yours, tiramisu

migrating passwords to keepassxc

For someone as concerned about digital privacy as I am, my approach to passwords is surprisingly laissez-faire in comparison. I didn't switch to using a password manager until a few years ago, and even then I must admit that I didn't do a very good job of it. While I do keep some passwords in LastPass, many are also stored in various other (less secure) places, something security experts don't recommend.

LastPass's recent security breach (read: fiasco) was the last straw for me. While I appreciated them proactively informing me about the hack, their nonchalance and inaction appalled me. So I exported my passwords out of LastPass and deleted my account, citing their handling of the recent breaches as my reason for leaving.

I find it strange that the authors of that WIRED article recommended switching from LastPass to Bitwarden or 1Password. Sure, these alternatives might use slightly better security protocols, but because these cloud password managers store passwords for millions of people, they're a much more lucrative target to hackers than a locally hosted vault on your own computer. Far fewer hackers (and of lower caliber, too) will be trying to get into your personal vault.

That left me with the challenge of picking out a new self-hosted password manager to use. Getting started with a free, open-source, self-hosted password manager isn't as easy as going through the slick onboarding interfaces of cloud password managers, but in the end I decided on KeePassXC due to its cross-platform availability (I use both macOS & Windows) and robust features like browser integration.

I learned a few things while migrating that I'd like to recommend you do. First, before migrating, go through your stored passwords and get rid of the ones you don't need. This will make them more manageable. After you migrate, keep your cloud password manager around for at least a few weeks. Don't make the same mistake I did—I promptly deleted all my passwords in Bitwarden post-migration and almost suffered a heart attack when I kept incorrectly typing the master password to my vault. And finally, sync your password vault in the cloud and make sure you have a backup copy somewhere (I keep mine on a flash drive).

Bonus tip: I learned in this video (also linked in the resources below) that the traditional rules websites force you to adhere to when creating passwords are poor indicators of password strength. For example, Password123! likely satisfies most websites' requirements since it's 12 characters and contains a capital letter, a number, and a symbol, but it's still far easier for hackers to guess than, say, a password like fnicp, because it has far less entropy.
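To make the bonus tip concrete, here is a small added illustration (my own example, not from the original post or from KeePassXC): a composition-rule check next to two strength estimates, a naive character-set count and a pattern-aware count that, like real strength estimators, credits a common word or digit sequence with only as many bits as a guesser would need to try it. The word list, rule regex and bit assignments are simplified assumptions for illustration.

```python
import math
import re

# Constructed mini-dictionary, most common first (assumption: a real estimator
# ships a ranked list of tens of thousands of words and leaked passwords).
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "welcome", "admin"]
# Assumed "typical website" rule: 12+ chars, an uppercase, a digit, a symbol.
COMPOSITION_RULE = re.compile(r"^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{12,}$")
SYMBOL_COUNT = 33  # printable ASCII symbols (assumed charset size)


def passes_composition_rules(pw: str) -> bool:
    """True if the password satisfies the assumed composition rule."""
    return COMPOSITION_RULE.match(pw) is not None


def naive_entropy_bits(pw: str) -> float:
    """Character-set model: pretends every character was chosen at random."""
    size = 0
    size += 26 if re.search(r"[a-z]", pw) else 0
    size += 26 if re.search(r"[A-Z]", pw) else 0
    size += 10 if re.search(r"[0-9]", pw) else 0
    size += SYMBOL_COUNT if re.search(r"[^A-Za-z0-9]", pw) else 0
    return len(pw) * math.log2(size) if size else 0.0


def _is_digit_sequence(run: str) -> bool:
    """'123', '987' and '111' are sequences a guesser tries early."""
    diffs = {int(b) - int(a) for a, b in zip(run, run[1:])}
    return len(run) >= 3 and len(diffs) == 1 and abs(diffs.pop()) <= 1


def estimate_guess_bits(pw: str) -> float:
    """Pattern-aware model: tokenise left to right, charging each token with
    roughly log2(number of guesses needed to reach it)."""
    bits, i = 0.0, 0
    while i < len(pw):
        rest = pw[i:]
        word = next((w for w in COMMON_WORDS if rest.lower().startswith(w)), None)
        if word:  # dictionary hit: log2(rank), +1 bit for a capitalised variant
            bits += math.log2(COMMON_WORDS.index(word) + 1)
            bits += 1 if rest[:len(word)] != word else 0
            i += len(word)
        elif (m := re.match(r"[0-9]+", rest)):  # digit run
            run = m.group()
            bits += math.log2(10 * len(run)) if _is_digit_sequence(run) else len(run) * math.log2(10)
            i += len(run)
        elif not rest[0].isalpha():  # a symbol, charged at full charset size
            bits += math.log2(SYMBOL_COUNT)
            i += 1
        else:  # a letter that starts no known word: treat as random
            bits += math.log2(26) + (1 if rest[0].isupper() else 0)
            i += 1
    return bits
```

Run on the post's two examples, Password123! passes the rule but is charged about 11 bits, while fnicp fails the rule yet is charged about 23.5 bits, which is the author's point in numbers.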

Resources that informed this post:

#english #technology