Lastpass Kdbx

The LastPass interface is very different from that of Keepass, which doesn't really care what the password is that you're storing. Conversely, LastPass treats everything like a site, so expects an URL hence the problem when importing from Keepass. KeePass Cross-Platform Community Edition - A community maintained fork of the.

Passwords are an integral part of modern society. Nearly every aspect of a person’s digital life involves a password in some fashion or another. From social media sites like Facebook or Twitter to more sensitive items like bank or credit card accounts, passwords are used everywhere. A common method of storing all these passwords is to use a program to store them in a secure database or safe. These databases or safes are generally encrypted with a master password, in order to make sure all of a person’s sensitive account passwords are safe. The question is, however, whether or not these programs are as safe as they seem to be. With tools like John the Ripper and Hashcat available, not necessarily. In this post, we will be going through the steps to crack the master password for a KeePass database, a commonly used program to secure passwords. While KeePass is the focus of this particular post, it is important to note that these steps can also be used for other password repository programs, such as LastPass, Password Safe, and 1Password.


MCH-Kali ( – Kali 2018.3 (Hashcat and John the Ripper are installed as part of the Kali distribution).

MadCityHacker.kdbx – This is a test KeePass database created for this scenario.

Scenario Steps

We start out with our KeePass database on our Kali instance:

With the KeePass database, we now need to extract the master password hash from the file. Thankfully, John the Ripper ships with a useful tool to do just that! The utility is called “keepass2john” and simply needs the KeePass database passed in as a parameter:

As you can see, running this utility produces the following hash, which is in the perfect form to be consumed by Hashcat (The only thing that needs to be done is the first section “MadCityHacker:” removed, as this is just a friendly name for the hash):


The next step is to take this hash string (first saved into a file called “keepass.txt”) and pass it through Hashcat. Hashcat has a number of different options, but for this scenario, we’re going to focus on two: attack mode and hash type.

Hashcat supports typical password cracking attack types, such as dictionary and brute-force, but also includes things like masking, which is filtering down the cracking attempts to certain patterns (for example, a mask of five letters and two numbers will attempt all combinations of that order, such as March18 or Tgyhj37). For this scenario, we will be using the “Straight” mode (attack ID “0”), which is a simple dictionary attack based on a wordlist. The wordlist for this scenario will be the well known “rockyou” wordlist.

Hashcat also has a plethora of hash types that it will attempt to crack; the full list can be found on Hashcat’s help page or on their website here. Since we have a KeePass database, we will be using hash ID “13400” which correlates to “KeePass 1 (AES/Twofish) and KeePass 2 (AES).”

Now that we have the appropriate options ready, let’s get cracking! The command to initiate the cracking will look like the following:

hashcat -a 0 -m 13400 keepass.txt /usr/share/wordlists/rockyou.txt

For real password cracking, using a GPU is the best option, as they are able to process a much larger amount of hashes per second than a typical CPU. For this scenario, I am doing simple CPU cracking on an older system as I know the master password for this database exists in the rockyou wordlist. If you are using this to test the strength of your own KeePass database, I highly recommend using atleast one GPU instead as it will be a more accurate test of strength against an adversary.

With that out of the way, let’s run the aforementioned Hashcat command:

The password for the KeePass database has been cracked successfully! As you can see in the middle of the above screenshot, Hashcat listed out the input hash and it’s associated cracked password of “qwerty.” We can also see, with the “Time.Started” and “Time.Estimated” fields that the crack took a mere seven seconds to complete. A nice feature of Hashcat is that you can monitor how long it’s been running and it’s overall progress (as well as estimated time of completion) throughout the cracking lifecycle. Since this one only took seven seconds, we didn’t need to monitor it for long, but it’s a handy thing to note regardless.

While password databases and safes are a good way to protect your various passwords, it is important to remember that the master password for these need to be well protected as well. The best way to do this is to make sure you make very strong master passwords: 12+ characters (including both upper and lowercase letters, numbers, and special characters), non dictionary words, and nothing personally identifiable, such as birth years or names of family. The best route to take with these master passwords is to actually make them passphrases, as in long and easy to remember strings of words, such as “The dog was taken over to the dog park to burn off some energy.” The longer the master password (or phrase), the better off you will be with protecting your sensitive information.

Having issues? Something not make sense? Or just want to discuss this scenario? Feel free to drop a comment below or contact us through the Contact Us page!

Latest version


A pass extension for importing data from most of the existing password manager.

Project description

A pass extension for importing data from most of the existing password manager.


pass import is a password store extension allowing you to import your passworddatabase to a password store repository conveniently. It natively supportsimport from 53 different password managers.More manager support can easily be added.

