I just did the migration (to 1Password though, sorry the lack of tags is very bad for organization), 6-year-old customer.
Key points:
- Refresh the website list from the extension before starting, ideally clear the extension cache first (will sign out)
- export from the extension
- attachments and password history are not exported
- there is a lastpass-cli that will help you export attachments
- there is a hacked together PR from myself that will help you export the password history
The import worked very well in 1password aside from attachments/history.
What I did though was tag all my passwords with "lp-breach-aug-2022" and then as I go through them and change them, I remove the tag.
To perform a LastPass migration, there are 4 phases involved:
1. Export passwords
2. Export attachments
3. Export password history
4. Export form fills (THIS IS NOT POSSIBLE FROM MY UNDERSTANDING, form fills also appear to not be encrypted?!)
# 1. Export passwords
In the extension, go to Account Options -> Advanced -> Clear Local Cache, this WILL LOG YOU OUT.
Then, log in and go to Account Options -> Advanced -> Refresh Sites, this will update your local cache.
Finally, begin the export process and follow the instructions, make sure to USE THE EXTENSION (not the website): Account Options -> Advanced -> Export -> LastPass CSV file.
When saving the CSV, do not copy-paste the content of the HTML manually, instead use the popup to download the file that LastPass provides. You might need to allow popups for the LastPass extension the first time you perform the export, then perform another one to get the popup.
# 2. Export attachments
Use lastpass-cli to export attachments. A script is provided in version 1.3.4: https://github.com/lastpass/lastpass-cli/blob/v1.3.4/contrib...
Keep in mind that the script works also on version 1.3.3, which is the one provided pre-compiled by Ubuntu, you just have to copy-paste the script to your local machine.
# 3. Export password history
This is not possible natively. You can use my modified PR, but it's not trivial: bash knowledge and familiarity with C syntax are expected: https://github.com/lastpass/lastpass-cli/issues/245#issuecom...
Keep in mind that YOU SHOULD AUDIT THE SOURCE CODE, I modified an existing PR and it's hacked together, I brought it only to where I needed it to, to get the password history out for my specific use-case.
# 4. Export form fills
Unsupported from my understanding
# Conclusion
Tag the items or mark them in your new password manager with something to remind you that they were breached on LastPass in August 2022 and remove such mark when you change their password.
Awesome work on the password history export, thanks a lot!
I audited the code to the best of my ability and it doesn't look like it's malicious, but I certainly could've missed something, so to anyone who's thinking about using this, it works, but do your due diligence.
I ran into this before, actually. As of about a year ago, Lastpass partially used cached data to generate some portion of exported data, but that cache is not diligently kept up to date.
No, not true. I'm using 1Password and while I like it, there are a few things LastPass got right where it even beats 1Password.
The one on top of my mind is that you can unlock LastPass with a PIN. My wife has a phone with a glass cover (to protect it from the children), which "broke" fingerprint unlock.
She's required to type the full password every time to unlock it, which is particularly hard on a phone (long password).
On top of that, the LastPass app (phone) had the option to "force" autofill from a notification. For some apps where the popup never really shows up with 1Password, I was able to force it using LastPass and then fill. With 1Password the only option is to go to the app and copy-paste.
Those are not game-breaking though, given the many, many bugs that LastPass (app on phone) had, the most annoying was: open the autofill and when searching, just no result shows up. This made the autofill useless a good chunk of the time.
On top of that, the LastPass EXTENSION (Chrome) has the option of choosing between sharing states between browser profiles or not sharing states between browser profiles. This is very useful in my case, because my wife has a Chrome profile under my OS user, but we can still have 2 different LastPass "logins".
From this perspective, 1Password is actually entirely broken: if you log in to the native application (which is basically required for decent functionality), you are not allowed to log in to 2 different 1Password profiles through the Chrome extension unless they are on different URLs (e.g. mycompany.1password.com vs 1password.ca).
Finally, LastPass was consistent: web, extension and app had the same capabilities.
1Password is highly inconsistent, where the native app has more capabilities than all of them, the extension has no edit capabilities but has better read capabilities than the web version and the web version has a mix of edit and read capabilities. For example, the native app can "batch add tag", but the web cannot do that.
TBH it was more of a throw-away sarcastic outburst, an exclamation, an out-breath, than a genuine question. And also based mainly on the security side of things. I didn't make that clear, however, so I apologise for leading you into expending so much effort on your excellent reply.
All good, appreciate the apology, I'm bad at reading sarcasm, sorry!
And I'm very angry at LastPass too.
To be fair, the thing I'm the most angry about at LastPass is how the product felt completely stale. I remember signing up 6 years ago and there has been no change at all across the board. Bugs, issues, improvements, NOTHING.
They could have avoided all this, they just didn't.
>What I did though was tag all my passwords with "lp-breach-aug-2022" and then as I go through them and change them, I remove the tag
How did you add the tag, or is it obvious in the UI? I've never used 1Password before but think I'm gonna land there instead of Bitwarden, and I like this idea.
So, keep in mind that 1Password works in a "weird way": you are expected to have the native app installed.
The web portion has *less edit capabilities* than the native app.
You should have the extension and the native app installed at the same time, the extension should connect to the native app (and share login).
In the native app you can click on one item and then hold shift or control (Windows) to select multiple items, then you literally drag them on the tag on the left.
It will feel laggy a few seconds if you tag 1000 items like I did and it might not work perfectly, so double check that all the items got tagged.
To do that check, you have to: click on the tag, then scroll to the end. It will tell you the count of all the items for that tag.
Repeat the "bulk tagging" until the count is what you expect.
Do notice that if you click on one item and then hold shift and click on the item at the end of the list, it will select all of them, so this process is pretty fast. I had to do only 2 tries before all of the items got the tag.
EDIT: You must have added the tag to at least 1 item manually for the tag to show up in the sidebar. To do that just press "edit" on the item and at the bottom there is a "tags" field, you can add one.
In the web version, you just type tags and separate them by commas. The native version has way better control.
Secret about tags: if your tag is named `foo/bar` it will represent them in a tree-like structure in the native app, so `foo` -> `bar`.
> I discovered that every time you click "export" in lastpass, the export accumulates a copy of the vault. My second export had 2x of everything in it, 3x for third, etc.
WTF
> I see the features in 1Password and I almost cannot forgive myself for holding onto Lastpass for such a long time.
The export process was the thing that mainly held me.
There was also an issue where 1Password would not work properly with a Work Profile on Android if you ALSO had a non-work-profile version of the app, which translated to "if you use 1password at work and in your personal life and you have a Work Profile, you cannot use 1password inside the work profile (it must be outside)"
In the end, this is just a bag of passwords, so as long as it's keeping things safe, it should be acceptable.
It didn't.
And it also doubled the price without giving any software improvement over the years, which is very bad.
>So, keep in mind that 1Password works in a "weird way": you are expected to have the native app installed.
I like this design a lot. LastPass _used_ to work like this ages ago.
>You must have added the tag to at least 1 item manually for the tag to show up in the sidebar.
I did get stuck here for a minute but was able to get it set up. Thank you!
I discovered that every time you click "export" in lastpass, the export accumulates a copy of the vault. My second export had 2x of everything in it, 3x for third, etc.
I see the features in 1Password and I almost cannot forgive myself for holding onto Lastpass for such a long time.
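A check to run on the exported CSV before importing it, covering two failure modes raised in this thread: content copied from the HTML page instead of downloaded, and exports that accumulate copies of the vault. This is an added example, not code from any poster or from LastPass; the column layout in `FIELDS` and the sample rows are assumptions constructed for illustration.

```python
import csv
import html
import io
from collections import Counter

# Assumed column layout of a LastPass CSV export; adjust if your header differs.
FIELDS = ["url", "username", "password", "totp", "extra", "name", "grouping", "fav"]

# Constructed sample, not real data: one entry exported twice, with HTML
# entities in its password, plus a multi-line secure note.
SAMPLE = """\
url,username,password,totp,extra,name,grouping,fav
https://example.com,alice,p&amp;ss&lt;1,,,Example,Web,0
https://bank.example,alice,Tr0ub4dor&3,,,Bank,Finance,1
https://example.com,alice,p&amp;ss&lt;1,,,Example,Web,0
http://sn,,,,"line1
line2",Secure note,Notes,0
"""


def audit_export(text):
    """Return (report, unique_rows) without ever echoing a secret value."""
    reader = csv.DictReader(io.StringIO(text, newline=""))
    if reader.fieldnames != FIELDS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    rows = [tuple(r[f] or "" for f in FIELDS) for r in reader]
    counts = Counter(rows)
    unique_rows = list(counts)  # first-seen order, exact duplicates dropped
    name_idx = FIELDS.index("name")
    # A field that changes under html.unescape() probably came from copying
    # the HTML page; a password that really contains "&amp;" also lands here,
    # so treat the list as entries to check by hand.
    suspects = [r[name_idx] for r in unique_rows
                if any(html.unescape(v) != v for v in r)]
    report = {
        "rows": len(rows),
        "unique": len(unique_rows),
        "max_copies": max(counts.values(), default=0),
        "entity_suspects": suspects,
    }
    return report, unique_rows


if __name__ == "__main__":
    print(audit_export(SAMPLE)[0])
```

The report lists entry names only, so it can be kept in notes; the export file itself holds every password in plaintext and should be deleted once the import has been verified.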