The password manager service LastPass has had a rough go of it lately. The breaches in the closing months of last year have shaken confidence in the organization's ability to function securely. The exposure of customers' encrypted vaults, the crown jewel of any password manager organization, is a serious concern. So serious, in fact, that it has shaken my faith in the organization. Without that faith, there is no confidence. So as the new year ticks over, it is time to migrate to a different solution.
As with any good project, knowing the basic needs before starting is important. The short list of requirements is as follows:
- Easy as possible to import vault from LastPass
- Web, browser-extension, and mobile clients
- Possible to self-host
- Possible organization sharing
- Free / Low annual cost
After looking at and evaluating the options I settled on BitWarden. It checked all the boxes and has some additional positives.
- Open Source
- Very good documentation
- Free account has good feature coverage
- 10 USD annually for personal Premium if you want the extras
- Did I mention Open Source?
Following BitWarden's online documentation I was able to migrate my accounts (1000+ and not well organized) with a couple of minutes of effort; the process was not difficult at all. There were, though, two items that caused minor issues.
- PGP keys saved as notes in LastPass overflow the max length for password items in BitWarden. These need to be imported manually.
- Group/Folder administration is very limited. It is not possible to move an existing group, as is, to become a sub-group of another.
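The oversized-note problem above is easy to catch before the import rather than after it fails. The following script is an added example (not BitWarden's or LastPass's own tooling): it reads a LastPass CSV export, withholds any row whose notes or password field exceeds a per-field limit, and reports those rows by name only so the report never contains secret material. The column layout and the 10,000-character limit are assumptions; check the header of your own export and the importer's current documented limit before relying on them.

```python
"""Triage a LastPass CSV export before importing it elsewhere.

Added example, not Bitwarden's or LastPass's own tooling. Assumes the export
uses the LastPass column layout below and that the importer rejects any single
field longer than MAX_NOTE_CHARS; adjust both to match your export and the
importer's current documented limit.
"""
import csv
import io

# Assumed LastPass export header (check it against the first line of your file).
LASTPASS_COLUMNS = ["url", "username", "password", "totp", "extra", "name", "grouping", "fav"]

# Placeholder per-field limit; confirm the real figure in the importer's docs.
MAX_NOTE_CHARS = 10_000

# Fields large enough to plausibly hit the limit: notes ("extra") and passwords.
CHECKED_FIELDS = ("extra", "password")


def build_sample_export() -> str:
    """Construct a tiny LastPass-style export in memory (sample data only)."""
    # A PGP private key block is the typical oversized secure note; the body
    # here is filler, not a real key.
    fake_key = ("-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
                + ("A" * 64 + "\n") * 200
                + "-----END PGP PRIVATE KEY BLOCK-----")
    rows = [
        ["https://example.com", "alice", "correct horse battery staple", "", "",
         "Example login", "Work", "0"],
        # LastPass exports secure notes with the literal url "http://sn".
        ["http://sn", "", "", "", fake_key, "My PGP key", "Keys", "0"],
        ["http://sn", "", "", "", "Router admin password is in the safe",
         "Home router note", "Home", "0"],
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(LASTPASS_COLUMNS)
    writer.writerows(rows)
    return buf.getvalue()


def triage_export(csv_text: str, max_chars: int = MAX_NOTE_CHARS) -> tuple:
    """Split rows into (importable, needs_manual).

    Rows with any checked field longer than max_chars are withheld from the
    import file and summarised by name only, so the report itself never
    contains secret material."""
    reader = csv.DictReader(io.StringIO(csv_text))
    importable, needs_manual = [], []
    for row in reader:
        too_long = [f for f in CHECKED_FIELDS if len(row.get(f) or "") > max_chars]
        if too_long:
            needs_manual.append({
                "name": row.get("name", ""),
                "grouping": row.get("grouping", ""),
                "fields": too_long,
                "length": max(len(row[f]) for f in too_long),
            })
        else:
            importable.append(row)
    return importable, needs_manual


def write_filtered_export(rows: list) -> str:
    """Re-serialise the importable rows with the original column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LASTPASS_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    importable, manual = triage_export(build_sample_export())
    print(f"{len(importable)} rows ready to import, {len(manual)} to enter by hand:")
    for item in manual:
        print(f"  {item['grouping']}/{item['name']}: {item['fields']} ({item['length']} chars)")
    # write_filtered_export(importable) is the text you would save and hand to the importer.
```

Run it against a real export by replacing build_sample_export() with the file contents; the filtered CSV goes to the importer, and the short report tells you which items to re-create by hand. Remember that the export and the filtered file are plaintext vaults: keep them on an encrypted disk and delete them once the import is verified.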
A Note on Self-Hosting
BitWarden has some very nice documentation, and in it are instructions to self-host the server side of BitWarden. As someone who works in computing let me state this: if you self-host, ensure you can recover from a total failure. That means daily backups, cross-region replication, versioning, access auditing, access logging, and testing your failure cases. The instructions detail how to start the services; there is much more involved in running a production system.
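The "test your failure cases" point deserves a concrete shape. The script below is an added example (not BitWarden's own tooling) of the minimum a self-hoster should automate: take a timestamped backup of the server's data directory, record a per-file hash manifest, check that the latest backup is not stale, and actually restore the archive into a scratch directory and compare every file hash, so a corrupt or tampered archive is caught before the day you need it. It assumes all server state lives under one directory passed in as a parameter (BitWarden's own docs describe their layout; nothing here depends on it), and the demo builds a constructed data directory with stand-in files.

```python
"""Backup + restore-verification for a self-hosted password manager's data dir.

Added example, not Bitwarden's own tooling. Assumes all server state lives under
one directory (passed in as `src`); the directory layout itself does not matter.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_hashes(root: Path) -> dict:
    """Map every file under root (POSIX relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest_dir: Path, label: str = "data") -> tuple:
    """Write a timestamped tar.gz plus a JSON manifest of per-file hashes.

    The manifest is what a later restore is checked against; keep it with the
    archive and a copy somewhere the archive is not."""
    src, dest_dir = Path(src), Path(dest_dir)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = dest_dir / f"{label}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=label)
    manifest_path = Path(f"{archive}.manifest.json")
    manifest = {
        "label": label,
        "created": time.time(),
        "archive_sha256": sha256_file(archive),
        "files": snapshot_hashes(src),
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def backup_is_fresh(manifest_path: Path, max_age_hours: float = 24) -> bool:
    """Daily backups only help if they actually ran; alert on stale ones."""
    created = json.loads(Path(manifest_path).read_text())["created"]
    return (time.time() - created) <= max_age_hours * 3600


def verify_restore(archive: Path, manifest_path: Path) -> bool:
    """Perform a real restore into a scratch dir and compare every file hash.

    Returns False on a tampered/corrupt archive, a missing file, or any
    extraction error; it never raises. A backup you have not restored is a guess."""
    manifest = json.loads(Path(manifest_path).read_text())
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False
    try:
        with tempfile.TemporaryDirectory() as tmp:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(tmp, filter="data")  # rejects path traversal (newer Pythons)
                except TypeError:  # older Python without the filter argument
                    tar.extractall(tmp)
            restored = snapshot_hashes(Path(tmp) / manifest["label"])
    except (tarfile.TarError, OSError, EOFError):
        return False
    return restored == manifest["files"]


def demo() -> tuple:
    """Constructed scenario: back up a fake data dir, verify it, then corrupt it."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "vault.db").write_bytes(os.urandom(4096))   # stand-in for the database
        (src / "config.yml").write_text("placeholder: true\n")  # stand-in for config
        backups = work / "backups"
        backups.mkdir()

        archive, manifest = create_backup(src, backups)
        intact = verify_restore(archive, manifest) and backup_is_fresh(manifest)

        # Simulate bit rot or tampering: flip one byte in the middle of the archive.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(bytes(data))
        after_corruption = verify_restore(archive, manifest)
    return intact, after_corruption


if __name__ == "__main__":
    ok, corrupt_ok = demo()
    print(f"restore verified: {ok}, corrupted archive verified: {corrupt_ok}")
```

In production the verify step runs on a different host than the one that took the backup (that is the cross-region part), the manifest and archive are shipped to versioned, access-logged storage, and a failed verify_restore or a stale backup_is_fresh pages someone. The archive still contains the server's secrets, so it needs the same access controls as the live data directory.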
With a couple of minutes to migrate the vault and an hour of auditing the migrated accounts, everything looked good. Installing the browser and mobile clients was also painless. Finally, the moment came. I deleted all the accounts from LastPass and closed my account.
Goodbye LastPass, you were good, but you lost my confidence.