To evaluate all the different features offered by various password managers, we adopted five key areas of analysis to compare how Bitwarden and LastPass deliver on what’s really important. The best password manager for you will often depend on your situation and needs, be it for home or business use, so we did our best to ensure our evaluation of these features provides as much information as possible for working out which solution performs better in each context.
1. Security & Encryption
It’s critical for a password manager to store and transmit information securely, to provide multifactor authentication — or at the very least the option for two-factor authentication — to further impede hacking attempts and to encrypt data in ways that can’t be decrypted even with brute-force cryptanalytic attacks. Modern security practices should also, ideally, include third-party security audits.
2. App Compatibility
We looked for whether each app provides broad-based compatibility with multiple devices, browsers, and operating systems. The best password managers should run as seamlessly as possible on any device, should be able to synchronize data between unlimited numbers of devices and should work with the broadest possible range of mobile, desktop and laptop operating systems as well as the most popular web browsers.
3. Ease of Setup & Use
A high-quality password manager should be painless to set up and intuitive to use. The less time you have to spend working out how the software accomplishes certain tasks, the more time you can spend actively securing your passwords, and time is money for businesses and families alike. An up-to-date password manager should also offer the convenience of biometric logins for your smartphone.
4. Password Sharing
There are times when it’s necessary to share passwords between certain users. We looked at the tools each application provides for doing this as securely as possible, the features they provide for controlling this kind of access, the tiers of service at which each of them allows sharing with multiple or unlimited users and any particularly useful aspects of each solution’s approach to password sharing.
5. Pricing
We looked carefully at what each password manager provides for password storage and other key resources at paid tiers of service, whether they provide a functional free version (and if so, how functional that free version is) and overall value-for-money.
We spent over 10 hours researching the features of Bitwarden and LastPass to see how they compare on the five most important features of a password manager noted above. Here is how it breaks down.
Bitwarden is one of the most highly secure password managers on the market and has been through third-party security audits by the firm Cure53. Employing a “zero-knowledge” model that ensures only you have access to your password, it combines AES-256 encryption with SHA-256 password hashing. It provides the option to host all your passwords on your own server if you prefer, and the open-source nature of the software means it has received considerably more scrutiny from security experts than closed-source password managers. It provides two-factor authentication (though only via the web app) and is an all-round solid choice from a security standpoint.
LastPass also enjoys a solid reputation for security. It stores secure vaults both on your devices and on the company server and provides robust multifactor authentication options, allowing users to define hardware keys or biometric options for secondary authentication, although it doesn’t support the most modern U2F/FIDO2 standard for authenticator key generation, instead using a TOTP method. This is a minor drawback, however, compared to the fact that LastPass’ last third-party security audit was in 2018 and, while it reported positively on LastPass’ ability to keep your vault data secure, was still not nearly as in-depth as the more recent audit of Bitwarden’s open-source software.
LastPass has also been the subject of four limited data breaches between 2015 and 2017. This may simply reflect the fact that the extensive popularity of the software makes it a likelier target for hacking attempts, and the problems were quickly fixed and no vault data was compromised, but users will have to weigh for themselves the implications of these events for their overall feeling of safety. On the other side of the ledger, LastPass’ Security Challenge app is an excellent and easy-to-use actionable password strength reporting tool that helps educate users about what weak and strong passwords look like and that makes quick work of correcting vulnerabilities. Overall, though, we have to give the security and encryption edge to Bitwarden.
LastPass was clearly built with use-anywhere convenience in mind. It’s compatible with any browser or device you could conceivably need to run it on, no matter how “obscure” they might be. It also provides secure syncing between all your devices and browsers even at the free tier of service, making it simple to keep your passwords up to date whenever needed.
Bitwarden largely matches LastPass for compatibility, with the minor exception that it doesn’t yet offer Internet Explorer compatibility. This is still relevant to system and server admins whose systems may still be running Explorer, even though some consider it a browser of the past, but it’s not a dealbreaker for most people. Bitwarden also supports command-line functionality for a wide variety of operating systems, a useful and powerful feature for the tech-savvy that won’t be necessary for most everyday home applications. Ultimately, compatibility isn’t a big differentiator between the two.
| | Bitwarden | LastPass |
|---|---|---|
| Other | Docker; CLI managers for Windows, Linux, macOS, Unix, Chocolatey, Homebrew and Snap | Dolphin browser for Android |
Bitwarden is easy to set up and provides a remarkable range of options for importing passwords, supporting imports from over four dozen different password managers and browsers. While its apps are relatively basic, particularly in terms of providing limited options for customizing vault items, they’re easy and intuitive for users to interact with and will deliver on most of the basic needs that home or small team users in particular might have. Password generation is strong and simple to access, and the app provides basic but very solid reporting functions. The only potential downside to Bitwarden’s version of the zero-knowledge security model is that if you lose your master password, it can’t be replaced, because the company specifically avoids storing any copies of it on their servers. In that case you may find yourself rebuilding your vault from scratch, though this is probably a worthwhile trade-off for added security.
