TL;DR - any objections to switching to 1Password? [if we can migrate from LastPass]
Hi everyone!
As you might be aware, our annual license with LastPass recently expired, and we’re looking to renew our password manager. Thank you to those who emailed me back to confirm whether you do/don’t still need one.
For those that do - we’re considering using this opportunity to change from LastPass to 1Password.
I’m currently speaking with LastPass support to see how we can migrate our data (we’ve been locked out of it since our license expired, so I’m seeing what our options are), but in the meantime, I wanted to check if anyone had any objections to potentially switching to 1Password, if that’s an option we can pursue?
More info below. Would love to hear your thoughts, cheers!
Effort involved
If we were to migrate, we’d try to do as much as possible of the work of migrating passwords centrally, but there may be folders I can’t help with, e.g. your own personal folders, so it’s possible I might have to ask people to take responsibility for migrating their own vaults/folders. It looks like there’s an export vault function which works pretty seamlessly between LP <> 1Password though, which should make migration easier: Move your data from LastPass to 1Password in the desktop app
In terms of the amount of data (passwords), we have 16 shared folders, with 27 passwords. This doesn’t include personal vaults created by each user in their own account (which I don’t have visibility on).
We currently have 35 licensed users, and a few more people using free accounts who have been added to shared folders. 8 people responded to let me know they no longer need access to a password manager. Those people accessing LastPass right now from a free account may need to be converted to paid users to use 1Password.
Cost
LP per license (user) per year is $64
1Password
The cheapest subscription level (Team) should be sufficient for us - we don’t need VIP support or a huge amount of storage. The Team sub doesn’t include free family accounts, so there may be an issue there with people managing two accounts if already using 1Password privately (work + personal).
Cost is $48 p/p/p/a (or if we want Business with slightly more features, that’s $96).
1Password imo is the better choice - we would save money and get a better user experience, likely without a prohibitive transition cost - assuming there are no strong objections. Lmk what you think!
I’d be OK with 1Password, and would prefer it over LastPass. I’ve used it as my main password manager for the last few years, until recently.
If we haven’t, I’d like us to consider using Bitwarden. It’s open source and I personally switched from 1Password to it once 1Password started to push for a cloud/subscription/whatever-only model. So far so good, and I know a bunch of other people use it at Status too (@arnetheduck IIRC?). It seems to align more philosophically with us as well. It has a reasonable iOS app and the extensions you’d expect.
Yeah, I’m using Bitwarden; it works fine for me, though I’m a light user - using it on FF and Chrome through extensions, and the Android app so far. They have a web UI too, where the heavy lifting is done; the extensions don’t have all the features, which is fine (they’re simpler to use that way). Just about to upgrade to their personal pro version after having tried free for a bit.
I will look into this to make sure it handles what we need from an organizational standpoint. The sharing aspects of this are crucial, as well as member management (revocation). I’d imagine pricing is similar.
If an attacker obtains the vault file but does not have the password, then depending on user password strength, a brute force can be effective.
Both 1Password and LessPass are vulnerable to spyware; in the same scenario, 1Password would leak more secrets, while with LessPass the attacker still needs to know the domain and usernames.
Also, LessPass is safer against data corruption, as all you need to remember is the login details (domain + username) and the master password.
Notice that LessPass is not safe for generating cryptocurrency private key seeds, as there is no login information to input, i.e. the public key cannot be used to derive the private key, because the private key derives the public key. Although something similar was built for Bitcoin (WarpWallet - deterministic bitcoin wallet generator) using the user’s email as salt and password as seed, together with many rounds of slow hashing, to prevent mass email lists from being attacked with password lists or other brute-forcing.
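To make the two points above concrete (login details acting as a salt, and slow hashing raising the cost of an offline guess against a weak master password), here is an added example: a toy deterministic password generator built on PBKDF2-HMAC-SHA256 from the Python standard library. It is not LessPass's or WarpWallet's real algorithm, and it is not code from anyone in this thread; the iteration count, alphabet, assumed hash rate and sample inputs are all assumptions chosen for illustration.

```python
# Added example, not code from this thread nor from LessPass/WarpWallet.
# A toy deterministic password generator: site password = KDF(master, domain+username).
# ITERATIONS, ALPHABET, the assumed hash rate and the sample inputs are assumptions.
import hashlib
import string

# 64 symbols so that `byte % 64` maps uniformly onto the alphabet (no modulo bias).
ALPHABET = string.ascii_letters + string.digits + "!@"
assert len(ALPHABET) == 64
ITERATIONS = 100_000  # assumed work factor; real tools choose their own


def derive_password(domain: str, username: str, master: str,
                    length: int = 16, iterations: int = ITERATIONS) -> str:
    """Derive a site password from (domain, username, master password).

    The login details are the salt. An attacker who captures only the master
    password (the spyware scenario above) still has to know the domain and
    username of each account before the scheme yields anything useful, and
    nothing is stored, so there is no vault file to corrupt or steal.
    """
    salt = f"{domain}\x00{username}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)


def attack_seconds(master_entropy_bits: float, iterations: int = ITERATIONS,
                   hashes_per_second: float = 1e9) -> float:
    """Expected time to guess the master password offline.

    Whether the attacker holds a stolen vault file or a captured derived
    password plus its salt, each candidate master password costs one full KDF
    run, so cost per guess scales with the iteration count. The hash rate is
    an assumed round figure for a modest GPU rig; on average half the keyspace
    must be searched.
    """
    guesses = 2 ** master_entropy_bits / 2
    return guesses * iterations / hashes_per_second


def demo() -> dict:
    """Constructed sample inputs (not real secrets); returns results for inspection."""
    master = "correct horse battery staple"  # constructed sample master password
    pw_a = derive_password("example.com", "alice", master)
    pw_b = derive_password("example.org", "alice", master)  # same user, other domain
    return {
        "example.com": pw_a,
        "example.org": pw_b,
        "reproducible": pw_a == derive_password("example.com", "alice", master),
        # ~13.3 bits: a 4-digit PIN; ~51.7 bits: four words from a 7776-word list
        "pin_attack_seconds": attack_seconds(13.3),
        "passphrase_attack_years": attack_seconds(51.7) / (86400 * 365),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway matches the thread: the salt means a leaked master password alone does not hand over every account, but the scheme (like any vault) still stands or falls on master-password strength, because an offline guess is only as expensive as the KDF work factor makes it.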
Thanks everyone for weighing in! A quick update that we took a look at Bitwarden and it’s looking good as a replacement password manager. It gives us all the team and organisation features we want, has all clients we need, is open source, and works out cheaper than the non-OS alternatives.
I’ve been speaking with LastPass about the process for extracting our password data now that our license has expired (TL;DR - they don’t make it easy - we can only export passwords if an admin buys a bridging license, and that admin can only see folders they were previously added to; there is no way to make one person a super admin to export all the vaults). We may not be able to migrate every password, so we may need to reset passwords on some accounts (extra effort, but it has security benefits).
I’ll be in touch with a plan, and also will be reaching out to people who may hold passwords to our company accounts (or are admins on folders in LP) to help me migrate this info across.
Please lmk if you have any questions or concerns. Thanks!
I’d like to move forward with self-hosting. The cost is minimal and we own everything, not relying on anything but ourselves, which is the way I’d prefer it. All functionality stays the same.
Porting over is as simple as an export/import (I’m hoping that’s the case for collections as well).
So here’s what we’ve discovered as we have implemented the self-hosted instance of Bitwarden:
If we use the self-hosted instance of Bitwarden:
- We have complete control (potentially not, depending on whether an expired license file revokes access) of our data and control of secrets (and high-resolution access) across the company.
- Users have premium access options and can use it for personal use as well.
- We will restrict sign-up to this to @status.im emails.
- If a user leaves the company, they will lose access to personal passwords (they will need to export them and start a new personal instance), meaning they are better off using a separate password manager of their choice (especially if they plan to do family plans or other organizational sharing outside of Status).
- All clients work with the self-hosted instance with some tweaking at login. This makes it quite annoying to switch between personal use and work use if both are Bitwarden.
- It is now our responsibility to maintain the infrastructure security and uptime. This is covered quite well by how we set up infra and then our monitoring services.
If we use the hosted instance:
- We can share organizational secrets with a user’s personal account, having a single login with all secrets available.
  - Note: there is no difference in security here, only convenience.
- We are reliant upon Bitwarden not to be breached and to have constant uptime.
- If we revoke access, the user keeps access to their personal secrets, but loses premium features (if they don’t have them).
- The cost is slightly more than the hosted version, but minimal, as the infrastructure isn’t that demanding.
It was my goal in this switch to lower the barrier of entry to individuals using password managers for personal use as well as work. While the self-hosted instance gives us more control of our data and narrows the attack surface, it drastically increases the friction of personal password manager use. It is my opinion that security practices that are obtuse to use simply won’t be used.
I’d love it if we had some conversation around this, as now is the time to make the choice between the two options.
Generally I would vote for self-hosted, always, but given that “self” in our case implies AWS anyway and Bitwarden is likely also hosting there, I’d say go with the one that has a lower barrier of entry and smoother UX.
We don’t use AWS for Status infra. Our Bitwarden service is hosted on DigitalOcean.
And we have daily backups of the MSSQL database which are encrypted and uploaded to a private DO bucket. Not sure what “geolocation” means in this context though.
You might have seen the setup for https://dap.ps/. But that’s quite separate from Status. Separate GH org, separate repos, separate infra, separate costs, so on.