LastPass Migration Checklist: Move Passwords Safely in 2026
Step-by-step LastPass migration checklist: export safely, choose a new password manager, import, rotate high-risk passwords and secure recovery codes.
Migration goal: reduce account risk without losing access
A password-manager migration should be treated like a security project, not a quick export/import. The goal is to move the vault, rotate the most sensitive credentials, and preserve recovery access without exposing the export file.
- Choose the replacement vault before exporting anything.
- Export only on a trusted device and delete unencrypted files immediately after import.
- Rotate email, banking, cloud, and password-manager master credentials first.
- Save MFA recovery codes in the new vault or offline secure storage.
What is the safest way to migrate from LastPass?
The safest workflow is to prepare the new vault, export on a trusted computer, import immediately, delete the export file, then rotate the highest-risk passwords and update MFA recovery codes.
| Step | Action |
|---|---|
| Step 1 | Pick replacement manager and create a strong master password |
| Step 2 | Export/import on a trusted device only |
| Step 3 | Delete export files and empty trash/recycle bin |
| Step 4 | Rotate critical passwords and verify MFA recovery |
Decision checklist
- Do not email the export file to yourself.
- Do not store CSV exports in cloud sync folders.
- Prioritize email, bank, tax, cloud, and identity accounts for rotation.
- Keep the old vault read-only, briefly and only if needed, then close it after verification.
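
One way to turn the rotation priorities above into an ordered worklist. This is an added example, not part of the original checklist: the column names (`url`, `username`, `password`, `name`), the keyword list and the sample rows are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
from collections import Counter
from urllib.parse import urlparse

# Assumption: the export has "url", "username", "password" and "name" columns.
# Constructed sample rows; read a real export only on the trusted device.
SAMPLE_EXPORT = """url,username,password,name
https://mail.example.com/login,alice@example.com,Tr0ub4dor&3,Personal email
https://bank.example.net,alice,correct-horse-battery,Bank
https://forum.example.org,alice,Tr0ub4dor&3,Hobby forum
https://shop.example.org,alice,x9!Lq2#vB7pd,Shop
"""

# Hypothetical keywords for the critical categories named in the checklist.
CRITICAL_KEYWORDS = ("mail", "bank", "tax", "cloud", "identity")

def fingerprint(password):
    # Compare passwords by hash so plaintext never lands in the report.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def rotation_plan(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    reuse = Counter(fingerprint(r["password"]) for r in rows if r["password"])
    plan = []
    for r in rows:
        host = urlparse(r["url"]).hostname or r["url"]
        text = f"{host} {r['name']}".lower()
        critical = any(k in text for k in CRITICAL_KEYWORDS)
        reused = bool(r["password"]) and reuse[fingerprint(r["password"])] > 1
        # Priority 1: critical account; 2: password reused elsewhere; 3: the rest.
        priority = 1 if critical else 2 if reused else 3
        plan.append({"name": r["name"], "host": host, "priority": priority,
                     "critical": critical, "reused": reused})
    # Within a priority, entries that share a password come first.
    return sorted(plan, key=lambda e: (e["priority"], not e["reused"], e["name"]))

if __name__ == "__main__":
    for e in rotation_plan(SAMPLE_EXPORT):
        flags = ", ".join(f for f in ("critical", "reused") if e[f]) or "-"
        print(f"P{e['priority']}  {e['name']:<16} {e['host']:<20} {flags}")
```

The plan contains names, hosts and flags only, so it can be kept as a worklist after the export file itself has been deleted.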
FAQ
Should I rotate every password after leaving LastPass?
Prioritize critical accounts first: email, banking, tax, cloud storage, password manager, and accounts with reused passwords.
Is a password export file risky?
Yes. CSV exports are often unencrypted, so delete them immediately after import and avoid cloud-sync folders.
Should I keep my old vault active?
Keep it only long enough to verify migration, then close or disable it once you are confident nothing is missing.