A brief history

LastPass was my password manager of choice for close to 15 years. I really, really liked the convenience and ease of use it provides. Even after the acquisition by LogMeIn I continued using it. Then, as it is often the case they were breached. To be fair LastPass was, and is being very transparent about it.

At first, I wasn’t too worried, as LastPass said the breach was on a development environment and no data was actually extracted. Then things got worse, data was actually extracted: the encrypted backups of the password vaults. Now, passwords are still encrypted, but website urls were not. A determined adversary can brute-force the master password and decrypt the vault. This was my breaking point, and it was when I decided to switch to something more secure.

At first, I considered self-hosting my own instance of a password manager. I really liked Psono and Passbolt.

Psono seems good, but it’s a bit too much for me. I don’t need all the features offered, and the UI does need a bit of work in my opinion.

I like the Look & Feel of Passbolt, but it’s not open source, and the CE edition does need a bit more features for it to be a viable solution for me. It has no mobile apps (they are on the roadmap). Besides, MFA is going to be offered as a pro feature, which I believe is not a good choice for a product focused on security.

In any case, I was willing to compromise, and the features offered by each are pretty good. Both offer end-to-end encryption, browser extensions, secure notes, and a good enough user experience. Both require at least 2 CPU cores and 2 GB of RAM to run smoothly. Which, if you do the math, means paying $168 USD yearly for a single comparable Droplet, or ~$260 USD if you include automated backups.

For me this was just too expensive. I live in a country where the USD exchange rate has increased ~20% in a year, and it’s expected to get worse. I needed a cheaper alternative.

Exchange Rate

To the moon

Enter Bitwarden, this is an open source password vault with similar feature parity to LastPass. It is available as a browser extension for web browsers like Chrome, Firefox, and Safari, as well as a standalone app for iOS and Android. It also has two-factor authentication and end-to-end encryption of stored data.

In my case I opted for their paid cloud offering, which is cheaper than LastPass at $10 USD per year (vs $30+ for LastPass, or $250+ for a self-hosted instance). I also don’t need to worry about having to manage and secure my own deployment. It’s a sore dick deal.

If I ever want to go self-hosted there is the option of using Vaultwarden, a lighter version of the full-fledged Bitwarden server and Web UI. It includes all the paid features I am already enjoying, so the move to self-hosted wouldn’t be too bad.

Transitioning

Now, the process of moving from LastPass wasn’t that hard, although it was a bit tedious. Bitwarden supports importing data from a variety of sources, including LastPass.

The process is explained in great detail by this guide. You have to be careful if you have any attachments, as these will not be exported. You have to import them manually.

The import process actually recreates all the folders, secure notes, identities and credit cards from LastPass. I didn’t have to move anything.

Now delete the LastPass exported CSV, as all your passwords will be stored in plain text.

LastPass Authenticator to Bitwarden Authenticator

Now, I also used LastPass Authenticator and there is no official way to export this data. Fortunately there is an unofficial way to regenerate a QR for each entry in the LastPass Authenticator: this.

Disclaimer: The following process requires a paid Bitwarden account or a self-hosted instance. You will also need to be comfortable around a command prompt.

If you’re using Windows I recommend installing Windows Subsystem for Linux (WSL) using the steps from this guide. It only requires executing one command in CMD or PowerShell and restarting.

Then, install a distribution from the Microsoft Store. I used Ubuntu, as it is one of the simpler Linux Distros to use. You must set a user and a password on first login.

Next, install the requisites for the tool by executing the following command in the WSL command prompt:

sudo apt-get install -y git python3 python3-pip

It will ask for the password you must have created when first opening the WSL command prompt.

Then you must download and execute the code from this repository, using the following commands in the same WSL console:

git clone https://github.com/dmaasland/lastpass-authenticator-export
cd lastpass-authenticator-export
pip install -r requirements.txt
# Replace the email with your email, and input the OTP code for your LastPass account
python lastpass-authenticator-export.py -u <your-last-pass-email> -o <last-pass-otp>

The last command will ask for your LastPass master password and export all your registered MFA codes into the export folder inside the lastpass-authenticator-export one. It will create an HTML page you can open with any web browser.

If you are using WSL, as I had, you can open the file via the Windows explorer. Just search for the Linux entry in the sidebar, and navigate to where you executed the commands. Usually it will be something like Linux/Ubuntu/home/<user>/lastpass-authenticator-export if you didn’t cd to another directory for the export.

The page will have QR codes for each of the exported entries, which you will have to re-scan with the Bitwarden mobile app. You can download it here. The process is explained in this guide.

This is the tedious part, as you must scan each entry manually. I had around 40 apps with 2FA enabled, which took me around 30 minutes to scan.

I would say that this was worth it for a single reason: the MFA codes can be copied directly from the web browser extension. The convenience of not needing to have my phone at hand everytime I need to access one of the sites is amazing.

After this, the migration is complete. I went for the nuclear option and completely deleted my LastPass account, and changed the password of my most used and sensitive services. You may not want to do this, although I do recommend it.

At this point don’t forget to delete the export folder.

Self-Hosting

If you want to self-host any of the aforementioned solutions, all the developers have excellent resources available online. To be fair, this section is more for me to reference later if I decide to self-host, it’s not a detailed guide.

Vaultwarden

For Vaultwarden the git repo Wiki has excellent articles for installing using Docker, and how to harden your deployment.

There is also an excellent post, that explains how to self-host Vaultwarden on Google Cloud for free. You must have an existing domain though.

Psono

Psono is a more enterprise solution, so it has a complex architecture. The manual deployment guide is here, but they have a quickstart that can be modified to be “production” ready.

Passbolt

Passbolt also has excellent instructions on how to install in a variety of systems. Including a DigitalOcean App to deploy your instance in one click.