Head-to-head evaluation of six password managers
[NOTE: This story originally evaluated five, not six, password managers, but I’ve added a sixth, Zoho Vault, to the evaluation grid, hence the difference between the URL and the title of the story.]
I’ve used the LastPass password manager at home and at work for eight and a half years, since only a couple years after they launched, so it makes sense that when I came to Quantopian as its VP of Operations (and later CISO), I brought LastPass with me and we adopted it as our corporate password manager. For several years, we were happy with LastPass as a product and with the quality of support provided by the company.
However, in 2015 LogMeIn acquired LastPass, and things started to change. We have been increasingly dissatisfied with the quality of the product and its support since the acquisition, until recently we finally decided to spend some time evaluating alternatives to LastPass.
We created a detailed evaluation checklist and ran five password managers through the gauntlet: LastPass, 1Password, Dashlane, Bitwarden, and Keeper. At the end of our evaluation, we decided that Bitwarden is the best choice for our company, and we’ve begun the process of migrating from LastPass to Bitwarden.
Obviously, our priorities and requirements might not be the same as yours, so what follows is a description of the functionality and features we focused on in our evaluation.
Even if our priorities are different from yours, you can still benefit from our evaluation! Included below is an interactive grid which you can tweak to focus on just the requirements you care about and then pit any two of the five products we looked at head-to-head and see how they fare against each other.
Quantopian’s password-management priorities
We use our password manager on Mac OS, Windows, Linux, Android, and iOS. Our password manager needs to support all of those platforms. Most importantly, full functionality can’t be dependent on an app which is only available on Mac OS and/or Windows. In other words, lack of full Linux support is a show-stopper for us. This ruled out 1Password and Dashlane.
We have recently begun the process of issuing YubiKeys to all of our employees and requiring the use of the YubiKey for two-factor authentication for all applications and services which support it. Therefore, although we didn’t consider YubiKey support to be a hard-and-fast requirement for our new password manager, it was a factor. Certainly, any password manager which lacked any support for 2fa would have been rejected out-of-hand. Fortunately, all five products we looked at support some form of 2fa.
We encourage our employees to use a password manager for their personal passwords in addition to their work passwords, and we want to make that easy. Despite the various problems we’ve had with LastPass, we have to acknowledge that their “linked personal account” functionality is the gold standard for solving this particular problem, so we evaluated the other products to see how their solution to this problem compared. Dashlane and Keeper have poor solutions to this problem; the others are adequate.
Obviously, since we were going to be migrating from LastPass to a new service, the ability to import our LastPass data into the new service was essential. Fortunately, all the products we evaluated had this capability.
A number of features we looked at are only relevant in an enterprise (i.e., business) environment. For example, for just personal use, you probably won’t care about linked personal accounts, fine-grained access control, or what abilities company administrators have, but all of these questions were important to us.
It’s important to us that our password manager is actively maintained, and that the people maintaining it are responsive to support inquiries, feature requests, and bug reports. We definitely found that to be the case with Bitwarden. For example, at one point during our evaluation we submitted a bug report about Bitwarden through its Github project; one of the product’s maintainers committed a bug fix seventeen minutes later, and just a few days after that the fix was released to the public.
Interactive head-to-head evaluation grid
To see the evaluation table, click on the “Result” tab in the embed below. Initially, all of the checklist items we considered in our evaluation are listed in the table. If you scroll to the bottom, you will see a list of feature tags. Uncheck the features you don’t care about, and they will be removed from the grid. Then, you can select any two products from the two drop-down menus at the bottom, and the grid will add a column doing a head-to-head comparison of those two products with an overall score at the bottom.
What do you think?
Did you find this article useful? Have you undertaken a similar evaluation for yourself or your company? If so, what was your final choice, and what were the deciding factors? We’d love to hear from you. Feel free to comment here, email our security team, or email me directly.
Let’s be careful out there!
— Jonathan Kamens, Quantopian’s CISO
[UPDATE 1: This story originally evaluated five, not six, password managers, but I’ve added a sixth, Zoho Vault, to the evaluation grid, hence the difference between the URL and the title of the story.]
[UPDATE 2: The following enhancements has been made to the interactive comparison grid: (1) 1Password supports storing TOTP two-factor authentication seeds in its vault on most platforms, so the grid has been corrected to reflect that. (2) Line items have been added for whether personal and organization accounts can be deleted by the user without needing to contact customer service. (3) Cross-platform items in the grid have been collapsed into a single item where possible to make the grid more compact.]
[UPDATE 3: The grid has been updated to indicate that: (1) the Keeper CLI can export attachments in bulk; (2) the LastPass and Bitwarden CLIs can export individual attachments; (3) Keeper has rudimentary support for linked personal accounts.]
[UPDATE 4: Keeper now has a useful status page, so the grid has been updated to reflect that. Also, the table header now repeats periodically in the grid so it is easier to see which columns correspond to which products as you scroll through the grid.]
[UPDATE 5: Auto-fill in work profile is working now with Bitwarden with a caveat, so the grid has been updated to reflect that.]
[UPDATE 6: Keeper’s Android app has been fixed to show the full username of each site in the pop-up auto-fill prompt, so the grid has been updated to reflect that.]
The above content is directed toward technology professionals to provide information and promote discussion about information security. The content is prepared by Quantopian, Inc., but does not represent an attempt by the company to offer its products and services to the general public or provide investment advice. Readers interested in more information and important disclosures about Quantopian, its advisory business, and its products and services should visit www.quantopian.com.