Ask HN: What do I do about LastPass and how do I switch?

50 points by yootis ↗ HN
After using LastPass for many years, I have more than a thousand passwords stored in it. It's too many to make it practical to manually change them all. Is there a way to get all of them into something else, like BitWarden, and then [semi]automatically change them all?

35 comments

[ 3.6 ms ] story [ 84.4 ms ] thread
if you have crypto, transfer to new wallet asap. use offline computer and use something like VeraCrypt, which is open source and has been audited. don't trust cloud companies to do the encryption for you.
If someone credible could write a blog post on this, that would be very great
You literally just click export. It's under advanced options.

You get a file and you import it wherever you want.

It couldn't be easier.

Last pass has blog posts on this, your password manager has blog posts on this, random people have made countless blog posts on this.

All of these are easily found with your search engine of choice.

Or perhaps this comment is sarcasm? So hard to tell these days.

(comment deleted)
Don't forget to delete the passwords on LastPass. Maybe deleting your LastPass account does that.

And consider changing your passwords on your most important accounts (email, bank, ...)

Lmao, sorry I was talking moreso about which password manager I should switch to.

Everyone’s recommending Bitwarden now, so I guess that?

Saw some posts on Reddit about poorly conducted security audits with Bitwarden so I was a bit concerned.

I exported my vault to CSV and imported them all into Bitwarden in one go.
Yes, you can export them from LastPass as a csv file and import them into bitwarden.

But the steps to this correctly are this:

  1. Logout of LastPass
  2. Close your browser
  3. Open your browser
  4. Log into LastPass
  5. Perform the export from inside LastPass (before doing any other actions inside of LastPass)
If you don’t do the exact steps above, then when you do an export from LastPass, it most likely will export some of your passwords twice (so you will have duplicates). This is a known bug in LastPass that they have never fixed.

You also need to do this (from the bitwarden site):

“Some users have reported a bug which changes special characters in your passwords (&, <, >, and so on) to their HTML-encoded values (for example, &amp;) in the printed export. If you observe this bug in your exported data, use a text editor to find and replace all altered values before importing into bitwarden.”

The import into bitwarden procedure is located here:

https://bitwarden.com/help/import-from-lastpass/

moved from lastpass to Bitwarden few years ago, and it's great. ios app can be bit buggy at times but never stopped me from getting a password. also 10 monies a year for premium is ridiculously cheap and well worth it. also nice that it's opensource.
And Bitwarden recently came out and reaffirmed that the standard version does not sell user data of any kind and will remain free.

It’s also entirely possible to run your own instance / server of Bitwarden.

+1 Bitwarden. I pay for orgs but the free version is just fine.
Love when people call money this way. 10 monies is adorable and Imma start doing this all the time now
(comment deleted)
I don’t understand how people still stayed with LastPass after all their controversies and pulling bait-and-switch on their customers well over a year ago at this point
People have kids and jobs and many other problems.
What does having kids, jobs and other problems have to do with an untrustworthy company which rug-pulls their customers possibly having the password to your bank account and other sensitive information? If anything, having other lives depend on you should make you more concerned with online security.
As someone who's worked in cybersecurity in one capacity or another for my entire life:

It's because people really don't care about security. They don't see it as something that needs effort like managing personal finances or cleaning your car. They want "set it and forget it". Psychologically, it's because there isn't any immediate benefit, and the perceived expected value of the effort is low.

This problem is why I don't enjoy working in cyber security and probably won't go back to it.

In defense of the normies I'd say life is complex. People don't know what they don't know. They're making risk assessments all the time, yet with (sometimes very) incomplete information.

Mechanically minded folks say "why ever trust an auto shop?" Tech folks say "why ever give your data/device to someone else?" Handy types say "why pay so much for mediocre work from a plumber/electrician/etc.?"

You can export your data from LastPass and import it in e.g. 1Password. I did that ~2 years ago. No regrets.
Hope you deleted it from LastPass too!
Some time ago I created a github page which is using google spreadsheet as back-end and in-browser aes encryption/decryption of secrets stored in that spreadsheet. It's not beautiful but good enough for me. Added bonus is I can easily take backups of that spreadsheet.
I host a small VM and run dockerized Vaultwarden behind Nginx on it. It has been a solid setup so far.
Besides the multibrowser / OS limitation, is there any other drawback on using native browser pass managers?
(comment deleted)
Why not something like keepass, bitwarden can also get pwned without your involvement.

Or be a luddite and write it on paper.

Paper can be tedious, but it has never let me down. Unless someone is prone to losing notebooks, or is burgled on a regular basis, I can recommend a password notebook as an effective and reliable method of password storage.
Completely agree, if your password's security model is similar to your house key or credit cards.
Convert to keepass and sync the key file across your devices with a cloud service.
For years I've been telling people I know to NEVER trust all their security to one-password services. Given so many tech companies penchant for playing stupid and loose with internal security without customers even being aware of it, this kind of thing was bound to happen. All the worse to trust a password vault service under the circumstances.

Too many people who should know better on this site itself kept recommending things like Lastpass... Incredible.

The easiest way is having lastpass export your vault of passwords as a CSV. Most other passwords managers (Bitwarden, 1Password, Dashlane, etc.) should be able to import that for you into their vaults.

I did this (moved from LastPass to 1Password) back when LastPass changed how they were doing their free vaults and with LastPass’s less than stellar track record on security. I will at least advocate for 1Password as their family vaults are amazing for sharing things securely with the wife and my parents.

Since they have everyone's password vaults, it is likely a matter of time before your vault is decrypted. You should change all of your last pass passwords.
Switched to self-hosted Bitwarden on my own domain behind a VPN. Everything on disk is encrypted.