Why I had to switch password managers after a decade
On twitter there was a thread by TfT Hacker on switching password managers. Initially I wasn’t convinced because back in 2009 when I picked Lastpass they where the most paranoid option out there.
But thanks to some excellent feedback by Palashkaria I learned that due to the acquirement by LogMeIn in 2015, everything had gone down hill.
Should have paid more attention to it back then, but better late then never.
So when it comes to a Password manager the main thing is Zero Knowledge setup, this means that all your notes, passwords, details, etc.. are fully encrypted on the client side and the job of a password management service is just to sync that encrypted file between devices.
When I got started with Lastpass that was exactly what they did, they didn’t even know what vault belonged to what account thanks to a clever salt system that would store my login details separate from the vault data.
But now, in the end of 2022 I realized that they where sending the URL’s of my passwords in unencrypted form back to their system to gather statistical information. While one could argue on how bad that really is, it breaks the main thing a password manager should do, Zero Knowledge.
Still, knowing what sites I visit is already a huge risk because that means you can start doing brute force attacks with 2/3rd of the data to start with. Not a good look. And URL’s are basically Browser History.
Old saying, “Best time to plant a tree was in 2015 when LogMeIn required the seeds, second best time is now”, or something like that. Anyhow, it was time to move.
Time to start digging through whitepapers again, but I don’t have time to go through all if them in depth, quickest solution, ask people that are fanatical about it and after a quick round on Twitter I go two options. 1Password and Bitwarden. Basically what TfT Hacker started with but you know, it’s good to have confirmations.
Great, that’s going to save me a lot of reading. After I did a bit of a dive the end result was that both have good Zero Knowledge setup, sync complete vaults and have applications for nearly everything.
Couple of points moved me towards Bitwarden though
I love my Ubuntu systems, even though it’s sometimes a struggle to get everything to work. Read, gaming and media creation, with special note to equipment that helps you create things faster.
But my password manager shouldn’t be a struggle and 1Password only has a CLI client. Something I could work with, easily even considering I spend half my day on prompts. But when making the choice, why would I pick the option that makes my life harder?
Anything Open Source get’s immidiate bonus points from me (Waves at Logseq), so the fact that I can just go to Github and checkout the source of Bitwarden https://github.com/bitwarden? Big points.
While I’m not going to use it, I have not the time or resources to keep China out of my servers, it’s always good to have options to host your own solution.
Getting started with Bitwarden was easy, I already had an account and the password was in my… lastpass. Right, maybe change that master password while I’m at it. Even though it’s all encrypted, being a bit paranoid is a good start
Size matters and with passwords the longer the better. Bonus points if you use symbols to make it harder. Terrible jokes aside, use a passphrase that’s made up out of multiple words. It’s easier to remember for you and harder to crack for others making it an absolute win. Don’t know the words or afraid you’ll forget? Walk around the house and make a picture of something that’s busy. Then put those elements in a sentence and if possible add some symbols or numbers.
You could have that photo on your desk and people still wouldn’t be able to figure out what objects and what order they need to be typed. But you do. Random objects though, if you start using a family photo or something then it kind of defeats the purpose.
Exporting from Lastpass is easy, just be careful because the .csv file isn’t encrypted and should be removed as quickly as possible. In your vault go to Account Settings and then under Manage your vault you can find the export option. You might need to jump a few hoops, like getting an email and typing in your Master Password again but you should get a nice text output of all your passwords. If it doesn’t download you can use the “Save as” option in your browser.
Be careful that you don’t save it somewhere that’s in cloud storage, having your unencrypted passwords synced to Dropbox, Google Drive, Onedrive or other platform would be bad.
While I do outsource a lot of things to webservices, that doesn’t mean I trust them to help me out always. And for Lastpass I made a monthly backup by doing an export and then encrypting it with GnuPG. What this basically does is encrypt the text file with a simple password. The same rules apply here, longer passwords are better.
You can download GnuPG for nearly every system here https://gnupg.org/download/index.html
Command to encrypt with password “gpg -c FILENAME” and to decrypt “gpg -d FILENAME”, I could talk about what cipher to use here but for most people the current default of gpg, AES128, will be more then enough. Feel free to pick something different if you’re particular paranoid.
For this step it would be best if you’re bitwarden is still empty, if it’s not then make sure all your existing passwords are already in a dedicated folder. I’ll get back to that later.
Import itself is easy enough, if your in the webinterface you can go to Tools and pick Import. There’s a Lastpass CSV specific one. Load the file and run import. It should be fine, but if you have weird things like me you might get an error message. If you do, go to lastpass, remove/change that particular key and start the process from export again.
Once everything is imported into Bitwarden, I moved everything to a “Lastpass Import” folder. While I don’t have time to change all 1500 passwords I had, keeping them seperate means I can update passwords I care about over time and move them into a permanent spot and know what passwords I trust less.
Great, now you can deinstall Lastpass everywhere and install Bitwarden.
There is a last step, and that’s getting rid of Lastpass for good. I made a note to do so in a couple of weeks because I want to make sure everything works perfect before I destroy the original.
In lastpass you have an option to fully delete an account, you can find it here https://lastpass.com/delete_account.php
While nice, I would still go ahead and change as many of your passwords as possible. Because there is no way to guarantee that they really removed it and are not keeping a backup somewhere.
Ok, so that takes care of the passwords, but I was also using Lastpass Authenticator. Since I have the tendency to have a lot of 2 factor authentications setup and I do weird things like switch or factory reset my phone having some way to sync 2FA is essential for me. This was one of the main reasons I switched from Google Authenticator to Lastpass Authenticator.
Bitwarden recommended Authy and after having a look it had the things I needed, so I’m going to trust them on this one and installed Authy. Clean interface, quick buttons to all my codes. But changing the 2FA is going to be a pain.
There’s no way to automate this, you just need to go to each site and update your 2FA be hopefully updating or probably doing a disable and re-enable. It’s a pain and something that’s going to cost me a couple of hours.
I’m going to have to dig into the Family Plan, I want to share a couple of passwords in a controlled manner, mostly for my Family but to fully dive into the Family plan I need to commit for a year and that’s around 40, will probably set this up next week and then write about how that experience was. Stay tuned!