1Password and LastPass are probably the two best-known names in the password storage business, having been around since 2006 and 2008, respectively. Back in 2008, the internet was a very different place than it is today, especially when it comes to security. Since then, a lot has changed and the world has (hopefully) become a more security-conscious place – and security experts have come to a consensus on a lot of practices and approaches when it comes to encryption and the proper handling of sensitive data.
Both of these password managers are heavily vetted and constantly under scrutiny from security researchers, crackers, state security agencies, white hat hackers, and more, with open bug bounty programs (though some considerably more generous than others), and are probably “safe” choices for the average computer user... to an extent.
We’ve been using LastPass to manage our credentials since it first came out in 2008, and have been paying customers from just about when that option was first made available. That said, and while we’re hardly security researchers of the likes of Tavis Ormandy and others, recent issues with LastPass’ approach to security have left us seriously questioning the value the LastPass team places on the security of user data when compared to some of the other offerings currently available. We’ve decided to make the switch to 1Password, which has a slightly better reputation among security experts due to its more thoughtfully designed security model and its approach to handling sensitive data (in both offline and cloud modes).
The idea here is not to bash LastPass in any way; the team behind LP has certainly done more in the name of computer security and making the web a more secure place than most other entities, save a select few. For all we know, it could truly wind up being the more secure product – there’s just no way to tell how these things play out. But for others in the same boat as ourselves, at some point the question of importing 10 years of accumulated (sensitive!) data from LastPass to 1Password may come up, and speaking only for ourselves, we were surprised at how lacking AgileBits’ offering in this regard was.
The current instructions available for Windows users trying to migrate from LastPass to 1Password are downright horrifying, starting off with a mandatory installation of an entire Perl distribution, manually fiddling with CPAN dependencies, and executing a command line script to initiate the conversion of the (one-click) LastPass CSV export into a data format that the 1Password application can recognize and import. Like we said, absolutely horrifying, no question about it.
1Password is decidedly not a community project, open source initiative, or other such undertaking that would normally merit free contributions from 3rd parties (they certainly have the cash and manpower to do so themselves, making it even more bizarre that they haven’t yet). But in the name of sharing something that we found to address a particular pain point, we’ve developed and released an open-source LastPass to 1Password converter that’s free to download and easy to use, offering LastPass users an easy route for migrating their passwords to 1Password and even securely shredding the decrypted export/import files created during the process.
Our LastPass to 1Password converter is available on GitHub as a zero-click application that offers a convenient user interface for taking a LastPass CSV export and generating a 1Password-compatible 1PIF file that can be easily imported into the 1Password client or browser extension. The procedure is as simple as selecting the LastPass CSV export and then waiting for the conversion to complete. Once the conversion has completed, our conversion utility offers to launch the native 1Password client to import the generated 1PIF file, and even offers the option of shredding one or both of the original LastPass export and the generated 1PIF 1Password import file from the disk.
As no post is complete without pictures, here are some screenshots of the conversion utility in action:
Due to the nature of this application, we strongly urge everyone to download the source code, review it quickly, and compile it yourself to use this tool. However, we do recognize that this may be beyond the means of some of the security-minded folk out there looking to make the switch, so we are providing signed binaries for download. If you do opt to use the binary download, make sure to validate the Authenticode signature like so:
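
One way to run that check in PowerShell, as an added example rather than the command from the original post. It uses the built-in `Get-AuthenticodeSignature` cmdlet; the function name `Test-DownloadSignature`, the file path and the publisher name are placeholders assumed here.

```powershell
# Added example. The file path and publisher name used at the bottom are
# placeholders, not values published by the project.
function Test-DownloadSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,  # subject CN you expect
        [string] $ExpectedThumbprint                         # optional certificate pin
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Only 'Valid' is acceptable. NotSigned, HashMismatch (file modified after
    # signing), NotTrusted and UnknownError all mean: do not run the file.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # 'Valid' only says that some trusted certificate signed these exact bytes.
    # Confirm the signer is the publisher you expect.
    $cert = $sig.SignerCertificate
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $cert.GetNameInfo($nameType, $false)
    if ($signer -ne $ExpectedPublisher) {
        Write-Warning "Signed by '$signer', expected '$ExpectedPublisher'"
        return $false
    }

    # Optional pin: compare thumbprints, ignoring spaces from copy and paste.
    if ($ExpectedThumbprint) {
        $pin = $ExpectedThumbprint -replace '\s', ''
        if ($cert.Thumbprint -ne $pin) {
            Write-Warning "Certificate thumbprint $($cert.Thumbprint) does not match the pin"
            return $false
        }
    }

    # Without a timestamp countersignature the signature stops validating
    # once the signing certificate expires.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning 'Signature carries no timestamp countersignature'
    }
    return $true
}

# Placeholder values: use the file you downloaded and the publisher the project names.
Test-DownloadSignature -Path '.\<downloaded-binary>.exe' -ExpectedPublisher '<expected publisher>'
```

The function returns `$true` only when the signature is cryptographically valid and the signer matches; a warning about the missing timestamp does not fail the check on its own.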