Or: How to migrate from LastPass without fuss

As you may have heard, LogMeIn has acquired LastPass. This would normally not be very interesting news, but LogMeIn has turned out to be a bit shady, which means that I trust LastPass much less under its new owner. Also, since Persona, the solution to all authentication problems, never panned out (damn you, Mozilla, damn you to hell!), I am forced to find a new password manager.

To give you a bit of history, I started out, as many of us do, using only one or two passwords for everything. This was, of course, entirely insecure, because I was handing my email and Dropbox password to every shady game site and bank out there. One day, I decided I should switch to something else, but I didn’t like carrying and synchronizing a file every time I added a password, so I opted for something with less state: SuperGenPass.

A timeline

SuperGenPass generates a site-specific password by hashing a master password together with the site’s domain (although the hash it uses is now a bit antiquated, and someone should really add bcrypt or something to it), so all you need to remember is one password, every site gets its own, completely unique password, and none of them can be reversed to recover the master one.

SuperGenPass served me well, but it had two major flaws, both consequences of keeping minimal state: you set its parameters once at the start and then just use it. Because each site’s password is a pure function of the master password and the domain, you can’t change a single site’s password (a leaked one stays valid until you change the master, which changes all of them at once), and you can’t use a custom character set for, say, the bank website that only allows passwords up to three characters long and consisting only of the letters “lol” in that exact order.
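To make the trade-off concrete, here is an added example (my own code, not SuperGenPass’s algorithm, which is not reproduced here) of a stateless per-site password generator in Python. It uses PBKDF2-HMAC-SHA256 in place of an older fast hash, and it adds two optional parameters, a per-site counter and an alphabet, that address exactly the two flaws above. The catch is that both have to be remembered per site, which is precisely the state a minimal generator avoids. The iteration count, the domain normalisation and the sample inputs are assumptions made for the illustration.

```python
import hashlib
import hmac
import string

# Assumed parameters for this illustration (not SuperGenPass's own values).
ITERATIONS = 100_000
DEFAULT_ALPHABET = string.ascii_letters + string.digits


def derive_site_password(master, domain, length=16, alphabet=DEFAULT_ALPHABET, counter=0):
    """Derive a site-specific password from one master password, with no stored state.

    The same (master, domain, length, alphabet, counter) always yields the same
    output, and the output cannot be run backwards to recover the master.

    'counter' and 'alphabet' are the two knobs a minimal-state generator lacks:
    bump the counter to rotate one site's password without touching the master,
    and pick an alphabet to satisfy a site's character restrictions. Both then
    have to be remembered per site, which is exactly the state the author avoided.
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("length must be >= 1 and alphabet needs at least 2 symbols")
    n = len(alphabet)
    # The salt binds the output to the site and the rotation counter. Only case is
    # folded here; a real tool also reduces login.example.com to example.com.
    salt = "{}\x00{}".format(domain.lower(), counter).encode("utf-8")
    # A deliberately slow, standard KDF in place of an old fast hash; scrypt or bcrypt would also do.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=64)

    # Map key bytes onto the alphabet by rejection sampling so no symbol is favoured
    # (plain 'byte % n' is biased whenever 256 is not a multiple of n).
    limit = 256 - (256 % n)
    out = []
    stream = key
    block = 0
    while len(out) < length:
        for b in stream:
            if b < limit:
                out.append(alphabet[b % n])
                if len(out) == length:
                    break
        if len(out) < length:
            # Long passwords need more bytes: expand the derived key with HMAC, never the master.
            block += 1
            stream = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
    return "".join(out)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    print(derive_site_password(master, "example.com"))
    print(derive_site_password(master, "example.com", counter=1))  # rotated for the same site
    print(derive_site_password(master, "bank.example", length=3, alphabet="lo"))  # restricted charset
```

The third call shows the restricted-alphabet case from the bank joke above; the second shows that rotating one site’s password is a one-parameter change rather than a new master. Folding only the case of the domain is a simplification: SuperGenPass also strips subdomains so that different hosts of the same site agree, which this example does not do.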

After a few years on SuperGenPass, I decided it was time to bite the syncing bullet and move to a manager. I looked around and LastPass was the best one, as it offered the best integration with all my tools (Firefox on Linux and on Android). That worked pretty well, although not without the occasional hitch, but the extensions for both Linux and Android were reasonable enough that passwords would get saved with one or two clicks and auto-filled with no clicks.

The migration

It seems that all good things must come to an end, however, and LastPass was no different. After the acquisition, I looked into how I could move to the open-source and trusted KeePass. Moving my logins and passwords over turned out to be as easy as an export and an import, and all my passwords were in KeePass a few minutes later. One caveat: LastPass exports to a plaintext CSV file, so once you have confirmed that the import is complete, delete that file rather than leaving it lying around.

The bigger problem then was how to handle password syncing and auto-fill on the phone. Dropbox does a good job of syncing the password database, and KeeFox is a great Firefox extension that automatically saves new passwords and fills in existing ones, but it doesn’t work on Android. KeePass2Android is another very featureful app that does a great job of automatically syncing the file when necessary. However, it lacks browser integration, so logging in to a site is an exercise in frustration, requiring quite a few taps to find and copy the password every time.

My needs were, in reality, only two:

  • Save new passwords when I sign up to sites.
  • Use these passwords to automatically fill the form of the site I am currently on, if a password was previously found.

Firefox does both automatically (and it syncs its password database securely), but it’s very Firefox-specific, so it’s not very easy to get at a password if you need to log into a service from another PC. KeePass makes it very easy to get at the passwords, but, as I mentioned before, it doesn’t fill them in on Android, and KeeFox disables the built-in Firefox password manager because otherwise the two conflict.

The solution

Since Firefox does half of what I want and KeePass does the other half, why couldn’t I join them and get a whole? What’s so terrible about the built-in password manager that it needs to be disabled when KeeFox is used?

As far as I can tell, nothing. So I simply didn’t disable it, and it has been working fine. To clarify, my current setup involves running KeeFox but preventing it from filling in passwords, while enabling the built-in password manager and password sync.

Here’s how to do that for Firefox:

[Screenshot: the options I have set in Firefox and KeeFox.]

In short: in KeeFox’s options, turn off its automatic filling of login forms; in Firefox’s preferences, keep the “Remember passwords” option enabled and make sure “Passwords” is ticked under Sync. If you want to check the Firefox side without the dialogs, about:config should show signon.rememberSignons set to true.

This still allows KeeFox to capture new sites and their passwords the first time you sign up, so your password database will still be complete. However, the login process is a bit different: Firefox will ask you to save the password you just used in its database, and you should accept. If you need to log in and Firefox has never seen the password before, all you have to do is click the KeeFox icon and select the website, and the credentials will be filled in.

KeeFox will never autofill any credentials (because we told it not to), but Firefox will, and it will sync the credentials to all devices transparently, which is exactly what I (and presumably you) want. The next time you try to log in to a website on your phone, Firefox will automatically fill in the username and password it saw the last time you logged in anywhere, including on the computer. Also, whenever you sign up to a site, both KeeFox and Firefox will prompt you to save the password, and you should say yes to both: one adds the password to the KeePass database and the other to the Firefox password manager.

This setup should work equally well for Chrome, but I’m not sure whether there’s a Chrome extension for KeePass. And there it is: completely open-source password management, with convenient site addition and auto-fill!

If you have any recommendations, corrections or feedback, please leave a comment below or tweet at me. Thanks!