Migrating password managers requires careful handling of sensitive data. For developers and power users, the transition from LastPass to Bitwarden offers improved open-source transparency, self-hosting options, and better CLI tooling. This guide walks through the technical process using command-line tools for maximum control and automation.

• For developers and power users: the transition from LastPass to Bitwarden offers improved open-source transparency, self-hosting options, and better CLI tooling.
• LastPass uses PBKDF2-SHA256 with: a default of 600,000 iterations as of 2023, but older accounts may still use much lower iteration counts inherited from years ago.
• A Bitwarden account (free: or premium) 2.
• Use a clean environment: Run on a secure machine without malware 2.
• Start with whichever matches: your most frequent task, then add the other when you hit its limits.
• If you work with: sensitive or proprietary content, look for options to opt out of data collection or use enterprise tiers with stronger privacy guarantees.

Why Developers Choose Bitwarden Over LastPass

Several technical factors make Bitwarden the preferred choice for developers:

• Open-source codebase: Audit the encryption, sync, and storage implementations yourself
• Self-hosting option: Run your own vault server using Docker
• CLI-first workflow: Bitwarden’s CLI is purpose-built for scripting and CI/CD integration
• No team size limits: Free organizations support unlimited users
• Better pricing: Premium features cost $10/year versus LastPass’s $36/year

The security architecture difference is also meaningful. LastPass uses PBKDF2-SHA256 with a default of 600,000 iterations as of 2023, but older accounts may still use much lower iteration counts inherited from years ago. Bitwarden also uses PBKDF2-SHA256 with 600,000 iterations by default, but additionally supports Argon2id. a memory-hard algorithm that provides stronger resistance against GPU-accelerated cracking attacks. For high-risk environments or security-conscious individuals, Bitwarden’s Argon2id option represents a meaningful security upgrade.

Quick Comparison

Prerequisites

Before you begin, make sure you have the following ready:

• A computer running macOS, Linux, or Windows
• Terminal or command-line access
• Administrator or sudo privileges (for system-level changes)
• A stable internet connection for downloading tools

Step 1 - Preparing for Migration

Before starting, ensure you have:

1. A Bitwarden account (free or premium)
2. LastPass credentials with admin access to your vault
3. Node.js installed (for Bitwarden CLI)
4. jq or similar JSON processing tools

Install Bitwarden CLI
npm install -g @bitwarden/cli

Verify installation
bw --version

Step 2 - Exporting Data from LastPass

LastPass provides CSV export through their browser extension or CLI. For programmatic control, use the LastPass CLI:

Install LastPass CLI (Linux/macOS)
brew install lastpass-cli  # macOS
or
sudo apt install lpass    # Debian/Ubuntu

Export vault to CSV
lpass export --format=csv > lastpass-export.csv

The CSV export includes:

• URL
• Username
• Password
• Extra (notes)
• Name (folder/title)
• Favicon (ignored by Bitwarden)

Handling TOTP Seeds

LastPass exports TOTP codes as “One-Time Passwords” in the Extra field. You’ll need to extract these manually for Bitwarden’s TOTP support:

Extract TOTP seeds using grep and sed
TOTP secrets typically appear as base32 strings
grep -oP '(?<=TOTP: )[A-Z2-7]+=*' lastpass-export.csv > totp-seeds.txt

Step 3 - Importing into Bitwarden

Bitwarden’s CLI handles imports directly:

Login to Bitwarden
bw login your@email.com

Unlock vault (will prompt for master password)
bw unlock

Import the LastPass CSV
--format lastpasscsv tells Bitwarden how to parse the data
bw import --format lastpasscsv --file ./lastpass-export.csv

The import process maps LastPass fields to Bitwarden equivalents:

• URL → URI
• Username → Username
• Password → Password
• Extra → Notes
• Name → Folder/Name

Migrating TOTP Authenticators

LastPass stores TOTP secrets in a separate format. For full migration:

Method 1 - Manual Export via Browser Extension

1. Open LastPass browser extension
2. Navigate to Account Settings → Export
3. Export “Export Generic CSV”
4. Extract the “One-Time Password” column

