A password manager used to be something that was just kind of “nice to have” — an ancillary player in your cast of online security tools. Now, using a password manager is an absolute necessity if you want to make sure that you’re properly protecting yourself online from threats like data theft and phishing.
But it can be tough to find a password manager that’s right for you because of how many options are available. Some may be easier to use than others while some may be more geared toward the techie crowd. And while password managers usually have pretty similar core functionality, the availability of specific features may vary at different price levels. If you’re unsure what’s right for you, CNET’s breakdown of the best password managers is a great place to start.
The top two password managers on that list are Bitwarden and LastPass, two big-name leaders in the industry that offer internet users excellent, polished password manager options.
LastPass — perhaps the most well-known and widely used password manager — held CNET’s top password manager crown for a long time. But the company’s decisions in 2021 to begin limiting its free offering to just one device type and yank email support from free users, along with a series of security missteps, have relegated it to the second position behind Bitwarden.
That said, the quality of LastPass’s paid tier is top-of-the-line. It’s intuitive, easy to use and packed with tons of useful features like automatic syncing across devices, dark web monitoring, password generator and secure notes. However, though LastPass patched a vulnerability that could have leaked user credentials, the company’s use of web trackers in its Android app is still concerning.
More recently, LastPass notified customers of a security incident where cybercriminals were able to breach its systems and steal part of its source code along with other proprietary technical information. The company said that the service continues to operate normally and that it saw no evidence that customer passwords were compromised in the breach.
By comparison, Bitwarden allows you to use its service for free across an unlimited number of devices and device types. Bitwarden’s free tier also includes core functionality like two-factor authentication, unlimited vault items, username and password generator and automatic syncing across devices. If you pay for the premium plan, you get all that, plus features like advanced two-factor authentication, encrypted sharing of text and files, emergency access and priority support. Like LastPass, Bitwarden operates on a zero-knowledge model of encryption (meaning that the companies themselves don’t have access to your master password or anything stored in your vault) but scores bonus points for being fully open source.
In the end, both are great options — but Bitwarden is generally the better option, particularly for its transparency. Let’s take a deeper dive into how password manager heavyweights Bitwarden and LastPass stack up against one another in terms of price, platform availability and security.
Sarah Tew/CNET
You can use Bitwarden’s free tier on an unlimited number of devices across device types, which helps give it a considerable leg up on LastPass in terms of overall cost effectiveness — even if its free option doesn’t include all the features as LastPass’s free tier does. Bitwarden is fully open source and a highly secure option with zero-knowledge encryption and multifactor authentication. This password manager’s simple user interface is easy to use across all major platforms, as well as browser extensions including Brave and Tor.
Sarah Tew/CNET
LastPass offers an incredibly polished and feature-rich password manager that is easy to use and just about as secure as Bitwarden, though it is not fully open source. However, the fact that LastPass no longer permits unlimited devices and device types on its free tier is a major drawback and a big part of the reason the provider slipped to the No. 2 position behind Bitwarden in CNET’s assessment of the best password managers.
Cost-effectiveness: Bitwarden by a mile, especially when factoring in its unlimited free tier
Bitwarden is decidedly the more cost-effective of the two. Bitwarden’s paid tier is $10 a year for a personal account and $40 a year for a family account that covers up to six individuals. The premium individual account allows you to share vault items with one other user, while with the family plan six people can share vault items with each other.
LastPass, on the other hand, charges $36 a year for its individual account and $48 a year for its family plan that also includes six accounts.
The differences between each password manager’s free tier is where things diverge much more dramatically. Like LastPass used to do until a little over a year ago, Bitwarden allows you to use its service across an unlimited number of devices regardless of what platform you’re using it on. LastPass has taken that flexibility away from its free users, seemingly in an attempt to more aggressively push users to its paid plans. You’ll only be able to access your LastPass vault on either mobile devices or desktop computers, but not both, if you’re a free user.
A lack of access across all devices is a major hitch because password managers need to be everywhere you are online to be most effective as a security tool.