LastPass provides convenient automated password imports, and its Security Challenge app keeps you up-to-date on which passwords need changing, updating, or strengthening. It has powerful form filling and password generation features, and despite a somewhat dated user interface is still reasonably easy to use and learn. The Auto-Change Password feature makes it easy to update dozens of passwords at the click of a button, which is an enormous time-saver and the kind of feature that gives LastPass an edge in customer popularity. Although LastPass stores vault data on its servers, the company cannot access the data, so as with Bitwarden, the loss of your master password can lead to being locked out; however, LastPass provides some convenient options for emergency recovery through SMS recovery codes or emailed one-time passwords. These recovery options can present mild security risks, but you can only activate them voluntarily, and they’re only vulnerable to someone directly using the device involved.
Both Bitwarden and LastPass support convenient biometric logins, and their processes for managing vaults, password sharing and other basic tasks are very similar. Overall, they come out pretty even in the ease-of-use category.
Bitwarden supports highly secure password sharing for two users at its free tier of individual service, for five users at its Premium tier for Family and Teams service and 20 users or more at the Enterprise tier. Its password sharing model requires multiple “handshake” authentication and allows fine-grained control of user access to certain vaults through the creation of organizations. Its web app makes it simple to access vaults from any system with a compatible browser.
LastPass has similarly robust password sharing options. It manages this functionality through an easy-to-use Sharing Center and supports sharing for more users than Bitwarden at similar price points, providing for up to 50 users at a Teams tier, which is roughly comparable in many ways to the Enterprise tier supported by Bitwarden. On the whole, while the basic features are similar, the edge in ability to scale up for larger businesses and teams likely goes to LastPass, and Bitwarden makes the most sense for home and family users and smaller business teams.
Stacked up against most competitors, Bitwarden would have a significant edge as a free password manager, providing a high-functioning feature set that competes with what many managers provide at paid service tiers. Even at its paid tiers, Bitwarden is incredibly affordable, although admittedly its extremely robust free offering has the side effect of making its Premier service tiers a bit less differentiated than they would otherwise be. Still, with excellent security and sharing features, broad-based device and software compatibility and excellent ease of use, its free version is the true standout on its pricing list.
LastPass, as it so happens, is one of the few password managers that does offer a free service tier that’s directly competitive with Bitwarden. With secure sharing, the Security Challenge actionable password strength report and unlimited entries, LastPass Free is just as feature-rich as Bitwarden for those seeking a free option, although one of the manager’s bigger strengths, its emergency access functionality, is limited to paid tiers of service. LastPass’ paid service tiers offer services consistent with other top password managers and, provided users can reconcile themselves to possible concerns about the company’s data breach history, justify the overall expense trending higher than Bitwarden’s paid plans.
| | Bitwarden | LastPass |
|---|---|---|
| Individual | Free (fully functional); Premium $10/year | Free basic; $2/month premium (billed annually) |
| Family | $1/month (5 users) | $4/month, up to 6 users (billed annually) |
| Teams | $5/month (5 users, additional users at $2 per user/month) | $4/user/month (billed annually), 5-50 users |
| Business | N/A | “Enterprise” plan starts at $6/user/month (billed annually) |
| Enterprise | $3 per user/month | Custom pricing for specific needs, $4/user/month otherwise |
Both Bitwarden and LastPass have well-earned reputations as solid password management solutions. Just as with any suite of security tools, a great deal will depend on users’ specific needs and preferences in choosing one over the other. The comparison table below outlines how they compare for main password management functions and how they handle specific tasks.
| | Bitwarden | LastPass |
|---|---|---|
| Setting up the vault | Add accounts during login, import from browsers and other password managers | Same as Bitwarden |
| Logging into accounts | Log into accounts from the mobile app, the Windows desktop app or through the web app from any system with a compatible web browser (Chrome, Firefox, Opera, Edge, Safari, Vivaldi, Brave, Tor) | Login information filled in on page load; select account from a list |
| Creating new passwords | Secure password generator in online and desktop versions | Password generator accessible when creating passwords |
| Changing passwords | Browser extension for password generation and changes | Use password generator when on change password screen; excellent “Auto Change Password” automation feature |
| Sharing logins | Family, Team, and Enterprise service tiers offer strong sharing features | All plans can share with individual users outside your team; family, team, and enterprise tiers have robust shared folder features |
| Recovering your account | Zero-knowledge model ensures only you can access your passwords. Lost master passwords cannot be recovered and mean having to delete your account and existing vault and restart from scratch. | Password hint; one-time passwords tied to machine and browser; SMS codes (can be disabled) |
| Advanced security features | AES-256 encryption combined with SHA-256 password hashing; secure multiple-handshake password sharing; option to self-host passwords; biometrics (face recognition and fingerprint) for mobile login; multifactor authentication | Two-factor authentication; restrict to countries; security check, convenient emergency access |