Method 2 - Using a Python Script

#!/usr/bin/env python3
import csv
import sys

def parse_totp_from_csv(input_file, output_file):
    """Extract TOTP secrets from LastPass export"""
    totp_entries = []

    with open(input_file, 'r', encoding='utf-8') as f:
        reader = csv.DictReader(f)
        for row in reader:
            extra = row.get('Extra', '')
            # Look for TOTP patterns in the notes
            if 'TOTP:' in extra or 'totp:' in extra.lower():
                # Parse and clean the secret
                for line in extra.split('\n'):
                    if 'TOTP' in line or 'totp' in line.lower():
                        parts = line.split(':')
                        if len(parts) >= 2:
                            secret = parts[-1].strip()
                            totp_entries.append({
                                'url': row['url'],
                                'name': row['name'],
                                'secret': secret
                            })

    # Output for manual TOTP entry
    with open(output_file, 'w') as f:
        for entry in totp_entries:
            f.write(f"{entry['name']}: {entry['secret']}\n")

    print(f"Found {len(totp_entries)} TOTP entries")
    return totp_entries

if __name__ == '__main__':
    parse_totp_from_csv('lastpass-export.csv', 'totp-seeds.txt')

Adding TOTP to Bitwarden

After migration, manually add TOTP to each login item:

Get item ID
bw list items --url "github.com"

Update with TOTP (requires premium for TOTP)
bw edit item <item-id> --totp "JBSWY3DPEHPK3PXP"

Step 4 - Bulk Operations with Bitwarden CLI

For large vaults, use scripting for efficiency:

#!/bin/bash
Sync vault after import
bw sync

List all items with specific tags
bw list items --search "" | jq '.[] | select(.organizationId == null)'

Export Bitwarden vault for backup
bw export --format json --output ./bitwarden-backup.json

Step 5 - Folder Organization

LastPass uses folders; Bitwarden uses collections for organizations and folders for personal vaults. Import automatically creates folders:

View imported folders
bw list folders

Reorganize using CLI
bw move <item-id> <folder-name>

Step 6 - Self-Hosting Bitwarden with Vaultwarden

One of the most compelling reasons to migrate from LastPass to Bitwarden is the ability to self-host your vault using Vaultwarden, a lightweight Rust implementation of the Bitwarden server API. This eliminates reliance on Bitwarden’s cloud infrastructure entirely and gives you complete control over your password data.

Deploy Vaultwarden using Docker
docker run -d --name vaultwarden \
  -e ADMIN_TOKEN=$(openssl rand -base64 48) \
  -e SIGNUPS_ALLOWED=false \
  -e WEBSOCKET_ENABLED=true \
  -v /path/to/vaultwarden/data/:/data/ \
  -p 3012:3012 \
  -p 8080:80 \
  --restart unless-stopped \
  vaultwarden/server:latest

After deployment, configure the Bitwarden desktop and mobile clients to point to your self-hosted server instead of bitwarden.com. The clients accept a custom server URL in their settings. All Bitwarden official clients work with Vaultwarden.

For production deployments, place Vaultwarden behind an nginx reverse proxy with a valid TLS certificate:

server {
    listen 443 ssl;
    server_name vault.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/vault.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /notifications/hub {
        proxy_pass http://localhost:3012;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

Self-hosting eliminates the risk of a cloud provider breach. the LastPass breach of 2022, which exposed encrypted vaults to attackers, is the clearest argument for keeping your vault under your own control.

Step 7 - Verification Checklist

After migration, verify your data:

• All passwords imported with correct values
• URLs match original entries
• Notes field contains all original data
• TOTP codes work (test with bw get item <id>)
• Folder structure matches LastPass

Verify specific entry
bw get item "GitHub" | jq '{username, password, totp, notes}'

Step 8 - Automate Continuous Migration

For team migrations, script the process:

// migration-script.js
const { execSync } = require('child_process');

function migrateEntry(entry) {
  try {
    // Create item in Bitwarden
    const cmd = `bw create item --organization-id ${process.env.BW_ORG_ID}`;
    execSync(cmd, {
      input: JSON.stringify(entry),
      encoding: 'utf-8'
    });
    console.log(`Migrated: ${entry.name}`);
  } catch (err) {
    console.error(`Failed: ${entry.name}`, err.message);
  }
}

Step 9 - Post-Migration Password Hygiene

The migration process itself is a good opportunity to address password quality across your vault. LastPass and Bitwarden both offer password health reports, but Bitwarden’s Vault Health Reports (available to premium subscribers) are particularly actionable:

• Reused passwords: Identify every account sharing a password. Each reused credential represents a credential-stuffing risk. if one site breaches, attackers will try that password everywhere.
• Weak passwords: Passwords under 12 characters or without character class diversity.
• Exposed passwords: Passwords that have appeared in known data breaches, checked against the Have I Been Pwned database via k-anonymity API without exposing your actual passwords.

