LastPass Gets the Green Light from Security Now!’s Steve Gibson

From the beginning we’ve touted LastPass as ‘secure password and data management.’ We’ve insisted that only you have access to your LastPass data, since only you hold the key that can decrypt your data. We’ve upheld that we employ localized, government-level encryption (256-bit AES implemented in C++ and JavaScript) with one-way salted hashes to give you complete security as you sync your passwords through the cloud.

But – what does that mean?
Well, it means that we developed the LastPass password manager so that the following three points hold true:
1. All encryption and decryption happens on your computer.

When you create your LastPass account, an encryption key is created on your computer (your Master Password, or MP, and email go through a complex, irreversible process known as hashing to form your encryption key). Any sensitive data you then save to your account is ‘locked up’ by the encryption key while still on your computer, then sent in encrypted form to LastPass’ server.
2. The sensitive data that is harbored on our servers is always encrypted before it’s sent to us, so all we receive is gibberish.
Since the encryption key is locally created each time you submit your MP and email, all that we store and have access to on our servers is your encrypted data. Without your unique encryption key, your sensitive data is meaningless gibberish. Even if someone were to mandate that we provide a copy of our database, the data would still be unreadable without your encryption key.
3. We never receive the key to decrypt that data.
The unique encryption key formed from the hashing of your email and MP is never sent to our servers. We never, for any reason, would ask you for your MP, so the key remains safely with you.

Not satisfied?

Well, don’t just take our word for it: industry expert Steve Gibson recently reviewed us on his Security Now! podcast. After an hour-long, in-depth analysis of what LastPass is, how it works, and what it can do, Steve applauded our security measures and gave us his seal of approval.
“This thing is secure every way you can imagine. And it’s simple,” Steve says at one point. “I’ve completely switched my entire solution for managing passwords, after spending days researching it and testing it and playing with it, over to LastPass.”
He goes on to declare that we’ve “really nailed it. I mean, I don’t see a single problem with this.”
Thanks Steve! We’ve tried to cover every security angle we can think of – and we continue to add improvements based on user feedback.
There’s also a follow-up episode where a few questions from listeners regarding LastPass are addressed in detail.
We’ve embedded the video below so you can listen to the discussion of LastPass, starting around the 50th minute.

45 Comments

  • Anonymous says:

    Hey everybody, I’m starting a new business called LastWallet. It has a big lock and key on it.. YOU control the key. Just stuff all of your money in it and I’LL hold it for you. It’s a very strong wallet. I make them out of unobtainium and glue the locks in with superglue AND locktite. Oh, BTW .. you cannot use my wallets unless you let me hold them. I MUST HOLD THE WALLETS. But it’s really secure.

  • wizardprang says:

    The question is not whether Steve Gibson is right about everything – none of us are.

    Most security Now podcasts start with an errata section where he corrects misunderstandings and errors.

    For those who are concerned about your passwords being send out unencrypted it’s not hard to analyze the traffic being sent out of your computer. I’m pretty sure that SG did something like that; I don’t believe that he simply recycled LastPass’s press releases as you suggest.

  • Anonymous says:

    This is Steve Gibson we are talking about. Yes, he does a great service by trying to teach security concepts in layman’s terms, but he really isn’t a security expert. He is not respected in the security industry, and he gets things wrong all the time. He is not qualified to certify the security of a product. He simply just repeated what LastPass told him they do. It is still a great product, and I use it all the time. I am not worried about it. But if you really want to know if it’s safe and acts the way it is supposed to, we still need to wait until it is verified by an independent and qualified 3rd party. Even if it was built with the best of intentions, it could still have unexpected memory leaks and improperly deployed encryption that create holes allowing hackers to steal all of your passwords. For example, look at WEP and WPA. WEP is rarely used anymore because it is vulnerable to hacks. It actually isn’t because the encryption algorithm was flawed, but because it was implemented incorrectly. Getting these things correct is more difficult than it sounds, even if you are starting with trusted tools and resources.

  • Anonymous says:

    Steve Gibson rocks and LastPass is the BEST! I am a security freak and this certainly covers all bases.

  • Chrome problems with recent builds can be attributed to this google bug.
    http://crbug.com/52096

    Hopefully they will fix soon.

  • Anonymous says:

    lastpass stopped work in portable chrome!
    not even go to the site!