
I Migrated from LastPass to KeePass

March 29, 2018 by Noah

Today I finally migrated away from using LastPass as my password manager and am instead going to use KeePass. My reasons were the following:

  1. I don't want a browser extension being responsible for my password manager, as the security surface area of a browser extension is unknown.
  2. The usability of LastPass's extension for Firefox has been declining. They removed the ability to "Copy Password" which makes logging in to some sites, like Amazon AWS, a royal pain in the ass.
  3. LastPass is closed source, so it is a black box, and it does weird things, like not asking me for my password often enough, and I have no idea what it keeps available in memory for malicious apps to get into.
  4. I want to keep my things off the cloud where I can.

In this post I'll share my experience with migration, complaints about LastPass and how my current setup looks for syncing my passwords between my phone and computers.

LastPass Complaints

Removal of "Copy Password" in Firefox

Several months ago, the Firefox extension for LastPass lost the ability to "Copy Password" from LastPass.

It used to be that you could click the LastPass icon, click "Show Matching Sites", right-click one of the login entries, and click "Copy Password" if you needed to copy the password.

An example where this is very useful is when logging in to Amazon Web Services:

Logging in to AWS

The AWS login page has three login fields: Account Number, User Name, and Password.

Most sites only have Username and Password, and this is the only use case LastPass knows how to support.

If I use LastPass to "Auto-fill" this login, it will paste my username into the "Account Number" and "Username" fields, which then makes it so I can't log in. So, really the only option is to "Copy Password" and manually type in my username and paste the password.

The Firefox extension lost this ability.

So now I have to click the LastPass icon, "Show Matching Sites", right-click the login entry, "Edit" which opens a new tab to my LastPass Vault, click on the icon to "Show password", select the password, Ctrl-C, go back to the AWS login tab, Ctrl-V and continue.

I waited for months to see if LastPass would bring back the "Copy Password" feature but it seems they don't care to. The Chrome extension still has it, but I don't use Chrome as my primary browser.

Browser Extensions

Web browsers are complicated apps and I don't trust the security of a browser extension that manages my passwords.

The default setting for LastPass apparently causes it to remember your master password for a very long time, even between completely closing and restarting your browser or rebooting your computer. If the LastPass extension has such ready access to my unlocked, decrypted password database, other software on my computer might as well. If any program I use has a vulnerability exploited that gives it any kind of filesystem access, it could probably find where LastPass keeps its data and get into it.

I'd prefer a separate, dedicated app where unlocking and locking my password database is an explicit action, and it isn't just sitting there with its pants down waiting for any malicious app to steal its secrets.

LastPass Export & Migration

In LastPass on Firefox, I clicked the "Export" button which opened a new tab and showed me my entire password database, in CSV format, which I then apparently had to copy/paste into a text editor and save as a *.csv file.

One thing I discovered was that the CSV file wasn't directly usable by KeePass just yet!

Everywhere that I had an & symbol in a password, LastPass encoded that as &amp;, and if I were to just import the CSV into KeePass directly, it would see the string &amp; in my passwords and think it should be taken literally. This meant some logins to sites would fail because the password didn't match exactly.

I did a find/replace in my text editor to convert &amp; into & and then it was ready for KeePass.

I'm using the KeePassXC client for KeePass on my desktop PCs. It's a cross-platform app that runs on Linux, Windows, and macOS.

Importing the LastPass CSV file was pretty straightforward. I told KeePassXC that the first row of the CSV was the header row, and then told it which column to pull each data point from: usernames, passwords, group names, labels, and so on.
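The entity problem above is easy to get wrong with a plain find/replace: a password that literally contained "&amp;" is exported as "&amp;amp;", and a password with a comma or quote in it only survives if the CSV is parsed as CSV rather than as lines of text. Here is an added example (my script, not the author's and not part of KeePassXC) that parses a LastPass-style export with Python's csv module and undoes HTML entity escaping with html.unescape, which makes exactly one pass and so handles the double-escaped case correctly. It generalizes beyond "&amp;" to any HTML entity. The column names in the sample header are an assumption about the LastPass export format, and the sample rows are constructed, not real data; KeePassXC lets you map columns by name at import time anyway.

```python
import csv
import html
import io
import sys

# Constructed sample of a LastPass-style CSV export (not real credentials).
# The header names are an assumption about LastPass's export; adjust FIELDS_TO_UNESCAPE
# if your export uses different names.
SAMPLE_EXPORT = """url,username,password,extra,name,grouping,fav
https://example.com/login,alice,p&amp;ss&lt;w0rd,,Example,Work,0
https://aws.example.invalid/,bob,"comma,inside&amp;amp;",Account 123456,AWS,Cloud,1
"""

# Text fields that LastPass may have HTML-escaped. "url" and "fav" are left alone.
FIELDS_TO_UNESCAPE = ("username", "password", "extra", "name", "grouping")


def unescape_rows(csv_text):
    """Parse the export and undo HTML entity escaping in the text fields.

    html.unescape makes a single pass, so a password that literally contained
    '&amp;' (exported as '&amp;amp;') comes back as '&amp;', not as '&'.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = []
    for row in reader:
        cleaned = dict(row)
        for field in FIELDS_TO_UNESCAPE:
            if cleaned.get(field) is not None:
                cleaned[field] = html.unescape(cleaned[field])
        rows.append(cleaned)
    return rows


def to_csv(rows, fieldnames):
    """Write rows back out, quoting every field so commas and quotes in passwords survive."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def clean_export(csv_text):
    """Return a KeePassXC-ready CSV: same columns, entities decoded, all fields quoted."""
    fieldnames = list(csv.DictReader(io.StringIO(csv_text)).fieldnames)
    return to_csv(unescape_rows(csv_text), fieldnames)


if __name__ == "__main__":
    # Usage: python clean_lastpass.py lastpass_export.csv cleaned.csv
    if len(sys.argv) == 3:
        with open(sys.argv[1], newline="", encoding="utf-8") as f:
            text = f.read()
        with open(sys.argv[2], "w", newline="", encoding="utf-8") as f:
            f.write(clean_export(text))
    else:
        print(clean_export(SAMPLE_EXPORT))
```

Both the export and the cleaned file hold every password in clear text, so delete them (securely, if your filesystem allows it) once the KeePassXC import has been verified against a few logins.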

My KeePass Setup

Desktop: KeePassXC

KeePassXC is a cross-platform desktop app that runs on Linux, Windows, and macOS.

The official KeePass software only targets Windows and runs on Linux via Mono, but looks non-native and clunky. KeePassXC uses the Qt GUI framework and looks nice on all platforms, and is compatible with the same KeePass database files.

Mobile: KeePass2Android Offline

For my Android phone, I'm using Keepass2Android Offline because I don't need cloud sync services, nor do I really want to use them. There is also Keepass2Android that supports cloud services, if you want to sync your database via Dropbox or Google Drive or some other services.

Syncing

To sync my password database between devices, I primarily push and pull them to my web server. I don't actually modify my password database very often (to add new passwords for example), so when I do, I can remember to push the database to my web server, so that I can pull it down on another computer later. I use rsync over SSH to sync them.
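The failure mode of a manual push/pull workflow is forgetting which machine has the newest copy and overwriting it. As an added example (mine, not the author's script; the server and paths are placeholders), here is a small wrapper that runs rsync over SSH with --update, so a transfer is skipped when the destination already holds a newer file, and with --backup so the previous copy is kept as *.bak. Before a push it also checks that the local file starts with the KDBX 2.x signature, so a truncated or wrong file is not uploaded over a good one.

```python
import shlex
import subprocess
import sys

# Placeholder locations: the post names neither the server nor the paths.
LOCAL_DB = "Passwords.kdbx"
REMOTE_DB = "user@example.invalid:keepass/Passwords.kdbx"

# KeePass 2.x database files begin with the two little-endian signatures
# 0x9AA2D903 and 0xB54BFB67.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")


def looks_like_kdbx(head):
    """True if the first 8 bytes carry the KDBX 2.x file signature."""
    return head[:8] == KDBX_MAGIC


def rsync_args(direction, local=LOCAL_DB, remote=REMOTE_DB):
    """Build the rsync argv for a push (local -> remote) or pull (remote -> local).

    -a               preserves modification times, which --update compares
    --update         skip the transfer if the destination copy is newer than the source
    --backup/--suffix  keep the destination's previous copy as <name>.bak
    -e ssh           transport over SSH
    """
    if direction not in ("push", "pull"):
        raise ValueError("direction must be 'push' or 'pull'")
    src, dst = (local, remote) if direction == "push" else (remote, local)
    return ["rsync", "-a", "--update", "--backup", "--suffix=.bak",
            "-e", "ssh", src, dst]


def main(argv):
    if len(argv) != 2 or argv[1] not in ("push", "pull"):
        print("usage: kpsync.py push|pull", file=sys.stderr)
        return 2
    if argv[1] == "push":
        with open(LOCAL_DB, "rb") as f:
            head = f.read(8)
        if not looks_like_kdbx(head):
            print(f"{LOCAL_DB} does not look like a KeePass 2.x database; not pushing",
                  file=sys.stderr)
            return 1
    cmd = rsync_args(argv[1])
    print("+", shlex.join(cmd))
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because --update skips silently when the destination is newer, run rsync with -i (--itemize-changes) if you want to see whether anything was actually transferred; a skipped push is the signal that the other machine has edits you have not pulled yet.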

To get the password database to my phone, I transfer the database over manually, and treat it as "read-only" so I don't forget to transfer it off the phone at any point. To get it from my computer to my phone when I don't have a USB C cable or the Android debugging tools installed, I just use my Go SimpleHTTPServer and my poor man's ngrok so that it doesn't have to be sent over clear-text e-mail or anything, minimizing exposure as much as possible.

I hear that it's okay to host your KeePass DB on cloud providers like Dropbox, if your master passphrase is sufficiently strong, because somebody having your encrypted database is only part of the battle of them cracking into it. My choice not to use Dropbox doesn't have anything to do with the security of my password database, though; it's just because I don't want to use cloud services. With such nonsense as the CLOUD Act, I'm trying to keep as many things close to me as possible, and the "cloud" is really just "other people's computers."
