LastPass Gets the Green Light from Security Now!’s Steve Gibson

From the beginning we’ve touted LastPass as ‘secure password and data management.’ We’ve insisted that only you have access to your LastPass data, since only you hold the key that can decrypt your data. We’ve upheld that we employ localized, government-level encryption (256-bit AES implemented in C++ and JavaScript) with one-way salted hashes to give you complete security as you sync your passwords through the cloud.

But – what does that mean?
Well, it means that we developed the LastPass password manager so that the following three points hold true:
1. All encryption and decryption happens on your computer.

When you create your LastPass account, an encryption key is created on your computer: your Master Password (MP) and email are run together through a complex, irreversible process known as hashing (the salted, one-way hashing mentioned above), and the result is your encryption key. Any sensitive data you then save to your account is ‘locked up’ with that key while still on your computer, and only the encrypted form is sent to LastPass’ servers.
2. The sensitive data that is harbored on our servers is always encrypted before it’s sent to us, so all we receive is gibberish.
Since the encryption key is locally created each time you submit your MP and email, all that we store and have access to on our servers is your encrypted data. Without your unique encryption key, your sensitive data is meaningless gibberish. Even if someone were to mandate that we provide a copy of our database, the data would still be unreadable without your encryption key.
3. We never receive the key to decrypt that data.
The unique encryption key formed from the hashing of your email and MP is never sent to our servers. We never, for any reason, would ask you for your MP, so the key remains safely with you.

Not satisfied?

Well, don’t just take our word for it: industry expert Steve Gibson recently reviewed us on his Security Now! podcast. After an hour-long, in-depth analysis of what LastPass is, how it works, and what it can do, Steve applauded our security measures and gave us his seal of approval.
“This thing is secure every way you can imagine. And it’s simple,” Steve says at one point. “I’ve completely switched my entire solution for managing passwords, after spending days researching it and testing it and playing with it, over to LastPass.”
He goes on to declare that we’ve “really nailed it. I mean, I don’t see a single problem with this.”
Thanks Steve! We’ve tried to cover every security angle we can think of – and we continue to add improvements based on user feedback.
There’s also a follow-up episode where a few questions from listeners regarding LastPass are addressed in detail.
We’ve embedded the video below so you can listen to the discussion of LastPass, starting around the 50th minute.


  • Anonymous says:

    LastPass deserves an attaboy for voluntarily exposing a cross-site scripting vulnerability that potentially could have allowed someone to download a copy of my encrypted file of hashed password codes. Oh my… Maybe I’m crazy but that’s not even a small security problem.

  • I REALLY think LastPass MUST make public an audit report from a 3rd party or independent researcher, as a matter of some urgency.

    Issues like the one noted at are very serious for a tool like this.

    In addition to the auditor selection, what they do is important. I’ve spent a LOT of time on the latter question while negotiating with TD Ameritrade regarding what sort of auditing they would get.
    Here’s what I would find acceptable:
    Lastpass must be certified by a 3rd party auditor as having PASSED an audit. The audit should be to the Massachusetts Data Privacy Regulations that by law LastPass has to be in compliance with already (with the minor modifications I’ve listed on my blog). Anything less than a PUBLIC CERTIFICATION that the audit was PASSED isn’t good enough. The auditor needs to be a large enough company that its certification means something. (Passing an audit means the auditor can write an unqualified opinion letter.) See my blog post, “Audit”, here: