To migrate passwords from LastPass to Bitwarden safely, export your LastPass vault as a CSV file, immediately import it into Bitwarden over an encrypted connection, verify all entries transferred correctly, then delete the CSV from your device. The entire process takes under 30 minutes and keeps your credentials encrypted at rest throughout — as long as you handle the temporary plaintext CSV file carefully.
What You'll Need Before Starting
- LastPass account — any paid or free tier; browser extension version 4.x or later installed on Chrome, Firefox, Edge, or Safari
- Bitwarden account — free tier works for personal use; Bitwarden desktop app (version 2024.x or later) or web vault at vault.bitwarden.com
- Operating system — Windows 10/11, macOS 12 Ventura or later, or Ubuntu 22.04+
- A text editor — Notepad (Windows), TextEdit in plain-text mode (macOS), or gedit (Linux) — for inspecting the CSV before import if needed
- Secure file deletion tool — Eraser (Windows),
srmcommand (macOS/Linux), or simply Bitwarden's built-in import that leaves no temp file on disk - Time — approximately 20–30 minutes for a vault of up to 500 items
Step 1: Enable LastPass Export and Download Your Vault CSV
Open your browser and click the LastPass extension icon. Navigate to Account Options → Advanced Options → Export → LastPass CSV File. LastPass will prompt you to re-enter your master password before downloading.
Expected output: A file named lastpass_export.csv downloads to your default Downloads folder. On Windows, this is typically C:\Users\. On macOS, it is /Users/.
Gotcha: If you use LastPass Families or Teams, each shared folder exports separately. You will need to repeat this step for each shared folder and import each CSV individually into Bitwarden. LastPass does not combine shared folders into a single export.
Do this immediately after download: Move the CSV out of any folder that syncs to cloud storage. If your Downloads folder is covered by iCloud Drive, OneDrive, or Google Drive Backup, move the file to a local-only folder (e.g., C:\Temp\ on Windows or a folder in /tmp/ on macOS/Linux) before proceeding.
Step 2: Inspect and Clean the CSV (Optional but Recommended)
Open the CSV in a plain-text editor — not Excel or Google Sheets, which may auto-format fields or prompt you to upload the file. Scan for:
- Duplicate entries — LastPass sometimes exports the same credential twice if it was saved from multiple devices
- Corrupted special characters — passwords containing commas or quotes can misalign CSV columns
- Notes-only entries — Bitwarden imports these as "Secure Notes," which is correct behavior, but confirm they aren't getting split incorrectly
The CSV columns are: url, username, password, totp, extra, name, grouping, fav
If you spot a password field containing an unescaped comma, wrap the entire field in double quotes. Example: "pass,word" instead of pass,word.
Gotcha: Do not open this file in Google Sheets or any browser-based editor. The moment you do, the file may be cached in your browser's local storage or uploaded to a cloud sync service.
Step 3: Create Your Bitwarden Account and Configure Security Settings
If you don't have a Bitwarden account, go to vault.bitwarden.com and register. Choose a master password of at least 16 characters — Bitwarden enforces a minimum of 12.
Before importing anything, configure two-factor authentication:
- Log into your Bitwarden web vault
- Go to Account Settings → Security → Two-step Login
- Enable at least one MFA method — Bitwarden supports TOTP via authenticator app (free tier), email OTP (free tier), YubiKey OTP (premium), FIDO2/WebAuthn hardware keys (premium), and Duo Security (premium/enterprise)
Bitwarden Premium costs $10.00/year (billed annually, single user) and unlocks FIDO2/WebAuthn and YubiKey MFA, the integrated TOTP authenticator, and encrypted file attachments up to 1 GB. The free tier supports unlimited passwords on unlimited devices as of 2026.
Bitwarden uses AES-256-CBC encryption with PBKDF2-SHA256 key derivation. As of 2026, the default iteration count is 600,000 rounds for PBKDF2 on new accounts, though you can increase this or switch to Argon2id in Account Settings → Security → Keys. Bitwarden is headquartered in Santa Barbara, California, USA, and is subject to US data protection law. It has undergone SOC 2 Type II audits and annual third-party penetration tests; the most recent published audit was conducted by Insight Assurance in 2023, with ongoing annual reviews.
