Password managers help you keep track of your passwords, which is vital if you want to use unique passwords on all sites that you visit. We’ve previously compared Lastpass, Keepass, and eWallet, and found that Lastpass came out on top. Those apps aren’t the only apps in the password manager field, though, and Lastpass just experienced a potential security issue. “Potential” is the key word here. There was no definitive indication that user data was compromised, but the LastPass team required all users to change their master passwords, out of an abundance of caution. Still, it seemed like a good time to compare Lastpass with another popular choice in the field, 1Password.
Note: For another look at password managers, check out our earlier comparison of LastPass, Keepass, and eWallet.
How 1Password and LastPass Store Your Data
Before we dive into a comparison of the apps, let’s take a look at how they store your data. Both 1Password and LastPass store your data in an encrypted format, so that the only data that ever leaves your system is an encrypted ball of data. (Actually, with 1Password, nothing ever leaves your system unless you enable Dropbox syncing. For most of us, though, a local-only option isn’t really an option). In any event, the 1Password, LastPass, and Dropbox folks don’t have access to your actual passwords, because of this encryption.
With that basic understanding, let’s dive into a comparison of the two apps. For sake of this comparison, I’ve used LastPass and 1Password in Chrome and Firefox, on both OS X and Windows. I’ve also used the standalone 1Password app on both operating systems (trial version on Windows).
Interface
One of the first things you’ll notice is that 1Password is visually more appealing than LastPass. Given 1Password’s Mac roots, this isn’t surprising. The image below gives you an idea of just how nice the 1Password app looks on the Mac.The Windows app (second image below) isn’t quite as visually appealing, but still nice. LastPass, on the other hand, is much more utilitarian.
LastPass does not have a standalone app, and runs only as a browser extension, although you can load LastPass and access your data even when offline. Through the extensions, you access your LastPass “Vault.” 1Password has browser extensions in addition to the standalone app.
Advantage: 1Password
Execution
The apps work slightly differently from each other in the browser. With LastPass, you can determine for each website whether you want to be automatically logged in when you visit that site (in which case merely visiting the site will log you in), or whether you want LastPass to only fill in the username and password fields, and not log you in. With the latter option, your info will be filled in for when you visit the site, and then it is up to you to click that site’s login button or hit the Enter key. For sites where you have multiple accounts, a button appears below the toolbar that lets you choose from different accounts. You can also use keyboard commands to cycle between accounts.
With 1Password, you can set the app so that you can click the 1Password toolbar icon, and then click on the site name that appears in a popup menu. That will log you in. Or, you can set the app so that clicking the site name in the popup menu will only fill in your username and password, requiring you to login by clicking the site’s login button. You also can set keyboard commands to speed the process along.
The bottom line is that LastPass requires less clicks if you’re not into keyboard commands: 0 or 1 depending on which option you choose. With 1Password, you need 2 clicks: one on the toolbar icon, and one on the site name in the popup menu.
Both apps work similarly when recording login info for the first time. With 1Password, a popup Window appears after you log in to a site, allowing you to confirm and remember the information. With LastPass, a button drops down below the toolbar, that you click to save the information and edit it.
Advantage: LastPass, due to less steps.
Syncing (aside from security issues)
I will cover online syncing more in the security section, below. For now, let’s take a look at how each app handles syncing your data between machines. LastPass synchronizes through the LastPass servers. Your information is stored locally, and only an encrypted ball of data ever leaves your machine for the LastPass servers. 1Password resides only on your local machine by default, but if you want to have your data synchronized between machines, it uses Dropbox to synchronize your data. That data is encrypted.
If you’re on someone else’s machine, you can access your LastPass passwords by logging into your LastPass account. Similarly, you can access your 1Password data by logging into Dropbox, going to the 1Password folder, and opening an HTML file. That HTML file opens 1Passwordanywhere, which looks and feels much like the standalone app, allowing you to access your passwords.
Advantage: Call this one a tie, as syncing works well with both apps.