“Internet users are bound to forget about their password manager altogether if it isn’t immediately and consistently visible as they browse the web across devices,” CNET’s Rae Hodge explains in her LastPass versus 1Password comparison. “As a result, they’re likely to store their ever-increasing number of passwords in a browser itself, which is a much less secure option.”
You could, theoretically, get around this limitation if you signed up for two separate free accounts using two different email addresses. However, that would mean you’d need to manage two separate vaults as well — one serving your mobile devices and one your desktop computers. Since autosyncing across devices is such a crucial functionality for a password manager to have, this solution isn’t very practical.
The one place where LastPass has Bitwarden beat in terms of cost-effectiveness is its 30-day free trial, as opposed to Bitwarden’s seven days.
Platform availability: Bitwarden, by virtue of its wider range of browser extensions
Both Bitwarden and LastPass offer dedicated desktop apps for Mac, Windows and Linux, along with mobile apps for iOS and Android devices. You can also download Bitwarden from the F-Droid repository.
Both password managers also offer various browser extensions, but while LastPass offers extensions for Chrome, Firefox, Edge, Opera and Safari, Bitwarden has all those plus Vivaldi, Brave and Tor. Bitwarden’s Web Vault will also allow you to access your vault from any browser in case you’re without the devices you normally use the service on.
You can use both providers’ command line interface to write and execute scripts on various platforms. Using a CLI requires less processing power and can be great for automating tasks and creating custom interfaces and for enterprise IT teams to integrate password managers into their organizations’ internal systems. However, it does involve a greater amount of technical know-how than using a password manager’s app or browser extension. If you’re an everyday user who prefers the ease-of-use of a standard graphical user interface, then the CLI probably isn’t for you anyway.
Ultimately, Bitwarden gives you more options than LastPass when it comes to what platforms you want to use its service on. Though Bitwarden is easy to use across all platforms for any user, its range of options — including Tor extension — will definitely appeal to techier and more privacy-focused customers. If you don’t need to access your vault on all those platforms, then LastPass more than gets the job done in terms of platform compatibility.
Security: Bitwarden, because it’s more transparent and fully open source
In a recent security incident, intruders were able to access LastPass’ company systems through a compromised developer account and steal parts of LastPass’ source code along with other technical data. However, LastPass said in response to the incident it “deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm.”
LastPass said the intrusion was limited to the development environment, with no evidence that customer passwords or other personal data were compromised. LastPass says its service is operating normally and that no action is required from users at this time.
Despite the recent incident, Bitwarden and LastPass are still essentially on equal footing in terms of the overall security of their products. However, Bitwarden gets an edge here due to being more transparent than LastPass. Bitwarden is open-source and more upfront about its compliance, audits and certifications. And as opposed to the five trackers residing on LastPass’s Android app, Bitwarden has two — which isn’t quite as good as the zero found with 1Password and KeePass, but we much prefer two rather than five. Trackers can be a major privacy issue because, even if your passwords and other vault entries themselves are securely encrypted and hidden from third parties, other websites can still track the sites you visit.
Bitwarden is also open-source, meaning its code is openly available online to anyone who wants to scrutinize it. LastPass, on the other hand, is a closed-source proprietary software, which conversely means it’s not openly available to public scrutiny. With LastPass, we don’t know if any vulnerabilities or backdoors exist in the software unless it is publicly disclosed by the company. That said, LastPass’s command line interface is open-source, which makes up for the proprietary nature of its software if you choose to make use of the provider’s CLI.
With both Bitwarden and LastPass, you get the benefit of zero-knowledge encryption along with encrypted file and password sharing, multifactor authentication and customizable password generation.
Bitwarden’s privacy policy says it collects personal information like your name, email address, IP address and information about the device you’re using. The company says it can use that information to provide you with its services and share that information with unnamed “subsidiaries, affiliates, and partners to facilitate our global operations and in accordance with applicable laws, and our agreements with customers or service providers.”
LastPass collects the same categories of information, according to its privacy policy, and can share the information with “third-party service providers under appropriate confidentiality and data privacy obligations.”
Ultimately, with either provider you can rest assured that your vault is amply secure, but Bitwarden takes the crown here head-to-head.
