I've long recommended password managers like Roboform and LastPass to keep track of passwords for all online accounts. Besides offering an incredible level of convenience, these tools give you a greater level of security by making it practical to use truly long and complex passwords and generate different ones for every site.
But, as with all things relating to security, there are risks.
For example, what happens if you forget your LastPass master password? Master passwords cannot be recovered. While there are a couple of options that might regain access to your password vault, the worst-case scenario is that you lose the vault -- and everything in it -- forever.
Not to keep beating the same old drum, but the best protection is very simple: back it up.
Export your password list
While logged in to LastPass, click the LastPass toolbar icon and then Tools, Advanced Tools, Export To:
The list of export options include:
- LastPass CSV File - This writes every entry in your vault, passwords included, to an unencrypted comma-separated plain-text file. You'll be prompted with a Save As dialog to select a location for this file.
- Internet Explorer - This loads your passwords into Internet Explorer's password vault. (When available, "Internet Explorer" may be replaced with the name of your current browser.) This is not recommended, as browser-remembered passwords are easily compromised.
- LastPass Encrypted File - This creates a single downloadable file encrypted with your LastPass master password; without that password it cannot be recovered. It's intended for importing data back into LastPass (or opening with LastPass's own tools), which also means it does nothing for the scenario this article is about: if you forget the master password, the encrypted export is exactly as inaccessible as the vault itself.
- Wi-Fi Passwords - LastPass has the option to capture and save WiFi passwords used on your system. This allows you to export those that have been imported into LastPass.
- Form Fill Profiles - This creates a CSV file of all the form fill profiles you have set up in LastPass.
In almost every case, you will be asked to confirm your LastPass master password before the export can take place.
Differences in other browsers
The example above uses Internet Explorer in Windows 10. In Chrome and Firefox, click the LastPass icon in the toolbar. To reach the list of available export formats, click on More Options, Advanced, and Export.
The path to the Export function may be slightly different in other browsers. The rule of thumb is to follow the longest Options / More Options / Advanced path you can find in the LastPass menu until Export appears.
What to back up and what format to choose
Remember, you only use backups when something goes wrong. As we don't know what exactly will "go wrong", we want to select the most comprehensive and flexible options.
My recommendation is that you:
- Export your LastPass vault to a CSV file.
- Export your LastPass Form Fill Profiles to a CSV file, if you use Form Fill Profiles.
That captures the key information used to log in to accounts and fill forms.
It also exports it in a common, easy-to-use format - plain text - that doesn't require LastPass for you to view it. In fact, a common use of .csv files is to load them into a spreadsheet program like Excel.
When you use Excel (or a plain-text editor such as Notepad) to view the information, you can see that all entries, including the passwords, are easily and clearly visible. You can then use it directly, import it into another program, or even import it into a new LastPass account.
Wait ... clearly visible?! How secure is that?
It's not.
Storing your LastPass backup
As you might imagine, the plain-text, unencrypted backup copy of all your passwords is very valuable in the right hands (your own) and quite dangerous in the wrong ones.
That's why this next step is so important.
You must place that file in a safe and secure place, or encrypt it and then place it in a safe and secure place.
Options might include:
- Zipping the file with a password (make sure to use a recent .zip tool that uses AES-256 encryption; the legacy "ZipCrypto" scheme is easily broken).
- Placing the file on a VeraCrypt volume (TrueCrypt was discontinued in 2014; VeraCrypt is its maintained successor) or a BoxCryptor encrypted folder.
- Burning the file to a CD, or copying it to a USB stick, and placing that in a safe deposit box or personal safe.
- Printing it out and placing the paper in a safe or safe deposit box.
You get the idea. Keep it safe and secure.
After doing so, delete any copies of the file left on your computer and empty the Recycle Bin. For extra security, this is one of the few times that I think a free-space wipe might be worth it as well. (CCleaner will do a fine job of that.) One caveat: on an SSD, overwriting "free space" doesn't reliably reach the cells that held the file, so don't count on a wipe alone; having the drive encrypted (for example with BitLocker) is the dependable backstop for any plain-text copy you miss.
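The storing step above, worked through end to end as an added example (this is not the article's own method or anything from LastPass): it swaps the password-protected zip for OpenSSL's command-line encryption, checks that the archive actually decrypts before the plaintext is destroyed, and runs on a constructed two-row CSV whose header mirrors a LastPass export. The `openssl` invocation, the `BACKUP_PASSPHRASE` variable and the sample rows are all assumptions of the example.

```bash
#!/bin/sh
# Added example, not code from the article or from LastPass: take the
# plain-text CSV export, encrypt it with OpenSSL (AES-256-CBC, key derived
# with PBKDF2), prove the archive decrypts back to an identical file, and
# only then destroy the plaintext.
#
# Assumptions: `openssl` (1.1.1 or later) is on PATH, and the caller puts
# the passphrase in the BACKUP_PASSPHRASE environment variable rather than
# on the command line, where it would land in shell history and `ps` output.
set -eu

# encrypt_export <plaintext.csv> <archive.enc>
encrypt_export() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass env:BACKUP_PASSPHRASE
}

# decrypt_export <archive.enc> <plaintext.csv>
decrypt_export() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass env:BACKUP_PASSPHRASE
}

# verify_roundtrip <plaintext.csv> <archive.enc>
# Succeeds only if decrypting the archive reproduces the original byte for
# byte. A backup you have never restored from is a hope, not a backup.
verify_roundtrip() {
    tmp=$(mktemp)
    ok=1
    if decrypt_export "$2" "$tmp" 2>/dev/null && cmp -s "$1" "$tmp"; then
        ok=0
    fi
    rm -f "$tmp"
    return $ok
}

# destroy_plaintext <file>
# Overwrite before unlinking where a tool exists. On SSDs and journaling
# file systems the overwrite is not guaranteed to reach the original blocks,
# so treat this as best effort; full-disk encryption is the real safety net.
destroy_plaintext() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        rm -f "$1"
    fi
}

# Stand-alone demonstration on a constructed two-entry export (the header
# mirrors a LastPass CSV export; the rows are made up for this example).
demo() {
    work=$(mktemp -d)
    csv="$work/lastpass_export.csv"
    enc="$csv.enc"
    cat > "$csv" <<'EOF'
url,username,password,totp,extra,name,grouping,fav
https://example.com/login,alice,S3cr3t!pass-1,,,Example Shop,Shopping,0
https://mail.example.org,alice@example.org,An0ther-L0ng-0ne,,,Mail,Email,1
EOF
    encrypt_export "$csv" "$enc"
    verify_roundtrip "$csv" "$enc"      # aborts the script if it fails
    destroy_plaintext "$csv"            # only reached after a good round trip
    echo "encrypted backup verified: $enc"
    rm -rf "$work"
}

# Demo passphrase only: in real use export BACKUP_PASSPHRASE beforehand
# and never embed it in a script.
: "${BACKUP_PASSPHRASE:=demo-only-passphrase}"
export BACKUP_PASSPHRASE
demo
```

Run it once with BACKUP_PASSPHRASE exported in your shell, then move the resulting .enc file to the USB stick or safe deposit box. The same caveat applies as with any encrypted backup: the passphrase has to be stored somewhere you (and whoever manages your affairs) can find it, and not only inside LastPass.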
Why go through all this trouble?
A couple of things caused me to think about this recently, and I realized that they apply to everyone.
People forget passwords. They just do. It's just a fact of life. It's annoying when it happens on a "normal" account, but at least there's typically a recovery path. But if you forget your LastPass master password, there is no recovery. This is actually a good thing, because it's a significant level of added security, but it relies on you never, ever forgetting.
Stuff happens. I was tempted to say "people die," but in reality, it's about much more than death. The unencrypted backup of your LastPass database is one option to have available for those who might manage your affairs -- not just after you pass away, but if you're incapacitated or in need of assistance for any reason. It's also something that could turn out to be incredibly useful to you should you not be able to access LastPass for any reason.
What it's not for: LastPass going out of business
One of the objections to password vaults in general that I hear is, "What if the company goes out of business?"
A fair question.
In the case of LastPass, you lose nothing, except for cross-platform synchronization. One of the beauties of LastPass's approach is that it doesn't actually require the internet - or the LastPass servers - to be able to access the content of your vault. In "offline mode", LastPass just continues to work. (As long as you know your master password, that is.)
And yes, in the highly unlikely event that LastPass ever did go out of business or fail, one of the first things I would do is back up my database, as outlined above, in preparation for a move to an alternative password manager. But as long as you're backing up regularly, then even this scenario isn't worth thinking about too much.
I just looked at this article and found that LastPass has changed the backup steps since the article was written and my previous comment. These are the steps:
Click on the LastPass icon.
Select “More options” from the pulldown.
Click “Advanced” from the resulting pulldown
Select “Export”
Click “LastPass CSV” file
Follow the instructions from there
(Submitted Oct 18, 2017)
This is now August 2021 and the path has been changed, again, though only the first step.
Rather than “More options” it is “Account Options”.
That’s the only new change
The path also appears to be different depending on what browser you use, and whether you installed LastPass’s “binary” version. Fortunately the functionality is present, and findable in all.
An FYI. I read an article yesterday (August 16) that said LastPass has confirmed that a vulnerability existed in its software, which left some passwords exposed. The issue was created by a recent update to their system, and appears to only affect users of Internet Explorer. The patch should be available today.
I have a copy of my master password in a safe place, so if I forget it I can retrieve it and I have it again.
Even if you’re positive you’ll never forget your master password, one should still create a LastPass backup periodically. Who knows what could happen to LastPass. After all, it’s a third-party offering completely out of our control. Remember: if your data is only in one place, it’s not backed up, thus ignoring what Leo has been preaching for so long.
TonyB: that’s fine so long as LastPass is still working.
Of course, if I encrypt my LastPass export, I then have to find a safe repository for the encryption key in case I forget it. Preferably not in LastPass, I guess.
I use Roboform and back it up encrypted to a flash drive. The master password is not written or saved anywhere on my computer. I have a mnemonic to remember it.
Where cash is concerned I think the passwords should not be written anywhere.
For internet banking I use a two-step password; Roboform has the first, the second is by selection of characters in a key phrase, with the selection changing every day. The key phrase is not on the computer; I have to remember it. If I were to forget it I would have to go to my bank and create a new one. Better safe than sorry!
Please don’t say “safety deposit box”. The box is in a safe and so is correctly called a “safe deposit box”. Sorry for being so picky but I used to work for a bank and that incorrect term has always grated on my ear. Thanks.
Jim, if you used to work in a bank (as I did), then you know it’s not in a “safe”……..it’s in a VAULT!
Thanks Jim, it’s fixed.
Leo, many thanks for this tip. I have used LastPass for a couple of years now after your recommendation about it. I think it is great but have worried about a back up since I am now totally reliant on it to access pretty well everything. Keep up the good work.
If you remember the rule rather than the password you’ll never lose it.
For instance, you could construct a password from the Harry Potter books and dates published:
Philosopher’s Stone 1997 etc.. becomes PS97CS98PoA99GoF00OotP03HBP05DH07
I use something vaguely similar (but not that, of course) for my LastPass password. Which means that I’m confident that I won’t lose the password, and I can back-up with a LastPass encrypted file.
Yes, but will your wife, children, executor, attorney, etc remember the rule when you are incapable of remembering it?
I am kind of thinking the same. In fact, the time may be when even I will not remember on account of …. what was I was just saying?
Just yesterday I ran into problems with my LastPass vault. I use it every day and I log in sometimes more than once. I did not forget my password; I did not make a typing error, trying 10 times. It happened after my system froze and I had to restart using the reset button. With their help I could recover. My TrueCrypt password I keep on LastPass, so your solution would not work for me. I certainly would forget the password.
Well tomorrow I will have a solution.
Thanks for your beautiful newsletter.
Theo.
Since this article was written, the procedure for backing up LastPass passwords has changed a bit. Now instead of:
Tools -> Export to
there is one more step:
Tools ->Advanced Tools -> Export to
Password issues have been a priority concern for me throughout nearly 20 years of both business and personal internet use. I seek to follow 3 rules when constructing user names, passwords and their linked email accounts: 1) Ability to fend off all but the most determined hacker individuals or bank of computers; 2) profiles I could rapidly recall as a time saving device; and 3) a professional face for those profiles used specifically for areas of business as opposed to personal stuff.
Despite commercial availability of 128-bit encryption and other more powerful lines of password defense, I remain unconvinced that it’s safe to centralize my profiles for what appears to me the added convenience of data thieves. I remain of the opinion that web chicanery can and will happen; it’s not if but rather a matter of when each of us will be hit.
My money in the bank is equally as vulnerable because bank robbers rob banks because that’s where the money is. The same idea applies to identity matters. So, I have a monthly maintenance schedule I follow to care for all my electronic equipment; and I stay as far away from odd and unknown web sites and delete Spam without opening it. Any curiosity about URLs or topics I satisfy through Googling first. I accept that legitimate web enterprises behave in transparent, dependable ways; shenanigans and secretive URLs, odd site names etc. most often seek to mask dishonesty and illegality. I try to behave on the internet as I want others to act toward me, and have faith that most others have more productive, creative and good clean fun things to do than to throw monkey-wrenches at others’ web lives. And, when they don’t, they run the risk of running afoul of federal laws and penalties applicable to the internet and interstate commerce and utilities.
Wow, Jordan. You must have a crap-load of money……or, perhaps you haven’t heard: there are other things to do in the world besides worry about security.
I think Leo usually strikes a happy compromise that still allows the occasional hockey game or, say, listening to an album or two! :-)
Unless you’re a retired billionaire……I’m guessing there are lots more people the hackers are going after first. (No offense intended….but, if you’re that loaded…hire a consultant.)
Give yourself a break! Have some fun!
Does LastPass have a limit to the number of logons it manages? I can’t get it to generate or save any new logons I create.
LastPass allows you to store an unlimited (or at least, a very large) number of passwords. I have about 350 saved passwords. I’d back it all up and reinstall LastPass and see if that fixes the problem.
He wasn’t talking about quantity of passwords…….he was asking about LOGONS. (Totally different question)
Slightly different question same answer. There’s no limit to the number of accounts it can store
How do I get rid of the social media bar on the left side of your newsletter web page? It covers the edge of the text and makes it hard to read your post.
To remove social media bar.
1. Hover cursor over the offending bar
2. Click on arrows that appear at the bottom of the bar.
It is not true that exporting to a LastPass-encrypted XML file is only useful for later re-importing into LastPass. The XML file can be opened using the LastPass Pocket application. So, saving to the encrypted XML file is a good way to back up LastPass data; just be sure to have a copy of LastPass Pocket beforehand. LastPass Pocket is available for Windows, Mac, and Linux: https://lastpass.com/misc_download2.php
I believe the various LastPass Portable apps can also open the encrypted XML file.
Exporting to plaintext and then messing around with other utilities is an unnecessary waste of time.
I have only one export option, to export to a csv file, which is hardly any good. How do I get the rest of the options?
How is that “hardly any good”? It exports the most important data of all. What do you feel you’re missing?
Only one export option, I’m guessing that Jack is using the Google Chrome web browser. Chrome actually does not export the information, it produces a webpage with all the information visible on the page. I’m guessing that this is a bug in Chrome.
It is possible to copy and paste all the information in the webpage but LastPass should make and save the CSV (comma separated values) file for the user and it should not have all that sensitive information on screen as a browser page.
I informed LastPass about this problem with Chrome exports a few months ago but I have had no response and the bug still exists.
The other way to go is to install the Firefox web browser. Firefox has a number of export options which work correctly.
Chrome has been the most used web browser for some time so I’m amazed that LastPass has only two export options (CSV & Form Fills) for it and both options do not produce an export file.
Ooops. I have just upgraded to Firefox Quantum (v57) and now Firefox ONLY has the CSV File and Form Fills export options. The CSV File option does not export a CSV file it just displays the data in a webpage. So now Firefox and Chrome do the same thing, they no longer export the information as a CSV file.
How can I restore the local vault from the data stored on Lastpass servers?
Hi Leo thanks for sharing informations.
I think I would make a CSV backup to easily reuse it in case something goes wrong with LastPass, and print it as well in case I lose my CSV file (hard drive failure!).
You can export your LastPass vault to a CSV file. Convert the CSV file to a document (or Excel sheet). (Enter the LastPass password somewhere in the document/Excel sheet.) Password-protect the document (or Excel sheet) with a unique password only you would remember. Then save the password-protected document (or Excel sheet) somewhere (anywhere, including on a USB and or in the cloud, preferably a copy with each cloud service provider). Apart from your LastPass password you need to remember only the password for the password-protected document (or Excel sheet). If the document (or Excel sheet) falls into someone’s possession, they shouldn’t be able to open it because it is password-protected.
I keep my Lastpass password in my Enpass vault. Yes, I use 2 password managers simultaneously.
As I recall, Leo, LastPass WAS hacked once several years ago…and a lot of user data was compromised.
Any comment on that?
IT WAS NOT HACKED. NO DATA WAS COMPROMISED. More here: http://ask-leo.com/has_lastpass_had_a_security_breach.html
Bottom line is that even if they were hacked (WHICH THEY WERE NOT) even they do not have the ability to decrypt your passwords. That means the hackers would not have the ability to decrypt your vault. Only you do, by virtue of knowing your master password, and that never leaves the device you use.
Before deleting a file with sensitive information, I open it as a random access file and overwrite it three times with random numbers. It is fast and I think it is secure.
And ineffective. There’s actually no guarantee that the sectors that you “overwrite” will actually be written to the exact same sectors containing your sensitive data. (There’s no guarantee, and it could be highly filesystem dependent – NTFS could work differently than FAT and so on.) Use a specialized tool to perform what’s called a “secure delete”, or run a free-space wiper after you delete the file.
In both Firefox Quantum and Chrome browsers, when I export as a CSV File, there is no CSV File, but a browser window opens and I see export.html at the end of the URL. How do I save this to my computer?
Thanks
Click somewhere in the page contents. Select all the text, using the [Ctrl]+[A] keys for a Windows PC. Copy the text using [Ctrl]+[C]. Paste the text with [Ctrl]+[V] into a text editor. If you save the text in Windows Notepad with a .csv extension, then the saved file will automatically open in Microsoft Excel (or another spreadsheet app) on a Windows PC. The contents will automatically sort into columns which show website, username, password, etc.
Sadly you should not have to do any of the above. LastPass should make and save the CSV (comma separated values) file for you. I informed LastPass about this problem with exports a few months ago but I have had no response and the bug still exists.
In both Firefox and Chrome Ctrl+S will save the web page, but copying and pasting to a text or Word file would produce a cleaner output.
I followed Mark Jacobs instructions and I get a listing in very small print.
No further instructions so how do you save as a CSV?
File, Save As…
Got it !!!
Should have read ‘Malfunction’ post.
Thanks
March 2018 LastPass has failed. It hooked up with Verizon and is now owned by LogMeIn, Corp. I cannot get into LastPass even with my Master Password. I have been asking LastPass support to fix the problem but they haven’t been able to. I have used LastPass Premium for 5 years. Only had a couple of problems in that time. For me, their reputation has gone in the toilet. I never thought to back up or how to do it. I never thought about LastPass being sold to another company and I would not have access to any of my passwords. That is totally my fault. I have worked on this problem for a month with support and nothing works. So, I was told today that I needed to delete my account and start over; with over 300 passwords this is a catastrophe. I am depressed about this whole password manager scenario. LastPass is not what it used to be……
My experience with LastPass hasn’t changed one whit, nor has my recommendation. They’ve been owned by LogMeIn for at least a year, maybe two now. The technology hasn’t changed. Nor has the statement that if you lose your master password they cannot help you. It’s not that they wouldn’t want to, the security they implement actually defines that they cannot help you. This is made pretty clear from the beginning, and that level of security is one of the reasons I continue to strongly recommend them. (And I’m unaware of any relationship with Verizon.)
I just discovered a real “oopsy!” in the export — if there are any login fields saved besides username and password (however they’re named) they DO NOT get exported.
For instance, the federal government’s site for paying estimated taxes online uses five fields for a complete login: the social security id is in three parts, there’s a pin code, and then the password. You can get LastPass to save each of these and use them the next time you log in, but when exported you get the four digit portion of the social and the password ONLY.
Any site using more than two fields for login data is affected.
Eeek! Is that true for all export types? Have you reported that to LastPass?
At this point I don’t know as I had enough problems with LastPass that I moved on to BitWarden and removed the LastPass browser extension. I get at my old data in LastPass by logging into their website. I’ll let someone else fight that battle.
The real pain is that in order to know if you’re missing something, you have to go into edit on each saved login and then click on “edit form fields”.
It seems these instructions are for people using the PAID version of LastPass, with the browser extension installed. For the rest of us, you can log in to lastpass.com, click Advanced Options on the left, then Export. You can do this even if you have chosen “Mobile” as your Active Device Type.
https://support.lastpass.com/help/how-do-i-export-my-vault-data-while-logged-in-to-my-vault