
LastPass to KeepassX

Discussion in 'BlackHat Lounge' started by cottonwolf, Jul 7, 2015.

  1. cottonwolf

    cottonwolf Regular Member

    I've been using LastPass lately because it was mentioned in a thread on BHW; it was my first password manager and it was convenient. But it got hacked in June, which got me thinking. Note: read their blog post and decide for yourself.
    I've been reading some server forums and they were praising self-reliance, relying on your own data, backups, etc. vs. relying on third parties.

    So I got myself to work and realised how easy it is to get your LastPass passwords into your own KeePassX database.

    You obviously don't want to transfer tens or hundreds of passwords by hand. So here's how:

    You should have a server or machine capable of running Python 2.6 or later. Linux and Mac OS X should do. Winblows might need an extra install. I've got Windows, but didn't bother with installing any programming environment.

    Quick resources:
    https://ssd.eff.org/en/module/how-use-keepassx
    https://www.keepassx.org/downloads
    http://www.guidingtech.com/11787/transfer-passwords-lastpass-to-keepass-right-way/
    https://github.com/anirudhjoshi/lastpass2keepass
    http://git-scm.com/book/en/v2/Git-Basics-Getting-a-Git-Repository
    www.digitalocean.com
    www.vultr.com
    www.serverpilot.io

    1. Download KeePassX.
    https://www.keepassx.org/downloads
    This is a nice site for security minded folks, somewhat. That's the site that got me going.
    https://ssd.eff.org/en/module/how-use-keepassx

    2. Once you've downloaded it, make a database with a strong password, with or without a keyfile.

    " How KeePassX works

    KeePassX works with files called password databases, which are exactly what they sound like—files that store a database of all your passwords. These databases are encrypted when they're stored on your computer's hard disk, so if your computer is off and someone steals it they won't be able to read your passwords.
    Password databases can be encrypted via three methods: using a master password, using a keyfile, or both. Let's look at the pros and cons of each.


    Using a Master Password

    A master password acts like a key—in order to open the password database, you need the correct master password. Without it, nobody can see what's inside the password database. There are a few things to keep in mind when using a master password to secure your password database.

    • This password will decrypt all of your passwords, so it needs to be strong! That means it shouldn't be something easy to guess, and it should also be long—the longer the better! Also, the longer it is, the less you need to worry about having special characters or capitals or numbers. A password that is only made up of six random words (in all lower case, with spaces in between) can be harder to break than a 12-character password made up of upper and lower case letters, numbers, and symbols.
    • You need to be able to remember this password! Since this one password will allow access to all your other passwords, you need to be able to make sure you can remember it without writing it down. This is another reason to use something like Diceware—you can use regular words that are easy to remember, instead of trying to remember unnatural combinations of symbols and capital letters.

    Using a Keyfile

    Alternatively, you can use a keyfile to encrypt your password database. A keyfile acts the same way a password would—every time you want to decrypt your password database you will need to provide that keyfile to KeePassX. A keyfile should be stored on a USB drive or some other portable media, and only inserted into your computer when you want to open your password database. The benefit of this is that even if somebody gets access to your computer's hard disk (and thus your password database) they still won't be able to decrypt it without the keyfile stored in the external media. (Additionally, a keyfile can be much harder for an adversary to guess than a normal password.) The downside is that any time you want to access your password database, you'll need to have that external media handy (and if you lose it or it gets damaged, then you won't be able to open your password database).
    Using a keyfile instead of a password is the closest thing to having an actual physical key to open your password database—all you need to do is insert your USB drive, select the keyfile, and presto! If you do choose to use a keyfile instead of a master password, though, make sure your USB drive is stored somewhere safe—anyone who finds it will be able to open your password database.

    Using Both

    The most secure method for encrypting your password database is to use both a master password and a keyfile. This way, your ability to decrypt your password database depends on what you know (your master password) and what you have (your keyfile)—and any malicious entity who wants to get access to your passwords will need both. (With that said, keep in mind your threat model—for most home users who just want to store their passwords, a strong master password should be sufficient. But if you're worried about protecting against state-level actors with access to huge computational resources, then the more security the better.)
    Now that you understand how KeePassX works, let's get started with actually using it!


    "

    3. Now, this is the part where I decided that I won't be manually entering my passwords into the KeePassX database, so I googled around.
    From this site http://www.guidingtech.com/11787/transfer-passwords-lastpass-to-keepass-right-way/ , I realised there's already a Python script for this on GitHub. It simply takes your exported LastPass CSV database and makes it KeePassX compatible.

    3.a. See these steps:

    "Steps to Transfer Data From LastPass to KeePass

    Step 1: Download and run LastPass Pocket, the portable version of LastPass password manager for Windows. Log in to your LastPass account using LastPass Pocket. Just make sure you are connected to the internet.

    Step 2: Once LastPass syncs all your secured data from the server, click on File ->Export.

    Step 3: Select the option to export the data in plain text CSV format. Provide your LastPass password again, select the location where you want to save the CSV file and click on the Export button."

    3.b. Now you've got your CSV file of your LastPass passwords; I saved it to the desktop as test.csv. I've got Windows on my laptop and that's not Python friendly. But I've got a DigitalOcean droplet with serverpilot.io agents running on it, so I had to SFTP my test.csv onto the server with FileZilla.

    You can get a cheap server for an hour on DigitalOcean or Vultr, for example. They always run promo codes. I don't put my affiliate link here, because some of you are cunts and I don't need the drama.

    If you run ServerPilot, your free account's username is serverpilot. If you SFTP to your server, you'll land in your home folder, which has your public, log and misc folders. Read more about ServerPilot if you're interested.

    You can then copy your test.csv file to your server with FileZilla.

    Once you're on your server, make a separate folder for this small project, either via FileZilla or over SSH with PuTTY.

    mkdir foldername
    cd foldername

    *cd foldername only works if you're in its direct parent folder. Otherwise you have to use the full path, e.g. cd /srv/users/serverpilot/foldername

    *If you've got git on your server, then just run git clone. I already had git on my server, so I just ran:

    git clone https://github.com/anirudhjoshi/lastpass2keepass

    *With the command ls you can see the folder contents, which will include a folder called lastpass2keepass. So go there:

    cd lastpass2keepass

    *Move your test.csv file to this folder, either with FileZilla or with shell commands. FileZilla is graphical and easier.

    mv /srv/users/serverpilot/test.csv /srv/users/serverpilot/foldername/lastpass2keepass

    *I just used FileZilla; the above command might not be perfect.
    *Now you have both the git-cloned repo in your /srv/users/serverpilot/foldername/lastpass2keepass folder and your exported test.csv database of LastPass passwords in the same folder, and you need to run the Python command. Then, referring to the usage section at https://github.com/anirudhjoshi/lastpass2keepass, run the magic. The magic converts the exported CSV file into an importable KeePassX file.

    python lastpass2keepass.py test.csv

    *test.csv is your exported LastPass CSV file. If you named it pewep.csv, then use that instead.
    Now you just have to download the KeePassX export file made by the Python script. My file had the name test.csv.export.xml.
    I used FileZilla to copy it to my desktop and imported it into my open KeePassX database. And it got imported.

    Please don't bother me with thanks or questions. I'm going to report PM-ing jackals.
    If you lack experience with Linux, then learn more about it. Start on YouTube with elithecomputerguy.
    If you've got reading comprehension problems, then help yourself and start googling around.
    Last edited: Jul 7, 2015
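The conversion step the post hands off to lastpass2keepass, as an added example that is not part of the original post and is not the lastpass2keepass script: a small Python 3 program that parses a LastPass CSV export with the csv module and writes the KeePassX 0.4 XML layout (database, group and entry elements with title, username, password, url, comment, icon, creation, lastaccess, lastmod and expire), which is assumed here to be the layout KeePassX's XML importer accepts. The sample CSV is constructed; its column set (url,username,password,extra,name,grouping,fav) is the one LastPass exported at the time, and rows are read by header name so a later totp column would be tolerated. The "Imported" root group name, the treatment of http://sn as the secure-note marker, and the assumption that LastPass nests folders with a backslash are mine. Because it runs on the machine you exported from, the plaintext CSV never has to travel over SFTP to a rented server; delete both the CSV and the XML after importing, since each holds every password in the clear.

```python
"""LastPass CSV export -> KeePassX 0.4 XML. Example code, not the
lastpass2keepass script referenced in the thread."""
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of a LastPass "plain text CSV" export. Embedded commas,
# quotes, newlines and XML-special characters are deliberately included.
SAMPLE_CSV = """url,username,password,extra,name,grouping,fav
https://example.com/login,alice,"p4ss,with""quote",Notes with <angle> & ampersand,Example,Web\\Shopping,0
https://mail.example.org,bob@example.org,hunter2,,Mail,Web,1
http://sn,,,"Secure note body
second line",My note,(none),0
"""

def parse_lastpass_csv(text):
    """Yield one dict per row keyed by header name. The csv module handles
    quoting; never split an export on ',' by hand."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {k: (v or "") for k, v in row.items()}

def group_path(grouping):
    """LastPass separates nested folders with a backslash (assumption); empty
    or '(none)' means the root. Returns group titles, outermost first."""
    if not grouping or grouping == "(none)":
        return ["Imported"]
    return grouping.split("\\")

def build_keepassx_xml(rows, now=None):
    """Return (xml_text, entry_count). ElementTree escapes <, > and & in
    passwords and notes, so hostile field contents cannot break the XML."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    db = ET.Element("database")
    groups = {}  # tuple(path) -> <group> element, created on demand

    def group_for(path):
        path = tuple(path)
        if path in groups:
            return groups[path]
        parent = db if len(path) == 1 else group_for(path[:-1])
        g = ET.SubElement(parent, "group")
        ET.SubElement(g, "title").text = path[-1]
        ET.SubElement(g, "icon").text = "1"
        groups[path] = g
        return g

    count = 0
    for row in rows:
        e = ET.SubElement(group_for(group_path(row.get("grouping", ""))), "entry")
        ET.SubElement(e, "title").text = row.get("name", "")
        ET.SubElement(e, "username").text = row.get("username", "")
        ET.SubElement(e, "password").text = row.get("password", "")
        url = row.get("url", "")
        # http://sn marks a secure note in LastPass exports, not a real URL
        ET.SubElement(e, "url").text = "" if url == "http://sn" else url
        ET.SubElement(e, "comment").text = row.get("extra", "")
        ET.SubElement(e, "icon").text = "1"
        for tag in ("creation", "lastaccess", "lastmod"):
            ET.SubElement(e, tag).text = now
        ET.SubElement(e, "expire").text = "Never"
        count += 1
    return "<!DOCTYPE KEEPASSX_DATABASE>\n" + ET.tostring(db, encoding="unicode"), count

def convert_file(src_path, dst_path):
    """Read the export, write the XML beside it, return the entry count.
    Both files are plaintext secrets: keep them local and shred them after import."""
    with open(src_path, newline="", encoding="utf-8") as f:
        rows = list(parse_lastpass_csv(f.read()))
    xml, n = build_keepassx_xml(rows)
    with open(dst_path, "w", encoding="utf-8") as f:
        f.write(xml)
    return n

if __name__ == "__main__":
    import sys
    src = sys.argv[1]
    print(convert_file(src, src + ".export.xml"), "entries written")
```

Run it as `python convert.py test.csv` on the exporting machine and import the resulting test.csv.export.xml with KeePassX's XML import; the group tree in the XML mirrors the LastPass folder hierarchy, so entries land in the same folders rather than in one flat list.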