Bbobbity

Yes it’s painful but I’ve found going through my vault to be a useful house-keeping exercise. I would say for each account think about the risk to you if hackers got access - they will be after quick $ plain and simple. Most of my accounts contained no financial details and only basic personal data that I’ve already lost several times through various other high profile breaches (including unencrypted in the LastPass breach). Don’t sweat the small stuff.


[deleted]

This is what I did too. It was a good time to cull the accounts not needed anymore - delete delete delete. It took me several hours to change around 100 yesterday, and I initiated the requests from just clicking the login URL link in each vault record.


concisecactus

Prioritize. There are some very important ones (finance/bank, email) and then probably others that are less important. I'm changing high priority ones and then the others will get changed as I log in to the sites. I started creating a tag for the ones that I've changed and removing the lastpass tag that was placed there when they were imported. It is a lot of time and we should be getting our money back from lastpass, plus compensation for time.


CPAtech

Don’t log in to the sites, just click forgot password.


goodmorning_tomorrow

Not sure if that's faster or not... it'll send you a password reset via email and you have to go through that.


sophware

> Most websites hide their "change password" option deep inside their website and you have to literally dig each one out

Somebody smart once said that. If it's true, then clicking a link in an email is faster. You can have several going at once, too.


nightwatch_admin

This is absolutely faster, instead of logging in, searching for a password reset option, entering your email/user again... just click before logging in. Some sites don't even have a password reset option in your account and suggest to log off and click the "forgot password" button.

Edited to add: I've moved to another password manager, and started changing passwords from there. This allows me:

- to keep track of what I actually changed
- mitigate the possibility that Lastpass is backdoored / LP code was changed to catch all new data entered

Do this not the way I did: keep both running, verify all data was migrated (you'll find a bunch of posts here in the sub about exports being broken).

FWIW, I chose 1Password, as it applies an additional key for encrypting the data and does way better in encrypting metadata. It also has no history of adding trackers to their apps, and apparently even allows direct import from LP since a while. The downside is that your data is actually secure, meaning that if you lose your master password and/or secret key, you're well and truly fkd.


asahi7777777

4-6 hours per day for about 3 weeks for 800 passwords. Went to 1Password. The worst were the ones that changed URLs, don’t exist anymore, or don’t even have a change password option unless you click “forgot password.” Good luck.


nowwhatnapster

On the plus side, I'm discovering quite a few websites which have simply deleted my account or no longer exist. My database will be so organized and clean after this exercise.


WIlf_Brim

I had many that were defunct, so I was able to clean up my password database significantly.


[deleted]

The ones I HATE are the (few, thankfully) that only allow you to initiate pw changes via the app, not a web browser. Stupid.


Vayu0

I'll have to change about 500 passwords. Just gets me sick to think about it.


nightwatch_admin

I have over 1100 and in the end, moving to another and changing them all was worth it.


Vayu0

Which one did you choose? Bitwarden, 1password... Or?


nightwatch_admin

1Password, for their encrypted metadata and additional secret key next to the master password.


blainemoore

I had about 1800 passwords to change. I've updated anything important, and am slowly updating the rest as I use those sites or when I have a few spare moments. Everything went into a vault called "from LastPass" and as I update them I move them to a different vault.


goodmorning_tomorrow

Thanks for the response everyone. I am about 30% done and it feels good. As some have suggested, I did all of the important ones first, leaving only the odd sites that I care a lot less about. However, as I go through each record, it dawns on me that there is information I have placed on Lastpass that cannot be simply changed like you could with a password. Things like group accounts where I shared one password with other people. Secret questions like what's the name of your first school and what's the make of your first car. I know I'm not supposed to write down secret questions but I always have trouble recalling what I wrote, so I write all of them down when I create an account. Before master passwords were a thing, I used a lot of passwords that are things I like and numbers that are meaningful. Someone who is able to read your password will get to really know a personal side of you which they could exploit. Unfortunately I have a lot of those where I just migrated to Lastpass without changing the password because they belong to sites that were unimportant. I can only pray that the stolen data will never ever get decrypted.


jadedhomeowner

It took many days (maybe 12 or 14) but I had 800 plus and a big mess they were too. Not sure of the hours total - certainly more than 50.


inspectorgadgetaudio

Clicking forgot password saved me a heap of time. I had over 300 to do. Do important ones first then just chip away at the others. It’s amazing how many sites don’t even exist anymore or ones that you end up closing because you never use. I’m going to keep on top of my password housekeeping this time.


[deleted]

I planned a whole day to do it. Did it during the holidays when I had extra time.


teehill

It took me over 30 hours. A lot of that came from calling banks that were showing me a "your account is in x state, please call us". Clearly showing that the user/pass combo was right, but not giving me an opportunity to change it. Calling them didn't work cause I couldn't tell them my account number (and they wouldn't take any other ID).


riazg

I am still chipping away. I found forgotten sites that had a few bucks here and there. Old VoIP accounts that still had credit, old exchanges that had a few bucks. Total of about $100 so far! Also, a good clean up of dead sites and shore up my password complexity. Time consuming but long overdue. Like others have said, prioritize accounts and then chip away at the rest. Looking to get a 100% excellent score in watchtower!