Advice on password manager needed

Last Pass problem. Two-step app didn’t work, panic, and I eventually disabled two-step authentication, defeating the point of it. Last Pass support after a day emailed an irrelevant ‘help’ sheet, purely in my view to clear the request for their convenience. I wrote back, no reply. Should I change password managers? I am thinking One Password. PS. how do you hook up those two-step authenticator apps anyway? I have no idea how I did it initially.

LastPass had several breaches over the past couple of years so, yes, you should probably consider other options.

For 2FA, you enable 2FA codes on the respective website, which is where you got the initial seeds usually by scanning a QR code with the authenticator app (LastPass in your case). The one-time codes are later generated from these seeds based on time. These options are always somewhere under security options.

LastPass (I think) offers exporting the seeds as a JSON file. (I’m not using LastPass, but I’m basing this on the fact that 2FAS and other authenticators offer importing these files from LastPass.) You should then import this into another authenticator; 2FAS is a good (and free) option, or you can use 1Password for 2FA as well.

There’s also a guide on the 1Password website on migrating from other password managers, see here.

5 Likes

I’ve been using 1Password since 2008 and agree with @dario. It’s time to move away from LastPass.

LastPass goes independent over a year after serious breaches

7 Likes

Exporting 2FA seeds from LastPass seems to be available, see here for instructions on how to get the JSON file:

https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/how_do_i_move_my_mfa_accounts_in_the_lastpass_authenticator_to_a_new_device.html&_LANG=enus

Make sure that you delete that file after having imported it into another app as it is unencrypted and contains all the secret seeds for your 2FA-protected accounts.

This actually saves you a lot of time when moving to a new password manager or a 2FA authenticator as otherwise you’d have to go into each account, disable 2FA, and reenable 2FA to get the new seeds. Passwords are less of a problem when migrating to a new app.

3 Likes

Thanks, on the evidence of previous posts by you I take your advice seriously. I will just do it when I have the time. Frankly the 2FA stuff here is too complicated for me, I don’t understand it at all, maybe one of the reasons mine stopped working.

1 Like

Thanks, but part of the problem maybe is that I just don’t understand the information you gave. I have no idea what a ‘seed’ is, for example. I have no idea how the Authenticator app worked in the first place and just set it up, at $50, when Last Pass panicked me when it suddenly dropped the grid system. It seemed to work for a few months, then suddenly… my suspicion is they have another big problem of some kind.

I can’t see why they can’t just send a code to one’s phone like Apple do. I am sure there is some complicated under the hood reason that I have no intention of finding out about. As it is my passwords are well made, long and tedious to enter manually. Even the Last Pass master one is actually a pain in the neck to enter…

Anyway I am done with Last Pass, still no response from their ‘help desk’ two days after I said I was locked out of my account. I did get back in as I said, but, wow!

A seed in 2FA is the initial secret (the QR code) you scanned and entered into the 2FA app for it to be able to generate the one-time codes. You did that when enabling 2FA for a particular account. It is what makes the app able to generate these codes.

I suggest you look at the above migration guide from 1Password, and perhaps other folks who use 1Password here can help more (I’m on Bitwarden, which is open source but a bit less user-friendly as it is now, so I’d suggest you try 1Password first).

I suppose that the migration guide will help you migrate both the passwords and 2FA codes to 1Password. In the best-case scenario, you will not need to retype any passwords or do anything manually.

Have a look at LastPass and see where the export options are (see the above article). It should be able to export both passwords for all accounts and the 2FA list. Once you have that, this can be imported into another app and you can cancel the LastPass account.

2 Likes

How important is 2FA anyway then, since I already have it on my apple ID and my computer is locked under a password. All my accounts that matter have a code sent to my phone. How important is it to have it on my password manager and why?
I would like your opinion, but since asking I found, on 1Password’s blog, an article saying 2FA is not necessary for 1Password. The article does mention an ‘edge case’ that seemed to me unlikely to be anything I would face.

Thanks for your help and time, much appreciated.

1 Like

IMO YES. But I’d go for something you control, like Strongbox or Keepass. ALL cloud services are subject to breaches. At least local copies are subject to different attacks and issues.

1 Like

I reckon listening to the latest MPU episode will answer this question well! (Short answer, if your long & complex password gets stolen, without the ‘second factor’ the baddy still can’t get into your account.)

2 Likes

I agree you should ditch Last Pass, and suggest taking a look at Bitwarden. I’ve been very happy with it. You may find the free version is all you need, and if not, the pricing is very reasonable.

4 Likes

Generally, having an authenticator app or a password manager generate the 2FA codes for you is considered more secure than having them delivered via text message. If you can move to an app-based authenticator or a password manager, that’s a good move. In any case, you should use two-factor authentication on all sites that support it.

Can you link the blog article you mention? I gather that it’s about having a 2FA code active for 1Password itself.

LastPass is the only subscription software I pay for. Avoided the sub landmines so far.

LastPass is trash. iCloud Keychain is good for basic use.

2 Likes

I’d say the Keepass format is the standard, future-proof locally stored solution and Strongbox is a very nice Mac interface on top of that, with some iCloud smarts added on top of it. So I keep my master passwords on a Strongbox vault stored on iCloud Drive. It syncs without issues.

And on top of that, I let iCloud Passwords do its thing because it’s very convenient, especially on mobile. But when I create or change a password, it’s in Strongbox.

2 Likes

First thing, get away from LastPass, such a junk app that’s been hacked countless times.

Two, are you ok paying for a password manager? If yes, go for 1Password, or Bitwarden (paid). If not, use Bitwarden free. Bitwarden is open source BTW.

For 2FA, use Google Authenticator or 2FAS.

1 Like

I do use 2FA on any site that has it; all of them though deliver by text message.

The one time I didn’t look to see the episode, and what do you know: spookily, it would have been relevant to one of the few times now I have an IT ‘issue’! Very much thanks for the pointer.

SMS-based MFA is generally considered the least secure MFA method due to the possibility of being easily subverted by multiple methods. It may be better than no MFA, but if hardware keys or TOTP codes are offered by a given service provider, either of those is the better option.

3 Likes

I would also add that it’s not privacy-friendly for every single service to have your phone number just to be able to text you the 2FA codes if they do not require the number for other purposes.

Authy leaked 30M+ user phone numbers just weeks ago, and I already have text spam and WhatsApp spam I can positively attribute to that breach.

4 Likes