LastPass had one job: to keep people's passwords secure. Unfortunately, since they released more details about the latest breach it has become apparent that they failed at that one task. Yes, I am being a little overdramatic; I know that so far the hackers who obtained LastPass user vaults most likely have not been able to decrypt users' passwords, but it does not matter. LastPass has admitted that they were storing user vaults on an off-site server unencrypted. In what world did LastPass think that storing an off-site backup unencrypted was a good idea? As far as I am concerned, LastPass has broken my trust with poor security practices for storing my data. Hackers now have my email address and the URLs of all the websites I have saved passwords for, opening me and my accounts up to brute force attacks and me to constant phishing attempts. If you are in the same boat as me, you will probably be looking at leaving LastPass as soon as possible. It is too late to fix what they have done, but there is no reason to keep supporting a company that clearly cannot be trusted.
Here are the steps I took to leave LastPass behind.
- I used the Chrome extension on my computer and started my move away from LastPass by clicking the extension and then clicking the Open My Vault option.
- Once your vault is open you want to click the Advanced Options link at the bottom left. The Advanced Options menu will open and you will see the Export option.
- After you click the Export option you may be reprompted to enter your Master Password. This step might be optional: I was prompted to reenter my Master Password on my Mac, but when I performed this on my Windows computer I did not get reprompted. Enter your Master Password and click Continue.
- On my Mac, once I clicked Continue after reentering my Master Password, a download automatically started and my export was saved as lastpass_export.csv. On Windows an export file was not downloaded; instead it loaded in my browser. I then had to select it all, copy it, and save it as a .csv file using a plain text editor (Notepad, or another plain text editor if you have a favorite).
- If you have not already done so, go sign up for Bitwarden or another password manager other than LastPass. Since I signed up for Bitwarden, that is what the rest of these steps describe. After logging in to your new Bitwarden account you can import your LastPass export file; you will find the import utility under Tools.
- Select the type of import file; there is an option for a LastPass (csv) file. Select the import file that you downloaded or saved, or if you prefer you can just copy and paste the entire contents of your csv file into the text area field. Then click Import data, and before you know it all your LastPass data will be saved in Bitwarden.
- Don't forget to delete the LastPass export file on your computer. It contains all your usernames and passwords in plain text, and you do not want someone to gain access to it.
- Since I mostly use Chrome, I then installed the Bitwarden Chrome extension. If you use Chrome as well you can find it here: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb?hl=en. You can find all the Bitwarden downloads here. I also installed the Android version on my phone.
- Once I got Bitwarden running in my browser I started changing passwords on the services I use. Since LastPass has given us very little information about when the data they saved was actually compromised, I changed all my banking and credit card logins first. I will eventually change the majority of my passwords, but I made those that hold money a priority.
- Last but not least, once you are satisfied that you have transferred all your passwords and information, delete your LastPass account.
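As an added example (not code from the original post or from LastPass or Bitwarden), here is a small Python script that turns the export file from the steps above into a rotation plan: money accounts first, then any site whose password is shared with another entry, then the rest, without ever printing a password, and finally removes the plaintext export as the steps recommend. It assumes the LastPass CSV header `url,username,password,totp,extra,name,grouping,fav`, uses a constructed sample export, and the `MONEY_WORDS` keyword list is my own assumption.

```python
import csv
import io
import os
from collections import Counter

# Constructed sample in the LastPass export format (assumed header:
# url,username,password,totp,extra,name,grouping,fav). Check the first line of
# your own lastpass_export.csv; these are not real credentials.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://www.examplebank.test/login,alice,Hunter2!,,,Example Bank,Finance,0
https://forum.example.test,alice,Hunter2!,,,Example Forum,,0
https://mail.example.test,alice@example.test,correct-horse-battery,,,Example Mail,,1
https://shop.example.test,alice,Hunter2!,,,Example Shop,Shopping,0
"""

# Assumed keyword list for the accounts the post rotates first (those that hold money).
MONEY_WORDS = ("bank", "credit", "card", "paypal", "invest")


def plan_rotation(csv_text):
    """Return (plan, reused) for a LastPass CSV export.

    plan:   [(rank, name, url, username)] sorted money-first, then sites that share
            a password with another entry, then the rest. No password is included,
            so the plan itself is safe to print or keep.
    reused: number of entries whose password also appears on another entry.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    pw_counts = Counter(r["password"] for r in rows if r["password"])
    reused = sum(1 for r in rows if r["password"] and pw_counts[r["password"]] > 1)

    def rank(r):
        text = " ".join((r["name"], r["url"], r["grouping"])).lower()
        if any(w in text for w in MONEY_WORDS):
            return 0  # holds money: rotate first
        if r["password"] and pw_counts[r["password"]] > 1:
            return 1  # exposed URL list plus a reused password: rotate next
        return 2

    ordered = sorted(rows, key=lambda r: (rank(r), r["name"].lower()))
    return [(rank(r), r["name"], r["url"], r["username"]) for r in ordered], reused


def remove_export(path):
    """Delete the plaintext export file; True if it is gone afterwards."""
    if os.path.exists(path):
        os.remove(path)
    return not os.path.exists(path)
```

Note that os.remove only unlinks the file; on SSDs and journaling filesystems the bytes may remain recoverable, so delete the export promptly and never leave a copy in a cloud-synced folder.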
The silence from LastPass on this breach since December 22, 2022 is deafening. There appears to have been no communication from them to customers about when the backups were stolen or when those backups were created, and no information on why the data was stored unencrypted in their backup. Personally, I am disgusted with LastPass. I am by no means a cyber security professional, but even I know you don't store unencrypted backups off-site. I am, however, very pleased to have found Bitwarden. If you want more information about Bitwarden, I would encourage you to listen to the Security Now podcast and why they also chose it. I have embedded it below.