Comments on LastPass the last password you'll have to remember.: After Yahoo Email Debacle, Sarah Palin Needs Lastp...

I wanted to give up RoboForm, but LastPass won't f...

2010-03-01T20:54:26.386-05:00

I wanted to give up RoboForm, but LastPass won't fill the username at Amazon.com. That was one of the first sites I tried. If that doesn't work, well I'll wait for RoboForm to get their act together for the Chrome add-on.

Loved LastPass!I'm giving up from Roboform!

2008-09-30T11:09:55.464-04:00

Loved LastPass!
I'm giving up from Roboform!

I had this same question and asked the Lastpass te...

2008-09-26T07:36:58.893-04:00

I had this same question and asked the Lastpass team for a non-jargon explanation and got this from Bob:

Neither your site specific passwords or your Lastpass password ever leaves your computer. Your site-specific passwords are encrypted locally converted from passwords with value into encoded string of characters with no intrinsic value.

For example if your use Lastpass to store your password for Amazon.com and your password for Amazon is "Amazn1" Lastpass converts "amazn1" into an encrypted string: encrypted string that has been encoded: YpCEhki/Bbs3l1eFsRpWSQ==

Lastpass stores this encrypted string. It is completely meaningless to us or anyone else without the key. The key is created from your master Lastpass password. and your log-in Your username+password combination is hashed in 2 ways:
1) To create your password hash that is sent to us for authentication
2) To create your encryption key which is never sent to us

For example your the password hash might look like:
5dff3ab77d45983d9c3005435da0ac
eb13db373ef5cd829dda196da402160aba

This is a one way hash and there is no way for us to get the original string. We also create your key that we use for encrypting/decrypting your data locally. This is never sent to us. It looks similar in structure (same length, character set [0-9, a-f] used) to the hash above, but is different.

When you log into Lastpass from a foreign computer, the user enters his/her Lastpass username and passsword into the website. Both the authentication hash and the encryption key are generated from these. Javascript (running locally on the computer) performs the hashing. Then the computer make a request to our servers to authenticate and pull down their encrypted data. Again, locally (in javascript) we perform the decryption of the data with their key.

Once you log off a foreign computer, Lastpass instructs the browser not to cache the page. Most browsers don't save https pages anyway. But even if the browser did cache the page, it is dynamically generated via javascript, so without the username/password combination to decrypt the data, the data is meaningless.

It sounds like some word play, but overall I think...

2008-09-26T06:19:58.953-04:00

It sounds like some word play, but overall I think for the most part, it's more true in meaning than not.

I think they mean that your encrypted data is on their servers, but it's gibberish and completely meaningless to them without your password...and you're the only person who has that password.

I don't understand when you say, "Lastpass doesn’t...

2008-09-26T05:59:52.154-04:00

I don't understand when you say, "Lastpass doesn’t ... have access to any of my information, it doesn’t get saved onto their servers".
- I get the first part: that you don’t have "access" to any of my information, because it's encrypted and you don't have my Lastpass-login password. That seems to be the real point. However, saying that you don't save my info on your servers seems untrue, since you make my "passwords accessible online, ... from virtually anywhere, anytime" (as your home page says).
- Can you clarify this?