbox syncing. For most of us, though, a local-only option isn’t really an option). In any event, the 1Password, LastPass, and Dropbox folks don’t have access to your actual passwords, because of this encryption.
With that basic understanding, let’s dive into a comparison of the two apps. For sake of this comparison, I’ve used LastPass and 1Password in Chrome and Firefox, on both OS X and Windows. I’ve also used the standalone 1Password app on both operating systems (trial version on Windows).
One of the first things you’ll notice is that 1Password is visually more appealing than LastPass. Given 1Password’s Mac roots, this isn’t surprising. The image below gives you an idea of just how nice the 1Password app looks on the Mac.The Windows app (second image below) isn’t quite as visually appealing, but still nice. LastPass, on the other hand, is much more utilitarian.
LastPass does not have a standalone app, and runs only as a browser extension, although you can load LastPass and access your data even when offline. Through the extensions, you access your LastPass “Vault.” 1Password has browser extensions in addition to the standalone app.
The apps work slightly differently from each other in the browser. With LastPass, you can determine for each website whether you want to be automatically logged in when you visit that site (in which case merely visiting the site will log you in), or whether you want LastPass to only fill in the username and password fields, and not log you in. With the latter option, your info will be filled in for when you visit the site, and then it is up to you to click that site’s login button or hit the Enter key. For sites where you have multiple accounts, a button appears below the toolbar that lets you choose from different accounts. You can also use keyboard commands to cycle between accounts.
With 1Password, you can set the app so that you can click the 1Password toolbar icon, and then click on the site name that appears in a popup menu. That will log you in. Or, you can set the app so that clicking the site name in the popup menu will only fill in your username and password, requiring you to login by clicking the site’s login button. You also can set keyboard commands to speed the process along.
The bottom line is that LastPass requires less clicks if you’re not into keyboard commands: 0 or 1 depending on which option you choose. With 1Password, you need 2 clicks: one on the toolbar icon, and one on the site name in the popup menu.
Both apps work similarly when recording login info for the first time. With 1Password, a popup Window appears after you log in to a site, allowing you to confirm and remember the information. With LastPass, a button drops down below the toolbar, that you click to save the information and edit it.
Advantage: LastPass, due to less steps.
Syncing (aside from security issues)
I will cover online syncing more in the security section, below. For now, let’s take a look at how each app handles syncing your data between machines. LastPass synchronizes through the LastPass servers. Your information is stored locally, and only an encrypted ball of data ever leaves your machine for the LastPass servers. 1Password resides only on your local machine by default, but if you want to have your data synchronized between machines, it uses Dropbox to synchronize your data. That data is encrypted.
If you’re on someone else’s machine, you can access your LastPass passwords by logging into your LastPass account. Similarly, you can access your 1Password data by logging into Dropbox, going to the 1Password folder, and opening an HTML file. That HTML file opens 1Passwordanywhere, which looks and feels much like the standalone app, allowing you to access your passwords.
Advantage: Call this one a tie, as syncing works well with both apps.
1Password offers some additional features that can help you quickly fill out online data, such as a “Wallet” in which you can store credit card and bank information, reward program information, password and driver’s license data, and more. It also lets you store non-website information, such as email accounts, iTunes accounts, FTP accounts, computer network information, and more. These features help you fill forms. You can also store software information, such as license keys. Finally, you can enter secure notes, and keep track of identities (detailed contact information).
You can also add file attachments to any item in 1Password, such as adding a scan of your driver’s license to an entry with your driver’s license data. 1Password allows for tagging of items, and organizing items into folders.
LastPass core functionality is much more spartan, allowing you to store website login information, and secure notes. LastPass allows you to organize items into groups, which isn’t quite as flexible as a full scale tagging system. You can also organize your data by setting up “identities,” which is really just a way to filter your data. For example, you could create home and work identities, and have certain login data only be displayed in each identity.
With LastPass, you can also share the ability to log in to a site with someone, without exposing that site’s login data. This is done by sharing a link to an entry in your Vault. The recipient must have a Lastpass account. Be warned, though, that advanced techniques could allow the recipient to intercept your password from the site during login.
Finally, you can set up LastPass to fill in form data. For example, you can prefill the information that you input when commenting on WordPress blogs, and fill all of that in with just a couple of clicks.
LastPass is free, with a premium account costing $12 per year. A premium account brings added features, such as the ability to use multi-factor authentication and dedicated apps for several mobile devices.
1Password costs $39.99 for a single user license (Mac or Windows), with discounts for family licenses, and a Mac and Windows bundle. You can continue to use it for free after the free trial expires, but you’ll be limited to 20 items
Advantage: LastPass, because of the less restricted free option
The security of your password manager arguably overrides all of the above considerations. The makers of both apps encrypt your data with salted passwords, and suggest that you use a strong password. Neither developer has access to your unencrypted data: LastPass because all that is sent to their servers is an encrypted ball of data, and 1Password because your encrypted information is stored either locally, or online via Dropbox. There are some other security differences between the two.
LastPass and 1Password both offer enhanced security features. One such feature just implemented by 1Password, and coming soon to LastPass, is Password-Based Key Derivation Function 2 (PBKDF2). Without getting into the technical details, PBKDF2 slows down brute force password crackers, by in essence require a pause between attempts. That can render brute force attacks too expensive, in terms of computing power, to be practical.