Step 4: Import the LastPass CSV into Bitwarden
- Log into vault.bitwarden.com in your browser
- Click Tools in the top navigation bar
- Select Import Data
- In the "Select the format of the import file" dropdown, choose LastPass (csv)
- Click Choose File and select your
lastpass_export.csvfrom its local-only location - Click Import Data
Expected output: A green confirmation banner reading "Your vault has been imported!" along with a count of items imported. Example: "Imported 247 items."
Gotcha: Bitwarden's free tier has no item limit, but if you are importing into a Bitwarden Organization vault (Teams or Enterprise), note that collection assignments do not transfer from LastPass folder names — they import as top-level items. You will need to manually reassign items to collections after import.
Step 5: Securely Delete the CSV File
This step is not optional. The CSV contains every password in plaintext.
- Windows: Right-click the file, select "Delete," empty the Recycle Bin, then use Eraser (open-source, free) to overwrite the free space, or use
cipher /w:C:\Temp\in Command Prompt - macOS: In Terminal, run
srm -rf /path/to/lastpass_export.csv— thesrmcommand performs a secure overwrite before deletion - Linux: Run
shred -u /path/to/lastpass_export.csv— this overwrites the file 3 times before unlinking it
If you moved the file anywhere else by accident, check your Trash/Recycle Bin, your Downloads folder, and any recently-opened-files lists in your text editor before proceeding.
Verification: Confirm the Migration Worked
After importing, run these three checks:
- Item count match: In Bitwarden's web vault, the total item count shown in the left sidebar should equal the number of lines in your CSV minus 1 (the header row). If numbers differ by more than a few items, re-examine the CSV for formatting issues.
- Random spot-check: Open 5–10 random entries in Bitwarden and confirm the username, password, and URL match what you recall or what you can verify in LastPass before canceling your subscription.
- Login test: Use Bitwarden's browser extension to autofill a credential on a site you log into regularly. Confirm it populates correctly and the login succeeds.
You should see: All folders from LastPass appearing as folders in Bitwarden's left sidebar. Favorite items (marked fav=1 in the CSV) appearing with a star icon in Bitwarden.
Recommended Tools to Strengthen Your Setup After Migration
Once your passwords are in Bitwarden, consider whether Bitwarden's free tier fully meets your needs — or whether a more feature-complete manager suits your workflow better.
1Password — Best for Families and Power Users
1Password is worth evaluating if you need Travel Mode (which hides vaults at border crossings), detailed item history, or tighter macOS/iOS integration than Bitwarden currently offers. 1Password uses AES-256-GCM encryption with PBKDF2-SHA256 and an additional Secret Key that is never transmitted to 1Password's servers — meaning even a server breach exposes nothing usable without your local Secret Key.
Pricing: $2.99/user/month (Personal, billed annually), $4.99/month for up to 5 family members (Families plan, billed annually), $7.99/user/month (Teams Starter, billed annually, up to 10 users), $19.95/user/month (Business, billed annually, 1-user minimum). MFA support includes TOTP, FIDO2/WebAuthn, Duo, and USB hardware keys (YubiKey). 1Password is headquartered in Toronto, Canada, subject to Canadian PIPEDA and adequacy decisions under GDPR. It has undergone SOC 2 Type II audits and an independent security assessment by Cure53.
If you are managing credentials for a team, our enterprise password manager deep dive compares 1Password Business against Bitwarden Teams in detail.
Try 1Password — The Secret Key architecture adds a meaningful second factor that Bitwarden's standard setup lacks.
Keeper Security — Best for Compliance-Focused Organizations
Keeper Security is worth considering if your organization operates under HIPAA, SOC 2, or FedRAMP requirements. Keeper's compliance reporting and role-based access controls go significantly beyond what Bitwarden Teams offers out of the box.
Pricing: $2.92/user/month (Personal, billed annually), $4.99/month (Family, up to 5 users, billed annually), $4.92/user/month (Business Starter, billed annually, 5-user minimum), $6.25/user/month (Enterprise, billed annually, 5-user minimum — contact sales for volume above 100 seats). Keeper uses AES-256 encryption with PBKDF2-SHA256 at 1,000,000 iterations. MFA: TOTP, FIDO2/WebAuthn, Duo, RSA SecurID, and hardware keys. Keeper is headquartered in Chicago, Illinois, USA, and holds SOC 2 Type II certification and FedRAMP authorization.
