In December 2022 LastPass announced to their users that they had been subject to a data breach. This led me to consider moving to another password manager, which I did, settling on 1Password.
I transferred over 1,700 passwords and calculated that, at an average of three a day, it was going to take me a year and a half to change them all. Well, it has been somewhat quicker than that as I have finished! In doing so I have reduced the number from 1,700 to 677.
I thought that it might be useful to know what I did and how I managed to reduce that number by over 60%.
Plan of Attack
Changing 1,700 passwords was a pretty daunting prospect so I knew that I needed to find a way to significantly reduce that number and quickly. I did that by:
- firstly I went through and removed all my work-related accounts. I found that I had passwords from jobs I left years ago and my current employer uses a different solution. This removed quite a chunk.
- next, I searched for all those marked “Generated Password”. These are where LastPass has stored the password it had created but, more often than not, no actual credentials, which rendered them useless. I felt that if I didn’t know the username or the URL that meant nobody else was likely to either.
- finally, I found all those that were sites with only an IP address and I checked these and most were no longer valid.
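The three filters in the list above can be applied to an exported vault in one pass. This is an added example, not the author's own script; the CSV column names, the "Work" folder name and the sample rows are assumptions constructed for illustration, so adjust them to match your export.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample export; column names and the "Work" folder are assumptions.
SAMPLE_EXPORT = """url,username,password,name,grouping
https://shop.example.com/login,alice@example.com,pw1,Example Shop,Shopping
,,pw2,Generated Password for forum.example.org,
http://192.168.1.1/admin,admin,pw3,Old router,Home
https://vpn.oldjob.example/,alice,pw4,Old job VPN,Work
https://[2001:db8::1]:8443/,root,pw5,Lab box,Home
"""

def host_is_ip(url):
    """True when the URL's host is a literal IPv4 or IPv6 address."""
    try:
        host = urlsplit(url if "//" in url else "//" + url).hostname
        ipaddress.ip_address(host or "")
        return True
    except ValueError:  # not an IP literal, or an unparsable URL
        return False

def triage(export_text, work_groups=("Work",)):
    """Return (name, reason) per entry; the password column is never read."""
    results = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = (row.get("name") or "").strip()
        username = (row.get("username") or "").strip()
        if (row.get("grouping") or "").strip() in work_groups:
            reason = "work-related"
        elif name.lower().startswith("generated password") and not username:
            reason = "generated password without credentials"
        elif host_is_ip(row.get("url") or ""):
            reason = "IP-only site, check it still exists"
        else:
            reason = "keep: log in and change password"
        results.append((name, reason))
    return results

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_EXPORT):
        print(f"{name}: {reason}")
```

A plaintext export contains every password in the vault, so keep it on encrypted storage and delete it once the triage is done.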
Now that I had a considerably reduced list to play with, I could go through them all and laboriously log in to each one and change the password. This in itself got rid of a whole load more, as many of the sites simply no longer existed. Boom! They were gone too.
In a lot of cases I would have been happy to delete my account as I knew that I wouldn’t need it any longer, but very, very few sites provide an option for you to delete your account, clearly hoping that you will remain a customer forever.
The other slightly irksome thing was that sites that I hadn’t used for a while, by which I mean I hadn’t logged into for years, suddenly started sending me marketing emails despite me neither requesting nor agreeing to them. Clearly they took my logging in and resetting my password as an opportunity to ‘engage’ with me. I just unsubscribed as soon as the mails came through so that little trick didn’t work.
Final Thoughts
Little and often has seen the move to 1Password be completed relatively painlessly and I am preferring the UI on it too. Now I just have to hope that 1Password takes more care of my data than LastPass so I don’t ever have to go through this again.