Good password hygiene is something we talk about a lot, and when we do, we usually recommend that readers adopt a password manager to safely create and store complex passwords. Historically, LastPass has been our go-to recommendation, thanks to its comparatively robust free tier, but it is with a heavy heart that we must rescind this endorsement.
Don’t just educate: Create cyber-safe behaviour
Designing effective security awareness and training programmes
LogMeIn, LastPass’ parent company, has announced that from 16 March 2021, users on the service’s free tier will no longer have unlimited access to their stored passwords on both desktop and mobile devices. Instead, you will only be able to view and manage passwords on either desktop or mobile; from 16 March, users will be asked to pick which platform they want to use to access their password vaults and will be locked out of the other.
Users will be able to switch their active device type from one to the other, but they can only do so a maximum of three times - after that, they’ll have to subscribe to one of LastPass’ paid tiers in order to access their passwords on both platforms. Users will still be able to use unlimited devices of the same type to access their vault, however.
Under the new rules, mobile devices include iOS, iPadOS, Android devices and smartwatches, while ‘computers’ covers Windows, macOS and Linux desktops and laptops, as well as Windows tablets and any implementation of the LastPass browser extension.
LastPass has stated that users won’t lose access to any of their saved passwords, form fills, notes or other data (regardless of what kind of device they initially registered it on), but the company is cutting off email support for non-paying customers, leaving them to rely on the resources in its online support centre.
LastPass’s Premium and Family subscriptions start at £2.60 and £3.40 per month, respectively, and include additional features such as expanded multifactor authentication support, dark web monitoring and improved password sharing.
If, however, you wish to leave LastPass and migrate to a different password manager, it’s thankfully easy to do so without having to re-enrol your credentials individually. LastPass includes a mechanism for exporting all of the data within your vault, which can then be imported into a variety of alternative services with minimal fuss.
Export your passwords from LastPass
We’ll start by removing a copy of our data from LastPass, which is best done on desktop. The first step is to open your LastPass Vault, then click the ‘Advanced Options’ tab in the lower left. Click ‘Export’, and LastPass will download a CSV file to your PC containing a complete record of all the passwords stored in it.
You can open this in any spreadsheet programme (or in Notepad if you don’t have one installed) and you may want to double-check that all of your data has been accurately downloaded.
Set up your new password manager account
Now that you’ve got all of your passwords, you’ll need to pick which service to import them into. For this example, we’ll be focusing on Bitwarden (which offers a similar level of service to LastPass’ free tier prior to the new changes) but services such as KeePass, 1Password, Dashlane and more all support similar data import mechanisms.
Once you’ve selected a new password manager, you’ll want to set up your account and choose a master password. It’s more secure to select an entirely new password, but you can also reuse the same master password from your LastPass account (assuming it hasn’t been leaked anywhere) since we’ll be deleting the original LastPass account at the end of this process.
Import your passwords to your new password manager
Once your new account is good to go, log into Bitwarden’s web vault and navigate to the tools tab in the top menu. Select ‘Import Data’, followed by ‘LastPass (csv)’ on the resulting dropdown. Select the file we downloaded from LastPass, and click ‘Import Data’. Your new password manager should now be fully stocked with all of the data from your previous LastPass vault - including secure notes, identities and more - allowing you to pick up immediately where you left off.
We’re not quite finished, however. With the migration complete, there’s a bit of security housekeeping to do. First of all, you’ll want to securely delete the .csv file you exported from LastPass; this is a complete record of all your stored password data, so you don’t want it lying around on your hard drive for nefarious hackers to stumble onto.
Finally, you should delete your LastPass account. Having two separate vaults with all of your credentials in them increases the potential risk that cyber criminals could somehow gain access to them, so shutting one of them down is the safest course of action. Head to lastpass.com/delete_account.php, click ‘Delete’ and follow the instructions. Note that this is irreversible, so be sure that you’re happy with the state of your imported data in your new password manager before you take the plunge.
