Everyone agrees: passwords are terrible. They're either too easy for a hacker to crack or impossible for you to remember. I can go on at length about why they're so bad and create such an awful situation—I wrote a thesis on it—but the real takeaway is that password managers are really important if you want to stay secure online. They automate the process of generating long, complex, unique passwords, storing them securely, and, best of all, filling in login forms, so you don't have to remember or type any of those complicated characters.
Recently, though, things have changed—dramatically. LastPass suffered a major data breach at the end of 2022 and has been criticized by security researchers for how it handled the fallout. Over a year later, it still hasn't fully addressed the situation.
Still, LastPass is a very popular password manager. So in addition to my previous experience with both apps, I dove back into each one to see how they stack up.
1Password vs. LastPass at a glance
While there are small differences in how 1Password and LastPass operate, the reality is that they're pretty similar when it comes to features. Unlike all-in-one tools that try to be everything to everyone, these apps are really meant to store and manage your passwords, so it makes sense that they do it similarly.
Here's a quick breakdown of how they compare, but keep reading to learn more about my experiences with the apps—and what other security experts think.
Security
1Password: ⭐⭐⭐⭐⭐ Best-in-class security and has never had a breach
LastPass: ⭐⭐ Recent data breach and less-than-ideal security in general
Ease of use
1Password: ⭐⭐⭐⭐⭐ Easy to import passwords, generate new passwords, and log in to existing accounts
LastPass: ⭐⭐⭐⭐⭐ Easy to import passwords, generate new passwords, and log in to existing accounts
Platforms
1Password: ⭐⭐⭐⭐⭐ Native apps on every device
LastPass: ⭐⭐⭐⭐ It's available on nearly every platform, but you don't always get native apps
1Password offers much better security
A password manager has two main jobs: to keep your passwords safe, and to make filling them in easy. Everything else is kind of secondary. To make things as convenient as possible, both LastPass and 1Password store all your login information on their servers. It's meant to be encrypted and well-protected, so with that in mind, it's worth taking a step back and looking at the ongoing fallout of the LastPass hack from just over a year ago.
In August 2022, LastPass disclosed that a hacker had compromised a developer account and gained access to its development environment. It claimed that it had contained the breach and had taken mitigation measures. In September, it declared that its investigation was complete and all was well, and that there was no evidence any customer data or encrypted vaults had been compromised. Embarrassing for a security company, but it wasn't the first time the company had been hacked—and this was a less compromising breach.
Then, at the end of November, LastPass announced that one of its third-party cloud storage services had been hacked "using information obtained in the August 2022 incident" and that the hackers had gained access to some customer information. What information? Well, it took until December 22, but LastPass came clean: the hackers had a backup of customer vault data.
Some fields in the vault databases—like passwords, thankfully—were encrypted, but others, like email addresses, telephone numbers, the IP addresses customers used when accessing LastPass, and billing addresses weren't. Regardless of whether the hackers could crack the passwords, they still had a lot of personal and identifying data about every affected LastPass user.
And even the encrypted passwords aren't necessarily safe. LastPass has been criticized for years for its inadequate security precautions and failure to update legacy accounts. If someone with a recent LastPass account followed best practices and used a strong, unique master password, their data is probably still private (other than all the unencrypted identifying stuff). But if you had an older LastPass account, reused or used an insecure master password, or were a particularly tempting target? The hackers have direct access to your encrypted vault and can try to crack your master password for as long as they like.
And crack master passwords they did. Throughout 2023, there was a string of crypto heists targeting LastPass users. More than $35 million has been stolen in total from dozens of victims, many of whom were using otherwise solid security protocols. The one commonality was that they all stored an important crypto account identifier called a "seed phrase" in LastPass.
And crypto is just the tip of the iceberg. There's no way to know just how many people were the victims of other kinds of scams because of their LastPass data being compromised. It's only because of the public and very online nature of crypto that security researchers have been able to keep track of the hacks and attribute them to the LastPass breach.
As a result of all this, LastPass has been widely condemned by the security community for allowing hackers to gain access to customer data, failing to contain the initial breach, having inadequate security measures in the first place, downplaying the severity of the breach, trying to blame customers for not having strong enough master passwords, and generally just mishandling the whole situation.
It's facing a class-action lawsuit, and over 18 months later, LastPass's response has been lackluster. In September 2023, more than a year after the initial breach, it finally started forcing old accounts to use 12-character master passwords and automatically updating every account to at least 600,000 rounds of an algorithm called PBKDF2 that slows down attempts to brute force master passwords. (Previously, the minimum for new accounts was 100,100 rounds, and older accounts were secured with just 5,000, 500, or even 1 iteration without being upgraded.)
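To make the iteration counts above concrete, here is an added example (not code from LastPass, 1Password, or the original article) that audits account records against the 12-character and 600,000-round minimums and shows why a legacy account can only be re-derived when its owner logs in. The record layout and function names are assumptions made for this sketch, and the stored `key` stands in for whatever the derived key protects in a real vault.

```python
import hashlib
import hmac
import os

# Minimums named in the article (LastPass's September 2023 change).
MIN_ITERATIONS = 600_000
MIN_MASTER_LEN = 12

def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: each password guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)

def make_record(master_password: str, iterations: int) -> dict:
    """Build a constructed sample record (hypothetical layout, not real data)."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "master_len": len(master_password),
            "key": derive_key(master_password, salt, iterations)}

def audit(record: dict) -> list:
    """List the ways a record falls short of the minimums above."""
    findings = []
    if record["iterations"] < MIN_ITERATIONS:
        factor = MIN_ITERATIONS / record["iterations"]
        findings.append(
            f"{record['iterations']} rounds: an offline guess is "
            f"{factor:,.0f}x cheaper than at {MIN_ITERATIONS:,}")
    if record["master_len"] < MIN_MASTER_LEN:
        findings.append(f"master password shorter than {MIN_MASTER_LEN} characters")
    return findings

def upgrade_on_login(record: dict, master_password: str) -> bool:
    """Re-derive at the current minimum. This needs the master password, so an
    idle legacy account keeps its old round count until its owner signs in."""
    current = derive_key(master_password, record["salt"], record["iterations"])
    if not hmac.compare_digest(current, record["key"]):
        return False  # wrong password: leave the record untouched
    record["salt"] = os.urandom(16)
    record["iterations"] = MIN_ITERATIONS
    record["key"] = derive_key(master_password, record["salt"], MIN_ITERATIONS)
    return True

if __name__ == "__main__":
    # Round counts mentioned in the article, applied to a constructed password.
    for rounds in (1, 500, 5_000, 100_100, 600_000):
        print(rounds, audit(make_record("constructed-sample-pass", rounds)))
```

A vault backup copied before the upgrade keeps the round count it had at the time of the copy, so raising the setting afterward protects only future copies.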
As one of the affected users, I had to spend a few hours one afternoon over my winter break changing a load of passwords. (I hadn't relied on LastPass for years, so my most important accounts were still safe.)
In short, the last 18 months have demonstrated that LastPass has a pretty cavalier attitude toward protecting the passwords you store with it.
So what about 1Password?
For starters, 1Password has never had a data breach, although it has been targeted. Even then, the company was upfront and honest with customers and published a full security report detailing what happened. More importantly: 1Password uses a significantly more secure setup to encrypt your vault—and encrypts every field. While LastPass now uses 600,000 rounds of PBKDF2 as its default for all accounts, 1Password uses 650,000 iterations—and has always updated old accounts to the latest value.
And even with that, LastPass locks your vault with just your master password, whereas 1Password uses a master password and an additional secret key.
This comes with a downside: to sign in to 1Password on a new device, you need to enter both security factors. It can be pretty inconvenient—your secret key is a long string of numbers that's meant to be kept safe, not carried about on your phone. So while you can log in to LastPass from anywhere, 1Password's improved security makes that harder. But it does mean that even if 1Password were to suffer a similar data breach, user data would be significantly less vulnerable to hackers.
With all that said, despite the embarrassment of the recent breach, most of LastPass's security problems fall into the realm of "less than ideal," not "use LastPass and you'll get hacked yesterday." If you're a regular internet user—not someone prominent who could be specifically targeted, or with a few million in crypto sitting in a wallet—and sign up for a LastPass account today, as long as you use a decent master password, your data should be safe.
Personally, I wouldn't take the risk of using LastPass because I'm neurotic about these things (and I'm regularly a victim of impersonation and identity theft). If you massively prefer LastPass's interface or need its free plan, then feel free to give it a try—just understand the risks.
LastPass and 1Password are both available on almost every platform
LastPass and 1Password operate almost identically on mobile platforms, since Android and iOS both support password management and autofill.
Both services also have browser extensions for Chrome, Firefox, Safari, and Edge that work similarly. Opera is the only browser that LastPass supports that 1Password doesn't.
On the desktop, however, there's a bigger difference. 1Password offers native desktop apps for Windows, Linux, and Mac users; LastPass more or less relies on browser plugins.
1Password has local apps for Windows, Linux, and Mac that you can use offline to access your passwords or any other information you have stored in your vault. These apps also offer a universal keyboard shortcut for quickly searching your passwords, something LastPass no longer offers on the desktop. 1Password for Chrome OS is a browser-based app, which is common for apps on the platform, and there's also a command-line tool for Windows, Linux, and Mac devices. 1Password also offers browser extensions, which work with or without the desktop app installed. The exception is Safari—you'll need to install the macOS app, but that's just how Safari extensions work.
LastPass, on the other hand, doesn't really focus on desktop apps. The company offers a "universal installer" for both Windows and Linux that will download browser extensions for every browser, or you can download them all individually. There is a Mac app, but it's more or less just the web version of LastPass running in a dedicated window that comes with a Safari extension. LastPass's own documentation recommends that you use a combination of browser extensions and mobile apps.
Overall, the differences between the services exist only on the edge cases. Both apps support most major browsers, which means you can run them both on any operating system. But if you want to use a local desktop app for offline use, 1Password is your only choice.
Both apps are really nice to use
LastPass is really pleasant to use—there's a reason the recent breach affected 33 million registered users and 100,000 business customers. But there isn't a huge amount of difference between how it and 1Password operate in most cases.
Take logging in to your accounts. If LastPass recognizes a login field, you'll see a LastPass logo in it. Click that, and you can choose which account you want to sign in using.
1Password works the same way using the browser extension.
But with 1Password, you also have another option: the Quick Access bar in the desktop app. Use the keyboard shortcut Ctrl/command + shift + space in any app to bring up this bar, which you can use to search all of your passwords and copy any shortcut. This works outside of the browser, meaning it's handy if you're logging in to a desktop app. It's much faster than what LastPass offers on desktop: you can find any password in just a couple of keystrokes, without touching the mouse. If you prefer clicking to keyboard shortcuts, though, you can right-click, select 1Password, and then select your account.
Both apps also make it easy to generate secure passwords for new accounts.
With LastPass, whenever you're creating a new account, you'll see an icon in the password field that you can click to create a random password. Click it, and you will see a password, which you can click right away to use.
You can choose Customize to change the parameters, like the length of the password or whether or not it includes numbers or special characters, and there's even an option to make the password easy to say if you create it through the full app. These last options are especially helpful for passwords you might still need to actually remember, like your Wi-Fi or Netflix password.
1Password works a little differently. You can click the icon in the password field, but you won't be able to customize—only to accept the given password.
If you need to generate a password, click the 1Password extension icon in your browser's toolbar, create a new login, then generate the password there. You can customize the parameters to make a long nonsense password, a passphrase made up of random unrelated words, or a PIN. You can tweak things like whether it uses numbers or symbols or which symbol is used to separate words in a passphrase. Once you have a password you like, you can copy and paste it into the password field.
If a site has special requirements for passwords, the generator in LastPass is slightly more convenient to tweak, though 1Password can also get the job done.
Since long passwords can be hard to remember, we suggest using a passphrase, a collection of seemingly unrelated words that are easy to remember. Something like ZapierWinstonDoggosPlanetCheeseTreats. But…don't actually use that.
1Password and LastPass both have lots of extra features
Both apps have a lot of good secondary features.
Both can autofill two-factor authentication codes.
Both make it possible to share passwords with other people, though LastPass makes it slightly easier.
Both can store credit card numbers, secure notes, important documents, and other things you should keep safe.
Both have password breach monitoring and password strength assessment (LastPass calls its version Security Dashboard, while 1Password calls it Watchtower).
Most importantly, both apps are working to support passkeys—a new system that uses public-key cryptography to secure your accounts instead of passwords. They solve a lot of the problems with passwords, though only a small number of services support them at the moment.
Right now, 1Password's passkey implementation is further along, since you can use it to create passkeys for other services that support them, as well as use one to secure your 1Password account.
LastPass currently only allows you to use one to secure your LastPass account instead of your master password. Still, passkeys aren't yet widespread enough that this really counts as a major ding against LastPass. Both services are beta testing and rolling out their implementations, and by the time passkeys are more widely available, they're both likely to be ready.
Really, there aren't many differences here. For almost everyone, either service will offer an almost identical password management experience.
Neither app offers a good free plan
While there are great free password managers available (see: Bitwarden), neither LastPass nor 1Password falls into that category.
Let's start with 1Password. It's free for journalists and politicians; for everyone else, there's a 14-day free trial. After that, you're looking at $36/year for a Personal account or $60/year for a Families plan with up to five accounts. There are also business plans available from $19.95/month.
In addition to a 30-day trial, LastPass offers a free plan—it's just extremely limited.
While you can save as many passwords as you want, you can only access your free LastPass account on one device type: either computers or mobile devices. This means you can use LastPass to sync your passwords between your office computer and your personal laptop, but not between your laptop and your smartphone. It's a really awkward caveat, and it undermines the whole "all your passwords everywhere" thing that most people use a password manager for. On paid plans, this isn't an issue. A LastPass Premium plan costs $36/year, while a Families plan for six users is $48/year. For businesses, a Teams plan starts at $4/user/month (billed annually).
So, if you're choosing between 1Password and LastPass, you're really choosing which app you want to spend a few dollars a month on. If you're genuinely considering LastPass's free plan, I'd suggest checking out Zapier's article, where we compare it with Bitwarden, which has a more robust free offering.
1Password vs. LastPass: Which should you choose?
For almost everyone, 1Password is a better password manager than LastPass. There's so little difference between the general user experience, availability, and price of the two apps, that the additional security and transparency of 1Password make it the easy choice.
If you already use LastPass, use a secure master password, and don't want to go through the minimal hassle of switching services, then sticking with LastPass is understandable. But for new users, you'd really have to want one or two of the niche, specific features that LastPass brings to the table (or have a serious discount code) for it to be a better choice.
This article was originally published in February 2019 and has had contributions from Zac Kandell and Justin Pot. The most recent update was in January 2024.