I’ve long recommended password managers like Roboform and LastPass to keep track of passwords for all online accounts. Besides offering an incredible level of convenience, these tools give you a greater level of security by making it practical to use truly long and complex passwords and generate different ones for every site.
But, as with all things relating to security, there are risks.
For example, what happens if you forget your LastPass master password? Master passwords cannot be recovered. While there are a couple of options that might regain access to your password vault, the worst-case scenario is that you lose the vault — and everything in it — forever.
Not to keep beating the same old drum, but the best solution is very simple.
Export your password list
While logged in to LastPass, click the LastPass toolbar icon and then Tools, Advanced Tools, Export To:
The list of export options includes:
- LastPass CSV File – This creates a downloadable comma-separated unencrypted list of all your LastPass entries to a plain text file. You’ll be prompted with a Save As dialog to select a location to place this file.
- Internet Explorer – This loads your passwords into Internet Explorer’s password vault. (When available, “Internet Explorer” may be replaced with the name of your current browser.) This is not recommended, as browser-remembered passwords are easily compromised.
- LastPass Encrypted File – This creates a single downloadable file. The file is encrypted and can only be decrypted with your LastPass master password. It’s suitable only for importing data back into LastPass.
- Wi-Fi Passwords – LastPass can capture and save the Wi-Fi passwords used on your system. This option exports the ones it has stored.
- Form Fill Profiles – This creates a CSV file of all the form fill profiles you have set up in LastPass.
In almost every case, you will be asked to confirm your LastPass master password before the export can take place.
Differences in other browsers
The example above uses Internet Explorer in Windows 10. In Chrome and Firefox, click the LastPass icon in the toolbar. To reach the list of available export formats, click on More Options, Advanced, and Export.
The path to the Export function may be slightly different in other browsers. The key seems to simply be to traverse down the longest options/more options/advanced path you can find in the LastPass menu.
What to back up and what format to choose
Remember, you only use backups when something goes wrong. As we don’t know what exactly will “go wrong”, we want to select the most comprehensive and flexible options.
My recommendation is that you:
- Export your LastPass vault to a CSV file.
- Export your LastPass Form Fill Profiles to a CSV file, if you use Form Fill Profiles.
That captures the key information used to log in to accounts and fill forms.
It also exports it in a common, easy-to-use format – plain text – that doesn’t require LastPass for you to view it. In fact, a common use of .csv files is to load them into a spreadsheet program like Excel:
When you use Excel (or a plain-text editor such as Notepad) to view the information, you can see that all entries, including the passwords, are easily and clearly visible. You can then use it directly, import it into another program, or even import it into a new LastPass account.
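Before you lock the CSV away, it is worth confirming that the export actually contains what you expect, because you will only find out otherwise on the day you need it. The following is an added example, not code from Ask Leo! or from LastPass: it parses a constructed LastPass-style CSV export, checks the header, counts entries, flags login entries with an empty password, and produces a small manifest (entry count plus SHA-256 digest) that you can store next to the encrypted backup to verify it later. The column layout and the `http://sn` placeholder URL that marks secure notes are assumptions based on the export format; compare them against the first line of your own file.

```python
import csv
import hashlib
import io

# Assumed header of a LastPass CSV export; check the first line of your own export.
EXPECTED_COLUMNS = ["url", "username", "password", "extra", "name", "grouping", "fav"]

# Assumed placeholder URL LastPass uses for secure notes (they have no password by design).
SECURE_NOTE_URL = "http://sn"

# Constructed sample export; these are not real credentials.
# The quoted, multi-line "extra" field spans several lines in Notepad but is ONE entry.
SAMPLE_EXPORT = """url,username,password,extra,name,grouping,fav
https://mail.example.com,alice,Tr0ub4dor&3,,Example Mail,Email,1
https://bank.example.net,alice.smith,correct horse battery staple,"Security questions:
Q1: first pet
Q2: street name",Example Bank,Finance,0
http://sn,,,"Router admin password is on the sticker",Home Wi-Fi,Secure Notes,0
https://forum.example.org,bob,,,Example Forum,Misc,0
"""


def parse_export(text):
    """Parse the CSV text into a list of dicts, refusing an unexpected header."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError("unexpected header: %r" % (reader.fieldnames,))
    return list(reader)


def check_export(entries):
    """Summarise the export: total entries, login entries, and logins lacking a password."""
    logins = [e for e in entries if e["url"] != SECURE_NOTE_URL]
    missing = [e["name"] for e in logins if not e["password"]]
    return {
        "entries": len(entries),
        "logins": len(logins),
        "missing_password": missing,
    }


def make_manifest(text):
    """Entry count and SHA-256 of the exact file bytes, to keep beside the encrypted backup."""
    return {
        "entries": len(parse_export(text)),
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
    }


def verify_manifest(text, manifest):
    """True if a restored copy matches the manifest recorded when the backup was made."""
    return make_manifest(text) == manifest


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(check_export(rows))
    print(make_manifest(SAMPLE_EXPORT))
```

Run it against your real export by reading the file into `SAMPLE_EXPORT`'s place; the manifest is safe to store unencrypted, since a digest reveals nothing about the passwords, while the CSV itself must be handled as described in the next section.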
Wait … clearly visible?! How secure is that?
Storing your LastPass backup
As you might imagine, the plain-text, unencrypted backup copy of all your passwords is very valuable in the right hands (your own) and quite dangerous in the wrong ones.
That’s why this next step is so important.
You must place that file in a safe and secure place, or encrypt it and then place it in a safe and secure place.
Options might include:
- Zipping the file with a password (use a recent .zip tool that offers AES encryption; the original zip password scheme is weak).
- Placing the file on a TrueCrypt/VeraCrypt volume or a BoxCryptor encrypted folder.
- Burning the file to a CD, or copying it to a USB stick, and placing that in a safe deposit box or personal safe.
- Printing it out and placing the paper in a safe or safe deposit box.
You get the idea. Keep it safe and secure.
After doing so, delete any copies of the file left on your computer and empty the Recycle Bin. For extra security, this is one of the few times that I think a free-space wipe might be worth it as well. (CCleaner will do a fine job of that.)
Why go through all this trouble?
A couple of things caused me to think about this recently, and I realized that they apply to everyone.
People forget passwords. They just do. It’s just a fact of life. It’s annoying when it happens on a “normal” account, but at least there’s typically a recovery path. But if you forget your LastPass master password, there is no recovery. This is actually a good thing, because it’s a significant level of added security, but it relies on you never, ever forgetting.
Stuff happens. I was tempted to say “people die,” but in reality, it’s about much more than death. The unencrypted backup of your LastPass database is one option to have available for those who might manage your affairs — not just after you pass away, but if you’re incapacitated or in need of assistance for any reason. It’s also something that could turn out to be incredibly useful to you should you not be able to access LastPass for any reason.
What it’s not for: LastPass going out of business
One of the objections to password vaults in general that I hear is, “What if the company goes out of business?”
A fair question.
In the case of LastPass, you lose nothing, except for cross-platform synchronization. One of the beauties of LastPass’s approach is that it doesn’t actually require the internet – or the LastPass servers – to be able to access the content of your vault. In “offline mode”, LastPass just continues to work. (As long as you know your master password, that is.)
And yes, in the highly unlikely event that LastPass ever did go out of business or fail, one of the first things I would do is back up my database, as outlined above, in preparation for a move to an alternative password manager. But as long as you’re backing up regularly, then even this scenario isn’t worth thinking about too much.