For developer accounts specifically, prioritize rotating credentials for:

• GitHub, GitLab, or Bitbucket accounts with production repository access
• Cloud provider accounts (AWS, GCP, Azure)
• Domain registrar and DNS provider accounts
• Any service that holds API keys used in production systems

After migration, use Bitwarden’s password generator to replace weak or reused passwords. The CLI can generate passwords non-interactively for scripted rotation workflows:

Generate a strong password
bw generate --length 20 --uppercase --lowercase --number --special

Generate a passphrase (easier to type, still strong)
bw generate --passphrase --words 5 --separator "-"

Step 10 - Set Up Emergency Access

Bitwarden Premium and Families plans include an Emergency Access feature that LastPass does not offer in a comparable form. This allows you to designate trusted contacts who can request access to your vault in case of emergency, with a configurable waiting period during which you can deny the request.

Configure Emergency Access in the Bitwarden web vault under Settings > Emergency Access. Add trusted contacts by email address and set an appropriate waiting period (24 hours to 30 days depending on your risk model). This resolves a significant operational security gap that affects single-person households and small teams. if the primary vault holder becomes incapacitated, critical credentials are recoverable without resorting to insecure backup methods.

Security Considerations

During migration:

1. Use a clean environment: Run on a secure machine without malware
2. Encrypt exports: Store temporary files encrypted
3. Delete intermediates: Remove CSV files after successful import
4. Rotate passwords: Consider updating critical passwords post-migration
5. Enable 2FA: Set up Bitwarden with TOTP or FIDO2

Secure cleanup
shred -u lastpass-export.csv
shred -u totp-seeds.txt

The window between export and import is the period of highest risk. The LastPass CSV file contains every password in plaintext. Keep this window as short as possible. ideally complete the full import within the same working session and securely delete the export file before ending the day.

Troubleshooting

Configuration changes not taking effect

Restart the relevant service or application after making changes. Some settings require a full system reboot. Verify the configuration file path is correct and the syntax is valid.

Permission denied errors

Run the command with sudo for system-level operations, or check that your user account has the necessary permissions. On macOS, you may need to grant terminal access in System Settings > Privacy & Security.

Connection or network-related failures

Check your internet connection and firewall settings. If using a VPN, try disconnecting temporarily to isolate the issue. Verify that the target server or service is accessible from your network.

Frequently Asked Questions

Can I use Bitwarden and the second tool together?

Yes, many users run both tools simultaneously. Bitwarden and the second tool serve different strengths, so combining them can cover more use cases than relying on either one alone. Start with whichever matches your most frequent task, then add the other when you hit its limits.

Which is better for beginners, Bitwarden or the second tool?

It depends on your background. Bitwarden tends to work well if you prefer a guided experience, while the second tool gives more control for users comfortable with configuration. Try the free tier or trial of each before committing to a paid plan.

Is Bitwarden or the second tool more expensive?

Pricing varies by tier and usage patterns. Both offer free or trial options to start. Check their current pricing pages for the latest plans, since AI tool pricing changes frequently. Factor in your actual usage volume when comparing costs.

How often do Bitwarden and the second tool update their features?

Both tools release updates regularly, often monthly or more frequently. Feature sets and capabilities change fast in this space. Check each tool’s changelog or blog for the latest additions before making a decision based on any specific feature.

What happens to my data when using Bitwarden or the second tool?

Review each tool’s privacy policy and terms of service carefully. Most AI tools process your input on their servers, and policies on data retention and training usage vary. If you work with sensitive or proprietary content, look for options to opt out of data collection or use enterprise tiers with stronger privacy guarantees.

Related Articles

• Migrating from LastPass to Bitwarden No Data Loss
• Encrypted Cloud Storage Migration Guide Switching
• 1Password vs LastPass: Which Survived Their Breaches?
• Dashlane vs LastPass After Breach: Security Comparison
• 1password Vs Bitwarden 2026 Comparison

Built by theluckystrike. More at zovo.one