For healthcare teams evaluating Keeper, see our best password manager for healthcare workers guide.
Try Keeper Security — Built-in compliance reporting makes it the strongest choice for regulated industries migrating off LastPass.
Troubleshooting Common Migration Issues
Issue 1: "Import failed — invalid file format"
Exact error: "There was an error importing your vault. The file type is invalid."
Fix: You selected the wrong import format. In Bitwarden's Import Data screen, confirm you chose LastPass (csv) specifically, not "Generic CSV." Also verify the file extension is .csv and not .txt. If you opened the file in Excel and re-saved it, it may have been saved as .xlsx — re-export from LastPass.
Issue 2: Passwords with special characters are truncated
Symptom: Imported passwords end abruptly or contain garbled characters.
Fix: Open the CSV in a plain-text editor and look for unescaped commas or double-quote marks inside password fields. Wrap affected fields in double quotes: "p@ss,w"ord" should become "p@ss,w""ord" (escape internal quotes by doubling them per RFC 4180).
Issue 3: TOTP seeds didn't transfer
Symptom: LastPass Authenticator TOTP codes exist in LastPass but don't appear in Bitwarden after import.
Fix: LastPass exports TOTP seeds in the totp column, but Bitwarden only imports these on Premium accounts ($10/year). If you are on Bitwarden Free, TOTP seeds in the CSV are silently skipped. Upgrade to Premium and re-import, or manually re-enter TOTP seeds from each service's 2FA setup page.
Issue 4: Shared folder items are missing
Symptom: Personal items imported correctly, but items from LastPass Shared Folders are absent.
Fix: LastPass exports shared folders separately. Repeat the export process from Account Options → Advanced → Export for each shared folder individually. Import each resulting CSV into Bitwarden one at a time, assigning items to the appropriate Bitwarden Organization collection during or after import.
Issue 5: Bitwarden browser extension isn't autofilling after import
Symptom: Items appear in the vault but the extension shows "No items" on a known site.
Fix: Check that the URL field in the imported entry matches the site's actual domain. LastPass sometimes exports URLs as http:// while the site now requires https://, or exports a full path (e.g., https://mail.google.com/mail/u/0/#inbox) instead of the base domain (https://mail.google.com). Edit the entry in Bitwarden to use the base domain, or change the URI Match Detection setting on that entry to Base Domain.
Frequently Asked Questions
Is the LastPass CSV export encrypted?
No. The LastPass CSV export is a plaintext file containing every username, password, URL, and note in your vault with no encryption. This is why handling it carefully is critical — anyone with access to the file can read all your credentials instantly. Treat it like a physical document containing your bank PIN and social security number. Move it immediately to a non-synced local folder, import it into Bitwarden as quickly as possible, and then securely delete it using srm on macOS, shred on Linux, or Eraser on Windows. Do not email it, store it in Google Drive, or leave it in your Downloads folder.
Can I migrate from LastPass to Bitwarden without ever saving the CSV to disk?
Not with the standard browser-based export method — LastPass forces a file download. However, you can minimize exposure: on macOS, change your default Downloads folder to a RAM disk (created via Disk Utility as an APFS in-memory volume) so the file never writes to persistent storage. On Windows, you can use a VeraCrypt encrypted container as your download destination. Either approach ensures the file is gone when you unmount the volume. Bitwarden does not offer a direct server-to-server migration API with LastPass as of 2026.
Will my LastPass folder structure transfer to Bitwarden?
Yes, with limitations. LastPass folders export as a grouping column in the CSV, and Bitwarden reads this column and recreates them as Bitwarden folders in your personal vault. However, LastPass Shared Folders do not transfer automatically — they require separate exports and manual collection assignment in Bitwarden Organizations. Nested folders (subfolders) in LastPass are exported as flat folder names separated by backslashes and will appear as literal folder names in Bitwarden rather than a nested hierarchy.
Should I cancel LastPass immediately after migrating?
No — wait at least one full week before canceling. Spend that week using Bitwarden exclusively as your primary password manager, logging into your most critical accounts (email, banking, work tools) through Bi