The LastPass Security Incident, What I Did
After finding out that there might have been a security breach at LastPass, a company known for their online password management solution, I quickly changed my master password and started to think about possible consequences.
For some time now, I had been thinking about switching to an offline password management solution. Not necessarily because I think that online password managers are inherently less secure, but because it gives me more control over my passwords.
I therefore made the decision to migrate all my LastPass account information to KeePass, a free password management software. But simply migrating the data was not enough. If someone did actually manage to steal data from LastPass servers, they might have all my login accounts by now. The chance is slim, especially if you take into account what LastPass has communicated so far, but since I earn my living on the web I wanted to be on the safe side here.
So I decided to change all my account passwords after the migration. I knew that this would not be easy, with 500+ accounts listed in the LastPass database.
This guide explains how I imported my LastPass login database to KeePass, and how to change all your account passwords in record-breaking time. Don't get me wrong, you will still spend hours and hours doing repetitive, boring tasks.
Exporting LastPass database
The first task is to export the LastPass database. The information within acts as a reference, so that you know how far you got with changing your account passwords. Open the LastPass website and click Sign In to LastPass to log into your account.
Once you are logged in select Export and enter your account's master password again.
LastPass outputs all of your account information in one large list. Select all with Ctrl-a, and then Ctrl-c to copy the information to the clipboard. Save it in a text file on the local system. The list contains all URLs, usernames, passwords and other information that you have stored in LastPass's password manager.
Importing Passwords Into KeePass
Download the latest version of KeePass from the developer website. Please note that it is only available for Windows and many mobile devices. I have installed the password manager on an encrypted hard drive for extra protection.
Start KeePass after installation or extraction and select File > Import from the menubar. Select Generic CSV Importer from the options and load the text document with your account information. A click on OK imports the data into KeePass.
Please note that the URL is added as the title of each individual password, which is not a big problem. The URL field is left blank, which we will use soon.
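The import above leaves the URL in the title and the URL field empty, because the exported text is loaded as-is. If you would rather fix that before importing, a small conversion script can rewrite the export so the site name becomes the title and the URL lands in its own field. The following is an added example, not part of the original article and not LastPass or KeePass code; the column layout of the sample export (url, username, password, extra, name, grouping, fav) is an assumption, so compare it against the header line of your own export first.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed sample export. The column layout is an assumption about the
# LastPass CSV format; check the first line of your own export before use.
SAMPLE_EXPORT = """url,username,password,extra,name,grouping,fav
https://mail.example.com/login,alice,OldPass123,,Example Mail,emails,0
https://bank.example.net/,alice.smith,Secret!42,"note with, comma",Example Bank,financial,1
https://shop.example.org/account,bob,pw-for-shop,,,shopping,0
"""

# Field names used for the output; with the Generic CSV Importer you map the
# columns yourself in the import dialog, so this order is only a convention.
KEEPASS_FIELDS = ["Group", "Title", "Username", "Password", "URL", "Notes"]


def convert_export(export_text):
    """Parse a LastPass-style export and return one dict per login entry,
    keyed by KEEPASS_FIELDS. The URL stays in its own field instead of
    becoming the title; rows without a URL are skipped."""
    reader = csv.DictReader(io.StringIO(export_text))
    entries = []
    for rec in reader:
        url = (rec.get("url") or "").strip()
        if not url:
            continue
        name = (rec.get("name") or "").strip()
        # Fall back to the host name when no site name was stored.
        title = name or urlparse(url).hostname or url
        entries.append({
            "Group": rec.get("grouping") or "",
            "Title": title,
            "Username": rec.get("username") or "",
            "Password": rec.get("password") or "",
            "URL": url,
            "Notes": rec.get("extra") or "",
        })
    return entries


def to_keepass_csv(entries):
    """Serialize entries as CSV text for the Generic CSV Importer.
    Every field is quoted so commas inside notes survive the round trip."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=KEEPASS_FIELDS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(entries)
    return out.getvalue()


if __name__ == "__main__":
    # Redirect this into a file on encrypted storage and delete it after the
    # import succeeds: it contains every password in cleartext.
    print(to_keepass_csv(convert_export(SAMPLE_EXPORT)), end="")
```

The converted file is as sensitive as the original export, so treat it the same way: keep it on the encrypted drive and remove it once KeePass holds the data.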
Changing Passwords With KeePass
Now that you have all your LastPass passwords in KeePass it is time to change all of them. Here are a few tips to get you started with that:
- Disable the LastPass add-on in your browser. If you do not do this, you will get a "we noticed a password change" prompt all the time.
- A big screen helps you. I had Firefox open in one half, KeePass and the password list in the other, which meant that I had all information visible on screen all the time.
- Move all "Generated Passwords" entries to the old group.
- Create password groups to sort passwords into. You can create new groups with a click on Edit > Add Group, or a right-click and Add Group.
- Start with your email accounts. Why? Because if they get compromised they may be used to reset passwords that you have just changed. Create a new group emails and change them right away.
- Now think about your most important accounts, e.g. financial, web hosting, shopping. Change those after you have changed the email accounts.
- Open a blank text document and use Tools > Generate Password List to generate a list of secure passwords. I suggest 20+ characters including upper- and lower-case, digits, minus and underline. You may add some special characters to it that are often allowed, for instance !?%&. Copy paste the full list into the text document. You will work through the list when you change accounts.
- Never use the same password for more than one account.
- If you are a webmaster, you may have access to multiple accounts from one admin interface. For many WordPress sites, I have an admin account and an author account which both needed changing. To speed things up, you can log in with the admin, change the admin account first, and then change the author account while still logged in as the admin. The same is true for web hosting accounts if you host multiple domains and websites under that account.
- To keep track of things, I always added the url to accounts that I have changed the password for. I also moved those accounts to an appropriate group. This way, it was easier to keep track of the password changing progress.
The biggest drawbacks that you will encounter are sites that limit the number of password characters. I encountered more than one site that only accepted six characters in total. That's crazy.
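KeePass's own Tools > Generate Password List does this job, but the rules in the tip above (20+ characters, upper- and lower-case, digits, minus and underline, optionally !?%&) and the "never reuse a password" rule are easy to check in code, and a generator with a length parameter also covers the sites that cap passwords at six characters. The following is an added example written for this page, not KeePass code and not the author's script; it draws from the operating system's CSPRNG via Python's secrets module and retries until every required character class is present.

```python
import secrets
import string

# Character classes from the article's suggestion: upper- and lower-case,
# digits, minus and underline, plus a few widely accepted specials.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "dash": "-_",
    "special": "!?%&",
}


def missing_classes(password, specials=True):
    """Names of the required classes that `password` does not contain."""
    wanted = [k for k in CLASSES if specials or k != "special"]
    return [k for k in wanted if not any(c in CLASSES[k] for c in password)]


def generate_password(length=20, specials=True):
    """One random password drawn with secrets (OS CSPRNG), retried until
    every required class appears at least once."""
    wanted = [k for k in CLASSES if specials or k != "special"]
    if length < len(wanted):
        raise ValueError("length %d cannot cover %d character classes"
                         % (length, len(wanted)))
    alphabet = "".join(CLASSES[k] for k in wanted)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not missing_classes(candidate, specials):
            return candidate


def generate_password_list(count=50, length=20, specials=True):
    """`count` distinct passwords, one per account, so none is reused."""
    passwords = []
    seen = set()
    while len(passwords) < count:
        pw = generate_password(length, specials)
        if pw not in seen:  # collisions are vanishingly unlikely, but cheap to exclude
            seen.add(pw)
            passwords.append(pw)
    return passwords


if __name__ == "__main__":
    # Paste this output into the scratch text file you work through.
    for pw in generate_password_list(count=50, length=24):
        print(pw)
    # For a site that only accepts six characters, shorten the length and
    # drop the specials rather than reusing another account's password.
    print(generate_password(length=6, specials=False))
```

A six-character password generated this way is still weak, which is the site's limitation, not yours; the point is that it is unique to that site, so a leak there does not open any other account.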
My routine looked like the following:
- Double-click the next entry in the KeePass database, copy the URL, paste it into the web browser.
- While it is loading, copy the username from the KeePass database.
- Paste the username.
- Copy the password with a right-click.
- Paste the password.
- Locate the account settings or password change options on the page.
- Paste the old password in if the site requires it.
- Copy the next password from the password list and paste it into the new password form, submit.
- Double-click the entry in the KeePass database, paste the new password in there as well.
- Copy the URL and paste it into the URL field.
- Move the account to one of the groups.
You may be able to speed things up further by installing a plugin like KeeFox, which brings KeePass functionality to Firefox. Similar extensions are available for other web browsers. I'm currently managing about 50-60 accounts per hour with this system. You may be even faster if you use a browser plugin.