July 28, 2016

1Password vs. LastPass: Which is Better? Which is Safer?

Written by

Businesses face countless security threats, particularly online. From adware to ransomware and all points between, securing your business data becomes increasingly difficult as your company grows.

Not only do you create and use more data as your business scales up, but you also use more services, software solutions, and websites to conduct your business, each with its own (ideally) unique credentials.

Despite the best efforts of software and security professionals, many growing businesses share logins between users — usually as a cost-reduction effort. Of course, the cost of a data breach can make paying for additional Software-as-a-Service (SaaS) seats seem miniscule in comparison. According to the AICPA, the average cost of a data of a data breach is about $4 million — up 29 percent since 2013.  

Enter the password manager.

Originally created to solve the password conundrum many individuals face — creating unique, secure passwords, and then remembering them — businesses have begun adopting enterprise-wide password management tools to create and administer a corporate password policy, allow users to securely share passwords, and decrease the likelihood of a breach.

Choosing the best password manager for your business can be difficult, especially when you try to satisfy everyone — IT, executives, sales, etc. This article will focus on two enterprise password management leaders: 1Password and LastPass. First, we’ll explain the concept of a password manager. Then, we’ll provide an overview of each platform. Finally, we’ll compare 1Password vs. LastPass pricing, their differences and similarities in functionality, and each company’s approach to password security.

What’s a Password Manager?

Password managers are applications that make the creation and recall of strong, unique passwords much easier. While most of us realize that we should create different passwords for every website, service, or application we use, many people do not.

Using a single password across multiple sites poses a serious security risk, especially since many sites don’t encrypt their stored user login information. No matter how many numbers, special characters, or clever mis-spellings you may use in your password, if someone gains access to a server where it’s stored in plain text, it becomes a race to see how quickly you can remember and change all the places you’ve used that same password. Keep in mind, many companies don’t immediately disclose a breach when it is discovered. 

A good password management application solves this problem by automating password generation. Simply set the password length and types of characters you prefer, then click a button to create and store a password that meets your parameters. Instead of having to remember all of these strong passwords, you’ll only need a single, strong master password to unlock your password manager, which will then unlock the rest. This can be within a standalone application or web service, but most password management vendors also offer browser extensions.

If you have further questions about password managers and how they might fit into your IT environment, contact one of our unbiased Technology Advisors.

1Password Overview

1password_screenshot

1Password was developed and is sold and supported by AgileBits, a privately-held software development firm that was founded in 2005. Originally developed for Mac, 1Password 1.0 was released in 2006, and the firm has since released a steady stream of update downloads, culminating in the latest version, 1Password 6, for both Mac and Windows.  

That’s right, update downloads. 1Password is still primarily sold and supported as a traditional, one-user license, on-premise application — e.g. you install it on your computer — currently priced at $64.99 for a single user. This may seem like a steep price, but you’re allowed to install the application on as many devices as you own, whether at home or work. Furthermore, if you purchase 1Password directly from AgileBits, you’ll enjoy free updates until the next major release (i.e. buy 1Password 6 and you’ll get all 6.x releases without paying an upgrade fee). See more specifics on AgileBits’ licensing policy here.

1Password is still primarily sold and supported as a traditional, one-user license, on-premise application.

They have recently (this year) begun offering subscription-based alternatives targeted toward families or businesses: 1Password Families and 1Password Teams.

Both the subscription and on-premise installation support mobile applications for Android and iOS, which means you can access passwords stored on your computer via your mobile device.

Most businesses will prefer the more robust functionality and granular control offered by 1Password Teams or the traditional, installed version. 1Password Teams is offered in two versions, Standard and Pro, which are $3.99/month and $11.99/month, respectively. Both versions include desktop and mobile applications, unlimited sharing of passwords, automatic syncing, and access control. The Pro version increases data storage from 1GB per user to 5GB, provides an unlimited password history (as opposed to 30 days), and offers more options for groups, activity logging, and role-based access. Pro also provides priority customer support.

A 30-day free trial is available for both the on-premise and subscription-based versions, so you can try before you buy.

LastPass Overview

LastPass_screenshot

LastPass was founded in 2008 and released its first version in August of that year. LastPass was acquired by LogMeIn in 2015, which was in turn acquired by Citrix just a few days ago (July ‘16).

LastPass is a cloud-based password management tool — e.g. you don’t have to install anything to get started using LastPass. They offer extensions for major browsers that make using the service easier, but these are not required. LastPass also offers mobile applications for iOS, Android, and even Windows Phone and Blackberry, though the Blackberry app is no longer supported with new updates.

LastPass is a cloud-based password management tool.You don’t have to install anything to get started.

LastPass comes in three versions: Free, Premium, and Enterprise.

That’s right — you can use LastPass completely free of charge. You won’t be able to sync passwords across all your devices, share passwords with other users, or have access to any of the other features that make a password manager useful, but you’ll be able to generate, store, and automatically fill passwords, and that’s better than no password manager at all.

The Premium version is currently priced at $12/year per user and enables cross-device sync, additional multi-factor options, shared password folders, and fingerprint authentication for compatible devices.  

LastPass for Enterprise is offered with both per-user and site-based licensing. The per-user pricing scales down as the number of users increases:

  • 1-100 Users: $24/user/year
  • 101-1,000 Users: $20/user/year
  • 1,001+ Users: $18/user/year

Site-based licensing is highly variable and depends on the number of users and required services/support options. Both pricing models include unlimited sharing of folders/passwords, integration with LDAP or Active Directory, Single-Sign On (SSO) support, a centralized administration console, and customizable user permissions.