Other features
1Password offers some additional features that can help you quickly fill out online data, such as a “Wallet” in which you can store credit card and bank information, reward program information, password and driver’s license data, and more. It also lets you store non-website information, such as email accounts, iTunes accounts, FTP accounts, computer network information, and more. These features help you fill forms. You can also store software information, such as license keys. Finally, you can enter secure notes, and keep track of identities (detailed contact information).
You can also add file attachments to any item in 1Password, such as adding a scan of your driver’s license to an entry with your driver’s license data. 1Password allows for tagging of items, and organizing items into folders.
LastPass core functionality is much more spartan, allowing you to store website login information, and secure notes. LastPass allows you to organize items into groups, which isn’t quite as flexible as a full scale tagging system. You can also organize your data by setting up “identities,” which is really just a way to filter your data. For example, you could create home and work identities, and have certain login data only be displayed in each identity.
With LastPass, you can also share the ability to log in to a site with someone, without exposing that site’s login data. This is done by sharing a link to an entry in your Vault. The recipient must have a Lastpass account. Be warned, though, that advanced techniques could allow the recipient to intercept your password from the site during login.
Finally, you can set up LastPass to fill in form data. For example, you can prefill the information that you input when commenting on WordPress blogs, and fill all of that in with just a couple of clicks.
Advantage: 1Password
Cost
LastPass is free, with a premium account costing $12 per year. A premium account brings added features, such as the ability to use multi-factor authentication and dedicated apps for several mobile devices.
1Password costs $39.99 for a single user license (Mac or Windows), with discounts for family licenses, and a Mac and Windows bundle. You can continue to use it for free after the free trial expires, but you’ll be limited to 20 items
Advantage: LastPass, because of the less restricted free option
Security
The security of your password manager arguably overrides all of the above considerations. The makers of both apps encrypt your data with salted passwords, and suggest that you use a strong password. Neither developer has access to your unencrypted data: LastPass because all that is sent to their servers is an encrypted ball of data, and 1Password because your encrypted information is stored either locally, or online via Dropbox. There are some other security differences between the two.
PBKDF2
LastPass and 1Password both offer enhanced security features. One such feature just implemented by 1Password, and coming soon to LastPass, is Password-Based Key Derivation Function 2 (PBKDF2). Without getting into the technical details, PBKDF2 slows down brute force password crackers, by in essence require a pause between attempts. That can render brute force attacks too expensive, in terms of computing power, to be practical.
Advantage: 1Password (until LastPass also implements PBKDF2)
Multi-favor authentication
One feature offered by LastPass on premium accounts that is missing with 1Password is multi-factor authentication. With mutli-factor authentication in place, you need one other method of validation in addition to your master password, in order to access your passwords. LastPass offers a few forms of multi-factor authentication.
One form of multi-factor authentication is a Yubikey, which is a small USB device that, upon the press of a button, sends a second form of authentication to log you into Lastpass. This is a one-time password, so, even if it is intercepted by a keylogger, it can’t be used later to gain access to your account. Without this second password, you can’t log in, although you can exempt select computers from requiring this second form of authentication. One drawback with using a Yubikey is that you can’t log in to your Lastpass account if offline, as the Yubikey’s default settings won’t allow it to work without Internet access. You can change this setting to allow the Yubikey to work without Internet access, but then it will use a static password, making it less secure. A Yubikey costs $25, with the price going down depending on how many you purchase. It also requires a premium LastPass acount.
You can do something similar to the Yubikey in LastPass with a USB thumbdrive and a protocol called “Sesame.” Finally, even non-premium users can use Lastpass’ grid multi-factor authentication, which gives you a bingo grid of sorts, and prompts you to enter characters from different sections of the grid.
I’ve tried LastPass’ Yubikey method, and it works well. I haven’t tried the other two LastPass methods. 1Password doesn’t offer mutli-factor authentication.
