How and why to migrate from LastPass to Bitwarden

Security is not all or nothing; it’s better to do something late than never.

Stefan Todoran
10 min read · Nov 2, 2023

Last year’s LastPass hack sent shockwaves through the online security community, highlighting the vulnerability of one of the most popular password management tools. As we start to see the effects of the breach unfold, with incidents such as the siphoning of nearly $5 million of crypto from wallets compromised by the breach (source 1, source 2), we are reminded that there is no time like the present to start taking your online security seriously.

This article will guide you through the process of migrating from LastPass to Bitwarden, with a discussion of the pros and cons of password managers and links to useful resources and further reading.

Lousy LastPass

In August of 2022, LastPass suffered yet another security breach, only adding to its checkered history. While the scale of the breach was a disaster in and of itself, what was particularly disconcerting was LastPass’s consistent lack of transparency regarding the situation. In the months following the breach, the company provided several ever-worsening updates about the severity of the situation, rather than divulging all of the pertinent information upfront. This lack of transparency left users in the dark, unsure of the risks they faced and the corresponding measures they should take to protect themselves.

In the original notice published in August, LastPass CEO Karim Toubba wrote that “some source code and technical information were stolen from our development environment”. Doesn’t sound particularly alarming, does it?

It turns out the true extent of the breach was not some minor oopsie-daisy. Rather, as we would find out over the following months in a slow and painful drip-feed of ever-worsening updates, what had occurred was literally the worst-case scenario: the hacker was able to obtain vault backups containing both encrypted and unencrypted information, including names, email addresses, billing addresses, partial credit card details, website URLs and passwords.

To add insult to injury, LastPass won’t say how old the backups were nor is it clear what their retention policy is, meaning that even if you deleted your entire account before November 2022, you have no way to know whether the attacker got hold of old backups of your account information.

Fortunately, usernames and passwords were among the encrypted items, since LastPass and other password managers encrypt passwords and never store your master password. However, this still left the hackers with thousands of customer password vaults. Theoretically — lacking the master passwords — the hackers have no way to open these vaults, but in reality local access to a vault makes breaking in significantly easier. Here are a few of the many reasons, in no particular order, that local access to customer vaults is a big deal. Local access means:

  • 2FA security measures no longer apply
  • The hackers can attempt to brute force passwords directly, without worrying about attempt limits or other mitigations
  • Changing one’s master password to something more secure will have no effect, since the stolen vault is not updated
  • The hackers can attempt to decrypt vaults using passwords leaked in other breaches

Put simply, LastPass has demonstrated that its security infrastructure, both software and DevOps, is not robust enough to warrant trust. Moreover, its management appears more interested in minimizing negative publicity than ensuring client safety. LastPass cannot and should not be entrusted with your passwords.

Is Bitwarden Better?

Bitwarden is a rising star in the realm of password management software, having garnered attention for its lack of data breaches and its open-source nature. Being open-source is ultimately what sets Bitwarden apart from its competitors, particularly LastPass, allowing it to develop rigorous security, foster transparency and trust, and empower a global community of contributors to continuously enhance its security features.

Bitwarden has shown consistent growth even outside of the LastPass debacle.

In contrast to LastPass, Bitwarden provides a self-hosting option, allowing users to maintain full control over their data’s storage and security, an attractive feature for security-conscious individuals and organizations. If you have the means and technical know-how to self-host, this is the gold standard option, and you can find a great resource here on deploying a self-hosted instance. Unfortunately, for many individuals self-hosting may be infeasible, not to mention that it has its own set of challenges and trade-offs. Therefore, this article focuses on migrating from LastPass to hosted Bitwarden.

Why Password Managers

It is at this point that some of you may be wondering whether password managers are worth the hassle at all. As the saying goes, “you can put lipstick on a pig, but it’s still a pig”. Many cynics on Stack Overflow, Hacker News, Reddit, or other forums will be quick to point out that all password manager services have the same endgame, given enough time: get hacked.

They aren’t wrong to be skeptical, especially since the large potential rewards for a successful hack doubtless bring a lot of unwanted attention to these services. However, the truth is that password managers come with benefits beyond just the convenience of not needing to remember all of your passwords, and through proper usage one can mitigate the associated risks.

Firstly, the biggest risk to online security for the average internet user is not their password manager getting hacked. Instead, attackers are significantly more likely to successfully compromise accounts by phishing or by trying reused or common passwords. Enumerated below are three of the most frequent ways accounts get cracked and how a password manager helps mitigate the risk (source).

1) Credential Stuffing

Credential stuffing is jargon for trying reused passwords. The first step in any such attack is to acquire credentials from past website breaches, then test these credentials on other websites. With a password manager, you can use a unique password for each site, completely denying this attack vector.

2) Phishing

This method requires a social engineering element to get a user to click a link that appears to be a site they trust (e.g. Google, their bank, etc.) and convince them to sign in. Since password managers tie saved login information to a specific origin, the lack of autofill can help clue users in to the fact that they are on a malicious doppelganger site; you may not notice you are signing in to “goog1e.com”, but you may be tipped off when Bitwarden isn’t autofilling or showing any saved logins.
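To make the origin check concrete, here is an added example (my code, not Bitwarden’s) of the decision a manager makes before offering autofill. It assumes a simplified host-or-subdomain rule plus a refusal to fill https logins into plain-http pages, which is not Bitwarden’s actual matching configuration, and uses a constructed two-entry vault.

```python
from urllib.parse import urlsplit

# Constructed sample vault: the URL each login was saved on, and its username.
# A real manager keeps this inside the encrypted vault; the dict stands in for it.
SAVED_LOGINS = {
    "https://google.com": "alice@example.com",
    "https://chase.com": "alice",
}

def parse_origin(url: str):
    """Return (scheme, host) for an http(s) URL, or None if it is not one.
    urlsplit().hostname strips any user@ prefix, so 'https://google.com@evil.example'
    yields the host 'evil.example', not 'google.com'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.scheme, parts.hostname.lower()

def host_matches(saved_host: str, page_host: str) -> bool:
    """Simplified matching rule (my assumption, not Bitwarden's configurable matcher):
    the page host must equal the saved host or be a subdomain of it, so the saved
    host has to be a suffix at a label boundary. 'goog1e.com' and
    'google.com.evil.example' both fail against 'google.com'."""
    return page_host == saved_host or page_host.endswith("." + saved_host)

def autofill_candidates(page_url: str):
    """Usernames the manager would offer on page_url; an empty list means no
    autofill, which is the cue the text describes."""
    page = parse_origin(page_url)
    if page is None:
        return []
    page_scheme, page_host = page
    offers = []
    for saved_url, username in SAVED_LOGINS.items():
        saved_scheme, saved_host = parse_origin(saved_url)
        # Never fill a login saved on https into a plain-http page (downgrade).
        if saved_scheme == "https" and page_scheme != "https":
            continue
        if host_matches(saved_host, page_host):
            offers.append(username)
    return offers

if __name__ == "__main__":
    for url in ("https://accounts.google.com/signin", "https://goog1e.com/signin",
                "https://google.com.evil.example/", "http://google.com/"):
        print(url, "->", autofill_candidates(url) or "no autofill")
```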

3) Password Spray

Similar to credential stuffing, but rather than trying known username/password pairs from compromised websites on other websites, password spray entails acquiring a list of users, then attempting to log in using a set of common passwords. A properly configured password manager will allow you to set strong, unique passwords not found on any common passwords list.

The primary risk with password managers is that the vault storing your encrypted passwords is stolen, meaning hackers can attempt to brute force your master password as discussed in the section on LastPass above. Ultimately, even with open-source development, this risk still exists for Bitwarden. However, realistically only a small fraction of your passwords are genuinely vital to keep secure and uncompromised, these being accounts like your primary and recovery email addresses, your bank accounts, and perhaps a work email.

A password manager can be used to reduce the number of complex passwords you need to remember. While password managers are typically sold as a way to reduce this number to just one (your master password), there’s no reason you can’t memorize a small set of essential passwords. This small handful of essential passwords can include accounts that must never be compromised, such as your email and bank accounts, and the rest can be kept in a password manager.

This process can be made easier by “mentally generating” passwords according to a pattern. For example, one might create their password from a short sentence or two that includes the website or account the password is for, then have the password be the first letter of each word. Throw in a couple of special characters and you have yourself a password! Take the following password as an example:

Timnp,cartmpi2023.Ilitjm,wh2v!$

Looks pretty difficult to remember, right? Well, it’s just the first letter of each word from two short sentences, including punctuation, plus a special character tacked on the end for good measure.

This is my new password, created after reading that medium post in 2023. I’m logging in to JP Morgan, which has 2 vowels!

If you type the abbreviated password out a few times while repeating the sentence in your head as you do it, you can memorize a very complex password in about five minutes with ease. Sure, hypothetically an attacker who had all of your passwords side by side might be able to figure out the pattern, but if an attacker has all of your passwords in plaintext then you have bigger issues to worry about (not to mention that hackers typically focus their efforts on specific, known to be high value accounts and/or automate the process of attacking many different accounts, so they aren’t going to be sitting there analyzing the pattern in your passwords).

Remembering many different passwords without a pattern and/or password manager can be a hassle.

There is a lot of customization that can be introduced when generating passwords this way, such as changing:

  • Which letter of each word is used (first, last, first vowel, etc.)
  • Whether punctuation is included (or substituted with other characters)
  • Whether spaces are included (such as with underscores or dashes)
  • What about the website is used in the password sentence (is it something about the website name, is it the logo color, etc.)
  • What random special characters are thrown in, or substituted in the place of letters (careful with common substitutions like @ for a)

Once you have decided on your sentence(s), numbers, and special characters, test how strong your passwords are with zxcvbn. Keep an eye on the “10B / second” guess time; you are going to want the estimate to say “centuries”.
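The scheme above, as an added example that is not from the original post: a small generator that applies the options from the list. The letter rule, punctuation handling, space substitution and sentence-case handling are my assumptions; with the defaults it reproduces the page’s own password from its two sentences.

```python
import re

# One token per word (an apostrophe keeps "I'm" as a single word), per run of
# digits (so "2023" is kept whole) or per single punctuation mark. Group 1
# captures the whitespace before the token so spaces can be substituted.
TOKEN = re.compile(r"(\s*)([A-Za-z]+(?:['’][A-Za-z]+)?|\d+|[^\w\s])")

def pick_letter(word: str, rule: str) -> str:
    """Which letter of a word goes into the password: first, last or first vowel."""
    if rule == "first":
        return word[0]
    if rule == "last":
        return word[-1]
    if rule == "first_vowel":
        vowels = [ch for ch in word if ch.lower() in "aeiou"]
        return vowels[0] if vowels else word[0]   # no vowel: fall back to first letter
    raise ValueError(f"unknown letter rule: {rule!r}")

def mnemonic_password(sentence, rule="first", keep_punct=True, space="",
                      sentence_case=True, suffix=""):
    """Derive a password from a memorable sentence (an assumed implementation of
    the page's scheme). sentence_case=True capitalises only the letter taken from
    the first word of each sentence, which is what the page's example does."""
    out = []
    at_sentence_start = True
    for ws, tok in TOKEN.findall(sentence):
        if ws and out:
            out.append(space)            # "" drops spaces; "_" or "-" keeps them visible
        if tok.isdigit():
            out.append(tok)
        elif tok[0].isalpha():
            ch = pick_letter(tok, rule)
            if sentence_case:
                ch = ch.upper() if at_sentence_start else ch.lower()
            out.append(ch)
            at_sentence_start = False
        elif keep_punct:
            out.append(tok)
        if tok in ".!?":
            at_sentence_start = True
    return "".join(out) + suffix

if __name__ == "__main__":
    page_sentences = ("This is my new password, created after reading that medium "
                      "post in 2023. I'm logging in to JP Morgan, which has 2 vowels!")
    print(mnemonic_password(page_sentences, suffix="$"))   # Timnp,cartmpi2023.Ilitjm,wh2v!$
```

The result is only as strong as the sentence is unpredictable, so run the output through zxcvbn as the text suggests rather than trusting its length.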

Using this method, you can create a couple of ludicrously strong but easy to remember passwords to be used for crucial accounts like your email, bank, and Bitwarden master password, and then sleep easy knowing that even if your Bitwarden vault is stolen, not only will it be computationally infeasible for attackers to gain access to its contents, but that your most important accounts will be safe regardless.

Migration Process

To begin, you will need to export your data from LastPass. From the sidebar, select the “Advanced Options” item, then in the submenu section “Manage Your Vault” there should be an option titled “Export”. After clicking this, you may see a prompt that requires you to confirm the export in your email. Once completed, save the resulting .csv file somewhere safe (you will delete it later anyway).

To export from LastPass, click on advanced options, then export.

Once you have downloaded the .csv export file, navigate to Bitwarden’s website and register for a new account. Depending on how you plan to use Bitwarden, you may also want to download their browser extension.

Once you’ve set up your Bitwarden account, it is time to import all of your credentials. Navigate to your vault, click on “Tools” from the navigation bar, then select “Import data”. The only option you need to change before uploading the .csv file is “File format” which should be set to “LastPass”.

Once you’ve successfully imported, delete the local .csv file from your computer. There are a couple of errors you might encounter during the import process, for which troubleshooting information can be found here.

Use the default options other than file format, then select the import file.

Given both the LastPass team’s lack of transparency around their retention policy and the fact that they’ve demonstrated that their communications aren’t to be trusted anyway, the next step I’d recommend would be to first change and then subsequently delete every credential entry stored in your LastPass vault.

You are going to want to delete the account following this anyway, but changing and deleting your vault contents might help in the event that LastPass holds on to your data post-deletion and then gets hacked again. Regardless, the LastPass account deletion process can be initiated at this link.

Furthermore, if you had passwords stored in your LastPass vault prior to the November 2022 breach, you should take this opportunity to change the passwords for (at least) your most important accounts, if not all of them. Don’t update the passwords in your LastPass vault; update them only in Bitwarden.
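Before deleting the export, it helps to know which entries share a password, since those are the ones to rotate first. The following added example (not part of the post) reads a constructed file in the LastPass CSV layout; the header line and the “http://sn” convention for secure notes are my assumptions, so check them against the first lines of your real export. It reports reuse by entry name and never prints a password.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the LastPass CSV export layout (assumed header; compare it
# with the first line of your own export). All values are made up.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://accounts.google.com,alice@example.com,correct horse battery staple,,,Google,Personal,1
https://www.chase.com,alice,Tr0ub4dor&3,,,Chase,Finance,0
https://forum.example.net,alice,Tr0ub4dor&3,,"has
newline",Example Forum,Misc,0
https://shop.example.org,alice@example.com,Tr0ub4dor&3,,,Shop,Misc,0
http://old.example.com,alice,summer2019,,,Old Site,Misc,0
http://sn,,,,"Secure note body",My Note,Misc,0
"""

def load_entries(csv_text: str):
    """Parse an export, skipping secure notes (assumed url 'http://sn') and rows
    with no password. The csv module handles the quoted newline in 'extra'."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r.get("url") != "http://sn" and r.get("password")]

def reuse_groups(entries):
    """Groups of entry names that share one password, so the report is safe to print."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    return sorted(names for names in by_password.values() if len(names) > 1)

def plain_http_entries(entries):
    """Entries saved on a plain-http URL: the site may send the password unencrypted."""
    return sorted(e["name"] for e in entries if e["url"].startswith("http://"))

def rotation_plan(csv_text: str):
    """Summary a user can act on before deleting the export and the LastPass vault."""
    entries = load_entries(csv_text)
    return {
        "entries": len(entries),
        "unique_passwords": len({e["password"] for e in entries}),
        "reused": reuse_groups(entries),
        "plain_http": plain_http_entries(entries),
    }

if __name__ == "__main__":
    for key, value in rotation_plan(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```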

Congratulations! You’ve successfully migrated from LastPass to Bitwarden and protected yourself from the fallout of the November 2022 hack. There are a few more action items on the agenda, but these are optional:

  • Set up 2FA for your Bitwarden account for extra security
  • Request LastPass purge all your account data (link)
  • Rate LastPass one star on your browser’s extensions store (chrome, firefox)
  • Finish changing all account passwords (if you didn’t already)

The internet is rife with scams, tricks, and traps that can only be avoided through sound security practice. In following this tutorial you have taken a significant step towards ensuring your online safety, but the fight against malicious actors online is never-ending. Stay safe out there!


Stefan Todoran

Hey there, I'm Stefan! Currently I'm an Applied Scientist at UiPath, and I'm also doing computer vision research with a geoscience + AI/ML lab called GeoSMART.