Bitwarden is less secure than Lastpass
Posted by robotman2009@reddit | sysadmin | 35 comments
Not a sysadmin but I do work in the cybersecurity space. This post is sort of a rant and b!tch session, but I wanted to illuminate a huge reason why bitwarden is less secure than lastpass. It FUCKING sucks to use! It's such a miserable user experience that writing down passwords on post-its is a superior technology to the user. Blah-blah... bUt wHat abOuT pOlicy?... wHaT aBoUt tHe SeCuriTy tRainIng?... yeah I get it, but what is the CISO going to do? Come to employees' desks in their homes (remote) and scold them for their passwords written everywhere?
The company I worked for switched over from lastpass, which was a joy to use, to bitwarden about a year ago after the 'incident' and it's sucked ever since.
bitwarden isn't nearly as seamless as lastpass
bitwarden doesn't update passwords well so the passwords that are in there are outdated or need to manually be updated
managing password collections for service accounts sucks compared to lastpass
sending secure files, notes, etc... all better with lastpass. I can't think of a single aspect that bitwarden does as well as, or better than, lastpass.
If I had to guess, 20% of employees are using something else like a text file on their desktop or just hand writing it down. Lots of plaintext password sharing going around.
BlackV@reddit
man, at least tag your post with RANT
RequirementMammoth21@reddit
I have zero of those issues.
I don't say that because I love BitWarden, it's...fine. I say that because you should take a step back and realize these are all you problems.
msi2000@reddit
I have had this conversation a number of times with colleagues, peers and on the internet. Lastpass is not as good a solution technically as some of its competitors and it has had some embarrassing breaches.
It is however very user friendly, and for general users it should be compared to options such as post-it notes, single passwords and spreadsheets, because these are the solutions users will use, not a more secure password manager.
A breach or vulnerability in LastPass is likely to be published and passwords can be changed, whereas the solutions it replaces rely on the user realising there was a breach.
Obviously a risk assessment must be made and some users/teams may have to use a more secure & less user-friendly solution but hopefully this will be a more technical or at least a smaller group.
TLDR LastPass isn't the best tool but users will generally use it, which makes it a good tool
bageloid@reddit
Lastpass was persistently breached from Aug. 8, 2022 to Nov. 30, 2022 before they announced that customer data was involved, and then told its users that they didn't have to change passwords. That's a pretty bad response and response timeline.
msi2000@reddit
You are correct, LastPass has had a poor response to security breaches in the past. A risk assessment needs to be undertaken factoring in this and the sensitivity of the account being protected; the security onion also needs to have layers. Will MFA provide enough additional protection, does this account need to be open to the internet, does the advice to not change passwords need to be ignored, etc.
However, I believe that a lot of people asking these questions are not asking the following: how many users only use one password, are users using post-it notes, are they sharing credentials? Users do this because they find the security oppressive and it needs to be taken into account.
In my opinion, in my organisation LastPass is superior to no password manager for the majority of users. This does not mean that all the accounts are only secured by passwords in LastPass and that all the credentials are held in LastPass.
robotman2009@reddit (OP)
Yes! I think you're the first to accurately interpret my post. It's not LastPass > Bitwarden
It's Bitwarden == Post-It note and LastPass > Post-it
msi2000@reddit
I think we are the only two people in IT who think this, I have had this discussion so many times.
robotman2009@reddit (OP)
Judging by the other comments I would hazard a guess you are correct. I think the realistic scenario at my organization is a little less extreme than writing everything down on post-its, but definitely re-using passwords across all platforms, whereas with lastpass folks were comfortable generating the random passwords or using complex and different passwords because they had faith lastpass would work when they needed it.
Naclox@reddit
Post-it notes don't get leaked to the entire world though.
Hotshot55@reddit
So we're just ignoring all the LastPass breaches now?
robotman2009@reddit (OP)
No, organization wide we changed every single password we had in lastpass. It wasn't fun but it was much preferable to what we deal with now.
gihutgishuiruv@reddit
Skill issue tbh
Discipulus96@reddit
Agreed. Just need to learn the product. It does everything OP describes very well with little effort so I really don't know what the problem is.
robotman2009@reddit (OP)
I don't either but I know I'm not alone at my organization.
robotman2009@reddit (OP)
correct. most users don't have the patience or skills to be bothered.
quickproquo@reddit
Sounds like you're experiencing a pebkac error. Those are tough. Best of luck.
FactorJ@reddit
Layer 8 issue for sure.
robotman2009@reddit (OP)
unlikely. same set of users, different technologies. The only thing that changed is the technology so I guess it's pretty easy to rule out pebkac.
bitslammer@reddit
Bitwarden works fine. I'm using it seamlessly across several Android, iOS, MacOS, Windows and Linux devices as well as the browser plugins. No issues at all and most importantly I trust Bitwarden because they've done well when it comes to providing a secure product and have been timely, honest and transparent with any issues they have had.
Lastpass did a horrible job security wise and then took the route of denying, understating and outright lying.
No comparison.
robotman2009@reddit (OP)
To my knowledge we only use the browser plugin. It fails to recognize when passwords are changed and seems to dump the important bits of info that forces IT support to reconfigure the bits other than the master password.
apathyzeal@reddit
Work in the cybersecurity space but literally recommending a product that has had multiple breaches from a company who (seemingly) refuses to learn adequate lessons from those breaches.
Seems on the level to me.
marklein@reddit
He does HR in the cybersecurity space. /s
Ad-1316@reddit
Do you work for lastpass? I have no problems with BitWarden.
robotman2009@reddit (OP)
I do not.
JoshfromNazareth@reddit
Sounds like an ID-10T problem.
robotman2009@reddit (OP)
unlikely. same set of users, different technologies. The only thing that changed is the technology so I guess it's pretty easy to rule out the user.
robotman2009@reddit (OP)
Judging by the responses this is probably indicative of the issue we face at my organization. Those forcing the migration to bitwarden have their heads so far up their own asses they would rather blame the user than look holistically at the situation.
raffi30@reddit
We switched from LastPass to our own instance of Bitwarden (vaultwarden) running on Docker on our NAS with internal access only. It has been working perfectly for us.
Healthy-Poetry6415@reddit
I store my passwords in my sock drawer.
Sushi-And-The-Beast@reddit
First of all… you sound like a real nugget.
2nd… go back to putting your passwords into Chrome.
3rd… go back to Last Pass if you miss it so much.
robotman2009@reddit (OP)
I do enjoy me some nuggets...thanks I guess? I wish I could use chrome or lastpass. I'm not the CISO, he makes that call. Organizationally we can't use the browser and obviously don't have enterprise lastpass available.
Wh0IsY0u@reddit
Works on my machine
robotman2009@reddit (OP)
I'm jealous
Standard_Sky_9314@reddit
Having zero problems using bitwarden from day 1.
Lastpass didn't understand I had two accounts on the same URL and accidentally overwrote one.
22MilesPorch@reddit
Privately it's fine!
Did not test it enterprise-wide...