Everyone agrees: passwords are terrible. They're either too easy for a hacker to crack or impossible for you to remember. I can go on at length about why they're so bad and create such an awful situation—I wrote a thesis on it—but the real takeaway is that password managers are really important if you want to stay secure online. They automate the process of generating long, complex, unique passwords, storing them securely, and, best of all, filling in login forms, so you don't have to remember or type any of those complicated characters.
When it comes to the best password managers, for a long time, two apps were the most regularly recommended: LastPass and 1Password.
A while back, though, things changed. LastPass suffered a major data breach at the end of 2022 and has been criticized by security researchers for how it handled the fallout. Years later, there's still fallout from the situation—the resulting class action lawsuit has just reached a $24.5 million settlement.
Still, LastPass is a very popular password manager. So in addition to my previous experience with both apps, I dove back into each one to see how they stack up.
1Password vs. LastPass at a glance
While there are small differences in how 1Password and LastPass operate, the reality is that they're pretty similar when it comes to features. Unlike all-in-one tools that try to be everything to everyone, these apps are really meant to store and manage your passwords, so it makes sense that they do it similarly.
Here's a quick breakdown of how they compare, but keep reading to learn more about my experiences with the apps—and what other security experts think.
| | 1Password | LastPass |
|---|---|---|
| Security | ⭐⭐⭐⭐⭐ Best in class security and has never had a breach | ⭐⭐ Recent data breach and less than ideal security in general |
| Ease of use | ⭐⭐⭐⭐⭐ Easy to import passwords, generate new passwords, and log in to existing accounts | ⭐⭐⭐⭐⭐ Easy to import passwords, generate new passwords, and log in to existing accounts |
| App availability | ⭐⭐⭐⭐⭐ Native apps on every device | ⭐⭐⭐⭐ It's available on nearly every platform, but you don't always get native apps |
1Password offers much better security
A password manager has two main jobs: to keep your passwords safe, and to make filling them in easy. Everything else is kind of secondary. To make things as convenient as possible, both LastPass and 1Password store all your login information on their servers. It's meant to be encrypted and well-protected, so with that in mind, it's worth taking a step back and looking at the ongoing fallout of the LastPass hack.
In August 2022, LastPass disclosed that a hacker had compromised a developer account and gained access to its development environment. It claimed that it had contained the breach and had taken mitigation measures. In September, it declared that its investigation was complete and all was well, and that there was no evidence any customer data or encrypted vaults had been compromised. Embarrassing for a security company, but it wasn't the first time the company had been hacked—and this was a less compromising breach.
Then, at the end of November, LastPass announced that one of its third-party cloud storage services had been hacked "using information obtained in the August 2022 incident" and that the hackers had gained access to some customer information. What information? Well, it took until December 22, but LastPass came clean: the hackers had a backup of customer vault data.
Some fields in the vault databases—like passwords, thankfully—were encrypted, but others, like email addresses, telephone numbers, the IP addresses customers used when accessing LastPass, and billing addresses, weren't. Regardless of whether the hackers could crack the passwords, they still had a lot of personal and identifying data about every affected LastPass user.
And even the encrypted passwords aren't necessarily safe. LastPass has been criticized for years for its inadequate security precautions and failure to update legacy accounts. If someone with a recent LastPass account followed best practices and used a strong, unique master password, their data is probably still private (other than all the unencrypted identifying stuff). But if you had an older LastPass account, reused or used an insecure master password, or were a particularly tempting target? The hackers have direct access to your encrypted vault and can try to crack your master password for as long as they like.
And crack master passwords they did. Over the last few years, there has been a string of crypto heists targeting LastPass users. More than $35 million was stolen in 2023 from dozens of victims, many of whom were using otherwise solid security protocols. The one commonality was that they all stored an important crypto account identifier called a "seed phrase" in LastPass.
There was another hack in December 2024, when the attackers stole $5.36 million from more than 40 crypto wallets. And TRM Labs tracked another $35 million from 2024 to 2025 to Russian hackers and concluded it was "only a fraction of the full picture."
And in the largest single example I could find, Chris Larsen, co-founder of the cryptocurrency token Ripple, was targeted: he lost $150 million. This brings the estimated crypto stolen to well north of $250 million; some figures say it's closer to $500 million, though I couldn't find any reputable sources to confirm that.
There's also no reason to believe that these hacks have stopped, and crypto is just the tip of the iceberg. It's impossible to tell just how many people were the victims of other kinds of scams because of their LastPass data being compromised. It's only because of the public and very online nature of crypto that security researchers have been able to keep track of the hacks and attribute them to the LastPass breach.
As a result of all this, LastPass has been widely condemned by the security community for allowing hackers to gain access to customer data, failing to contain the initial breach, having inadequate security measures in the first place, downplaying the severity of the breach, trying to blame customers for not having strong enough master passwords, and generally just mishandling the whole situation.
Worst of all, LastPass's response was incredibly lackluster. In September 2023, more than a year after the initial breach, it finally started forcing old accounts to use 12-character master passwords and automatically updating every account to at least 600,000 rounds of an algorithm called PBKDF2 that slows down attempts to brute force master passwords. (Previously, the minimum for new accounts was 100,100 rounds, and older accounts were secured with just 5,000, 500, or even 1 iteration without being upgraded.)
Similarly, it took until May 2024 for LastPass to start encrypting the URL field in its vaults, at least for new URLs. Existing users received a prompt to encrypt any old unencrypted URLs a few months later.

There are rumblings that things might be changing. As I write this update, LastPass's CEO, Karim Toubba, has made some positive statements in an interview with ZDNet. He says that LastPass has learned from the security breach and invested in enhanced security practices, both in its organization and in its app. TechRadar, however, points out that Toubba said the same things three years ago, so it might be worth withholding judgment.
While LastPass may have improved, for many people, it's going to be too little too late. Like me, for example. As one of the affected users, I had to spend a few hours one afternoon over my winter break changing a load of passwords. It would take a lot for me to seriously consider using the app again. (I hadn't relied on LastPass for years, so my most important accounts were still safe.)
Also, recent safety assessments tend to show that LastPass is among the more vulnerable password managers to a range of theoretical attacks because of architecture decisions built into the app. Almost no password manager is completely immune from these kinds of targeted attacks, though they're hard to pull off in the real world and often take advantage of the ways password managers are convenient by autofilling your passwords. It's worth flagging that there is a security tradeoff to using a password manager—it's just that the alternative is remembering loads of unique passwords or using a physical security key.
In short, the hack and LastPass's response demonstrated that the company has a pretty cavalier attitude toward protecting the passwords you store with it. Architecture decisions made years ago have made it more vulnerable to certain kinds of attacks than some other password managers. While some of this is changing, I'm not sure it's enough.
So what about 1Password?
For starters, 1Password has never had a data breach, although it has been targeted. Even then, the company was upfront and honest with customers and published a full security report detailing what happened. When there is a vulnerability identified, they act fast to fix it. More importantly: 1Password uses a significantly more secure setup to encrypt your vault—and encrypts every field. While LastPass now uses 600,000 rounds of PBKDF2 as its default for all accounts, 1Password uses 650,000 iterations—and has always updated old accounts to the latest value.
And even with that, LastPass locks your vault with just your master password, whereas 1Password uses a master password and an additional secret key.
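To make the iteration counts above and the effect of a second secret concrete, here is an added example (not code from LastPass, 1Password, or the original article) that measures PBKDF2-HMAC-SHA256 speed on your own machine and estimates the average offline guessing time against a stolen vault for each setting the article quotes. The 40-bit password strength is a constructed sample, and the secret key is modeled simply as 128 bits of extra entropy, which is an assumption rather than either vendor's actual key derivation.

```python
import hashlib
import os
import time

# Iteration counts quoted in the article; labels are descriptive only.
ARTICLE_ITERATIONS = {
    "legacy account, 1 iteration": 1,
    "legacy account, 500": 500,
    "legacy account, 5,000": 5_000,
    "earlier LastPass minimum": 100_100,
    "LastPass since Sept 2023": 600_000,
    "1Password": 650_000,
}
SECRET_KEY_BITS = 128  # assumption: entropy added by a device-held secret key


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)


def measure_rounds_per_second(sample_iterations: int = 200_000) -> float:
    """Time one derivation here. Dedicated cracking hardware is far faster,
    so estimates built on this rate are upper bounds on the time needed."""
    start = time.perf_counter()
    derive_vault_key("constructed-sample-password", os.urandom(16), sample_iterations)
    return sample_iterations / (time.perf_counter() - start)


def average_crack_seconds(password_bits: float, iterations: int,
                          rounds_per_second: float, secret_key_bits: int = 0) -> float:
    """Expected time to guess a uniformly random secret offline: on average
    half the space is searched and every guess costs `iterations` rounds."""
    guesses = 2.0 ** (password_bits + secret_key_bits - 1)
    return guesses * iterations / rounds_per_second


def meets_floor(iterations: int, minimum: int = 600_000) -> bool:
    """True if a setting meets the 600,000-round minimum the article cites."""
    return iterations >= minimum


if __name__ == "__main__":
    rate = measure_rounds_per_second()
    bits = 40  # constructed sample: master password with about 40 bits of entropy
    for label, n in ARTICLE_ITERATIONS.items():
        days = average_crack_seconds(bits, n, rate) / 86_400
        print(f"{label:28} {n:>8,} rounds  ~{days:,.1f} days  ok={meets_floor(n)}")
    years = average_crack_seconds(bits, 650_000, rate, SECRET_KEY_BITS) / (86_400 * 365)
    print(f"650,000 rounds plus a {SECRET_KEY_BITS}-bit secret key: ~{years:.2e} years")
```

The iteration count scales the cost linearly, while each extra bit of secret doubles it, which is why a weak master password stays exposed even at 600,000 rounds.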

This comes with a downside: to sign in to 1Password on a new device, you need to enter both security factors. It can be pretty inconvenient if you need to set up a device when you're away from home, as you either need to scan a QR code on a device that's already logged into 1Password, or type a long string of characters that you probably don't have access to. So while you can log in to LastPass from anywhere, 1Password's improved security makes that harder. But it does mean that even if 1Password were to suffer a similar data breach, user data would be significantly less vulnerable to hackers.
It's important to understand that 1Password also makes security tradeoffs. It's vulnerable to some of the same attacks as LastPass simply because of how it's designed. No solution is perfect, but some are better than others.
With all that said, despite the embarrassment of the recent breach, most of LastPass's security problems fall into the realm of "less than ideal," not "use LastPass and you'll get hacked yesterday." If you're a regular internet user—not someone prominent who could be specifically targeted, or with a few million in crypto sitting in a wallet—and sign up for a LastPass account today, as long as you use a decent master password, your data should be safe.
Personally, I wouldn't take the risk of using LastPass because I'm neurotic about these things (and I'm regularly a victim of impersonation and identity theft). If you massively prefer LastPass's interface or need its free plan, then feel free to give it a try—just understand the risks.
LastPass and 1Password are both available on almost every platform
LastPass and 1Password operate almost identically on mobile platforms, since Android and iOS both support password management and autofill.

Both services also have browser extensions for Chrome, Firefox, Safari, and Edge that work similarly. LastPass also supports Opera, while 1Password supports Brave.
On the desktop, there's a bigger difference. 1Password has local apps for Windows, Linux, and Mac that you can use offline to access your passwords or any other information you have stored in your vault. These apps also offer a universal keyboard shortcut for quickly searching your passwords. 1Password for Chrome OS is a browser-based app, which is common for apps on the platform, and there's also a command-line tool for Windows, Linux, and Mac devices. 1Password also offers browser extensions, which work with or without the desktop app installed. The exception is Safari—you'll need to install the macOS app, but that's just how Safari extensions work.

LastPass used to have desktop apps, then it got rid of them, but now it's bringing them back—at least for Windows and macOS. The good news is that means you can use keyboard shortcuts to autofill passwords and don't have to rely on the browser extensions; the bad news is they're essentially just reskinned versions of the web app.

Overall, the differences between the services exist only on the edge cases. Both apps support most major browsers, which means you can run them both on any operating system. If you really care about desktop apps, 1Password's is much nicer.
Both apps are really nice to use
LastPass is really pleasant to use—there's a reason the breach affected 33 million registered users and 100,000 business customers. But there isn't a huge amount of difference between how it and 1Password operate in most cases.
Take logging in to your accounts. If LastPass recognizes a login field, you'll see a LastPass logo in it. Click that, and you can choose which account you want to sign in using.

1Password works the same way using the browser extension.

With both apps, you can pull up the desktop app with a keyboard shortcut even outside the browser. 1Password's implementation is more polished, but it's now a smaller point of difference than it was a few years ago.
Both apps also make it easy to generate secure passwords for new accounts.
With LastPass, whenever you're creating a new account, you'll see an icon in the password field that you can click to create a random password. Click it, and you'll see a password, which you can click right away to use.

You can choose Customize to change the parameters, like the length of the password or whether or not it includes numbers or special characters, and there's even an option to make the password easy to say if you create it through the full app. These last options are especially helpful for passwords you might still need to actually remember, like your Wi-Fi or Netflix password.
1Password works almost exactly the same. You can click the icon in the password field, and then use the slider if you want to customize it.

These options are handy if a site has special requirements for passwords. I try to aim for 40+ character passwords, but some sites still won't take more than 20.
Since long passwords can be hard to remember, we suggest using a passphrase, a collection of seemingly unrelated words that are easy to remember. Something like ZapierWinstonDoggosPlanetCheeseTreats. But…don't actually use that.
1Password and LastPass both have lots of extra features
Both apps have a lot of good secondary features.
Both can autofill two-factor authentication codes.
Both make it possible to share passwords with other people.
Both can store credit card numbers, secure notes, important documents, and other things you should keep safe.
Both have password breach monitoring and overall password health assessment (LastPass calls its version Security Dashboard, while 1Password calls it Watchtower).

Both apps support passkeys—a new system that uses public-key cryptography to secure your accounts instead of passwords. They're intended to solve a lot of the problems with passwords, and while it's taken far longer than I'd like, it looks like we might finally be reaching the point where they're widely available enough to be useful. Unfortunately, the competing implementations between different passkey providers can make things more complicated.
Right now, 1Password's passkey implementation feels a bit more polished since it's been available for a bit longer. You can use it to create passkeys for other services that support them, as well as use one to secure your 1Password account.

LastPass also allows you to use passkeys to secure both your LastPass vault and other services that support them.

Really, there aren't many differences here. For almost everyone, either service will offer an almost identical password management experience. Even with passkeys, a lot of the implementation is fixed by how passkeys work so there just can't be wild differences between the two services.
Neither app offers a good free plan
While there are great free password managers available (see: Bitwarden and Apple Passwords), neither LastPass nor 1Password falls into that category.
Let's start with 1Password. It's free for journalists and politicians; for everyone else, there's a 14-day free trial. After that, you're looking at $48/year for a Personal account or $72/year for a Families plan with up to five accounts. There are also business plans available from $19.95/month.
In addition to a 30-day trial, LastPass offers a free plan—it's just extremely limited.

While you can save as many passwords as you want, you can only access your free LastPass account on one device type: either computers or mobile devices. This means you can use LastPass to sync your passwords between your office computer and your personal laptop, but not between your laptop and your smartphone. It's a really awkward caveat, and it undermines the whole "all your passwords everywhere" thing that most people use a password manager for. On paid plans, this isn't an issue. A LastPass Premium plan costs $36/year, while a Families plan for six users is $48/year. For businesses, a Business plan starts at $7/user/month (billed annually).
So, if you're choosing between 1Password and LastPass, you're really choosing which app you want to spend a few dollars a month on. If you're genuinely considering LastPass's free plan, I'd suggest checking out Zapier's article, where we compare it with Bitwarden, which has a more robust free offering. You can also use Google Passwords or Apple Passwords; while not as feature-filled as dedicated password managers, they have both significantly improved over the last decade.
1Password vs. LastPass: Which should you choose?
For almost everyone, 1Password is a better password manager than LastPass. There's so little difference between the general user experience, availability, and price of the two apps that the additional security and transparency of 1Password make it the easy choice.
If you already use LastPass, use a secure master password, and don't want to go through the minimal hassle of switching services, then sticking with LastPass is understandable. But for new users, you'd really have to want one or two of the niche, specific features that LastPass brings to the table (or have a serious discount code) for it to be a better choice.
This article was originally published in February 2019 and has had contributions from Zac Kandell and Justin Pot. The most recent update was in March 2026.