Comparing 1Password vs. LastPass

You’re probably reading this article because you’ve narrowed down your search for a password manager to these two options. While both applications are a strong choice, one may be a better fit for your unique situation.

For some businesses, particularly those who already use LDAP/Active Directory to support SSO, LastPass Enterprise’s pre-built integration might make it the easy choice. Yes, you can use 1Password for Teams with LDAP/Active Directory, but doing so currently requires manual addition or removal of team members and passwords from both systems, which can be a pain when having to make updates in bulk. Of course, 1Password is currently testing a new beta of their Windows app, so perhaps this is something that could be coming? Time will tell.

Another difference between LastPass vs 1Password is LastPass’s ability to change multiple passwords automatically, which can be a lifesaver in the event of a breach, or when employees are separated from the company. 1Password doesn’t currently support bulk password changing.

The more fundamental difference between the two platforms is this: LastPass’s security is authentication-based, while 1Password’s is both authentication and encryption-based.

What’s the difference between the two?

Well, in the simplest of terms, an authentication-based system checks your credentials — in this case, your Master Password — and then provides or denies access based upon whether or not your credentials match those stored by the authenticator. These credentials may or may not be stored in plain text, and there are typically backdoors that allow access in case your password is forgotten, or in a business application, allow administrators to reset passwords so you can regain access.  

In an encryption-based system, resetting a lost encryption key with a backdoor method simply isn’t possible, as the key is used to generate the “code” that encrypts your data. 

Both LastPass for Enterprise and 1Password Teams rely on authentication over a network for their cloud-based services, but 1Password’s installed option does not; all authentication takes place only on your machine, and your Master Password is used to create a cryptographic key, which means both the password and the encryption it creates will be required to access your passwords, which is inherently more secure than any service relying on pure authentication and authorization alone. This is why, according to 1Password, they don’t (and probably can’t) offer multi-factor authentication in the same manner as an authentication-based system like LastPass.

If security is your only concern, 1Password’s locally installed option is certainly the way to go, but usability is just as important. For that, the cloud-based options from either LastPass or 1Password might be more appropriate, since they offer business-friendly features that help less-savvy users recover and change passwords.

* * *

In conclusion, both tools should greatly increase the security of your business data, while also making it easier to create and store secure passwords. Just remember, each service is only as good as the passwords it stores — i.e. if you use “password,” “1234,” or other weak passwords, it becomes exponentially easier to guess them. They’re also of little help if you commit the other cardinal sin of password management — using the same password for multiple sites.

Ultimately, the decision between LastPass vs. 1Password will come down to your unique situation — your users, your OS environment, etc. If you’d like help with your research, custom recommendation based on your requirements, don’t hesitate to call one of our unbiased Technology Advisors. If you’re a security professional with an opinion on this debate, feel free to share your comments below.

Free Download

Cyber Security: How to Protect Your Business

Get My Free Guide
Join the discussion

Please login with your social ID above.

7 Comments

  1. Neil

    Hi Charles,

    Have you checked Enpass Password manager? I found it last week when I was looking for LastPass alternative due to recent vulnerability in LastPass.

    Obvious 1Password was my first choice but my pocket can’t afford it desktop version and it’s not availabe for Linux. So I searched some other alternatives and then I encountered Enpass. It’s a lesser known yet powerful password manager. I will highly recommend to have a look at Enpass as it’s one of the best cross platform password manager and I think everyone can afford this as it’s doesn’t have any subscription and has free desktop app.

  2. Mike

    LastPass feature to automatically change passwords does NOT work. This as of 10 minutes ago. LP has what they call a “security audit” which evaluates passwords in various terms … known breaches in certain sites, similar or identical passwords used on multiple sites, missing or blank passwords, and old passwords. So far so good. They even offer to fix those problems for you at the click of a button. (O.K. about 45 clicks, by the time you remove and replace LastPass with a version that has that feature.

    Once it goes to work you’ll notice that it is SLOWWWW. Maybe 2-3 minutes for each site. But the worst part is that it returns a message telling you that it failed. So now you have invested the better part of an hour messing with all of this to accomplish nothing at all.

    Should you be so foolish as to open a support ticket, they will run you through the typical non support tactic of having you untinstall, and reinstall. Once that also fails, and maybe two days later for this conversation go to on, they will tell you that they kown about the problem and they have it on a list somewhere and may do something about it someday but they won’t tell you when.

    So much for LastPass security, and LastPass support. I’m looking for an alternative to switch but I do not want to as I’ve a lot of time with LP. But seriously, another problem of LONG standing is that it won’t fill login credentials to one of those popup boxes that some sites present you when you attempt to log in. I don’t think they even PLAN to address that.

    I’m seriously considering printing out ID/PWD lists and carrying them in my wallet.

  3. Cyber

    Between LastPass and 1Password which one is better? Keeper is! I believe they have a better security model, easier synchronization between every device, browser, and platform, it’s easy to use and it’s not hard on the pocket book. Checkout Keeper Security.

    • Aleks Peterson

      Thanks for the feedback, Cyber. Cool name, too. What is that . . . Greek?

  4. Alexander

    The thing about 1Password that is a deal-breaker for me is that I paid the $64 for the Mac version and I have been unable to use it on Windows without it being a massive pain in the butt, and they want you to pay separate for the Windows version and then in order to use it on Windows to sync across both Windows and Mac they want you to subscribe to their service to sync the passwords online, which is bull. I feel like I got robbed because I’m not able to use the Windows version after paying a whopping $65 for it on Mac.