LastPass to Bitwarden migration; so many passwords

LastPass to Bitwarden migration ... a tale of <somethings>

Or "boredom for a week". Every idle moment for nearly 10 days. I moved passwords from LastPass to Bitwarden. Why?

LogMeIn is the company that bought LastPass, the password manager I have been happily using for the last 10 years or so. I liked LastPass. I used to pay for it too. It stored login details, generated secure passwords, kept secure notes, and generally behaved itself across all my devices, including Linux desktops. And then they were bought by LogMeIn.

LogMeIn like to raise prices. And the increase in price this year (2021) finally pushed me to switch to anything else. And the free account is crippled, to force people to pay. And I used to pay. But no more, at least to LogMeIn.

I decided I wanted an Open Source or Free Software solution, so - in theory - I could host it myself. Obviously, I'm not going to. I'd heard good things about Bitwarden so I decided to switch. I even paid them the $10 that they want for a Premium account compared with $40 for LastPass this year. I wonder what LogMeIn will charge next year.

I seem to have a LOT of logins

Obviously, there is an export from LastPass and import into Bitwarden. I didn't do that. Not because it doesn't work. Lots of people do just that, and it works fine. No, since I've had LastPass for around 10 years, which is my best guess based on the last time I actually used some of the passwords, I thought I'd move them over manually and check that they actually work.

It turned out I had a lot of site logins, secure notes, and other secured details. No, really, a lot. Over 600.

The login details seemed to fit into the following categories:

  • Sites I actually use a lot. Not that many, it would seem.
  • Shopping sites that I have used once. Lots of these. Simply loads.
  • Services, tools, sites that have just gone away. Bit rot in the Internet. The demise of websites seems quite alarming. 5 years is a long time on the Internet; enough time for their birth, brief existence, and (often) sudden death.

I laboriously tried every login. Some had disappeared, like "delicious", the bookmarking service (bought by Pinboard it turned out, which I also had an account for). Many had timed out my login - the details had miraculously simply disappeared. Others had to be coaxed into allowing me to reset my password, just so I could (attempt to) close my account. Speaking of which ...

"Why can't I close that account?"

It's pretty easy to sign up for accounts. Enter email address and password, and hey presto, new account. For many sites, not so easy to close the account. First, there is finding how to close it. Some sites don't make that easy. However, lots of sites simply don't have any way of closing the account. Nope, it's forever. Bastards. So for them I anonymise the information as much as possible, switch the email to something opaque (like Abine Blur's masked email service), dump the login into my sin bin of "can't close the damn account", and then try to forget about the site.

Why, oh why, did I use my real email address so much?

This was, and is, a major mistake. I used my main email address to sign up to 100's of web-services and shopping sites. ';--have i been pwned? - you bet. All my "main" email addresses have been compromised by data breaches. They are now permanently on spammers' lists, which explains a thing or two about some of the emails in my spam folder. And it was so easy to just use the address that I knew, despite having an Abine Blur masked email account. Half of those now-defunct websites probably leaked, or worse, sold my email address.

Anyway, I have a plan for this particular error: don't use the same email address for more than one service. Which means that I need roughly 300 email addresses. Yeah, right!?

Actually, there is a way to solve this: email aliases. I'm going to solve this particular problem with SimpleLogin which is, handily, an email alias solution. Essentially, I can use my own domain, and I have a few of those just hanging around doing nothing, and then create aliases for all the sites. So github@mymaildomain is going to be a thing, along with twitter@mymaildomain and aerlingus@mymaildomain. I think you get the idea. Looks like they will get $30/year out of me as well. (This is starting to get expensive - I mean I pay for email too). Incidentally, this is another case of where I could self-host SimpleLogin, but for $30/year, I'm not going to.


So I ended up with over 350 remaining sets of login details and secure notes that still work or exist. And this really does seem like too many. I'm going to do a second pass through all my logins and switch my over-used main email address to a SimpleLogin alias. And this will allow me a second chance to delete or "defunct" a few more sites that I don't really need. It's all about trying to reduce digital footprints. But this whole saga makes me wish there was some kind of personal, universal SSO (Single Sign On) solution for controlling this explosion of logins.

Which kind of brings me to my point (or rant):

Why not personal Single Sign On?

Why do I even need a secure password generation and storage system? It's because 'us' techies messed up. The easiest solution is just to get some details from a user to open an account, often without thinking about how it might be closed; and as I recently discovered, that's a TODO item that often never gets done.

But it leaves a problem: securing passwords and emails from malicious entities. Which results in the suboptimal solution of password managers. A whole plethora of them: Bitwarden, 1Password, KeePass (and the -X variant), Dashlane, LastPass (now in the sin-bin), and the things built into Chrome and Firefox, and many, many more. Oh, never use the things built into Firefox and Chrome; particularly not Chrome - why give even more data to Google.

So, naturally, I thought about the solution to the problem. I am an engineer, of the software persuasion, after all.

What I want is a "thing" that I can open with a nice secure password. And then that thing is the thing that authenticates me with a service. All the service gets is a nice, opaque token (cryptographically signed) that says "yes, it's the same person as the last time that token was used." And that's the essence of SSO.

Obviously, it exists. I didn't invent it. I'm not smart enough to. But it exists in siloed, bunkered, solutions. "Sign in with Google". "Sign in with Facebook". "Sign in with Twitter". "Sign in with blah".

However, I don't want to have to trust 'blah' to be my SSO. It should be portable and not tied to a particular (mostly it seems, based in America) corporate entity that may not have my best interests in mind. In fact some of them may just be interested in data-mining me to sell advertising slots to me. The idea of actually telling them which sites I want to log in to - no, that doesn't fly with me at all.

So perhaps decentralised logins are a necessary evil, and the personal password manager is the necessary component to make semi-anonymised identity work around the Internet. It just seems so inconvenient and sub-optimal.
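To make the "thing" described above concrete, here is an added sketch of such a personal identity provider in Go, using only the standard library. It is example code written for this page, not the author's design and not any existing product; the names Wallet, Token and Verify and the sites shop.example and forum.example are invented for the example. It also addresses the objection that a central "Sign in with blah" provider learns where you log in: the wallet derives a separate Ed25519 key pair for every site from one master secret, so each site sees only its own public key and pseudonym, two sites cannot correlate the same user, and no third party is contacted at login (per-origin key pairs are the same basic design WebAuthn uses).

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Wallet is the hypothetical personal identity provider: one master secret,
// unlocked by the user's single strong password (that derivation is omitted
// here; a random secret stands in for it).
type Wallet struct{ master []byte }

func NewWallet() (*Wallet, error) {
	m := make([]byte, 32)
	_, err := rand.Read(m)
	return &Wallet{master: m}, err
}

// siteKey derives a separate Ed25519 key pair per site (HMAC-SHA256 of the
// site name under the master secret is the seed). Keys for different sites
// are unrelated, so two sites cannot correlate one user by public key.
func (w *Wallet) siteKey(site string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, w.master)
	mac.Write([]byte("site-key:" + site))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// PublicKey is what the user registers with a site once, at signup.
func (w *Wallet) PublicKey(site string) ed25519.PublicKey {
	return w.siteKey(site).Public().(ed25519.PublicKey)
}

// Pseudonym is the stable per-site identifier: a fingerprint of the per-site
// public key. The site never learns an email address or a password.
func Pseudonym(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return b64.EncodeToString(sum[:16])
}

// Claims is the signed token body. aud binds the token to one site, so a copy
// taken from one service is useless at another; exp bounds replay in time.
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// Token mints "<base64 claims>.<base64 signature>" for one site.
func (w *Wallet) Token(site string, now time.Time, ttl time.Duration) string {
	priv := w.siteKey(site)
	body, _ := json.Marshal(Claims{ // cannot fail for plain strings and ints
		Sub: Pseudonym(priv.Public().(ed25519.PublicKey)),
		Aud: site,
		Exp: now.Add(ttl).Unix(),
	})
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body))
}

// Verify is the site side: signature first, then audience, expiry and that the
// subject matches the key registered at signup, before trusting any claim.
func Verify(pub ed25519.PublicKey, site, token string, now time.Time) (Claims, error) {
	var c Claims
	head, tail, ok := strings.Cut(token, ".")
	body, err1 := b64.DecodeString(head)
	sig, err2 := b64.DecodeString(tail)
	if !ok || err1 != nil || err2 != nil || !ed25519.Verify(pub, body, sig) {
		return c, errors.New("malformed token or bad signature")
	}
	err := json.Unmarshal(body, &c)
	switch {
	case err != nil:
		return Claims{}, err
	case c.Aud != site:
		return Claims{}, errors.New("token issued for another site")
	case now.Unix() >= c.Exp:
		return Claims{}, errors.New("token expired")
	case c.Sub != Pseudonym(pub):
		return Claims{}, errors.New("subject does not match registered key")
	}
	return c, nil
}

func main() {
	w, err := NewWallet()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	for _, site := range []string{"shop.example", "forum.example"} {
		c, err := Verify(w.PublicKey(site), site, w.Token(site, now, time.Minute), now)
		fmt.Printf("%-14s sub=%s err=%v\n", site, c.Sub, err)
	}
	// A token minted for the shop and replayed at the forum is rejected.
	_, err = Verify(w.PublicKey("forum.example"), "forum.example", w.Token("shop.example", now, time.Minute), now)
	fmt.Println("shop token at forum:", err)
}
```

At signup a site stores the per-site public key; on every later login it verifies a fresh token against that key and gets back the same `sub`, which is all "the same person as last time" needs to mean. The caveat is the same one a password manager has: everything hangs off the master secret, so losing it loses every account, and backing it up securely is the user's problem, not the site's.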

</rant>

And that's where the story ends

If you're still reading; well done!

Bitwarden is nice, but not necessarily nicer than LastPass. It is cheaper, but more importantly, is Open Source (so no tie-in) and not owned by LogMeIn.

Email/passwords (plus 2FA) seem like the necessary evil to authenticate with websites, but to obscure email addresses is also a necessary evil; hence the existence of Email Alias solutions.

I still don't know how to have less of them, though. I seem to make an account on every new shopping site/web service/other thing that I come across. It's a habit I'm going to have to break.


I'm publishing this as part of 100 Days To Offload. You can join in yourself by visiting https://100daystooffload.com