
5 Steps to Switch From LastPass to Bitwarden: TOTP Seed Manual Re-Enrollment

Switching password managers sounds simple until you discover your two-factor authentication codes won’t transfer – and that’s just the beginning. Here’s why migrating from LastPass to Bitwarden requires more than a quick export, and what most people dangerously overlook about TOTP seeds.

Key Takeaways:

  • TOTP authentication codes cannot be exported from LastPass – each one requires manual re-enrollment in Bitwarden
  • File attachments and shared folders need separate handling beyond the standard CSV export process
  • A direct import method exists that bypasses creating unencrypted files on your computer
  • Proper security hardening after migration includes switching to Argon2id encryption and enabling hardware key authentication
  • Secure deletion of export files requires specialized tools, not just moving files to the recycle bin

The decision to migrate from LastPass to Bitwarden has accelerated dramatically following LastPass’s security breaches and restrictions on free accounts. While Bitwarden offers unlimited device sync and open-source transparency that security professionals can actually verify, the migration process involves more than simply exporting and importing a CSV file.

Why Your TOTP Codes Won’t Transfer (And What This Means for Your Migration)

The biggest surprise for most people switching password managers is discovering that their two-factor authentication codes don’t come along for the ride. LastPass explicitly states that TOTP seeds – the secret keys that generate those six-digit codes – cannot be exported through their standard data export feature.

This limitation exists for security reasons. TOTP seeds are highly sensitive cryptographic secrets that, if exposed in bulk, could compromise the secondary authentication layer for hundreds of accounts simultaneously. Unlike passwords, which can be changed if compromised, TOTP seeds require manual intervention at each service to reset.

What this means practically is that every account currently using LastPass’s built-in authenticator will need individual attention during your migration. You’ll need to temporarily disable two-factor authentication on each account, then re-enable it by scanning new QR codes directly into Bitwarden’s integrated authenticator.

Step 1: Export Your LastPass Data and Identify What’s Missing

1. Export Your Password Data Using Browser Extension

The most reliable export method uses LastPass’s browser extension rather than the web interface. Click the LastPass icon in your browser toolbar, then navigate to Account tab > Fix a problem yourself > Export vault items > Export data for use anywhere. You’ll need to re-enter your master password to authorize the local decryption of your vault data.

The export will generate a CSV file containing your login credentials, secure notes, and basic folder structure. However, this represents only a fraction of what’s actually stored in your LastPass vault – notably excluding TOTP seeds and file attachments, which require separate handling. The file will download to your default Downloads folder – make note of exactly where it’s saved, as you’ll need to securely delete it later.

2. Download File Attachments Before They’re Gone Forever

File attachments cannot be exported through the CSV process and must be downloaded individually. This includes important documents like passport scans, software licenses, or recovery codes that you may have stored as attachments to specific vault entries.

Use the LastPass browser extension to open each vault item that has attachments, then click each attachment to download it to a secure temporary folder. This process can be time-consuming, especially for large files, so allow several minutes per attachment for the decryption and download process to complete.

3. Create a List of Every Account Using TOTP Authentication

Before proceeding with the import, create a detailed list of every account currently using LastPass’s authenticator feature. Open your LastPass vault and look for entries displaying the rotating six-digit codes. Write down the service name and associated email address for each one – you’ll need this information to systematically re-enroll each account in Bitwarden.

Pay special attention to critical accounts like banking, email providers, and cloud storage services. These should be prioritized during the re-enrollment process to minimize the window of vulnerability where two-factor authentication is temporarily disabled.

Step 2: Import Your Passwords Into Bitwarden

1. Handle the Unencrypted CSV File Risk (Direct Import Limited)

Bitwarden offers a direct import feature that connects to LastPass’s servers without creating an unencrypted file on your computer. In the Bitwarden browser extension, go to Settings > Import Items, select LastPass as the format, then choose “Import directly from LastPass.” Enter your LastPass credentials and any required two-factor authentication codes.

If the direct import fails (which sometimes happens with certain LastPass account configurations), you’ll need to use the CSV file method. Navigate to vault.bitwarden.com, go to Tools > Import Data, select “LastPass (csv)” as the format, and either upload your exported file or paste its contents into the text box. Essential cybersecurity tools can help you manage this process more securely by providing additional layers of protection during sensitive data transfers.

2. Fix Common Import Errors That Break Your Passwords

A common import problem, particularly when manually copying data from a LastPass web export, is HTML entity encoding, where special characters in passwords get converted to HTML codes. A password containing an ampersand (&) might be exported as &amp;, which will cause login failures if imported unchanged.

Before importing, open your CSV file in a plain text editor and use find-and-replace to convert these entities back: change &amp; to &, &lt; to <, &gt; to >, and &quot; to " (a plain double quote). Make sure you’re using a UTF-8 compatible editor to preserve character encoding.
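As an added example (not code from the article or from Bitwarden), the script below applies the same entity fix to a LastPass export with Python’s csv module instead of a blind find-and-replace, so passwords that contain commas or quotes are not corrupted, and it reports every entry it changed so you can review them. The column header and the two rows are constructed sample data.

```python
import csv
import html
import io
import re

# Constructed sample in the LastPass CSV column layout (the header line is an
# assumption about how LastPass writes it). Row 1 has HTML-encoded characters
# in its password, as a web export can produce; row 2 is a correctly quoted
# password containing a comma, which naive find-and-replace tools often break.
SAMPLE_CSV = """url,username,password,totp,extra,name,grouping,fav
https://example.com,alice,p&amp;ss&lt;word&gt;&quot;1&quot;,,,Example,Work,0
https://example.org,bob,"plain,comma",,,Other,Personal,0
"""

# Named, decimal and hexadecimal character references: &amp; &#38; &#x26;
ENTITY_RE = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def read_rows(text):
    """Parse CSV with the csv module so commas and quotes inside fields survive."""
    return list(csv.DictReader(io.StringIO(text)))


def clean_lastpass_csv(text, fields=("password", "username", "extra")):
    """Decode HTML entities in the given fields only.

    Returns the rewritten CSV text plus a list of (name, field) pairs that were
    changed, so each one can be checked by eye: a password that legitimately
    contains a literal "&amp;" would be altered here and must be reverted by hand.
    """
    reader = csv.DictReader(io.StringIO(text))
    rows, changed = [], []
    for row in reader:
        for f in fields:
            value = row.get(f) or ""
            if ENTITY_RE.search(value):
                row[f] = html.unescape(value)
                changed.append((row.get("name"), f))
        rows.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), changed
```

Write the returned text to a new file, import that one, and securely delete both copies afterwards as described in Step 4.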

The most time-consuming part of your migration isn’t the password transfer – it’s systematically re-enrolling every account that uses two-factor authentication. To keep track of your progress and ensure you don’t miss critical accounts, use this interactive checklist throughout your migration process.

TOTP Migration Checklist


By maintaining this checklist as you work through Step 3, you’ll avoid the frustration of discovering missed accounts weeks after your migration is complete. The systematic approach also ensures you prioritize critical services first, minimizing any potential security gaps during the transition period.

Step 3: Manually Re-Enroll Each TOTP Code in Bitwarden

1. Disable 2FA on Each Account Temporarily

Working through your TOTP list systematically, log into each service and navigate to its security or two-factor authentication settings. Temporarily disable the existing TOTP authentication – this will invalidate the codes currently generated by LastPass but is necessary to establish new seed keys for Bitwarden.

Document which accounts you’ve processed to avoid confusion, especially if the re-enrollment process spans multiple sessions. Consider starting with less critical accounts to build confidence with the process before tackling essential services like email or banking.

2. Scan QR Codes Directly Into Bitwarden

Once two-factor authentication is disabled, each service will offer to re-enable it by displaying a QR code containing the new TOTP seed. Instead of scanning this with a separate authenticator app, use Bitwarden’s built-in feature.

In the Bitwarden mobile app or browser extension, open the relevant password entry and look for the authenticator or TOTP section. Select “Scan QR Code” and point your device’s camera at the code displayed by the service. Bitwarden will immediately begin generating the six-digit codes and sync this capability across all your devices.

3. Test Every Code Before Moving to the Next Account

Before considering any account fully migrated, verify that Bitwarden is generating working codes. Enter the current six-digit code displayed in Bitwarden into the service’s verification field. Only after successful verification should you save the changes and move to the next account on your list.

This testing step is vital because a misconfigured TOTP setup could lock you out of important accounts. If a code doesn’t work, double-check that Bitwarden captured the seed correctly by comparing the generated codes with those from the service’s backup codes or by re-scanning the QR code.

Step 4: Secure Your Migration Environment and Delete Export Files

1. Use Secure Deletion Tools (Not Regular Delete)

Standard file deletion doesn’t actually remove data from your hard drive – it simply marks the space as available for future use. Until that space is overwritten, your unencrypted password file can be recovered with basic data recovery software, creating a significant security risk.

For Windows users, download Microsoft’s SDelete utility and run “sdelete64.exe -p 3 [filename]” from PowerShell to overwrite the file three times with random data. Linux users can use the built-in “shred -u -z -n 3 [filename]” command. These tools ensure that your exported credentials cannot be forensically recovered.

If you’re using a solid-state drive (SSD), the situation is more complex due to wear-leveling technology. For SSDs, enable full-disk encryption (BitLocker, FileVault, or LUKS) before creating export files, ensuring that even if data fragments remain, they’re encrypted and unreadable.

2. Clear Browser Cache and Download History

Your browser may have cached portions of the export process or retained records of the downloaded files. Clear your browser’s download history, cached data, and any temporary files that might contain fragments of your password data.

In Chrome or Edge, go to Settings > Privacy and Security > Clear Browsing Data, select “All Time” as the time range, and check boxes for browsing history, download history, and cached images and files. Firefox users can find similar options under Settings > Privacy & Security > Cookies and Site Data.

Step 5: Harden Your New Bitwarden Vault Security

1. Consider Argon2id Key Derivation (Check Device Compatibility First)

Bitwarden defaults to PBKDF2 for password-based key derivation, but offers the more secure Argon2id algorithm, which won the Password Hashing Competition for its resistance to GPU-based attacks. Navigate to Settings > Security > Keys in your Bitwarden account to make this change.

Bitwarden’s default Argon2id settings are 3 iterations, 64 MB memory usage, and 4 threads, which offer strong security. Users can consider increasing these values for enhanced security if their devices can handle the increased processing time. However, if you use iOS devices extensively, consider reducing memory to 48 MB to prevent autofill performance issues. The improved security comes from Argon2id’s “memory-hard” design, which makes brute-force attacks exponentially more expensive for attackers.

2. Enable Hardware Security Key Authentication

Hardware security keys provide phishing-resistant two-factor authentication that’s significantly more secure than SMS or authenticator apps. Bitwarden supports FIDO2/WebAuthn keys like YubiKey even on free accounts, making this high-security option accessible to all users.

Purchase a reputable hardware key and register it in Bitwarden’s Settings > Security > Two-step Login section. Keep a backup key in a secure location, as losing your primary key without a backup could result in permanent account lockout if other recovery methods aren’t properly configured.

3. Generate and Store Your Emergency Recovery Code

When you enable two-step login, Bitwarden generates a unique recovery code that can bypass two-factor authentication if your primary method is lost or unavailable. This code is your only guarantee of account access in emergency situations.

Print this recovery code immediately and store it in a physical safe or security deposit box. Never store it digitally or inside your Bitwarden vault, as this creates a circular dependency that defeats the purpose of emergency access. Write the current date on the printed copy, as recovery codes may change when you modify your two-factor settings.

You’re Now Protected by Open-Source Security That You Can Actually Verify

Your migration to Bitwarden represents more than just a password manager change – it’s a shift toward transparent, verifiable security. Unlike proprietary solutions, Bitwarden’s open-source architecture allows security researchers worldwide to continuously audit and improve the codebase, providing assurance that goes beyond marketing claims.

The manual effort required for TOTP re-enrollment, while initially inconvenient, demonstrates the strong security model that makes bulk export of authentication seeds impossible. This same protection now secures your data with AES-CBC 256-bit encryption, HMAC authentication, and zero-knowledge architecture that ensures even Bitwarden cannot access your stored information.

Your commitment to following proper migration procedures – from secure file handling to cryptographic hardening – establishes a foundation for long-term digital security that scales with evolving threats and technological changes.

For detailed guidance on implementing strong cybersecurity practices in your personal and professional environment, TechEd Publishers provides clear, actionable security resources designed for everyday technology users who want to stay protected without becoming security experts.