Migrating from LastPass to 1Password
Overview
This article will introduce and briefly guide you through the process of migrating from LastPass to 1Password, including how to activate your 1Password access, migrate securely using Single Sign-On (SSO), understanding the differences in item type names, and providing links to more documentation.
IMPORTANT: All LastPass accounts are required to migrate by December 15th, 2023.
Table of Contents
Activate your 1Password Access
You will receive an email from 1Password with subject “1Password: Join <admin email address who sent invitation> on 1Password”. Note: It may say a specific persons name or email if you were invited by a specific employee,
Requirements: You should only access 1Password from a trusted machine, including an OIT-managed computer, or a mobile device with Duo Mobile also installed.
- Before clicking the "Join Now" link, close your default browser or make sure that it is logged into your regular UI account
- Note: By default your regular, not your privileged account, is invited to 1Password. This simplifies integrated Windows authentication for most users, but may be different than how you used LastPass previously
- Click "Join Now" and a new browser window will open with a "Sign in with Microsoft" button.
- After clicking the “Sign in with Microsoft” button, you should be presented with University of Idaho Single Sign-On page to enter your credentials and authenticate, if not already authenticated.
- Once authenticated, you will have access to the 1Password dashboard. There will be no password vaults or group associations until after an admin confirms your access. In order to avoid duplicate passwords in the Private Vault and the need to import twice, please wait before importing any passwords in the next step.
Signing into the 1Pasword Desktop Application for the First Time
You can use Self Service / Software Center to download the 1Password Desktop Application (or https://1password.com/download/), which is required for a secure LastPass migration. You will need to keep the browser window that you signed into open. If you closed it, we will ask you to open your browser and navigate to https://uidaho.1password.com and sign in. Please leave this signed in browser tab open until later in the instructions.
- Download 1Password desktop application from Software Center if using Windows, or Self Service on macOS.
- Go to the desktop application and click “Sign In”.
- At the bottom of the selections available, click the green icon titled “Sign in with SSO”. Enter the following information and click "Next".
- You will see a “Sign in with Microsoft” pop-up and button. Click “Sign in with Microsoft”.
- A new browser tab will open asking if you are trying to sign in to 1Password SSO, click “Continue” and close this browser tab.
- Go back to the desktop application where you will now see a “Grant access to your account” pop-up.
- Remember that opened browser window that you signed into https://uidaho.1password.com in the beginning that was requested to remain open? Go to that browser window / tab where you are signed into 1Password and you should have a pop-up asking to “Allow new device?”. If that is your device, click “Allow”.
- In your browser, you will now be presented with a 6-character code to enter into your desktop application.
- Enter the code into your 1Pasword desktop application and click “Submit”. Then “Done”. If you are returned to a “Sign In” pop-up and you see a green check mark next to your email, then click “Done” again.
- Congratulations, you have signed into your desktop application.
In order to avoid duplicate passwords in the Private Vault and the need to import twice, please wait for a confirmation email from OIT Security before importing any passwords.
- The email will explicitly say that your account has been confirmed and you may proceed with importing passwords.
- If you DO NOT have any shared folders being imported, then you may proceed with import prior to receiving confirmation. If you are unsure, please wait for the confirmation before proceeding.
How to Migrate from LastPass to 1Password Securely Using SSO with Microsoft Entra ID
You can use Self Service / Software Center to download the 1Password Desktop Application, which is required for a secure LastPass migration. Once you have the 1Password Desktop Application installed, follow these steps to migrate:
Note: if you are migrating from an su- account in LastPass to a standard account in 1Password, make sure you are logged out in your default browser, or only logged in with your su- account.
- Open the 1Password desktop application.
- Click on "File" in the menu bar, then select "Import".
- In the import wizard, "LastPass" should be the default, if it is not then please select it. Enter your email address you are migrating from LastPass and select “Next”.
- The button will change, and you will see a new button titled “Sign in with SSO”. Select this button.
- Your default browser will open to a page that will ask you to confirm your SSO authentication. Select “Continue” to authorize this consent and close the browser window.
- You may see an error that tells you to check your inbox to “Verify a new device or location” from LastPass.
- Open your inbox and select “Verify new device or location” from the email.
- You will need to go back to your desktop application and start the import again.
- Close the import window, enter your email, select next, select Sign in with SSO, authorize the pop-up in the new browser window.
- There should be a “Successfully authenticated with LastPass” message in the import wizard window. Select the “Import” button.
- If you have shared folders those will be imported to 1Password vaults, when you hit “Import” in the 1Password Desktop Application, you will be asked if you want to check either of two check boxes (permissions only migration and email name change migration) but you can leave them unchecked and continue.
- Import will finish letting you know how many items were imported. Select “OK”.
- You have now successfully completed the migration!
IMPORTANT: Access to your LastPass vault will remain until December 15th, 2023.