Advantage: LastPass
Keylogger Protection
LastPass offers one time passwords to protect against keybloggers. This is handy if you ever need to login from somewhere unreliable, such as at an Internet cafe where a keylogger might be present. You need to have set up one-time passwords in advance from a trusted computer. You can then log in to your account using such a password, and it will only work that one time. That renders it worthless to someone who has intercepted it via a keylogger. As additional protection against keyloggers, LastPass also offers the multifactor authentication methods, mentioned above.
Lastpass and 1Password both offer a virtual keyboard, so that a keylogger couldn’t intercept a password via that method. However, 1Passsword’s virtual keyboard is only available in the Windows version, and isn’t available in Chrome.
Advantage: LastPass
Security of Your Synced Data
Let’s play devil’s advocate, and assume the highly unlikely: hackers have discovered a way to hack your data (your encrypted password blob) if they obtain it. Your only line of defense, in this imaginary scenario, is keeping them from getting that blob of data in the first place. Where is your data more secure?
If you’re not using 1Password’s Dropbox functionality, then 1Password wins here, by virtue of the fact that your data is only stored locally, instead of locally and online. Security always involves a trade off between convenience and true security, though. As someone who uses multiple computers, a password manager that doesn’t offer online syncing is pretty worthless. I’m willing to sacrifice a small amount of security, to gain a great deal of convenience. For that reason, we’ll compare LastPass with 1Password and its Dropbox functionality.
Really, an argument could be made that this comparison boils down to LastPass vs. Dropbox, instead of LastPass vs. 1Password. For that reason, I feel a bit more secure with LastPass handling my encrypted ball of data, than I do with 1Password/Dropbox. The primary reason for that conclusion is that the whole point of LastPass is security. That’s their business. Security is important for Dropbox, too, but not its primary focus. Again, though, it can’t be stressed enough that in either case, we’re dealing with the syncing of encrypted data, so the risk is low if you’re using a strong password, even if your data is stolen.
The 1Password folks are relying on a company (Dropbox) over whom they have no control. In the last month, many questions have been raised about how secure Dropbox really is. The Dropbox team has also admitted that, since the encryption occurs on their end, they will remove the encryption and will turn over your files if served with a valid subpoena by law enforcement. Someone has filed a complaint with the FCC as a result, claiming that Dropbox lied to its uses about security. At the risk of sounding like a broken record, It is important to note that this Dropbox encryption is different than the encryption on your 1Password data, which the Dropbox team presumably has no ability to decrypt. Still, this does highlight the fact that the 1Password team is forced to entrust control of your encrypted passwords to an outside company and its policies. If LastPass has a subpoena compliance policy similar to Dropbox’s policy, we can hold LastPass accountable. Not so with 1Password.
An argument could be made that LastPass is more of a target for hackers, because of the value of the data there. An argument could also be made that due to the abundance of data in Dropbox, an encrypted password file might get lost in the crowd. Those aren’t points upon which I’d make my security decisions, though. One point that you’ll constantly hear security professionals make is that “security through obscurity” is not a valid security practice.
Advantage: LastPass
Overall Security Advantage: LastPass, because of the multi-factor authentication options
Conclusions
Both Lastpass and 1Password are great solutions for managing and securing your passwords. This is especially true if you’re still using the same password on multiple sites. 1Password provides a graceful and aesthetically appealing solution, and also offers solid and probably uncrackable security. Lastpass isn’t as visually appealing, but works more seamlessly with your browser. Lastpass also offers a few more security options than 1Password, such as multifactor authentication.
Which of the two apps is “best” depends on how you’ll use it, and what is important to you. If you don’t intend to sync your data, then 1Password is the better choice, as it only resides on your local machine unless you set it up to sync via Dropbox. 1Password is also the top choice if a nice interface and added features (as described above) are the most important considerations to you.
If you want a password manager primarily for storing just passwords, and if security is your primary concern, then LastPass takes the password manager crown. Lastpass offers multifactor authentication, as well as a few other security features that 1Password doesn’t offer. That doesn’t mean that 1Password’s security is substandard or risky, just that Lastpass has gone the extra mile.
