LastPass and Bitwarden have been compared for the better part of a decade, but the conversation has changed. LastPass disclosed a major breach in late 2022 that exfiltrated encrypted customer vault backups. The encryption held — but the incident permanently reframed how teams evaluate them.
This isn't a witch-hunt; LastPass is still a working product with paying customers and improved security posture. But for a team choosing in 2026, the burden of proof has shifted. This comparison focuses on what teams actually need: per-seat cost, sharing model, recovery, and whether the security story stands up.
Quick verdict
For most new teams in 2026, Bitwarden is the easier recommendation. It's cheaper, open source, has a clean breach record, and offers a genuinely capable free tier.
LastPass is a reasonable choice if you're already on it, your admins know the product, and you've accepted the post-breach security model. The product is competent. The brand damage is real.
Team pricing at a glance
| Feature | LastPass | Bitwarden |
|---|---|---|
| Smallest team plan | Teams: from ~$4/user/mo | Teams: $4/user/mo |
| Business / Enterprise tier | Business: from ~$7/user/mo | Enterprise: from $6/user/mo |
| Free tier | Yes (single device type) | Yes (unlimited devices) |
| SSO on team plan | Add-on / Business | Enterprise only |

All prices USD, billed annually. Verify on vendor sites before buying.
Collaboration model
| Feature | LastPass | Bitwarden |
|---|---|---|
| Shared folders / collections | ||
| Per-item permissions | ||
| One-time secure share | Limited | Yes — Bitwarden Send |
| Activity / audit log | Teams and above | |
| Directory sync (SCIM) | | |
Security & trust
| Feature | LastPass | Bitwarden |
|---|---|---|
| Zero-knowledge end-to-end encryption | ||
| Cipher | AES-256-CBC | AES-256-CBC + HMAC |
| Key derivation | PBKDF2-SHA256 (default iteration count raised post-breach) | Argon2id (default) or PBKDF2 |
| Open-source clients | No | Yes |
| Self-hosting option | No | Yes |
| Publicly disclosed breach affecting customer vault data | Yes — Aug & Nov 2022 | No public breach of customer vaults |
The 2022 breach: why it still matters
In August 2022, LastPass disclosed unauthorised access to its development environment. In November 2022, attackers used credentials from that intrusion to access a third-party cloud storage service and copy backup archives that contained customer vault data — including unencrypted URLs and encrypted credential fields.
The encrypted fields were protected by the user's master password via PBKDF2. At the time, many older accounts were still on lower iteration counts, meaning offline brute-force attacks against weak master passwords were realistic for well-resourced attackers. LastPass has since raised default iteration counts and forced upgrades.
The takeaway isn't that LastPass's crypto failed — it didn't. It's that a vendor's operational security matters as much as its cipher choice, and a vault backup leaving the vendor's environment is a category of risk worth weighing.
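The iteration-count point above can be made concrete with a short cost model. This is an added example, not code from LastPass, Bitwarden or the original page; the iteration counts and the attacker hash rate are illustrative assumptions, not figures from the article.

```python
import hashlib
import math
import time

YEAR = 365.25 * 24 * 3600
# Assumptions for illustration, not figures from the article:
ITERATION_COUNTS = (5_000, 100_000, 600_000)   # low, mid, high PBKDF2 settings
ASSUMED_PRF_PER_SEC = 1e10                     # attacker HMAC-SHA256 calls per second

def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output: one HMAC call per iteration."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def seconds_per_guess(iterations: int, sample: int = 20_000) -> float:
    """Time a short local derivation and scale it linearly to `iterations`."""
    start = time.perf_counter()
    derive_key("benchmark", bytes(16), sample)
    return (time.perf_counter() - start) * iterations / sample

def years_to_search(entropy_bits: float, iterations: int, prf_per_sec: float) -> float:
    """Expected years to cover half of a 2**entropy_bits password space."""
    return 2 ** (entropy_bits - 1) * iterations / prf_per_sec / YEAR

def min_entropy_bits(iterations: int, prf_per_sec: float, target_years: float) -> int:
    """Smallest whole number of entropy bits that meets target_years."""
    guesses_needed = target_years * YEAR * prf_per_sec / iterations
    return math.ceil(math.log2(guesses_needed) + 1)

if __name__ == "__main__":
    print(f"{'iterations':>10} {'local s/guess':>14} {'40-bit pw (years)':>18} {'bits for 100y':>14}")
    for n in ITERATION_COUNTS:
        print(f"{n:>10} {seconds_per_guess(n):>14.4f} "
              f"{years_to_search(40, n, ASSUMED_PRF_PER_SEC):>18.4f} "
              f"{min_entropy_bits(n, ASSUMED_PRF_PER_SEC, 100):>14}")
```

Raising the iteration count multiplies attacker work linearly, so it buys only a few bits of equivalent password entropy; a weak master password stays weak. Argon2id is not modelled here because its memory-hardness means a raw hashes-per-second figure does not describe attacker cost.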
Pricing and what you get for it
Both sit in the same ballpark on team pricing — roughly $4/user on the smaller team plan, with Business/Enterprise tiers a few dollars higher and adding SSO, directory sync and reporting.
Bitwarden's free tier is significantly more useful for individual users on a team — unlimited devices, unlimited vault items — which matters if you want some team members on the paid plan and others just synced personally. LastPass's free tier was famously restricted in 2021 to a single device type (computer or mobile, not both), which still applies.
Recovery and account model
Both support admin-led account recovery for forgotten master passwords (with the usual caveat: this is a sensitive workflow that requires careful policy). Both offer Account Recovery via a one-time password mechanism stored on previously-trusted devices.
Bitwarden lets organisations enforce master-password policies (minimum length, complexity, KDF iteration count) and require two-step login. LastPass offers equivalent enterprise controls on Business tiers.
Day-to-day UX
LastPass has the more "fill-in-the-blanks polished" extension — years of consumer iteration show. Bitwarden's UI is plainer but fast, and the desktop app is genuinely good. Both have mobile apps that do what they need to do.
For admins, both have a passable web console. Neither is delightful. Bitwarden Send (one-time secure share) is a small but real day-to-day win.
LastPass
Pros
- Mature browser extension and form-fill
- Established enterprise feature set (SSO, directory sync, policies)
- Familiar to many users already
- Improved security posture post-2022 (raised KDF iterations, infra changes)
Cons
- 2022 breach exfiltrated encrypted customer vault backups — trust cost is real
- Free tier limited to one device type
- Closed source — auditability depends on third-party reports
- No self-hosting option
Bitwarden
Pros
- Open-source clients and server — auditable and self-hostable
- Argon2id by default; stronger KDF than the industry norm
- Genuinely useful free tier with unlimited devices
- Clean public breach record
Cons
- Admin UI is functional but less polished than competitors
- SSO is gated behind Enterprise
- Self-hosting sounds great until you have to operate it
- Some power features hide behind organisation/collection concepts
A third option worth considering
If you're on this page because LastPass has lost your trust and Bitwarden's admin UI feels heavier than your team needs, Pwdly is a third option worth a look. We built it for teams that share credentials by project, not by "everything in one giant vault".
- Per-project vaults as the primary unit — naturally matches how agencies and product teams already think.
- $2/user/month, flat. No tier ladder. See pricing.
- XChaCha20-Poly1305 with Argon2id — a deliberately conservative modern stack. The cipher explainer walks through the choice.
- No forgotten-password backdoor. Like Bitwarden, we can't decrypt your data — including for you. This is the price of true zero-knowledge.
We won't oversell. If you need Bitwarden's self-hosting or LastPass's enterprise feature ladder, use them. If you want a simple team tool with a transparent security story, give Pwdly a go.
Frequently asked questions
Is LastPass safe to use after the 2022 breach?
Technically, yes — the encryption around vault contents held, and LastPass has since raised default KDF iteration counts and changed its infrastructure. The harder question is trust: if attackers ever exfiltrate encrypted backups again, users with weak master passwords remain exposed to offline brute-force. Many teams have decided that risk isn't one they want to repeat.
Is Bitwarden cheaper than LastPass for teams?
At similar tiers, the per-seat price is in the same ballpark — both around $4/user/month on the smaller team plan, climbing on Business/Enterprise. Bitwarden tends to be slightly cheaper at equivalent tiers, and has a noticeably more useful free plan for the personal accounts of team members.
Can I self-host Bitwarden but not LastPass?
Correct. Bitwarden offers a self-hosting path (official Docker images, or the lighter Vaultwarden community implementation). LastPass is SaaS-only.
What KDF does each use?
Bitwarden defaults to Argon2id, which is memory-hard and much harder to attack on GPUs. LastPass uses PBKDF2-SHA256, with default iteration counts raised after the 2022 incident. Both are secure when the master password is strong; Argon2id is the more conservative choice for resisting offline cracking.
Worth fact-checking
- LastPass team pricing has moved more than once — confirm Teams and Business per-seat prices on lastpass.com/pricing.
- Bitwarden Enterprise pricing has recently moved to $6/user/month; verify at time of purchase.
- LastPass SSO is bundled or add-on depending on tier and time — confirm with sales for your exact configuration.
Last updated May 2026. Vendor pricing and features change frequently — always confirm on the official site before purchasing. Pwdly is not affiliated with 1Password, Bitwarden, LastPass, or Dashlane.