
How to Migrate from LastPass to Bitwarden (or Proton Pass)

Difficulty: Easy. Estimated time: 1-2 hours.

Step-by-step guide to switching from LastPass to Bitwarden, the open-source password manager. After the 2022-2023 LastPass breach disclosures, the migration is overdue. We'll cover both Bitwarden (most users) and Proton Pass (Swiss jurisdiction, outside both the EU and the US).

Prerequisites

  • LastPass account access
  • Encrypted disk or USB drive for the temporary export file
  • Hardware security key recommended (YubiKey or similar)

Steps

  1. Decide between Bitwarden and Proton Pass

    Bitwarden = mature, polished, US-headquartered but self-hostable on EU infrastructure. Proton Pass = newer, fully under Swiss jurisdiction, integrated with the Proton ecosystem.

  2. Create a new account on chosen platform

    Bitwarden free or Premium ($10/year), or Proton Pass free or as part of Proton Unlimited.

  3. Export your LastPass vault

    LastPass → Advanced Options → Export. Choose CSV format for broadest compatibility.

  4. Import vault into new platform

    Both Bitwarden and Proton Pass have direct LastPass importers that handle the standard CSV format cleanly.

  5. Set up two-factor authentication

    Configure TOTP, security key (YubiKey), or passkey on the new platform. This is non-negotiable for password manager security.

  6. Recreate folder structure and tags

    Both platforms use slightly different organization concepts. Recreate your most important categories.

  7. Install browser extensions and mobile apps everywhere

    Bitwarden and Proton Pass both have full cross-platform coverage. Install on every device you currently use LastPass on.

  8. Test critical logins

    Verify autofill works on your most-used services. Test password generator, secure notes, and TOTP storage.

  9. Update sites with weak or breached passwords

    LastPass's 2022-2023 breaches mean passwords stored before the vault theft should be treated as potentially compromised. Use the migration as the opportunity to rotate them.

  10. Cancel LastPass and securely delete export

    After 30 days of running both in parallel without problems, cancel LastPass and destroy the unencrypted CSV export.

Why You Should Have Migrated Already

LastPass had two linked incidents in 2022, with the full picture disclosed only in March 2023:

  • August 2022: a developer account was compromised and source code and proprietary technical information were stolen
  • November-December 2022: using material from the first incident, the attackers obtained keys to LastPass's cloud backups and copied customer vault data, including the encrypted password vaults

The second incident is the operational concern. In each vault, passwords, usernames and notes were encrypted with a key derived from the master password (PBKDF2-SHA256), but website URLs were stored unencrypted, so the attackers know which accounts every affected user has. Since 2018 LastPass's default was 100,100 PBKDF2 iterations, but many older accounts were never upgraded and still used 5,000, and some as few as 1. An attacker holding a vault copy can guess master passwords offline for as long as they like; a short or reused master password, or a low iteration count, turns that guessing from theoretical into practical.

Practical implication: any password stored in LastPass before December 2022 should be considered potentially compromised. The urgency varies by threat model: high-value accounts (banking, work email) should have been rotated already; low-value accounts (one-off forum logins) are less urgent but still worth rotating.

The 2026 migration question isn’t “should you?” — that’s settled. It’s “to which alternative?”

Choosing Between Bitwarden and Proton Pass

Both are credible. The choice depends on your sovereignty priorities:

Bitwarden (US-headquartered, fully self-hostable)

Pros:

  • Most mature open-source password manager
  • Largest ecosystem of integrations and clients
  • Cheapest premium tier ($10/year)
  • Self-hostable on Hetzner via Vaultwarden for full sovereignty
  • Battle-tested at enterprise scale

Cons:

  • US-headquartered (CLOUD Act exposure for hosted version)
  • Self-hosting requires technical capability

Best for: most users who want polished UX, broad ecosystem, and cheapest pricing. Self-host on EU infrastructure for full sovereignty.

Proton Pass (Swiss, fully sovereign)

Pros:

  • Swiss legal jurisdiction (outside both the EU and the US, so outside the CLOUD Act's direct reach)
  • Generous free tier (unlimited logins and devices; some features, such as the built-in TOTP authenticator and Pass Monitor, require Plus)
  • Integrated with Proton ecosystem (Mail, Drive, VPN)
  • Audited end-to-end encryption
  • Privacy posture not tied to a US parent company

Cons:

  • Newer (launched 2023, less mature than Bitwarden)
  • Smaller ecosystem of third-party integrations
  • Not self-hostable
  • Some advanced features (SAML SSO, Active Directory) only on enterprise tiers

Best for: users in or considering the Proton ecosystem, users prioritizing Swiss jurisdiction, consumers and small teams.

This guide focuses on Bitwarden as the most common migration destination. The Proton Pass migration follows the same general steps — both have similar LastPass importers.

Detailed Migration Steps

Step 1: Set Up Your New Account

For Bitwarden:

  1. Visit bitwarden.com and create an account
  2. Choose a strong master password: this is the only password you'll need to remember, so make it long (a passphrase of several random words) and unique
  3. There is no master password recovery for individual Bitwarden accounts; if you lose it, the vault is unrecoverable. Write it down and store it offline (printed, in a fire safe, NOT in any password manager). The two-step login recovery code only exists once you enable 2FA in Step 4; store it the same way
  4. Optional: upgrade to Premium ($10/year) for 1 GB of encrypted file attachments, emergency access, and the vault health reports

For Proton Pass:

  1. Visit proton.me/pass and create account (or use existing Proton account)
  2. Choose a strong master password; same considerations as for Bitwarden
  3. Save your recovery phrase securely (offline, like the Bitwarden recovery code); it is what gets your account and data back if you forget the password
  4. Free tier covers most personal use cases; Plus tier $1.99/month adds advanced features

For Bitwarden self-hosted (advanced):

For organizations or technical users wanting full EU sovereignty:

Hetzner CX22 (2 vCPU, 4 GB RAM, Germany or Finland): ~€5/month
Vaultwarden (third-party server compatible with the official Bitwarden clients, much lighter than Bitwarden's own server): open source
Caddy reverse proxy + Let's Encrypt TLS: free

Total infrastructure cost: ~€60/year for unlimited users, fully self-controlled. Vaultwarden is not Bitwarden's server: its releases and security fixes come from a separate project, and the official clients reach it by changing the server URL at login. You take on backups of the data directory, patching, and protecting (or disabling) the /admin panel.

Step 2: Export from LastPass

LastPass requires your master password to export:

  1. Log in to the LastPass web vault
  2. Advanced Options → Manage Your Vault → Export
  3. Re-authenticate with your master password
  4. Choose LastPass CSV File format
  5. Save to an encrypted disk or USB drive

Critical security note: The exported CSV contains all your passwords in plaintext. Treat it as the most sensitive file you’ll ever handle:

  • Save to an encrypted disk only (FileVault, BitLocker, LUKS), ideally a dedicated encrypted USB stick or disk image you can erase whole afterwards
  • Don't email it
  • Don't upload it to any cloud service, or save it in a folder that syncs to one
  • Don't open it in a spreadsheet application (autosave and recovery files leave extra copies)
  • Don't store it on a mobile device
  • Delete it immediately after migration (Step 10 covers how)

Step 3: Import into New Platform

Bitwarden:

  1. Bitwarden web vault → Tools → Import Data
  2. Select source: LastPass (csv)
  3. Choose your exported CSV file
  4. Click Import Data

Bitwarden imports:

  • Logins (username, password, URL, notes)
  • Secure notes
  • Folders → Bitwarden Folders
  • Form fill items → Bitwarden Identity / Card items

Proton Pass:

  1. Proton Pass web → Settings → Import
  2. Select LastPass
  3. Choose your CSV file
  4. Confirm import

Both handle the standard LastPass export format cleanly. Edge cases to review after import:

  • Custom fields land in notes or need manual recreation
  • Items with malformed or non-ASCII URLs may not autofill until the URL is corrected
  • Form fill addresses migrate but may need format adjustment
  • File attachments are not part of the LastPass CSV export; download them from LastPass and re-attach by hand
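As an added example (not LastPass's, Bitwarden's or Proton's code), the following Python script audits the exported CSV before you import it: it classifies rows as logins, secure notes, form-fill notes and folder placeholders, and lists reused and short passwords, URLs autofill will not match, nested folders to check after import, form-fill notes to review, and how many logins carry TOTP seeds. It assumes LastPass's standard header (url,username,password,totp,extra,name,grouping,fav), the placeholder URLs http://sn for secure notes and http://group for folders, a "NoteType:" prefix on form-fill notes, a backslash as the nested-folder separator, and a 12-character threshold for "short"; the sample rows are constructed. It prints item names only, never passwords.

```python
"""Pre-import audit of a LastPass CSV export (added example, not LastPass's or
Bitwarden's code). Assumed, not guaranteed: the standard LastPass header
url,username,password,totp,extra,name,grouping,fav; secure notes carry the
placeholder URL http://sn, folder placeholders http://group, form-fill notes
start their extra field with "NoteType:", nested folders use a backslash."""
import csv
import io
from collections import Counter, defaultdict
from urllib.parse import urlsplit

EXPECTED_COLUMNS = {"url", "username", "password", "totp", "extra", "name", "grouping", "fav"}
SECURE_NOTE_URL = "http://sn"
FOLDER_PLACEHOLDER_URL = "http://group"
MIN_PASSWORD_LEN = 12  # threshold chosen for this example

# Constructed sample rows; a real export holds live credentials and must only be
# read from an encrypted volume (see Step 2) without writing a second copy.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example/login,alice,Tr0ub4dor&3,,,Bank,Finance,1
https://mail.example,alice@example.com,Tr0ub4dor&3,JBSWY3DPEHPK3PXP,,Mail,,0
https://forum.example,alice,hunter2,,,Forum,Misc\\Forums,0
http://sn,,,,"Passport number: X1234567
Expiry: 2031-01-01",Passport,Documents,0
http://sn,,,,"NoteType:Credit Card
Name on Card:Alice Example",Visa,Finance,0
http://group,,,,,,Archive,0
intranet,alice,Longpassword123!,,,Intranet,Work,0
https://www.exämple.org/ä,alice,correct horse battery staple,,,Odd URL,Misc,0
"""


def parse_export(text):
    """Parse CSV text into row dicts, refusing files that lack the LastPass columns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    present = set(rows[0].keys()) if rows else set()
    missing = EXPECTED_COLUMNS - present
    if missing:
        raise ValueError(f"not a LastPass export, missing columns: {sorted(missing)}")
    return rows


def load_export(path):
    """Read a real export file; utf-8-sig tolerates a leading byte-order mark."""
    with open(path, newline="", encoding="utf-8-sig") as fh:
        return parse_export(fh.read())


def classify(row):
    """Map a row to login, secure_note, form_fill or folder."""
    if row["url"] == FOLDER_PLACEHOLDER_URL:
        return "folder"
    if row["url"] == SECURE_NOTE_URL:
        return "form_fill" if row["extra"].startswith("NoteType:") else "secure_note"
    return "login"


def audit(rows):
    """Summarise what the importer will see and what needs manual review afterwards."""
    report = {"counts": Counter(), "folders": Counter(), "nested_folders": [],
              "reused": [], "weak": [], "odd_urls": [], "form_fill": [], "totp": 0}
    by_password = defaultdict(list)
    for row in rows:
        kind = classify(row)
        report["counts"][kind] += 1
        if kind == "folder":
            continue  # placeholder rows carry no data of their own
        folder = row["grouping"] or "(none)"
        report["folders"][folder] += 1
        if "\\" in folder and folder not in report["nested_folders"]:
            report["nested_folders"].append(folder)  # check nesting survived (Step 5)
        if kind == "form_fill":
            report["form_fill"].append(row["name"])  # becomes Identity/Card; review fields
        if kind != "login":
            continue
        if row["totp"]:
            report["totp"] += 1  # TOTP seeds ride along; verify codes after import (Step 7)
        if row["password"]:
            by_password[row["password"]].append(row["name"])
            if len(row["password"]) < MIN_PASSWORD_LEN:
                report["weak"].append(row["name"])
        # Autofill matches on host; a URL without one, or with non-ASCII, needs a recheck.
        if not urlsplit(row["url"]).netloc or not row["url"].isascii():
            report["odd_urls"].append(row["name"])
    report["reused"] = [names for names in by_password.values() if len(names) > 1]
    return report


if __name__ == "__main__":
    import sys
    rows = load_export(sys.argv[1]) if len(sys.argv) > 1 else parse_export(SAMPLE_EXPORT)
    rep = audit(rows)
    print("items by type:", dict(rep["counts"]), "| per folder:", dict(rep["folders"]))
    print("nested folders:", rep["nested_folders"], "| form-fill notes:", rep["form_fill"])
    print("reused password groups:", rep["reused"], "| short passwords:", rep["weak"])
    print("URLs to recheck:", rep["odd_urls"], "| logins with TOTP seeds:", rep["totp"])
```

Run it as `python audit_export.py /Volumes/encrypted/lastpass_export.csv` from the encrypted volume; the reused and short lists double as the starting worklist for Step 8, and the other lists are the items to spot-check in Step 3 and Step 5.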

Step 4: Set Up Two-Factor Authentication

This is non-negotiable for password manager security:

Bitwarden 2FA options:

  • Authenticator app (Aegis on Android, or any standards-based TOTP app)
  • Email (least secure; keep only as a last resort)
  • FIDO2 WebAuthn security key (all plans, including free; this is how a YubiKey is normally used)
  • YubiKey OTP (Premium; only needed for keys or flows without WebAuthn)
  • Duo (Premium)

Proton Pass 2FA options:

2FA is configured on the Proton account (Proton account settings → Two-factor authentication) and protects Pass together with every other Proton service:

  • Authenticator app (TOTP)
  • Hardware security key (FIDO2)

Recommendation for both: a hardware security key (YubiKey 5 NFC or similar, ~€55) registered via FIDO2, plus an authenticator app as backup. The combination is strongest: the key is phishing-resistant, and the TOTP app covers losing the key.

Save your 2FA recovery codes somewhere offline (printed in a fire safe, NOT in your password manager).

Step 5: Recreate Folder Structure

LastPass folders → Bitwarden Folders / Proton Pass folders. Your import preserves this in most cases, but review:

  • Did all folders import correctly?
  • Are nested folders preserved?
  • Are shared LastPass folders represented correctly?

For Bitwarden specifically: shared LastPass folders need recreating as Collections inside a Bitwarden Organization. A free Organization covers two users and two collections; Families ($40/year, six users) and the business plans remove those limits. Premium on its own adds no sharing.

Step 6: Install Everywhere

Both Bitwarden and Proton Pass have comprehensive cross-platform coverage:

  • Browser extensions: Chrome, Firefox, Safari, Edge, Brave, Opera, Vivaldi
  • Desktop apps: Windows, macOS, Linux
  • Mobile apps: iOS, Android (Google Play or direct APK)
  • CLI: For developers and scripting

Install on every device where you currently use LastPass. Sign in with master password and verify 2FA on each device.

Step 7: Test Critical Logins

Before cancelling LastPass, verify the migration works:

  1. Sign out of 5-10 critical services (banking, email, work tools, social media)
  2. Try signing back in using only the new password manager’s autofill
  3. Verify TOTP codes generate correctly (if you store TOTP secrets in your password manager)
  4. Test on mobile — autofill works differently on iOS vs Android, both work but require setup

If anything fails, fall back to LastPass while you fix the issue. This is why running both in parallel for 30 days is essential.

Step 8: Update Weak and Breached Passwords

The migration is the perfect moment to rotate passwords that should have been rotated:

For LastPass users specifically: passwords stored before December 2022 should be considered potentially compromised. Priority rotation:

  1. Banking and financial services (highest priority)
  2. Email accounts (these unlock everything else)
  3. Work-related accounts (compliance and security implications)
  4. Cloud storage and backup services
  5. Major commerce accounts (Amazon, eBay, etc.)
  6. Social media (especially if you use them for SSO)

Use Bitwarden's or Proton Pass's password generator to create strong, unique passwords. Both can also check stored passwords against breach corpora (Bitwarden's exposed-password report on Premium, Proton's Pass Monitor on Plus), but these are reports you run rather than automatic blocks, so put them on a schedule (Step 9).

For lower-priority accounts (one-off shopping sites, forums), batch this work or accept the risk. Realistic time investment for full rotation of 100+ accounts: 4-6 hours over a week or two.

Step 9: Set Up Password Health Monitoring

Both platforms include password health checking:

Bitwarden Reports (Premium):

  • Exposed password report (checked against Have I Been Pwned)
  • Reused password report
  • Weak password report
  • Inactive 2FA report
  • Unsecured website report

Proton Pass Monitor (Plus):

  • Dark web monitoring
  • Weak password detection
  • Reused password detection
  • 2FA recommendations

Run the reports monthly initially, quarterly thereafter. Each finding is an action item: rotate, enable 2FA, or update credentials.
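As an added example, not Bitwarden's or Have I Been Pwned's code, here is the k-anonymity check that the exposed-password report relies on, in Python. Only the first five hex characters of the password's SHA-1 hash are sent to HIBP's documented Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/<prefix>); the service returns every suffix in that range with a breach count, and the comparison happens on your machine, so neither the password nor its full hash leaves it. The endpoint, the SUFFIX:COUNT response format and the Add-Padding header are HIBP's; the sample vault, the stand-in response body and its counts are constructed so the block runs offline.

```python
"""Offline illustration of the k-anonymity check behind Bitwarden's
exposed-password report (added example, not Bitwarden's or HIBP's code).
Only the first five hex characters of a password's SHA-1 are sent to
https://api.pwnedpasswords.com/range/<prefix>; the service returns every
hash suffix in that range with a breach count, and the match is done locally."""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Uppercase SHA-1 hex split into the 5-char range prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; padding entries arrive with count 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appears in HIBP, 0 if never (or only as padding)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real range query. Add-Padding hides the true response size from observers."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "vault-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the block runs offline. The second line is
# the real suffix of SHA-1("password") = 5BAA61E4...; the other lines and all
# counts are invented for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "0050B7E60D44A6F3E5D4C8C2E4A0F8C9E4B:0",          # padding-style entry
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365",    # "password"
        "2E4C9B93F3F0682250B6CF8331B7EE68FAA:3",
    ]),
}


def fetch_range_offline(prefix):
    """Offline substitute for fetch_range_live, serving the constructed ranges."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def exposed_items(items, fetch_range=fetch_range_offline):
    """items: iterable of (name, password). Returns [(name, count)] for exposed ones.
    Names, never passwords, are what you print or log."""
    hits = []
    for name, password in items:
        count = breach_count(password, fetch_range)
        if count > 0:
            hits.append((name, count))
    return hits


if __name__ == "__main__":
    # Constructed vault sample; pass fetch_range=fetch_range_live to query HIBP for real.
    vault = [("Bank", "password"), ("Mail", "correct horse battery staple")]
    for name, count in exposed_items(vault):
        print(f"{name}: seen {count} times in breach corpora; rotate it")
```

Swap in `fetch_range_live` to check a real list; the property worth noticing is that a network observer learns only a five-character prefix shared by hundreds of hashes, which is why a password manager can offer this report without weakening its end-to-end encryption.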

Step 10: Cancel LastPass and Securely Delete Export

After 30 days of confidence:

  1. Verify all logins are accessible in new platform
  2. Verify TOTP codes for critical 2FA setups
  3. Cancel LastPass subscription via account settings
  4. Destroy the CSV export. Overwriting a file in place (shred, srm and similar) does not reliably erase every copy of its blocks on SSDs or on journaling and copy-on-write filesystems (APFS, NTFS, ext4 with journal, Btrfs, ZFS), so the dependable control is the one from Step 2: the file only ever existed on an encrypted volume.
    • Best: if you kept the export on a dedicated encrypted USB stick or disk image, erase that volume or delete the image; the data is gone with its key
    • Linux: shred -u file.csv (best-effort on SSDs and journaled filesystems; sufficient when the volume is LUKS-encrypted)
    • macOS: srm and Finder's Secure Empty Trash no longer exist; rely on FileVault plus rm, or erase the dedicated disk image
    • Windows: BleachBit's secure deletion, or delete the file and run cipher /w:<folder> to wipe the volume's free space (best-effort for the same reason)

Don't skip this step. The CSV contains all your passwords; ordinary deletion on an unencrypted disk leaves recoverable traces.

Tips for a Smooth Migration

  • Plan a weekend for this. Two hours of focused migration work is better than two weeks of “I’ll do it later.”
  • Hardware security keys are worth the €55. YubiKey 5 NFC paired with Bitwarden or Proton Pass provides phishing-resistant authentication that’s genuinely difficult to compromise.
  • Family / shared vaults need attention. If you have a LastPass Families plan with shared folders, recreate the sharing in Bitwarden Family ($40/year for 6 users) or Proton Family.
  • For developers, the CLI matters. Bitwarden CLI (bw) is excellent for scripting and CI/CD secret management. Proton Pass CLI is newer.
  • Self-hosting Bitwarden is genuinely viable. Vaultwarden on a €5/month Hetzner server gives you fully sovereign password management. The tradeoff is operational responsibility — uptime, backups, security patches.
  • Don’t use the same master password as LastPass. Some users do this “for muscle memory.” Don’t. Pick a different, stronger master password for the new platform.
  • TOTP storage in the password manager is a tradeoff. Convenience (one place) vs security (a single point of failure: whoever gets into the vault gets both factors). Bitwarden Premium and Proton Pass Plus support TOTP storage; for the highest-value accounts, keep TOTP in a separate authenticator app or on a hardware key.
  • Emergency access matters. Set up Bitwarden Premium's emergency access so a trusted person can request access to your vault if something happens to you. Proton Pass has no dedicated emergency-access feature; sharing a vault with a trusted person is the nearest substitute. This is the digital equivalent of a will.
  • The Proton ecosystem story matters if you’re already there. If you use Proton Mail and Proton Drive, Proton Pass integration may justify it over Bitwarden. If you’re not in the Proton ecosystem, Bitwarden’s broader feature set may matter more.