What password manager do you use?
Dan says:
I use KeePass 2.15 though I keep LastPass as a backup.
May 17, 2011 — 3:46 am
Evan Kline says:
I find that I’m now doing that with LastPass and 1Password. LastPass is my main solution, but I’m going to keep 1Password on one computer as a backup. Periodically, I’ll make sure that I’m logged in with that so I can update my most-used sites.
May 23, 2011 — 1:25 pm
IT Support says:
Anything that can I help me organize my passwords in welcome. I have close to 50 passwords right now and most of them are changed once a month.
June 8, 2011 — 6:49 pm
Evan Kline says:
That’s a lot of work to change them all every month! I couldn’t even imagine doing that without a password manager.
June 8, 2011 — 9:52 pm
Antonia says:
I’ve been using Lastpass for some time now and i doubt i’ll change it soon.
The visual aspect of 1Password may possess interest for some people, but i’m more of a minimalistic girl.
June 16, 2011 — 11:32 pm
Terry says:
This is a great comparison of the 2 password managers. Personally I use LastPass Premium for all my passwords and secure notes although I have sampled 1Password’s free trial also. I saw no advantage to changing from LastPass.
August 12, 2011 — 2:24 pm
Evan Kline says:
That was my experience, too, Terry, and I also have a 1Password license (part of a bundle I bought). I just found LastPass to be a bit more seamless.
August 14, 2011 — 10:56 am
Rajesh says:
I also use LastPass, but my problem is when i change my password in login it does not update and sync with online account. It still fills the old password and i need to go online and edit the old passwords… if you guys know any solution for this, pls update me…
August 15, 2011 — 1:14 am
Dan says:
When you change your password for a site, LastPass will pop-up a notification bar on your browser asking if you want to save the changes. If it does not pop-up, check to see if it’s enabled (Go to Preferences > Notifications > Show Change Password Notifications). Sometimes LP will not notice that you’ve changed a site password, and there won’t be a pop-up notification. If so, then you have to change it manually.
August 15, 2011 — 3:22 am
John says:
I find that LP frequently doesn’t notice I’ve changed a site password – I’ve used a couple of other password managers and never had this problem. I don’t see a lot of users complaining about it, so I wonder if there’s some specific setting or environment causing it. (My Notifications->Show Change Password Notifications is definitely enabled.) I love LP otherwise, but it not updating new passwords is a deal breaker, so I have moved away from it. (Typical environment for me is Mac/FF.)
November 21, 2011 — 1:33 pm
Evan Kline says:
That does sound a bit odd, John. I’m on a Mac most of the time, too, and use Chrome (on my iMac) and Firefox (on my Air) and can’t say I’ve really noticed that problem. The mysteries of computer glitches, I guess.
November 24, 2011 — 7:52 am
Evan Kline says:
Thanks for helping him out, Dan.
August 15, 2011 — 9:29 am
Dustin says:
I use lastpass premium. My main concerns were portability and security which lastpass really at so I think I made the right choice. If 1password didn’t need to use Dropbox it would definitely be an actrive option.
November 21, 2011 — 12:27 am
Evan Kline says:
I haven’t used 1Password much since shortly after writing this article, but I also liked how seamless the LastPass experience is. 1Password involved an extra click or two, which LastPass didn’t.
November 21, 2011 — 9:55 am
Dustin says:
…really excells at.
November 21, 2011 — 12:30 am
Betty says:
I use different browsers…mostly Chrome, but a fair amount of both firefox and safari. So if I’m on Chrome and lastpass stores the password for a particular site, if I go to that site late in firefox, will lastpass know the password that I used from Chrome?
Thanks!
December 2, 2011 — 10:07 am
Steve Gwyn says:
Yes Lastpass syncs across multiple browsers. Charleston SEO Firm
December 31, 2011 — 9:20 am
John S says:
I’m definitely a novice, so hopefully no too silly a question: for someone who just needs/wants their passwords saved in one place (like my home computer), what is the advantage of using a program like this vs. a password protected excel spreadsheet?
