PCWorld (USA)

LastPass hacked: How to export and protect your passwords

You can leave LastPass and move elsewhere in just minutes.


LastPass is no stranger to data breaches. It’s suffered several high-profile leaks, with the most recent (and alarming) incident happening just last year. When news first broke in August, the developer assured everyone that customers were unaffected. But in a complete reversal, the company’s December updates were grim (fave.co/3xdtctq)—customer data had been taken after all.

If you’re feeling like you want to leave the service, you can hardly be blamed. In this latest breach, not only was personally identifying information like billing addresses, telephone numbers, and IP addresses stolen, but vault data as well. Most damning: Some of that vault data was unencrypted.

The good news is that exporting your data is quick and relatively straightforward. You get the entire vault in a single file that you can then use to upload to a new password manager (fave.co/3lrkfrz).

Here’s how to export your passwords from LastPass—and how to do it securely. Plus, learn what you should do afterward to ensure the safety of all your online accounts.


Getting your passwords out of LastPass is actually very easy. More complicated is ensuring the exported file remains secure. LastPass exports in either CSV or XML file formats, and those file types aren’t encrypted.

You don’t want your passwords downloaded as plain text—even if you delete the file, it can still be recoverable on an unencrypted drive. And many people haven’t encrypted their PC drives.

The less complex method is to download the file to a drive fully encrypted by Windows (fave.co/3wn3lzj), then permanently delete it as soon as you’re done importing your info elsewhere. (Leaving it in the Recycle Bin means the file is available and unencrypted whenever you’re logged into your computer.) This isn’t a bulletproof method, as you can recover the data while logged into your PC, but it’s a middle ground.

If you can tolerate a little more effort, I recommend creating an encrypted folder using VeraCrypt (fave.co/3jb95dh), then downloading exported vault data to that location. It acts like a safe for the file. Your data only becomes available when the container is unlocked. When you’re done, just delete the whole set while locked; if the container’s password is never shared, the valuable info inside should remain secure.

Once you have your security precautions set, follow these steps to get your data out of LastPass, via either the web interface or the browser extension.

Note: If you’re using a free account that’s tied to mobile devices only, you should be able to export via the web. If not, a workaround is to start a paid trial, so that you temporarily get multidevice access.

Step 1: Access your account settings.

• Open the browser extension, then click on the account icon.

Step 2: Dig into the “Fix a problem” menu options.

• Choose Fix a problem yourself.

Step 3: Export your vault items.

• Click on Export vault items. Your file will immediately begin downloading.

Reminder: The downloaded file will be in an unencrypted format. Anyone with access to the file can see all of your passwords. For a secure way to download the file, see the notes at the start of this section.

You can now import your file into a new password manager (either another cloud-based service or software installed to your computer). The process should be straightforward, but if you run into any issues, you can look up your new service’s help pages for instructions.

How to export from LastPass via the web interface

Step 1: Access the Advanced Options.

• In the left nav bar, click on the icon for Advanced Options. It should be the second from the bottom.

Step 2: Choose Export.

• Under Manage Your Vault, choose Export. A green banner will pop up at the top of the page, instructing you to check your email.

Step 3: Verify the export request.

• Log into the email address associated with your account. Open the email from LastPass and click the Continue export link within. A browser tab should open, saying the export is ready.

Step 4: Enter your login info to begin download.

• Go back to Advanced Options > Export. To begin the download, enter your user name and password.

Reminder: The downloaded file will be in an unencrypted format. Anyone with access to the file can see all of your passwords. For a secure way to download the file, see the notes at the start of this section.

You can now import this file into a new password manager (be it another cloud-based service or a piece of software installed to your computer). It should be a straightforward process, but if you run into difficulties, your new service should have help pages with instructions.


Usually, leaving a password manager for another one is simple. You export your passwords from the old service, import the info into your new service, and then go back to your life.

Ditching LastPass because of its breach makes matters more complicated. Because hackers have your vault data, your master password is the only thing standing between them and access to your accounts. To ensure your security, you’re best off changing the passwords in your vault.

Hopefully you had a strong random master password, which will make brute-force entry into the vault very difficult. But there’s no way around this one if you want to be sure you’re safe. You can’t change your LastPass master password and be done—the vault data captured is linked to the master password you had at the time of the hack. Updating it now won’t help.

With hundreds of passwords a part of our daily lives, this task is no quick feat. Our recommendation? Work in graduated steps:

1. Move to the new password manager.

2. Immediately change all of the passwords for critical services—banks and other financial institutions, tax preparation, government programs, and so on, anything that could be ruinous if someone got hold of those accounts.

3. Work your way through the remainder of your passwords, starting with those that have more sensitive info stored (such as physical addresses, birth dates, credit card numbers). Now’s a good time to also wipe that info from websites; keep it in your password manager instead.
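
An added example (not from the article): a small Python script, meant to be run inside the encrypted location, that turns the exported CSV into a rotation order matching the steps above without ever printing a password. The column names `url`, `name` and `password` and the keyword lists are assumptions; check them against the header row of your own export.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlparse

# Illustrative keyword tiers (assumptions; tune them to your own accounts).
CRITICAL = ("bank", "credit", "tax", "gov", "paypal", "broker")
SENSITIVE = ("shop", "store", "amazon", "health", "insurance", "mail")

def host_of(row):
    return urlparse(row.get("url", "")).hostname or ""

def tier(row):
    """1 = critical (change first), 2 = stores sensitive info, 3 = the rest."""
    text = (host_of(row) + " " + row.get("name", "")).lower()
    if any(k in text for k in CRITICAL):
        return 1
    if any(k in text for k in SENSITIVE):
        return 2
    return 3

def rotation_plan(csv_text):
    """Return (tier, name, host, reused) tuples; passwords never leave this function."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r.get("password")]
    counts = Counter(r["password"] for r in rows)
    plan = [(tier(r), r.get("name", ""), host_of(r), counts[r["password"]] > 1)
            for r in rows]
    # Critical first; within a tier, reused passwords before unique ones.
    plan.sort(key=lambda p: (p[0], not p[3], p[1].lower()))
    return plan

# Constructed sample rows, not real data. For a real export, read the file
# from the encrypted container and pass its text to rotation_plan().
SAMPLE = """url,username,password,name
https://www.examplebank.com/login,alice,pw-A,Example Bank
https://forum.example.org,alice,pw-B,Hobby Forum
https://shop.example.com,alice,pw-B,Example Shop
https://tax.example.gov,alice,pw-C,Tax Filing
"""

if __name__ == "__main__":
    for t, name, host, reused in rotation_plan(SAMPLE):
        print(t, name, host, "REUSED" if reused else "")
```

Keyword matching is crude, so treat the output as a starting checklist and move any account you consider critical into the first tier by hand.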

You want to do this after you leave LastPass, especially if you’re concerned about remaining security vulnerabilities the company has yet to detect. This breach is not LastPass’s first—and given the company’s history, likely not its last, either.

(Whether LastPass is that much better at transparency, has that much more difficulty maintaining security, or is just a bigger target in general is a question to be answered another time.)

Whatever you do, don’t abandon password managers altogether. Security online is imperfect, and so the solutions for it are also imperfect—but some systems are much more flawed than others. Reusing passwords, using weaker passwords, writing them down in a notebook—these won’t keep you safe. You can find a good password manager (fave.co/3lrkfrz) and a system of use (fave.co/3axbogj) that works for you.

Figure: Your exported data from LastPass will be saved to an unencrypted file. (A sample CSV document is pictured here.)
