This is my experience of moving a relative from LastPass to Bitwarden. Keep in mind that many of the items are very specific to the relative's situation and may be different from your situation.
A bit about the user
- The user is very non-technical; they actually do not know how to type in a URL. A home page is set up for the user with a list of sites they want to visit, like Social Security, etc.
- The user needs lots of help and needs their adult children to be able to access all of their accounts to help with email and Social Security. Giving your children access is not always a good idea, but in this case the children only want access to help and not to snoop on their parents.
- The user cannot figure out how to use autofill, even if it means pressing the autofill button.
- The user is unable to type in long passwords, even if they are written down on a piece of paper.
- The user is unable to use most forms of 2FA. If the user receives a text, they don't know how to use it.
- A decision was made to limit the number of devices to a computer, a phone, and a tablet. This limits what the kids have to support.
Because the user wants their children to access their accounts, it made sense to use a cloud-based password manager instead of something like Myki, which copies the vault to each device and stores nothing in the cloud. The password manager must be able to autofill. The vault will need to open automatically or use biometric login.
Because the user can't actually type the master password, we switched to leaving the vault unlocked, with the devices protected by biometrics or a PIN.
Because the user can't really use 2FA, we manually enabled the 3 devices before handing them back to the user. For accounts that require 2FA on every login, we made sure that 2FA was not enabled. The only exception was Social Security, which requires either an SMS or an email code. The email apparently was the easier of the two for the user to stomach.
Note that some of these decisions probably weaken security, but frankly I had to ensure that the user could use the system. This was still an improvement over before, where the user had crappy 5-character passwords that were reused across all of the sites.
At the time, we evaluated 2 products and decided LastPass was the one easier for the user to use. The interface seemed cleaner and more intuitive. LastPass Authenticator was set up for 2FA because it worked well with LastPass.
A few years down the road, the Windows machine the user was using started to crash severely after a Windows update. Maintaining the machine had become a chore because the user couldn't figure out how to back up to each attached external drive. The decision was made to switch the user from Windows to Chrome OS. Many of the applications that the user previously used had migrated to the web, making this a no-brainer.
The biggest problem is that Chrome OS devices usually do not have biometric login. LastPass would also occasionally ask for the master password. This resulted in the user's children having to drive over to their house to re-enter it. Eventually, a YubiKey 4 was purchased and loaded with a partial master password. The user typed in part of the password and the YubiKey's static password typed in the rest. Because the user did not appear to use many of the LastPass premium features and the prices had gone up a lot, the premium subscription was cancelled, since why pay for unused features.
Recently, LastPass decided to get rid of multiple devices for the free tier, which prompted a search for a replacement. Bitwarden was chosen for several reasons:
- There are a very limited number of password managers that support device syncing and unlimited passwords on the free tier. In fact, other than LastPass, I can only see ZohoVault or something like KeePass. Bitwarden was different but much closer functionally than the other products.
- Even if we need to pay $10, it is a lot better than $36.
Migration
Migration was a piece of cake. Since the user uses very few features of LastPass, any password manager will do if it syncs between devices and autofills. The migration consisted of:
- Install the Bitwarden extension on the Chromebox. Install the Bitwarden app on the Android device.
- Export the LastPass vault.
- Import the exported vault into Bitwarden.
The user only really used logins, so the concern was that the notes within the logins would be lost. They were still there. I then enabled autofill so that the fields are filled in automatically. As a result, the user didn't even realize that LastPass had gone, as long as the fields are automatically filled. It turned out that the Android app had to be re-established.
I also decided to replace the LastPass Authenticator with andOTP, but it turned out the children were iPhone users and were not technical enough to import JSON files. I then tried to replace it with Microsoft Authenticator, but noticed that you can get all of the 2FA keys if you can hack the recovery email. I decided to go with Authy, which, despite using SMS to install, can be secured by turning off adding new devices. The 2FA app is used by the kids to re-enable a device, since the user isn't able to use 2FA. Since the user had only a handful of 2FA sites, it was easy enough to log into each account and redo the 2FA using Authy.
All in all, it was a success. The system works the same way as before. It's more secure because the 2FA can't be SMS hijacked. Bitwarden appears to autofill better on Android than LastPass. It works the same on Chrome OS due to autofill.