I’m thinking of rather than keeping a written list, the spreadsheet option is secure, easily modified & sorted, and I own and control all of the data.
TIA for comments – John
January 26, 2012 — 10:16 am
Will says:
You are missing the point of Lastpass. Excel can easily be hacked, not hard at all. Lastpass also fills in the user/password fields and has seamless integration.
January 30, 2012 — 12:04 pm
Evan Kline says:
Will hit the nail on the head, John. LastPass uses encryption. Also, once you see how seamless it is (auto-filling your passwords), you’ll never want to go back.
February 3, 2012 — 4:06 pm
Bill Keenan says:
Are any of the readers, who have LP Premium, using the iPhone support. Increasingly, I need my password manager to span iPhone and MBP + iMac environments.
February 6, 2012 — 2:34 pm
Blake Oliver says:
I have used LP Premium for a year now and just made the switch to 1Password specifically for the better iPhone/iPad apps. The browser in the 1Password iOS apps is much easier to use, while the LP broswer feels janky and crashes a lot. If you are a big Apple user and don’t have to often switch between Mac and PC, and are willing to pay the price, 1Password is superior.
February 8, 2012 — 1:07 pm
Evan Kline says:
I have a Premium account, but use it on Android, not the iPhone. I toyed with the idea of switching to 1Password, like Blake (I have a license that I got as part of a bundle). I’ve tried it now a couple of times, for a week at a time, and ended up back with LP each time. While I like the look of 1Password better, it just wasn’t as seamless an experience on the computer. I haven’t tried the mobile 1Password app yet.
February 8, 2012 — 7:09 pm
John says:
On 1Password security with Dropbox — I would assume that 1Password is storing already-encrypted files on Dropbox. Dropbox probably adds an additional layer of encryption on top of those files. So even if Dropbox had to give up your files to law enforcement (or to Anonymous!), I believe you would still have the Dropbox encryption protecting your files. So I don’t think the 1Password security is as bad as it sounds with using Dropbox.
March 3, 2012 — 11:26 pm
Evan Kline says:
Hi John. Thanks for the comment. Dropbox transmits the files using SSL and encryption, but they are decrypted at the destination. I’m not sure if they are decrypted when they reach Dropbox’s servers, too, but Dropbox holds your encryption key and can access your data. So they have access to your Dropbox files, and would probably have to comply with a subpoena to turn it over. There also was the Dropbox snafu a while back where they left every account exposed, password-free, for a few hours. There’s been a call for Dropbox to let us store our Dropbox encryption keys locally, but I don’t think they’ve done that yet.
As long as your 1Password file is encrypted with a strong password, it probably isn’t a big deal, but I’d sleep better with either service knowing that my password file wasn’t in someone’s hands, whether in encrypted form or not.
March 4, 2012 — 11:18 am
Nimsrules says:
I’ve bought 1password and am more than satisfied with its performance. Superb UI and great integration and sync.
March 9, 2012 — 1:23 pm
Alex says:
1Password.
It syncs easily across multiple macs, as well as to the iPad and iPhone. I use all of them frequently.
Also, with DropBox, I’ve been on friends computers, logged into DropBox and then into my vault to get all my data. Makes life very easy.
And, finally, I actually make a lot of use of the extra accounts and wallet features.
MacUpdate offers a download of all license keys when you purchase their bundles, which I generally do, and it’s nice to have that information kept secure.
I like that 1Passwords backups frequently and maintains the backups, and how well it integrates across all the browsers I use.
And I like the UI – I use the actual app pretty frequently, and the password generator.
I’m not afraid of DrobBox – the vault is stored encrypted, not much they can do to it.
April 17, 2012 — 4:02 pm
Evan Kline says:
Thanks for the thorough review, Alex. Those are some good bullet points for someone to consider.
