The hardest part of leaving LastPass isn't the export. It's deciding where your passwords go next.
After the 2022 breach — when attackers walked off with encrypted vaults belonging to millions of users — a lot of people quietly started looking around. Some moved to 1Password. Some to Bitwarden. Some downloaded their export, opened the CSV, looked at three hundred lines of plaintext credentials, and froze.
If you are at that step right now — CSV downloaded, decision pending — this guide is for you.
The short version: SecureKeep imports a LastPass CSV directly. Every entry, every URL, every TOTP secret, in one bulk transaction, on your phone, with no cloud account in the middle. The whole switch takes about sixty seconds once the CSV is in front of you.
The long version is below.
What You'll Need
Three things, all of which you already have:
- A LastPass account you can still log into in a browser.
- A computer to run the export from. (LastPass's mobile app does not export. The browser extension or web vault does.)
- SecureKeep installed on your phone — iOS or Android. The CSV import lives at Settings → Import from CSV, or directly inside the credentials list.
That's it. No second password manager. No bridge tool. No cloud upload.
Step 1 — Export Your LastPass Vault
The cleanest export path is through the LastPass web vault.
- Open https://lastpass.com/ in a browser and sign in.
- Click your account name in the bottom-left, then choose Advanced Options → Export → LastPass CSV File.
- Re-enter your master password if prompted. LastPass will download a file named something like lastpass_export.csv.
The file contains every credential you've stored in LastPass: site name, URL, username, password, the extra field (your secure notes attached to logins), and — if you added them — TOTP secrets in a column called totp. Folder names appear in a column called grouping.
It is also entirely plaintext. Every password, readable. We will deal with that in Step 4.
Step 2 — Open SecureKeep and Tap "Import from CSV"
On your phone:
- Open SecureKeep and unlock your vault. (If you don't have one yet, the first-run wizard will walk you through creating one in about six minutes — come back here when you're done.)
- From the dashboard, tap Passwords, then tap the Import CSV button in the top-right of the credentials list. (You can also reach it from Settings → Tools → Import from CSV.)
- The picker that opens is the standard iOS/Android files picker. Find the lastpass_export.csv you downloaded.
A small note on a security choice we made: the document picker doesn't trigger SecureKeep's lock-on-background protection. We deliberately exempted file pickers in v3.0.0 — otherwise the act of choosing your CSV would lock your vault and you'd have to start over. The exemption is narrow, scoped to known system pickers, and ends the moment the picker closes.
Step 3 — Review the Detected Format and Confirm
SecureKeep auto-detects the LastPass format from the columns in the file. You'll see a banner that reads "Detected format: LastPass" along with a count: how many rows the importer found, how many will be skipped because they're empty or duplicates, and the final number ready to import.
Two things happen automatically here:
- Host-based deduplication. If you already have a credential for gmail.com, importing another one for mail.google.com won't create a duplicate. The importer matches by hostname and skips the redundant entry. This matters because most people doing a LastPass export already have a few "I added this manually" entries in SecureKeep — the importer respects what's there.
- TOTP secrets land in the right place. Any totp field in your LastPass CSV becomes a structured TOTP secret on the imported credential, separate from the password and separate from any backup codes. This is part of v3.0.0's structured 2FA — your authenticator codes don't get glued onto the back of the password field anymore.
Tap Import and confirm. The whole import is all-or-nothing: if any single row fails to encrypt and write, the entire import is rolled back and your vault is left exactly as it was. You won't end up with "I think I imported 187 of 200 — which 13 failed?" There are no partial states.
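To sanity-check those counts on your computer before importing, the following added example (not SecureKeep's importer code) summarises a LastPass CSV by the column names listed in Step 1 without returning any secret value. It assumes that url, username, password and name are enough to identify the format and that duplicates are matched on exact hostname; the sample rows are constructed.

```python
import csv
import io
from urllib.parse import urlsplit

# Assumption: these four columns (named in Step 1) identify a LastPass export.
REQUIRED = {"url", "username", "password", "name"}

# Constructed sample rows, not a real export.
SAMPLE = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com/login,alice,pw-one,JBSWY3DPEHPK3PXP,,Mail,Email,0
http://mail.example.com/,alice,pw-one,,,Mail (old),Email,0
http://shop.example.org/,bob,pw-two,,gift card in notes,Shop,Shopping,1
,,,,,,,
"""


def preflight(csv_text, existing_hosts=()):
    """Count what an import would see; never returns a secret value."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = reader.fieldnames or []
    missing = REQUIRED - set(fields)
    if missing:
        raise ValueError(f"not a LastPass export, missing: {sorted(missing)}")
    seen = {h.lower() for h in existing_hosts}  # hosts already in the vault
    out = dict(rows=0, empty=0, duplicate_host=0, ready=0, with_totp=0, plain_http=0)
    for row in reader:
        out["rows"] += 1
        if not any((row.get(f) or "").strip() for f in fields):
            out["empty"] += 1
            continue
        url = (row.get("url") or "").strip()
        host = (urlsplit(url).hostname or "").lower()
        if host and host in seen:  # assumption: exact hostname match
            out["duplicate_host"] += 1
            continue
        if host:
            seen.add(host)
        out["ready"] += 1
        out["with_totp"] += bool((row.get("totp") or "").strip())
        out["plain_http"] += url.lower().startswith("http://")
    return out


if __name__ == "__main__":
    print(preflight(SAMPLE))
```

If the totals differ sharply from what the import banner shows, compare the two before confirming the import.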
Step 4 — Delete the CSV
This is the step most guides skip. Don't.
Your lastpass_export.csv is a plaintext copy of every credential you own. Sitting in your Downloads folder. Indexed by Spotlight. Possibly synced to iCloud Drive or Google Drive depending on your settings.
After the import succeeds:
- Delete the CSV from your Downloads folder.
- Empty your Trash (macOS) or Recycle Bin (Windows) — files in the trash are still recoverable until you do.
- If you saved a copy anywhere else (a USB stick, a folder you named "passwords-temp"), delete those too.
- If you emailed it to yourself for any reason, delete the email and the deleted-items folder.
The most common mistake people make leaving LastPass isn't the export or the import. It's leaving the CSV around for months afterward. SecureKeep can't reach into your computer to clean that up — only you can.
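Stray copies are easy to miss once they have been renamed or moved, so this added example (not part of SecureKeep) finds likely exports by their header row instead of their filename. The header signature, the file suffixes and the default search roots are assumptions, and the demo files are constructed.

```python
import csv
import os
import tempfile
from pathlib import Path

# Assumption: a first row containing all of these columns marks a credential export.
SIGNATURE = {"url", "username", "password", "name"}


def looks_like_export(path):
    """True if the first CSV row of `path` carries the export header."""
    try:
        with open(path, newline="", encoding="utf-8-sig", errors="replace") as fh:
            header = next(csv.reader(fh), [])
    except (OSError, csv.Error):
        return False
    return SIGNATURE <= {c.strip().lower() for c in header}


def find_exports(roots, suffixes=(".csv", ".txt")):
    """Walk each root and return files that match by content, not by name."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.suffix.lower() in suffixes and looks_like_export(p):
                    hits.append(p)
    return sorted(hits)


def demo():
    """Constructed files in a temp dir: one renamed export, one harmless CSV."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "passwords-temp").mkdir()
        (base / "passwords-temp" / "old.txt").write_text(
            "url,username,password,totp,extra,name,grouping,fav\n"
            "https://example.com,alice,not-a-real-password,,,Example,,0\n")
        (base / "budget.csv").write_text("month,amount\njan,100\n")
        return [p.relative_to(base).as_posix() for p in find_exports([base])]


if __name__ == "__main__":
    # Default roots are an assumption; add USB mounts or synced folders as needed.
    for hit in find_exports([Path.home() / "Downloads", Path.home() / "Desktop"]):
        print(hit)
```

The script only reports paths; delete each hit yourself and then empty the Trash or Recycle Bin as described above.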
What Gets Imported, What Doesn't
LastPass stores more than just logins. The CSV export from LastPass is the logins-only export, and SecureKeep imports it accordingly:
| LastPass field | Imported into SecureKeep |
|---|---|
| name | Credential label |
| url | URL (normalized — http:// upgraded to https:// where applicable) |
| username | Username |
| password | Password |
| extra | Notes |
| totp | TOTP secret (structured 2FA) |
| grouping (folder) | Not imported in v3.0.0 — folders are flat in SecureKeep; tags are coming |
| fav (favourite flag) | Not imported in v3.0.0 |
LastPass secure notes, form fills, bank account records, and payment cards are not part of the standard CSV export. If you used those, you'll want to export them separately (LastPass offers "Export → Form Fills") and store them in SecureKeep as secure notes or as document attachments. SecureKeep handles those data types, just not via the same CSV path.
Why People Are Leaving LastPass (The Honest Version)
This guide is meant to be useful regardless of why you're switching. But three reasons come up over and over in the email we receive:
The breaches. The 2022 incident in particular shook a lot of people — not because LastPass got attacked (everyone gets attacked) but because customers' encrypted vaults were copied, and the conversation that followed about iteration counts and key derivation made it clear that some users' vaults were significantly less protected than others. If your account was created before LastPass increased its PBKDF2 iteration count, your master password did less work than newer users' did, and that math matters when an offline attacker has your encrypted vault on their disk.
The pricing. LastPass Premium is $36/year. Families is $48/year. Over five years, that's $180 to $240 — for software that lives on someone else's servers. SecureKeep is $7.99 once.
The architecture. LastPass syncs your encrypted vault to LastPass's servers. The encryption is designed so they can't read your vault, but the vault still exists on their infrastructure, and if someone exfiltrates it they have an offline copy to attack. SecureKeep doesn't sync. Your vault lives on your phone, encrypted with a key derived from your master password, and never leaves the device unless you explicitly export a backup. There is no SecureKeep server holding a copy of your vault to be stolen — because there is no SecureKeep server, period.
None of these are reasons to panic-leave a password manager you're happy with. They are reasons to think about what you actually want from one.
After the Import — A Five-Minute Cleanup
Once the import lands, take five minutes to:
- Open the Password Health dashboard (Settings → Password Health) and look at the reuse + age summary. LastPass exports won't tell you which passwords you reused across sites — SecureKeep will. Knock out the top three offenders.
- Walk through any TOTP codes you imported. Open one, confirm the 6-digit code matches what your authenticator app shows. If it does, you can safely retire the authenticator app for that site if you want.
- Set up your Emergency Card and your trusted person. The whole point of having credentials in one place is so the people who depend on you can reach them when they need to. The Emergency Card is the artifact that makes that real.
- Delete your LastPass account if you're committed to the switch. (Account → Delete Account in the web vault.) Once you delete, the encrypted vault on LastPass's servers is also deleted — the only place your passwords live is on your phone.
Frequently Asked Questions
Is the import secure? The CSV is read on your device, parsed in memory, and each credential is encrypted with your vault's per-vault data encryption key (AES-256-GCM) before being written to disk. The plaintext CSV exists only in memory during the import and is discarded as soon as the transaction completes.
Can I import to a specific vault if I have multiple? Yes. The import lands in whichever vault is currently open. Switch vaults from the picker before you tap Import CSV if you want it to go to your spouse's vault or a parent vault.
What if some passwords fail to import? The import is transactional and all-or-nothing. If any row fails (e.g., malformed CSV), the whole import is rolled back and you can fix the issue and try again. You won't end up with a partial vault.
Will it overwrite my existing credentials? No. Host-based dedupe means existing credentials are kept; only new ones are added. If you want to replace an existing entry, edit it manually after the import.
Does the import work on iPad / Mac Catalyst? Yes. The same Files-based picker is used on iPad. The import flow is identical.
Can I delete the CSV from my phone too? SecureKeep doesn't keep a copy of your CSV. The picker hands the file to the importer, the importer reads it once, and the import never writes the CSV anywhere. Whatever copy your file system has is the only one — clean it up where you stored it.
What if I had YubiKey / second-factor on LastPass? The export still works with second-factor enabled — LastPass prompts for the second factor at export time. Once exported, the CSV doesn't carry your YubiKey configuration; you'll set up second factors fresh on each account from inside SecureKeep using the structured 2FA fields.
SecureKeep is a $7.99 one-time-purchase encrypted vault for iOS and Android. Multi-vault, emergency cards, voice messages, password health, CSV import from seven password managers — all encrypted locally, no cloud account required.