1password / solutions

Examples and templates from the 1Password Solutions team

License: MIT License

Shell 18.02% Python 76.01% Go 5.97%
1password-cli 1password-vaults cli password-management password-manager secrets-management

solutions's Introduction

Examples, templates, and other goodies from the 1Password Solutions team

Introduction

The 1Password Command Line Interface (called op from this point forward) allows you to manage some aspects of a 1Password account, use secure secrets references to avoid storing secrets as plaintext environment variables, and perform CRUD actions on items you store in 1Password.

This repository contains example and demo scripts for op with the intent of providing people with inspiration or a starting point for their own scripts.

The scripts here assume you have op installed and configured.

Complete 1Password command line tool documentation

For full documentation of the 1Password command line interface, please visit developer.1password.com/docs/cli/

Handy tools

jq, a command line tool with robust JSON support, is an essential tool when using op. Many of the provided examples use jq and you will need it installed before using any of the examples here. Download jq from the developer.

Note

Unless otherwise stated, these scripts are not intended to be run in an automated or unattended environment.

Scripts provided here are not intended to be run as-is. They are intended as examples of how to perform certain tasks. You will need to modify the scripts to fit your exact needs and suit your specific environment.

solutions's People

Contributors

accraw, black-bryan, dancryer, jbsoliman, plttn, rbartlensky, scottisloud, svens-uk, volodymyrzotov

solutions's Issues

commas in the contents

As the lastpass export is comma delimited, the scripts have trouble when there are commas in the content. This is most likely occurring in the 'extra' field of the export. Programs like Google Sheets and MS Excel seem to be handling the issue a bit more gracefully by recognizing that there is a linefeed character at the end of the row of data (^M) which helps them parse the file cleanly and "walk it back" from right to left and from left to right. So the first three commas in the line should be clean for the url, username and password fields. And the last three commas should be clean for fav, grouping and name fields. But it's the 'extra' field that can contain commas if someone makes a secret note that has, for example, a mailing address for a credit card which usually contains a comma between city and state. They might also have written some explanatory text about the secret which contains commas. Plenty of other secrets in my experience contain commas as well. A tab-delimited export from lastpass would be preferred since it's unusual for someone to paste tabbed content into a secret (though it might happen of course).

So you should count the commas between start of line (^) and end of line ($), looking for the linefeed ^M as the last character and see if you can cleanly import all secrets exported without users having to do weird workarounds to accomplish the import.

Adaptation of remove_imported_prefix.py to french version

Hello 👋
I adapted the script from remove_imported_prefix.py for the French version.

You can find the code below.

# French version for 1Password renaming.
import subprocess
import json
import sys


# Check CLI version
def checkCLIVersion():
    r = subprocess.run(["op", "--version", "--format=json"], capture_output=True)
    major, minor = r.stdout.decode("utf-8").rstrip().split(".", 2)[:2]
    # Compare as integers: the string major never equals the int 2.
    if (int(major), int(minor)) < (2, 25):
        sys.exit(
            "❌ You must be using version 2.25 or greater of the 1Password CLI. Please visit https://developer.1password.com/docs/cli/get-started to download the latest version."
        )


def getVaults():
    try:
        return subprocess.run(
            ["op", "vault", "list", "--permission=manage_vault", "--format=json"],
            check=True,
            capture_output=True,
        ).stdout
    except Exception as err:
        # Exit here: returning None would make json.loads() fail in main().
        sys.exit(
            f"Encountered an error getting the list of vaults you have access to: {err}"
        )


def main():
    checkCLIVersion()
    vaultList = json.loads(getVaults())
    print(
        "Removing 'Importé' suffix from all imported vaults in your 1Password account.\n\n"
    )
    for vault in vaultList:
        vaultID = vault["id"]
        vaultName = vault["name"]
        if vaultName.endswith(" importé"):
            trimmedName = vaultName.removesuffix(" importé")
            try:
                subprocess.run(
                    ["op", "vault", "edit", vaultID, f"--name={trimmedName}"],
                    check=True,
                    capture_output=True,
                )
                print(f'\t Changed "{vaultName}" => "{trimmedName}"')
            except Exception as err:
                print(f"Encountered an error renaming {vaultName}: ", err)
                continue


main()

Best

Python `create_vaults_from_input.py` example script fails on Windows

In Windows environments, getMyUUID() catches an error on every run of the script, even after recently signing in. The response from the subprocess.run implementation of 1Password CLI seems to include a non-zero return code in every case, so the script exits here:

    if r.returncode != 0:
        sys.exit(
            f"🔴 Unable to get your user UUID. Make sure you are are signed into the 1Password CLI. Error: {r.stderr.decode('utf-8')}"
        )

I've not yet been able to work out why this is an issue for Windows, but it's easily reproduced. The error message consistently includes account not signed in.

test

Test, disregard

MS Sentinel Running List of Rules Requests

Starting an issue to track requests for rules to be added to the 1Password x Sentinel integration.

  • Changes to SSO configurations for 1Password
  • Changes to firewall rules
  • Users were added to owner, security or admin groups
  • User's account MFA was changed n-times in [time].
  • Multiple MFA methods for a user's 1Password account were added in [time]
  • IP changed more than n-times while 1Password session is open.
  • Service account was added or given access to data
  • Changes to permissions on vaults (generally or specific)
  • Ability to define specific vaults that trigger alerts if user gives themselves access (e.g. AWS, Azure, root accounts)
  • Ability to define specific vaults that trigger alerts if user accesses item (e.g. AWS, Azure, root accounts)

Idea for a useful script given the recent lastpass breach - change all passwords

I used to use LastPass a long time ago, and hence was possibly impacted by the recent breach. Of the 1000+ logins stored in my 1password vaults, I'm not 100% sure which passwords have changed and which have not since the breach occurred, and so the reasonable thing to do is to audit and change them all.

I'd like to write a script that uses op to handle some of this, but there are some missing pieces. In particular I'd want to hit the following requirements with this script:

  1. It should be easy to do this in a reasonable order (e.g. by last change time).
  2. It should be easy to open the site to the correct url to login and change the password
  3. It should be easy to stop and continue the process later
  4. User interaction should be minimal
  5. Password change process should be safe (does not lock out) and secure (does not leak info)

Support Open and Fill from the cli.

The 1Password app / browser extension supports an Open and Fill URL. It would be convenient if the op item command supported an op item open subcommand and/or an op item get --open-and-fill-url parameter. I'm not sure if the username and password are encoded in the url, or if just the instruction on which item to use for login is encoded. If the former, then it's likely this would not be secure enough (as it would effectively leak the password into the command line parameters of the call to open the browser). Right now the workaround for this is to Cmd+click the website from the console for each site I'm processing and then manually find the sign-in link and fill my login info from 1password.

Support getting a password change URL from the cli

It would be nice to programmatically expose the password change urls (e.g. https://github.com/1Password/password-manager-resources#change-password-urls) via the onepassword tool. (This could be worked around by perhaps including that repo in the script). Right now, this involves finding the specific password change url per site (manually navigating the generally random profile/setting/security menus to get there).

Support sorting results by updated date

The op item list command doesn't support sorting, and the op item get command doesn't support getting the updated_at field of an item. It's possible to do this using jq as a workaround, e.g.:

op item list --format=json | \
    jq 'map({id, title, updated_at, category, website:.urls[]?.href}) | map(select(.category == "LOGIN")) | sort_by(.updated_at, .title)[0]'

This gets all the items, sorted by updated_at and title (I have a lot of items that share an update time, so this is useful), showing the id, updated time, item type, and websites. This probably needs to filter by category "LOGIN" as well

Password change URLs take some finding

The browser plugin could fairly easily detect and collect password change URLs from user interactions (i.e. whenever a user changes a password and is prompted with a new secure password, record this, check for a /.well-known/change-password URL on the site and submit the URL to be entered into https://github.com/1Password/password-manager-resources/blob/main/quirks/change-password-URLs.json if this doesn't already exist). Likely this needs to ensure that no private info is leaked in the URL, so hash the URL until there are multiple submissions with different users before submitting the real url.

What else would work

Building this into the app / browser plugin. There needs to be some sort of gamified restartable change password process that helps users audit and update their passwords when things like this happen. Perhaps build this process into the watchtower functionality?

Suggestion/Request: Item Deduplication Script

I apologize for hopping right in and quite informally, but I'm actually very confident many 1Password users other than myself have been seeking a method of deduplicating (imported, mostly) items in their vaults because I have spent significant amount of time searching the web - including 1Password's own official community platforms - for a way to reliably achieve this post-the tools deprecation/removal(?) of the native deduplication tool from the macOS client in recent versions.

If it'd be helpful, I can go back through that browsing history and actually cite some Stack Overflow/forum links.

I know that I, personally, am seeking the most discriminating sort of deduplication - as in, it'd still be very helpful if provided methods only worked with precisely identical matches.

Thank you! If there's a more appropriate place for me to share this request, please do let me know.

replace-http-with-https.sh fails to replace website URLs when using a Service Account with access to multiple vaults

Problem

Service accounts require a --vault flag if they have access to more than one vault. As a result, unexpected issues occur when attempting to use replace-http-with-https.sh.

Expected behavior

The "http" in the "website" field within a 1Password login item is replaced with "https".

Actual Behavior

[ERROR] <date> <time> a vault query must be provided when this command is called by a service account. Please specify one either through the --vault flag or through piped input

"website" value for all relevant items is erased:
[Screenshot: CleanShot 2023-08-30 at 10 21 02]

Environment

CLI 2.20
Ubuntu 20.04.2 ARM64

Suggestion

Add a '--vault' flag to each op item call in the script:

#!/usr/bin/env bash
#########################################################
# REPLACE HTTP WITH HTTPS 
#########################################################
# This script will replace "http" with "https" for the 
# website field of all Login items in the specified vault 

# Provide a vault UUID or vault name
vaultUUID=""

# Rewrite the website URL of each Login item in the vault
for item in $(op item list --vault "$vaultUUID" --categories Login --format json | jq --raw-output '.[].id')
do
	# First URL only; empty when the item has no URLs
	oldURL=$(op item get "$item" --vault "$vaultUUID" --format=json | jq --raw-output '.urls[0].href // empty')
	# Skip items with nothing to rewrite so the field is never set to an empty value
	case "$oldURL" in
		http://*) ;;
		*) continue ;;
	esac
	newURL="https://${oldURL#http://}"
	op item edit "$item" --vault "$vaultUUID" "website=$newURL"
done

lastpass-vault-item-import.py fails to create items and op give `unable to list item categories` error

Problem

  1. Script fails to import some items after certain point - likely special characters in extra field. Likely related to #21
  2. unable to build a list of item categories error from op during import. Customer experienced that error and was then unable to log into 1Password, perhaps due to rate limiting.

Expected behaviour

Import script should import all items that are not secure notes.

Actual Behaviour

The script fails to import all exported data.

Additional details

Report from customer:

the script lastpass-vault-item-import.py worked for my export (13 items), but ran into issues when trying to import the export.csv from [other] account (460 items, most of which are shared folder lastpass credentials). It seems to have processed some of the export file, but then produced the below message 223 times:

[ERROR] 2023/01/11 01:08:29 Unable to build a list of item categories.

I'm going to venture to guess that it ran into issues with the "extra" column data which has some special characters in some of our shared secrets.

Interestingly while the error message was being thrown at me in the terminal, I was unable to login to the 1password portal and it returned an httpd status code 429 (too many requests). So the python script seems to have hammered on the API and gotten itself blocked/rate limited.
Now that the errors have stopped, when I login to the portal and check "all items" I'm seeing 114 items. So it imported something, but not everything. And it didn't create any vaults. :-(

and

I did now see that it created a vault called "0" and tagged the secrets with "0" and there are 100 items in that vault. Is that the expected behavior?

This is probably several, distinct, issues.
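The "commas in the contents" issue and the failed 460-item import above both point at the 'extra' column of the LastPass export. The following is an added example, not code from the repository: it parses the export with Python's csv module, which keeps commas and line breaks inside quoted fields, and applies the "first three, last three" rule from the first issue only to rows that still split into too many fields. The column order, the function name `parse_lastpass_export` and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Column order assumed from the issue text: url, username, password first;
# name, grouping, fav last; 'extra' in between.
COLUMNS = ["url", "username", "password", "extra", "name", "grouping", "fav"]

# Constructed sample export, not real data. Row 2 quotes its multi-line note;
# row 3 has an unquoted comma in 'extra', so it splits into 8 fields.
SAMPLE_EXPORT = (
    "url,username,password,extra,name,grouping,fav\r\n"
    "https://example.com,alice,pw1,,Example,Personal,0\r\n"
    'http://sn,,,"Card billing address:\n1 Main St, Springfield, IL",Visa,Finance,1\r\n'
    "https://example.org,bob,pw2,shared login, ask ops first,Wiki,Shared-Ops,0\r\n"
)


def parse_lastpass_export(text):
    """Return (items, repaired_line_numbers) for a LastPass-style CSV export."""
    # newline="" lets the csv module keep line breaks inside quoted fields.
    reader = csv.reader(io.StringIO(text, newline=""))
    header = next(reader)
    if header != COLUMNS:
        raise ValueError(f"unexpected header: {header}")
    items, repaired = [], []
    for row in reader:
        if not row:
            continue  # blank line
        if len(row) < len(COLUMNS):
            raise ValueError(f"line {reader.line_num}: too few fields")
        if len(row) > len(COLUMNS):
            # Unquoted commas: trust the first three and last three fields,
            # and fold everything in between back into 'extra'.
            row = row[:3] + [",".join(row[3:-3])] + row[-3:]
            repaired.append(reader.line_num)
        items.append(dict(zip(COLUMNS, row)))
    return items, repaired


if __name__ == "__main__":
    items, repaired = parse_lastpass_export(SAMPLE_EXPORT)
    for item in items:
        print(item["grouping"], "|", item["name"], "|", repr(item["extra"]))
    print("lines repaired:", repaired)
```

The repair step is only as reliable as the assumption that name, grouping and fav contain no unquoted commas, so the returned line numbers are worth reviewing before any vaults or items are created from them.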