Passwords are imported into the existing default password store, thereforethe password store must have been initialised before with pass init.

By default, pass imports entries at the root of the password store and only keepsthe main data (password, login, email, URL, group). This behavior can be changedusing the provided options.

Pass import handles duplicates and is compatible with browserpass. It importsOTP secret in a way that is compatible with pass-otp.

pass-import also provides a pimport script that allows importing passwords toother password managers. For instance, you can import passwords to a Keepassdatabase to a generic CSV file...

The following password managers are supported:

Password ManagerFormatsHow to export DataCommand line
1passwordcsv v6See this guidepass import 1password file.csv
1pif v4See this guidepass import 1password file.1pif
csv v4See this guidepass import 1password file.csv
aegisjsonSettings> Tools: Export Plainpass import aegis file.json
jsonSettings> Tools: Export encryptedpass import aegis file.json
andotpjsonBackups> Backup plainpass import andotp file.json
apple-keychainkeychainSee this guidepass import applekeychain file.txt
bitwardencsvTools> Export Vault> File Format: .csvpass import bitwarden file.csv
jsonTools> Export Vault> File Format: .jsonpass import bitwarden file.json
blurjsonSettings: Export Data: Export Blur Datapass import blur file.json
csvSettings: Export Data: Export CSV: Accounts: Export CSVpass import blur file.csv
buttercupcsvFile > Export > Export File to CSVpass import buttercup file.csv
chromecsvSee this guidepass import chrome file.csv
csvSee this guidepass import chrome file.csv
clipperzhtmlSettings > Data > Export: HTML + JSONpass import clipperz file.html
csvcsvNothing to dopass import csv file.csv --cols 'url,login,password'
dashlanecsvFile > Export > Unsecured Archive in CSVpass import dashlane file.csv
jsonFile > Export > Unsecured Archive in JSONpass import dashlane file.json
encryptrcsvCompile from source and follow instructions from this guidepass import encryptr file.csv
enpassjson v6Menu > File > Export > As JSONpass import enpass file.json
csvFile > Export > As CSVpass import enpass file.csv
firefoxcsvAdd-ons Prefs: Export Passwords: CSVpass import firefox file.csv
fpmxmlFile > Export Passwords: Plain XMLpass import fpm file.xml
freeotp+jsonSettings> Export> Export JSON Formatpass import freeotp+ file.json
gnomelibsecretNothing to dopass import gnome-keyring <label>
gnome-authjsonBackup > in a plain-text JSON filepass import gnome-authenticator file.json
gorillacsvFile > Export: Yes: CSV Filespass import gorilla file.csv
kedpmxmlFile > Export Passwords: Plain XMLpass import kedpm file.xml
keepasskdbxNothing to dopass import keepass file.kdbx
csvFile > Export > Keepass (CSV)pass import keepass file.csv
xmlFile > Export > Keepass (XML)pass import keepass file.xml
keepassxxmlFile > Export to > Keepass XML Filepass import keepassx file.xml
keepassx2kdbxNothing to dopass import keepassx2 file.kdbx
csvDatabase > Export to CSV Filepass import keepassx2 file.csv
keepassxckdbxNothing to dopass import keepassxc file.kdbx
csvDatabase > Export to CSV Filepass import keepassxc file.csv
keepercsvSettings > Export : Export to CSV Filepass import keeper file.csv
lastpasscsvMore Options > Advanced > Exportpass import lastpass file.csv
mykicsvSee this guidepass import myki file.csv
network-managernmAlso support specific networkmanager dir and ini filepass import networkmanager
padlockcsvSettings > Export Data and copy text into a .csv filepass import padlock file.csv
passpassNothing to dopass import pass path/to/store
passmancsvSettings > Export credentials > Export type: CSVpass import passman file.csv
jsonSettings > Export credentials > Export type: JSONpass import passman file.json
passpackcsvSettings > Export > Save to CSVpass import passpack file.csv
passpieyaml v1.0`passpie export file.yml`pass import passpie file.yml
pwsafexmlFile > Export To > XML Formatpass import pwsafe file.xml
revelationxmlFile > Export: XMLpass import revelation file.xml
roboformcsvRoboform > Options > Data & Sync > Export To: CSV filepass import roboform file.csv
saferpasscsvSettings > Export Data: Export datapass import saferpass file.csv
upmcsvDatabase > Exportpass import upm file.csv
zohocsvTools > Export Secrets: Zoho Vault Format CSVpass import zoho file.csv
csvTools > Export Secrets: Zoho Vault Format CSVpass import zoho file.csv

The following destination password managers are supported:

Exporters Password ManagerFormatCommand line
csvcsvpimport csv src [src]
keepasskdbxpimport keepass src [src]
keepassx2kdbxpimport keepassx2 src [src]
keepassxckdbxpimport keepassxc src [src]
passpasspimport pass src [src]


Basic use

To import password from any supported password manager simply run:

If pass-import is not able to detect the format, you need provide the passwordmanager <pm> you want to import data from:

If you want to import data to a password manager other than pass, run:


Usage for pimport can been seen with pimport -h or man pimport.