Advantage: 1Password (until LastPass also implements PBKDF2)
One feature offered by LastPass on premium accounts that is missing with 1Password is multi-factor authentication. With mutli-factor authentication in place, you need one other method of validation in addition to your master password, in order to access your passwords. LastPass offers a few forms of multi-factor authentication.
One form of multi-factor authentication is a Yubikey, which is a small USB device that, upon the press of a button, sends a second form of authentication to log you into Lastpass. This is a one-time password, so, even if it is intercepted by a keylogger, it can’t be used later to gain access to your account. Without this second password, you can’t log in, although you can exempt select computers from requiring this second form of authentication. One drawback with using a Yubikey is that you can’t log in to your Lastpass account if offline, as the Yubikey’s default settings won’t allow it to work without Internet access. You can change this setting to allow the Yubikey to work without Internet access, but then it will use a static password, making it less secure. A Yubikey costs $25, with the price going down depending on how many you purchase. It also requires a premium LastPass acount.
You can do something similar to the Yubikey in LastPass with a USB thumbdrive and a protocol called “Sesame.” Finally, even non-premium users can use Lastpass’ grid multi-factor authentication, which gives you a bingo grid of sorts, and prompts you to enter characters from different sections of the grid.
I’ve tried LastPass’ Yubikey method, and it works well. I haven’t tried the other two LastPass methods. 1Password doesn’t offer mutli-factor authentication.
LastPass offers one time passwords to protect against keybloggers. This is handy if you ever need to login from somewhere unreliable, such as at an Internet cafe where a keylogger might be present. You need to have set up one-time passwords in advance from a trusted computer. You can then log in to your account using such a password, and it will only work that one time. That renders it worthless to someone who has intercepted it via a keylogger. As additional protection against keyloggers, LastPass also offers the multifactor authentication methods, mentioned above.
Lastpass and 1Password both offer a virtual keyboard, so that a keylogger couldn’t intercept a password via that method. However, 1Passsword’s virtual keyboard is only available in the Windows version, and isn’t available in Chrome.
Security of Your Synced Data
Let’s play devil’s advocate, and assume the highly unlikely: hackers have discovered a way to hack your data (your encrypted password blob) if they obtain it. Your only line of defense, in this imaginary scenario, is keeping them from getting that blob of data in the first place. Where is your data more secure?
If you’re not using 1Password’s Dropbox functionality, then 1Password wins here, by virtue of the fact that your data is only stored locally, instead of locally and online. Security always involves a trade off between convenience and true security, though. As someone who uses multiple computers, a password manager that doesn’t offer online syncing is pretty worthless. I’m willing to sacrifice a small amount of security, to gain a great deal of convenience. For that reason, we’ll compare LastPass with 1Password and its Dropbox functionality.
Really, an argument could be made that this comparison boils down to LastPass vs. Dropbox, instead of LastPass vs. 1Password. For that reason, I feel a bit more secure with LastPass handling my encrypted ball of data, than I do with 1Password/Dropbox. The primary reason for that conclusion is that the whole point of LastPass is security. That’s their business. Security is important for Dropbox, too, but not its primary focus. Again, though, it can’t be stressed enough that in either case, we’re dealing with the syncing of encrypted data, so the risk is low if you’re using a strong password, even if your data is stolen.
The 1Password folks are relying on a company (Dropbox) over whom they have no control. In the last month, many questions have been raised about how secure Dropbox really is. The Dropbox team has also admitted that, since the encryption occurs on their end, they will remove the encryption and will turn over your files if served with a valid subpoena by law enforcement. Someone has filed a complaint with the FCC as a result, claiming that Dropbox lied to its uses about security. At the risk of sounding like a broken record, It is important to note that this Dropbox encryption is different than the encryption on your 1Password data, which the Dropbox team presumably has no ability to decrypt. Still, this does highlight the fact that the 1Password team is forced to entrust control of your encrypted passwords to an outside company and its policies. If LastPass has a subpoena compliance policy similar to Dropbox’s policy, we can hold LastPass accountable. Not so with 1Password.
An argument could be made that LastPass is more of a target for hackers, because of the value of the data there. An argument could also be made that due to the abundance of data in Dropbox, an encrypted password file might get lost in the crowd. Those aren’t points upon which I’d make my security decisions, though. One point that you’ll constantly hear security professionals make is that “security through obscurity” is not a valid security practice.
Overall Security Advantage: LastPass, because of the multi-factor authentication options
Both Lastpass and 1Password are great solutions for managing and securing your passwords. This is especially true if you’re still using the same password on multiple sites. 1Password provides a graceful and aesthetically appealing solution, and also offers solid and probably uncrackable security. Lastpass isn’t as visually appealing, but works more seamlessly with your browser. Lastpass also offers a few more security options than 1Password, such as multifactor authentication.
Which of the two apps is “best” depends on how you’ll use it, and what is important to you. If you don’t intend to sync your data, then 1Password is the better choice, as it only resides on your local machine unless you set it up to sync via Dropbox. 1Password is also the top choice if a nice interface and added features (as described above) are the most important considerations to you.
If you want a password manager primarily for storing just passwords, and if security is your primary concern, then LastPass takes the password manager crown. Lastpass offers multifactor authentication, as well as a few other security features that 1Password doesn’t offer. That doesn’t mean that 1Password’s security is substandard or risky, just that Lastpass has gone the extra mile.
What password manager do you use?