
I've been using LastPass as my primary password manager for many years---if I had to guess, I'd say it has to be close to 10 years now. And over those years, it has let me down, disappointed me, and frustrated me on multiple occasions. A few weeks ago, I finally made the switch to 1Password. I should've done it ages ago.

UPDATE: 12/22/22

Given that LastPass announced a breach (again) wherein hackers stole user passwords (again), we're resurfacing this article.

To be clear, there's nothing glaringly wrong with LastPass---or at least that's what I told myself for multiple years. Sure, the Android app doesn't always auto-fill options and the Chrome extension stays logged in literally all the time. The app has suffered multiple data breaches over the years, too. But that's all par for the course, right?

Not even close.

I honestly didn't realize how poor of a password manager LastPass is until I used 1Password. The Android autofill issues are one thing---a minor annoyance at best---but the poor security implementation for an app that's supposed to store some of your most private information is downright inexcusable.

LastPass' Security Protocols Are Pathetic

If you have a LastPass account, you already know how this works: you install the app or go to the website and log in. Maybe you also have two-factor authentication enabled on your account---good for you. But that's optional, and if you don't already know that LastPass offers 2FA, then it's pretty much guaranteed that you don't have it enabled. (How could you enable something you weren't aware of, after all?)

And if you install the Chrome extension, you only have to log in once. After that, as long as the computer stays online, you'll never be asked to log in again. At that point, anyone who has access to your computer also has access to your passwords. That's a disaster just waiting to happen. You can change this behavior in LastPass' extension settings, but it's just baffling that auto-lock isn't enabled by default. You should not have to opt in to better security, especially in a password manager.

But 1Password does things differently. First of all, it doesn't just force 2FA out of the box, but it sets a "secret key" when you create your account. This is a highly complex key that is required every time you log in on a new device (note: only on the first login---after the device is confirmed, you can log in with just your username and password). The key is automatically generated and shared with you in a document when you sign up for 1Password. This key is also stored on your trusted devices, so it's easy to keep secure but hard to lose.

That's a big level up on security for all your passwords. You know what else 1Password does that LastPass doesn't? Auto-lock the vault in the Chrome extension by default. Both 1Password and LastPass lock the vault after a period of inactivity on mobile, but the same doesn't apply to browser extensions. It's baffling. (If you use LastPass and don't want to switch, please enable this feature under Account Options > Extensions Preferences > Log Out after this many minutes of inactivity.)

A screenshot of the LastPass browser extension options showing the "log out after minutes of inactivity" option highlighted

Now, LastPass could fix both of these issues pretty easily by forcing 2FA and auto-locking the vault by default. But it's been years now and neither of those things has been done. Hard to say if or when they ever will. So, it's time to switch.

1Password Has Never Seen a Data Breach

Since 2011, LastPass has been involved in five data breaches or other security incidents---2011, 2015, 2016, 2017, and 2019. To be fair, some of these weren't major; just exploits that were discovered. And in all of those cases, LastPass did a notable job of disabling or patching these vulnerabilities. It's fair to give credit where it's due.

But if you Google "1password data breach" the first option isn't some high-profile leak that 1Password was a part of. It's a link to the 1Password blog about what would happen if the company is ever part of a breach, which starts with the words "1Password has never been hacked." If you're considering a switch, this is worth a read. Even if you're not considering a switch right now, it's worth a read. It might change your mind.

The Android App Is Far More Reliable

A picture of the 1Password search option from the autofill dialog
Cameron Summerson / Review Geek

One of my biggest peeves with LastPass is how utterly unreliable the Android app's autofill option has been---even after Google implemented the autofill API, which I hoped would solve these issues. But nope.

I'm not sure what the determining factor is here, but sometimes the autofill feature works fine on LastPass. Other times it never prompts at all. And others, it prompts but says there are no saved passwords for that app/site. And there isn't a way to search directly from the autofill prompt.

Again, 1Password fixes all of those issues. For starters, there hasn't been a single time that it hasn't offered a prompt on a password box. And in the case when it doesn't associate a password from a site with its corresponding app, you can search directly from the prompt and assign the password to the site right there---it takes just a few taps. After that, the association is stored, so logging in the next time will be even easier. LastPass doesn't have anything like that.

Now, to be fair, if you're an iOS user, you probably haven't experienced any of these issues. iOS password autofill options seem to work much more reliably than Android's, as I haven't experienced any problems with LastPass on iOS. That said, 1Password works just as well, so you're not losing anything if you make the leap.

Switching Was More Painless Than I Ever Expected

I have an embarrassing confession: the main reason I didn't switch sooner is that I didn't want to spend the time to do it. In my head, this was going to take hours. That's actually so incorrect I feel stupid just saying it. The switch literally took like five minutes. No joke---five.

In fact, 1Password has an excellent guide on doing just that on its support site. Ultimately, it boils down to two steps: export your LastPass vault, then import it to 1Password. In my experience, everything synced across beautifully.

All told, I had 1Password up and running on three phones and four computers in about 20 minutes, which includes removing LastPass from those devices. I feel ridiculous for waiting so long.

There is one minor catch though. For some reason, there are two versions of the 1Password browser extension---one requires the desktop app to be installed and the other doesn't. I recommend using the 1PasswordX extension, which works on its own. Otherwise, you'll also need to install the desktop app, which is honestly just kind of redundant. As an added bonus, the 1Password extension has a much lower impact on system resources than the LastPass extension (at least in Chrome).

But there's also the question of pricing. For most people, LastPass is free---you can use it on multiple devices without paying a dime. If you want to add encrypted file storage to the mix, you can do so for $3 a month.

A screenshot of 1Password's plan options.

But 1Password is $3 a month out of the gate or $5 a month for your entire family. You know the saying "you get what you pay for?" Well, I don't think it's more true than it is right here---1Password is more secure and more convenient than LastPass, which more than makes it worth $3 a month.

If you've been considering switching from LastPass to 1Password, I highly recommend it. I wish I would've done it years ago.

Disclosure: 1Password offers free accounts for journalists, which I switched to before writing. This in no way shaped the findings or outcome of the article.
