PCLinuxOS Magazine

Goodbye LastPass, Hello BitWarden!


by Paul Arnote (parnote)



Well ... that didn't take long! To explain what I mean, we'll have to dive head first into some fairly recent history.

Back in 2003, a company was created. It called itself LogMeIn. Over the years, it created familiar cloud-based programs such as GoToMeeting, GoToConnect, GoToMyPC, Rescue, and of course, the namesake LogMeIn.

In 2006, Xmarks (formerly Foxmarks) was created as a bookmark synchronizer for Firefox users. It later expanded to help manage the many unique passwords users were supposed to be creating when logging into websites.

In 2010, LastPass purchased Xmarks. LastPass and Xmarks ran concurrently, until Xmarks was shut down on May 1, 2018. Then, in 2015, LogMeIn, Inc. purchased LastPass for $110 million (U.S.), and added it to their software offerings.

Fast forward to December 2019, when two private investment capital firms teamed up to purchase LogMeIn for a reported $4.3 billion (U.S.). The sale was finalized in August 2020. The latest figures put LogMeIn's annual revenues at around $1.3 billion (U.S.), with around 3,500 employees and approximately 200 million users across the globe.

Below is an excerpt from the press release from Globe Newswire about the sale.

LogMeIn, Inc., a leading provider of cloud services for the work-from-anywhere economy, today announced the completion of its sale to affiliates of Francisco Partners and Evergreen Coast Capital ("Evergreen"), the private equity affiliate of Elliott Management Corporation ("Elliott"), in a transaction valued at an aggregate equity valuation of approximately $4.3 billion.

Founded in 2003, LogMeIn is a pioneer in remote work technologies and the maker of market-defining products like LastPass, GoToConnect, GoToMeeting, GoToMyPC, Rescue and its namesake LogMeIn remote access and remote management products. Today, the company's comprehensive work-from-anywhere portfolio makes LogMeIn a preferred and trusted partner for helping millions of customers connect and collaborate from anywhere; support employees and customers from anywhere; manage assets from anywhere; and secure their digital identities in an increasingly virtual world.

The go-private transaction was previously announced on December 17, 2019 and received approval from LogMeIn stockholders on March 12, 2020. As a result of the completion of the transaction, LogMeIn stockholders received $86.05 per share in cash, and LogMeIn's common stock will cease to trade on the Nasdaq exchange.



Obviously, these investment firms see bookoo mounds of money by acquiring LogMeIn for just under four times its annual revenues.

One of the HUGE draws to LastPass was that it could be used by a user on all of their platforms – PCs and mobile devices – for free, and passwords could be synced to all their devices simply by logging into their LastPass account.

That is, until March 16, 2021. On February 16, 2021, the new owners of LastPass announced the imminent end to the "free dinner" of using LastPass for free across platforms. Users who choose to continue using LastPass for free must choose EITHER the PC platform or their mobile platform, but not both. To continue to be able to sync passwords across both platforms, users will have to subscribe to an annual plan that costs $36 per year (or $3 per month).

As you can imagine, user outrage was swift and loud. Users started looking for alternatives to manage their massive password libraries and, in the process, left LastPass in the rearview mirror. So much for those 2 million global users. They are undertaking a mass exodus from LastPass, and they have found a worthy new home. To say that LastPass users feel betrayed would be a HUGE understatement.


Enter The LastPass Replacement: BitWarden


So how inviting is the new password manager home known as BitWarden? Well, since the LastPass announcement in February, BitWarden's users have increased by five times and are still increasing.

There are multiple wins for LastPass refugees. First, BitWarden is open source, and is hosted on GitHub. Like with all open source projects, anyone can audit, view or contribute to the source code. Second, BitWarden has a feature set nearly identical to that of LastPass, and works as seamlessly as LastPass. Third, BitWarden is FREE (as in beer), and can be used across multiple platforms (PC and/or mobile devices) ... for FREE! Fourth, BitWarden is available both as a browser plugin AND a standalone desktop program (and the desktop version is available in the PCLinuxOS repository).

BitWarden first appeared in August 2016 on the Android and iOS platforms, and as a browser plugin for the Google Chrome and Opera web browsers. The Firefox plugin followed in February 2017. Since then, BitWarden has expanded to include the following browsers: Brave, Vivaldi, Safari, and Microsoft Edge.

Here is the description for BitWarden, from its Firefox plugin page:

Bitwarden is the easiest and safest way to store all of your logins and passwords while conveniently keeping them synced between all of your devices.

Password theft is a serious problem. The websites and apps that you use are under attack every day. Security breaches occur and your passwords are stolen. When you reuse the same passwords across apps and websites hackers can easily access your email, bank, and other important accounts.

Security experts recommend that you use a different, randomly generated password for every account that you create. But how do you manage all those passwords? Bitwarden makes it easy for you to create, store, and access your passwords.

Bitwarden stores all of your logins in an encrypted vault that syncs across all of your devices. Since it's fully encrypted before it ever leaves your device, only you have access to your data. Not even the team at Bitwarden can read your data, even if we wanted to. Your data is sealed with AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256.

Bitwarden is focused on open source software. The source code for Bitwarden is hosted on GitHub and everyone is free to review, audit, and contribute to the Bitwarden codebase.

Here is a list of the features that BitWarden sports:

  • Open-source codebase

  • Biometric Unlock

  • Cloud-synchronization

  • Item types such as Logins, Secure Notes, Credit Cards, and Identities

  • End-to-end encryption of the Stored Vault Data

  • Password history, so you can see your previous passwords on Logins

  • Secure sharing of vault items with other Bitwarden users

  • Autofill login information into websites and other applications

  • Password generator

  • Password Strength Testing Tool

  • Two-factor authentication via authenticator apps, email, Duo, YubiKey, and FIDO U2F

  • File attachments

  • TOTP key storage and code generator

  • Data breach reports and password exposure checks through Have I Been Pwned?

  • Cross-platform client applications

  • Self-host the Bitwarden server on-premises

  • Login with Single Sign-On

Just by looking at the list of features, it's easy to tell that BitWarden will easily fill LastPass's shoes, and is well thought out and implemented.


Making The Switch

Fortunately, you will NOT have to start all over from scratch if you change to BitWarden. All you have to do is export your LastPass database, and then import it to BitWarden. See! It's that easy! Ok. There is a little more to it, but that brief description is fairly accurate. The following description is based on the Firefox plugins, but the process should be very similar (if not identical) in other browsers.





First, you need to export LastPass's database. Click on your LastPass icon in your browser, and select "Account Options" from the first menu (image top left). Then, select "Advanced" from the next menu that opens up (image top right). On the third menu that opens, you will need to select the "Export" menu item (image bottom left). On the last and final menu, select the "LastPass CSV File" option (image bottom right).

Do keep in mind that the exported CSV file can be read by virtually anyone. It will not be encrypted or otherwise hidden from view from any prying eyes. A CSV file can be opened in most any spreadsheet program. For example, I was able to open my LastPass CSV file in LibreOffice Calc easily and effortlessly. Right in front of my eyes is every tiny little detail about every single one of my passwords stored by LastPass, there on my screen. As such, as soon as you are finished with its use, DESTROY IT. If you feel compelled to hang on to it for some strange reason, then at least store it in a tar.gz file protected by a strong password.

Now I just know that there is someone out there reading this at this very moment, saying or thinking "But I'm the only one with access to the files on my computer." While that may (or may not) be true, why let THAT kind of sensitive data just sit around, waiting to possibly be discovered? What if you were sending a file to a client or family member or acquaintance, and because you were tired or careless, you accidentally attached that file to an email? In one quick instant, all of your passwords and login information to all the sites you had LastPass manage for you would be exposed and compromised.

DON'T. DO. IT. Just delete the file, or make it incredibly difficult for anyone to gain any useful information from it by placing it into a password protected archive file.
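A tar.gz archive has no password protection of its own, so the archive has to be encrypted as a separate step. The shell function below is an added example, not part of the original article: it assumes GnuPG 2.1 or later and tar are installed, and `protect_export` and `EXPORT_PASSFILE` are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the article): archive and encrypt an exported
# password CSV with GnuPG, verify the result, then remove the plaintext.
# EXPORT_PASSFILE is a hypothetical variable for unattended runs; leave it
# unset and gpg prompts for the passphrase.

protect_export() (
    csv=$1
    out="$csv.tar.gz.gpg"
    [ -s "$csv" ] || { echo "missing or empty file: $csv" >&2; exit 1; }
    [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; exit 1; }
    umask 077                      # new files readable by the owner only
    dir=$(dirname -- "$csv")
    base=$(basename -- "$csv")

    # Passphrase options: interactive prompt unless a passphrase file is given.
    set --
    if [ -n "${EXPORT_PASSFILE:-}" ]; then
        set -- --batch --pinentry-mode loopback --passphrase-file "$EXPORT_PASSFILE"
    fi

    # The archive is piped straight into gpg symmetric encryption, so an
    # unencrypted tar.gz is never written to disk.
    tar -czf - -C "$dir" "./$base" |
        gpg "$@" --symmetric --cipher-algo AES256 --output "$out" || exit 1

    # Decrypt again and compare byte-for-byte before touching the original.
    gpg "$@" --quiet --decrypt "$out" | tar -xzOf - |
        cmp -s - "$csv" || { echo "verification failed" >&2; rm -f "$out"; exit 1; }

    # Overwrite-then-delete is best effort: SSDs, journaling and
    # copy-on-write filesystems may keep old blocks.
    if command -v shred >/dev/null 2>&1; then
        shred -u -- "$csv"
    else
        rm -f -- "$csv"
    fi
    echo "encrypted copy: $out"
)
```

Run it as `protect_export lastpass_export.csv` from the directory holding the export; the plaintext is removed only after the encrypted copy has been decrypted and matched against it.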

Similarly, if you had LastPass manage and remember your auto form fill data, and you want BitWarden to do the same, repeat the procedure above by exporting LastPass's auto form fill data to a CSV file. The same caveats and warnings apply to that exported auto form fill CSV file as they do to your password CSV file.



Now, we need to get BitWarden fired up and ready to replace LastPass. This means you will need to set up a free account in BitWarden before you can do anything else. This will include setting up your master password for BitWarden. Once that is done, you are now able to proceed.





Open your browser where the BitWarden plugin is installed, and go to the BitWarden website. Once there, either set up an account, or log in with your existing account information. Because you just created your BitWarden account, it should say that there is no data, or something to that effect. The default view, once you're logged in, should be the "My Vault" page. Select the "Tools" option at the top of the page. Once there, select "Import" from the sidebar that appears at the left edge of the browser window.



In the "Import Data" screen that appears, first choose the format of the Import file. In our case, we're going to select "LastPass CSV" as the format. Second, click on the "Browse" button and select the CSV file that you saved from LastPass. Third, and finally, select the "Import Data" button. The CSV file is relatively small, so in a matter of just a few seconds, all of your LastPass data should be imported into BitWarden.

See! It really is as easy as I said earlier!

Just to be sure, verify that BitWarden's My Vault page lists your accounts and logins. Choose a couple (or a few) accounts that you know the logins and passwords for by heart, and ensure that they were properly imported.

Once you're sure that BitWarden has successfully imported LastPass's database, then you can disable LastPass from your browser. I would mention how to do that, but the process varies, depending on which browser you are using. Plus, if you've gotten this far, you most likely already know how to manage your browser plugins. Never fear, because BitWarden has now taken over the password manager duties in your browser.

Repeat the above steps if you had LastPass manage your auto form fill data, and you want BitWarden to also manage your auto form fill data.



BitWarden does have a "premium" plan that unlocks additional capabilities. At $10 (U.S.) per year, it's a lot more affordable than the $36 per year for LastPass. At the free level, BitWarden allows you to do exactly what LastPass has taken away: the ability to sync your passwords across all of your devices on all platforms. Plus (and to me, it's a huge plus), your $10 goes to supporting an open source project, instead of lining the pockets of the greed-mongering investment firms that bought LogMeIn who are trying to wring every last drop of potential cash out of its new users.



Of course, if you're certain that you are finished with LastPass for good, your best option will be to delete your LastPass data entirely. This will help protect your password data, should LastPass ever experience a data breach; such breaches are becoming increasingly common. In fact, LastPass has experienced some security issues in the past, with Wikipedia reporting four such incidents. Because LastPass holds your login and password information, don't think for a second that its data holdings aren't a highly desirable target for hackers.

Before disabling LastPass (or re-enabling it in your installed add-ons, if you've already disabled it), select "Open Vault" from your LastPass menu. A web page will open. On the sidebar on the left of your screen, select "Account Settings," and you should see something similar to the image above. Scroll about half way down through the settings, to the "Links" section. Select "My Account" from the options.



In the new tab that opens, select the "Delete Or Reset Account" option. This will take you to another page where you can delete your account. LastPass will ask you multiple times if you are sure you want to delete your account data. Respond affirmatively to these multiple prompts, and your data will be (should be?) successfully deleted from the LastPass servers.


Summary

Without a doubt, LastPass users are up in arms over the decision to extract money from them for something that they have enjoyed for free over the years, and rightfully so. But, in the process, they have found an alternative that is cheaper and does everything that LastPass does. That alternative, BitWarden, is also an open source solution. Around these parts, we like to support open source projects.

I wonder how many of those 200 million users that the two investment firms are salivating over remain with LastPass after everything is said and done. LastPass users are fleeing in droves to BitWarden. That $4.3 billion investment may not have been all that good of an investment, after all. If you have no users, it's a bit difficult to recoup your investment.

Sure, there will be those users who just refuse to give up on LastPass. They are reminiscent of the users who won't give up their ancient technology (dot matrix printers come to mind, right off the top of my head), and struggle to keep their ancient peripherals going long, long after they've been replaced by better technology and peripherals. These people absolutely ABHOR change, and resist it at every opportunity.

As I was finishing up the writing of this article, I installed BitWarden on my Android phone, something that I never really did with LastPass. Despite my intention to install LastPass on my mobile device, I never quite got around to it. Already, in the short time that I've had BitWarden installed on my phone, I already feel a positive impact from that decision.

There is no sure way to predict the eventual outcome of all of this. But, we can make some pretty well informed guesses. Without a doubt, the LastPass brand has been severely damaged. Even if the new owners reverse course on their greed-driven decision, they will never get all of their old customers back. The users' trust has been violated and destroyed. I suspect that in the end, LastPass may just gradually fade off into the sunset. Meanwhile, the new owners' actions will be an eventual windfall and win for a worthy open source project: BitWarden. And that is a win for open source overall.


