Leaving LastPass? Here’s where to go next

With the admission that the password vaults have been hacked, many LastPass customers may be looking for a new place to store their passwords.

While customers’ passwords are strongly encrypted and should still be protected, LastPass urging customers with weak master passwords to “consider minimizing risk by changing passwords to sites you’ve saved” doesn’t inspire much confidence. Nor does the amount of other data leaked about customers’ browsing habits, which can be used to launch phishing attacks.

So if you’ve decided it’s time to find a new password manager, where should you go now? And what should you avoid?

Don’t fall back on the browser

It can be tempting to take the path of least resistance and store your passwords in a browser. Google Chrome, Microsoft Edge, Firefox, and others happily volunteer to store your passwords, but it’s not the best place for them.

There are several reasons not to hand over passwords to the browser. First, you create a single point of failure, especially when it comes to large companies like Google and Microsoft. If someone manages to get into your Google account, for example, they can gain access not only to passwords, but to Gmail, which can be used to reset the passwords on such accounts.

Browser password managers also don’t have all the tools offered by the best password managers. They may not fill in passwords automatically when you use mobile apps. They may not let you use your preferred method of two-factor authentication, which adds an extra layer of security to your password vault. They do not have features that allow you to securely share certain passwords with family or colleagues.

Finally, they don’t play nicely with each other. On my Mac, for example, I use several browsers for different tasks. If I stored my passwords in a single browser, instead of a dedicated password manager that has plugins for all the major browsers, I’d be constantly flipping between browsers every time I needed to log into a site. No thanks.

The best LastPass alternative? Bitwarden

I’ve tried several password managers over the years, and Bitwarden is the one I’ve grown to trust and rely on. It’s a little more geeky than LastPass, maybe not quite as user-friendly, but it’s worth the effort to learn.

It has several advantages over LastPass, not least that it is free for personal use! There’s a premium plan that allows for extra features like advanced two-factor authentication and emergency access to your passwords for friends and family, but you don’t have to pay to store and sync your entire password vault across all your devices. The premium plan is only $10 a year if you want the extra features.

Bitwarden has apps or plugins for all major browsers, mobile platforms and computer operating systems, so you’ll be hard-pressed to find a device that it doesn’t support.

It has a number of great features, such as a flexible strong password generator, which can adapt to all the silly rules some websites impose (e.g. your password must contain special characters, uppercase letters and Barack Obama’s DNA sequence). It can also remove ambiguous characters from passwords, so you never have to worry about whether it’s a 1 or an l on the rare occasions you have to type a password in by hand.

The security settings are very flexible and you can use a wide range of two-factor authentication methods to ensure that no one else can access your passwords, including the ingenious Authy app and hardware keys.

I’ve been using Bitwarden for more than two years now and haven’t encountered a single problem with it, apart from the odd bug with autofilling passwords on some websites and apps – but that’s a common problem for all password managers, and the solutions are quite simple.

Transfer LastPass passwords to Bitwarden

If you decide to take the plunge with Bitwarden, follow the instructions on Bitwarden’s website to import your LastPass vault into your new password manager.

Please read the instructions completely and carefully before starting, as there are a couple of potential gotchas to be aware of, not the least of which is a bug where special characters in passwords can be changed to HTML-encoded values, meaning passwords won’t work unless you follow the workaround.
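One way to spot the HTML-encoding problem described above before importing, as an added example that is not from Bitwarden’s instructions or the original article: this script scans an exported CSV for passwords containing HTML entities and reports the entry names without printing the passwords. The `password` and `name` column names and the sample rows are assumptions; adjust them to match the header of your own export.

```python
import csv
import html
import io
import re

# Matches named (&amp;), decimal (&#38;) and hex (&#x26;) HTML entities.
ENTITY_RE = re.compile(r"&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);")


def find_encoded_passwords(csv_text, password_col="password", label_col="name"):
    """Return (record number, entry label, entities found) for suspect rows.

    The password itself is never returned, so the report is safe to print.
    Column names are assumptions about the export header.
    """
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    if password_col not in (reader.fieldnames or []):
        raise ValueError(f"no {password_col!r} column in export header")
    findings = []
    for record, row in enumerate(reader, start=2):  # record 1 is the header
        password = row.get(password_col) or ""
        entities = ENTITY_RE.findall(password)
        # Only flag values that HTML decoding would actually change.
        if entities and html.unescape(password) != password:
            label = row.get(label_col) or ""
            findings.append((record, label, sorted(set(entities))))
    return findings


# Constructed sample export; these are not real credentials.
SAMPLE_EXPORT = (
    "url,username,password,extra,name,grouping,fav\n"
    "https://example.com,alice,Tr0ub4dor&amp;3,,Example,,0\n"
    "https://example.org,alice,plain-Passw0rd!,,Example Org,,0\n"
    "https://example.net,alice,a&lt;b&gt;c,,Example Net,,0\n"
)

if __name__ == "__main__":
    for record, label, entities in find_encoded_passwords(SAMPLE_EXPORT):
        found = ", ".join(entities)
        print(f"record {record}: {label!r} contains {found}; check before import")
```

A password that genuinely contains text such as `&amp;` will be flagged too, so check flagged entries by hand rather than decoding them automatically. The export file holds every password in plain text, so delete it securely once the import is done.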

Moving to a new password manager is also a good time for a clear-out. Close any accounts you no longer need, and maybe consider changing passwords on your most important accounts – especially if you still have that nagging doubt that your LastPass master password wasn’t particularly strong.