Prioritize Password Rotation
There is ongoing risk that passwords in LastPass, particularly those which existed in LastPass prior to Fall 2022, could be compromised by attackers targeting U of I. To mitigate this risk, passwords should be rotated as soon as reasonable, without creating additional risk for your team.
Phase 1: Immediate Response (Month 1: Week 1-2)
- OIT Privileged Accounts: Change all OIT privileged account passwords if they were stored in LastPass, using https://help.uidaho.edu. These accounts have the highest level of access to U of I resources and must be prioritized.
Phase 2: High Priority (Month 1: Week 1-4)
- Internet Accessible Login Accounts: Change passwords for all accounts that were stored in LastPass that have Internet-accessible login methods. These accounts, including user and service/functional accounts, have significant access and could pose a high risk. Prioritize these based on the privileges of the account.
Phase 3: Medium Priority (Month 2-3)
- Internal UI Accounts: Complete password changes for all internal user accounts. While these accounts might have less access, they can still be a potential risk.
- Shared Accounts for Non-Critical Services: Update passwords for any shared accounts. These can often be a weak point in security as they are used by multiple individuals.
Phase 4: Lower Priority (Month 4-6)
- Non-privileged Local Accounts: Start changing passwords for non-privileged local network accounts. These accounts pose a lower risk but should still be updated.
- External User Accounts: Update passwords for external user accounts. These accounts might have limited access but can still pose a risk if compromised.
Use your best judgement in prioritizing password rotation, but if in doubt, prioritize:
- Privileged account passwords
- Internet-accessible services
- Passwords that have not changed since the November 2022 LastPass breach
Differences in Item Type Names and Shared Folders
When you import your data, your item types will change:
Table 1: Item type name conversions
|
LastPass item type
|
1Password item type
|
|
Password
|
Login
|
|
Address
|
Identity
|
|
Application
|
Login
|
|
Custom item
|
Secure Note
|
|
File or one-time password attached to an item
|
Automatically attached to the same item*
|
|
Bank Account, Credit Cards, and others
|
Equivalent item type
|
In addition, your shared folders in LastPass will be converted to Vaults in 1Password. Your current permissions will be migrated as well. At this time, OIT Security is not aware of any items not being migrated.
Private folders in LastPass will be converted to tags in 1Password. Regarding password history import, private items password history will not be imported, but shared items password history will be imported. Once one admin imports a shared folder, it will not be available for other admins to also import. The sharing permissions will be retained after migration is complete regardless of which admin imports first.
Erroneous / Expected Errors or Warnings
During the migration process, you may encounter some errors or warnings. These are usually due to differences in the way LastPass and 1Password handle certain types of data. If you encounter an error or warning, please contact OIT Security (oit-security@uidaho.edu) for any questions or concerns.
Use of Watchtower for Password Changes
1Password has a feature called Watchtower that alerts you to password breaches and other security problems on the websites you have saved in 1Password. After migrating to 1Password, you can use Watchtower to assist in keeping track of any passwords that were stored in LastPass, which are required to be changed with per the "Migration Schedule". Due to the breach, all imported passwords will automatically be tagged to allow you to keep track of the passwords requiring a change. Once a password is changed, please remove the tag associated with it.
There are two tags associated with LastPass and imports:
- 'LastPass'
- 'LastPass import <date_time_of_import>'
Using Tags within 1Password to Organize your Passwords
In 1Password, tags are a powerful feature that allow you to organize your items in a way that makes sense to you. You can add tags to any item in 1Password to make it easier to find and manage.
- To add a tag, open the item you want to tag and click ‘Edit’. Then, in the ‘tags’ field, enter the name of the tag you want to add.
- If you want to add multiple tags, separate them with commas. Once you’re done, click ‘Save’.
- The tagged items will now appear when you search for that tag in the 1Password app or browser extension.
- Removing a tag is just as easy. Open the item, click ‘Edit’, and then delete the tag from the ‘tags’ field.
- Tags can be used in many ways. For example, users can tag items based on the type of information the contain, such as ‘financial’ or ‘personal’. Or, you could use tags to indicate the importance of certain items, like ‘important’ or ‘urgent’.
The flexibility of tags allows you to customize 1Password to suit your needs. Remember, tags are for your use only - they’re not visible to anyone you share items with.
Account-Related Settings and Other Metadata
Account-related settings and other metadata from LastPass are migrated into a 1Password Secure Note in the vault titled "! LastPass Imported Shared Folders Metadata". This ensures that no important information is lost during the migration process. This vault be removed when all users have been migrated to 1Password.
Next Steps
After completing the migration process, you may want to familiarize yourself with 1Password's features and settings. You can find more information and guides on the 1Password Support page and the Getting Started with 1Password guide.
Get to Know the Browser Extension and the Apps
If you’re new to 1Password, learn how to use the browser extension and apps to manage your passwords, secure notes, and more.