Import password from KeePass

This is the same than: pimport pass keepass.xml --out ~/.password-store

Import password to a different password store

Import password to a subfolder

Other examples:

  • If the manager is not correctly detected, you can pass it at source argument:pass import dashlane dashlane.csv
  • Import NetworkManager password on default dir: pass import networkmanager
  • Import a NetworkManager INI file: pass import nm.ini
  • Import a One password 1PIF: pass import 1password.1pif
  • Import a One password CSV: pass import 1password.csv
  • Import a Passman JSON file: pass import passman.json
  • Import Lastpass file to a keepass db: pimport keepass lastpass.csv --out keepass.kdbx
  • Import a password store to a CSV file: pimport csv ~/.password-store --out file.csv

GPG keyring

Before importing data to pass, your password-store repository must exist and yourGPG keyring must be usable. In order words you need to ensure that:

  • All the public gpgids are present in the keyring.
  • All the public gpgids are trusted enough.
  • At least one private key is present in the keyring.

Otherwise you will get the following error:invalid credentials, password encryption/decryption aborted.

To set the trust on a GPG key, one can run gpg --edit-key <gpgid> then trust.

Security consideration

Direct import

Passwords should not be written in plain text form on the drive.Therefore when possible, you should import it directly from the encrypted data.For instance, with an encrypted keepass database:

Secure erasure

Otherwise, if your password manager does not support it, you should take careof securely removing the plain text password database:

Encrypted file

Alternatively, pass-import can decrypt gpg encrypted file before importing it.For example:

You might also want to update the passwords imported using pass-update.

Configuration file

Some configurations can be read from a configuration file called .import if itis present at the root of the password repository. The configuration read fromthis file will be overwritten by their corresponding command-line optionif present.

Example of the .import configuration file for the default password repository in ~/.password-store/.import:



  • pass 1.7.0 or greater.
  • Python 3.6+
  • python3-setuptools to build and install it.
  • python3-yaml (apt install python3-yaml or pip3 install pyaml)

Optional Requirements

DependencyRequired foraptpip
defusedxmlRecommended XML libraryapt install python3-defusedxmlpip3 install defusedxml
pykeepassKeepass import from KDBX fileN/Apip3 install pykeepass
secretstorageGnome Keyring importapt install python3-secretstoragepip3 install secretstorage
cryptographyAndOTP or Aegis encrypted importapt install python3-cryptographypip3 install cryptography
file-magicDetection of file decryptionapt install python-magicpip3 install file-magic


Lastpass Kdbx

pass-import is available in the Arch User Repository.


pass-import is available under my own debian repository with the package namepass-extension-import. Both the repository and the package are signed withmy GPG key: 06A26D531D56C42D66805049C5469996F0DF68EC.

Gentoo Linux


Using pip

From git

Stable version

Releases and commits are signed using 06A26D531D56C42D66805049C5469996F0DF68EC.You should check the key's fingerprint and verify the signature:

Lastpass Kdbx Login

Local install

Alternatively, from git or a stable version you can do a local install with:

The import Library

One can use pass-import as a python library. Simply import the classes of thepassword manager you want to import and export. Then use them in acontext manager. For instance, to import password from a cvs Lastpass exportedfile to password-store:

Alternatively, you can import the same Lastpass file to a Keepass database:


Feedback, contributors, pull requests are all very welcome. Please read file for more details on the contribution process.


Release historyRelease notifications RSS feed



Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for pass-import, version 3.1
Filename, sizeFile typePython versionUpload dateHashes
Filename, size pass_import-3.1-py3-none-any.whl (102.1 kB) File type Wheel Python version py3 Upload dateHashes
Filename, size pass-import-3.1.tar.gz (67.3 kB) File type Source Python version None Upload dateHashes

Hashes for pass_import-3.1-py3-none-any.whl

Hashes for pass_import-3.1-py3-none-any.whl
AlgorithmHash digest

Hashes for pass-import-3.1.tar.gz

Lastpass Kdbx Chrome

Hashes for pass-import-3.1.tar.gz
AlgorithmHash digest