LastPass Gets the Green Light from Security Now!’s Steve Gibson

From the beginning we’ve described LastPass as ‘secure password and data management.’ We’ve insisted that only you have access to your LastPass data, since only you hold the key that can decrypt it. We’ve maintained that we use local, government-grade encryption (256-bit AES, implemented in C++ and JavaScript) together with one-way salted hashes, so that your passwords stay protected while you sync them through the cloud.

But – what does that mean?
Well, it means that we developed the LastPass password manager so that the following three points hold true:
1. All encryption and decryption happens on your computer.

When you create your LastPass account, an encryption key is created on your computer: your Master Password (MP) and email go through a one-way, irreversible process known as hashing to form your encryption key. Any sensitive data you then save to your account is ‘locked up’ (encrypted) with that key while it is still on your computer, and only the encrypted form is sent to LastPass’ servers.
2. The sensitive data stored on our servers is always encrypted before it is sent to us, so all we receive is gibberish.
Since the encryption key is re-created locally each time you submit your MP and email, all that we store and have access to on our servers is your encrypted data. Without your unique encryption key, that data is meaningless. Even if we were compelled to hand over a copy of our database, the data would still be unreadable without your encryption key. Because that key is derived from your MP, the only thing such a copy could be attacked with is guessing a weak MP, which is why a long, unique MP matters.
3. We never receive the key to decrypt that data.
The unique encryption key formed by hashing your email and MP is never sent to our servers. We never, for any reason, ask you for your MP, so the key remains safely with you.

Not satisfied?

Well, don’t just take our word for it: industry expert Steve Gibson recently reviewed LastPass on his Security Now! podcast. After an hour-long, in-depth analysis of what LastPass is, how it works, and what it can do, Steve applauded our security measures and gave us his seal of approval.
“This thing is secure every way you can imagine. And it’s simple,” Steve says at one point. “I’ve completely switched my entire solution for managing passwords, after spending days researching it and testing it and playing with it, over to LastPass.”
He goes on to declare that we’ve “really nailed it. I mean, I don’t see a single problem with this.”
Thanks Steve! We’ve tried to cover every security angle we can think of – and we continue to add improvements based on user feedback.
There’s also a follow-up episode where a few questions from listeners regarding LastPass are addressed in detail.
We’ve embedded the video below so you can listen to the discussion of LastPass, starting around the 50th minute.

45 Comments

  • amh says:

    Anonymous, this isn’t the time or place, but did you even read this article or watch the review? Your master password is never sent to LastPass; your passwords aren’t stored online. An AES-256 encrypted file is synced to your different PCs. Work on your reading comprehension, or just watch the video review of the security measures. This is VERY different than storing your passwords online.

  • Anonymous says:

    Nice try. Will never trust anything stored online! How on earth do I know my master password is not sent to LastPass??? LastPass is indeed nice, covers all platforms, but I do not trust any private company to store my passwords. Will stay with Roboform, where all my info is encrypted on my PC. Do not even use their online version.

  • Anonymous says:

    Are all data fields encrypted or just certain fields?

  • Wes says:

    Looked into LastPass a little more. It seems like a good product, but I don’t like the idea of subscription payments. I only intend to use it with my iPod and home PC, and I already have KeePass set to sync with Dropbox which MyKeePass on the iPod will download from. It took about ten minutes to set up, but it is all automated now with Keepass Triggers and Dropbox automatic syncing.

    • Anonymous says:

      I have no idea why people would use something free for a purpose as important as guarding their most important information. You WANT these people to make money so they can stay in business and further develop the product. Besides, if somebody gives you something for free, you need to ask yourself why that is.

    • Anonymous says:

      Because it’s open source.

    • Anonymous says:

      Open source is basically opening it to being cracked. For something like this I’d want it to be closed source. If you know how it works internally, you can break it.

    • Anonymous says:

      1) Open source means many, many interested eyes on the code… it’s not infallible, but it’s not a weakness either
      2) Knowing how it works does not mean you can crack it. Knowing how a lock works does not mean you have a key to open it. The mechanisms of AES are well-documented and understanding how it works gives me confidence in the algorithm.

  • Excellent to hear. I’ve been using LastPass for a while now and I was always wondering what some of the pros thought of LastPass security.

  • Wes says:

    Steve is a funny guy. I still use SpinRite, too.