April 17, 2012 — 7:27 pm
Kevin says:
I used to use Lastpass until it was hacked and potentially got their user data stolen last year. That was the last news one likes to hear from a password management service. I ended up changing all my passwords in every site and switching to 1Password. I liked (and still like) the simple, quick, intelligent feature sets of Lastpass over 1Password, but at the end of the day, I cannot trust them any longer.
April 30, 2012 — 11:39 am
Evan Kline says:
Kevin,
Just curious if you use Dropbox to sync your 1Password passwords? I thought about switching, but Dropbox has had even worse security issues. LastPass still doesn’t know that it was hacked (although having an unexplained anomaly on a server isn’t exactly reassuring).
At the end of the day, the only thing that either company has on its servers is the encrypted blob of data. I decided that I felt more comfortable with LastPass safeguarding that encrypted blob than Dropbox, given Dropbox’s spotty track record.
A guy I work with doesn’t use either – he uses 1Password, synced to a USB key that he totes between home and office. I’d be worried I’d lose the USB key, though.
April 30, 2012 — 1:27 pm
Martin says:
You may want to post some sort of proviso that you wrote this a year ago (or do an updated comparison). Lastpass has added many of the features you dinged them for not having compared to 1Password.
July 8, 2012 — 12:47 pm
Evan Kline says:
Thanks for the suggestion, Martin. To be perfectly honest, we don’t currently have plans to go back and update the various reviews and comparisons that we’ve done on the site over the past few years. Unfortunately, with over 700 posts on the site, many (maybe most) of them probably have outdated information, and it would be a full time job to monitor the many apps and products we’ve covered, and update the posts for changes. Given the speed at which the tech world changes (including apps), it is pretty safe to assume that most stories become outdated sooner or later. Unlike the current trend with many sites, where the date of a post isn’t given, we do put the date on our posts (just below the story title), in the hopes that readers will see how new or old the info is.
Anyway, sorry I couldn’t give a better answer, but I didn’t want to say we were going to do something, just so I’d sound good, when I knew that it was beyond our current capabilities.
July 9, 2012 — 5:11 pm
dev says:
I highly recommend SplashId , because i have used it myself. Browser integration is fabulous. Also it is very easy to use. As soon as you create your account, you can actually set a pattern for splashid login, therefore you technically have to remember zero passwords. Extremely secure for USB usages as well. highly recommended.
October 4, 2012 — 9:55 pm
Tatiana says:
I’m less interested in the security aspect and more interested in storing all passwords in one spot and–this is crucial–being able to switch all passwords monthly as efficiently as possible (60+ passwords).
I would also need to share the program/data with several computers within our office (yet retain primary control if that’s possible–i.e. different user settings: some people can access, some people can change passwords etc).
Is this lastpass?
October 15, 2012 — 8:38 pm
Imogen Shepard says:
Hi. I just recently read an article about someone who uses 1password and as a LastPass user, I decided to just have a view of how they both compared.
To me, 1Password seems complicated. And LastPass appeals to me because of the browser extension and the ease with which it has such simple operation.
I have worried about the security level, but it seems that I was just being a tad paranoid! (Perhaps). Another fear that I have is any PW manager generating passwords and then something goes wrong and I have no idea what the PW’s are.
Regardless, I still favour LastPass for its ease of use and simplicity.
– Imogen
December 24, 2012 — 9:55 am
nomad says:
First off, it was never confirmed they were hacked, the CEO only spoke of an anomaly, this is not the same thing as being hacked so stop spreading the FUD. LastPass is 100 times more secure than 1password.
March 18, 2013 — 2:07 pm
Evan Kline says:
Unless you disable syncing, I’d be more worried about 1Password. Dropbox doesn’t exactly have the greatest history when it comes to security. Still, both services would just be revealing encrypted data.
March 19, 2013 — 8:30 am
Richard says:
Is it possible to install one password manager that two or more people can use separately? Person A can access his stuff and Person B can access his stuff and there are some sites, e.g., NY Times, that they share?
August 6, 2014 — 10:07 pm
MobileWill says:
WIth lastpass you can just log out\in
August 6, 2014 — 10:18 pm