⚠️ LastPass recently experienced a security breach that resulted in all customers’ vault data being stolen (most sensitive data encrypted but some less sensitive data unencrypted). This guide is intended to help LastPass users to migrate to a much better password manager, 1Password, while also protecting their online accounts that are now at an increased risk of being compromised.
- Install 1Password 8 app on Mac or Windows computer
- Install 1Password Chrome extension on computer
- Install 1Password 8 iPhone / iPad app on all iPhones and iPads
- Make sure you have the latest software update installed!
ℹ️ Use this link for 50% off your first year of a new 1Password Families account for you and 5 other people (thanks, Troy Hunt!)
- Create 1Password account (more info about each plan option here)
- Use a totally different master password from the one you used with LastPass
- Set up two-factor authentication on 1Password account
- Use “Security Key” option if you're able to
- Print 1Password Emergency Kit, write down password on it, and store in fireproof safe (or somewhere else that’s physically secure)
- Delete Emergency Kit PDF and empty Recycle Bin / Trash to permanently delete it
- Export LastPass data to CSV file
- Import LastPass file into 1Password
- Move LastPass file to Recycle Bin / Trash and empty it to permanently delete it
ℹ️ Try using 1Password Watchtower to home in on which of your accounts are most at risk.
Advanced users may want to check out this account hardening guide for additional steps to take to secure your online accounts.
- Use 1Password to change all passwords that were stored in LastPass
- It can help to use the list of items displayed in your LastPass account as a sort of “checklist” where you delete each account after you’ve finished changing its password until nothing is left
- Enable two-factor authentication on all accounts that do not have it (this will protect your accounts going forward regardless of how a password of yours gets stolen)
- Permanently delete all items from LastPass account
- Delete / close LastPass account
- Change 1Password master password (in the event the people who breached LastPass end up guessing your LastPass master password)
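The Watchtower tip above and the "checklist" approach to changing passwords and enabling 2FA can also be done from the CSV export itself. The following is an added example, not code from the original post or from either vendor; it assumes the LastPass export uses the column layout `url,username,password,totp,extra,name,grouping,fav` and works on a constructed sample with made-up credentials. It groups entries by a hash of the password (so reused passwords surface without being printed), flags entries that have no TOTP secret stored, and orders the checklist so the riskiest accounts are rotated first.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the assumed LastPass CSV export layout; all values are made up.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com/login,alice@example.com,Winter2021!,,,Email,Personal,1
https://bank.example.net/,alice,Winter2021!,otpauth://totp/bank?secret=EXAMPLE,,Bank,Finance,1
https://shop.example.org/account,alice@example.com,hunter2,,,Shop,Shopping,0
https://forum.example.org/,alice99,correct-horse-battery,,,Forum,Personal,0
"""

def _fingerprint(password: str) -> str:
    """Short hash used only to group equal passwords without ever printing them."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]

def triage_lastpass_export(csv_text: str) -> dict:
    """Per entry name: site host, whether a TOTP secret is stored (2FA already on),
    and which other entries share the same password. Clear-text passwords stay here."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_fp = defaultdict(list)
    for row in rows:
        by_fp[_fingerprint(row["password"])].append(row["name"])
    checklist = {}
    for row in rows:
        fp = _fingerprint(row["password"])
        checklist[row["name"]] = {
            "host": urlparse(row["url"]).hostname or row["url"],
            "has_totp": bool(row["totp"].strip()),
            "reused_with": sorted(n for n in by_fp[fp] if n != row["name"]),
        }
    return checklist

def rotation_order(checklist: dict) -> list:
    """Checklist order: reused passwords first, then accounts without 2FA, then by name."""
    def priority(item):
        name, info = item
        return (-len(info["reused_with"]), info["has_totp"], name)
    return [name for name, _ in sorted(checklist.items(), key=priority)]

if __name__ == "__main__":
    checklist = triage_lastpass_export(SAMPLE_EXPORT)
    for name in rotation_order(checklist):
        info = checklist[name]
        flags = [f"reused with {', '.join(info['reused_with'])}"] if info["reused_with"] else []
        if not info["has_totp"]:
            flags.append("no TOTP stored: enable 2FA")
        print(f"{name} ({info['host']}): {'; '.join(flags) or 'unique password, 2FA on'}")
```

Run it against your real export only on the machine the file already sits on, and delete the export afterwards as the steps above describe.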
Jeremi Gosney wrote a brilliant post on infosec.exchange laying out a variety of reasons to move off LastPass.
- He also wrote another brilliant post breaking down how easily (or not) an attacker could brute force guess LastPass master passwords. Your threat model may vary!
"I’ve been using LastPass and I’m pretty sure my master password is secure enough such that it won’t be cracked anytime soon. Do I really need to bother with changing my passwords that are stored in LastPass?"
I think the better question to ask is “by when should I have changed my passwords that are stored in LastPass?”. Whoever took all of this encrypted vault data is probably going to hold onto it for…ever. And they’ll likely share it, either by selling it on the black market or, if they’re a nation-state actor, by sharing it with allied nation-states. Thanks to Moore’s Law, computing power continues to increase, become more cost effective, and become more widely available. So imagine how much cheaper and faster it will be for attackers to crack your master password in a few years’ time.
- And let’s not forget about practical quantum computing being on the horizon and the threat that poses to breaking a vast majority of in-use encryption algorithms today. I’m not kidding.
My recommendation to move to 1Password is based on a few reasons:
- 1Password's security model is stronger than LastPass', especially in light of this incident that puts customers' data at risk of offline brute-force attacks. 1Password has long incorporated a Secret Key to protect customer data from offline brute-force attacks. Even if your 1Password master password is a single character long, the Secret Key acts as an "extension" of your password with 26 randomly generated alphanumeric characters.
- 1Password is solely focused on building password/secrets management software. That puts them in a better position to be laser focused on keeping their security model up-to-date given an ever-changing threat landscape.
- They've been consistently focused on creating a really polished UI and UX for years now, something that LastPass always struggled with and was potentially a sign of poorer quality control in their software in general.
- From both a security model perspective and a UI/UX perspective, I personally think 1Password has an edge over BitWarden (sorry, BitWarden die-hard fans). I think BitWarden has solid tech, and I recommend using them in tandem with 1Password for folks who are looking to max out the security of their password manager setup. But it doesn’t make the cut for me as a primary password manager, especially for non-technical folks where UI/UX matters a lot more (my parents will attest to this endlessly).