LastPass Gets the Green Light from Security Now!’s Steve Gibson

From the beginning we’ve touted LastPass as ‘secure password and data management.’ We’ve insisted that only you have access to your LastPass data, since only you hold the key that can decrypt your data. We’ve upheld that we employ localized, government-level encryption (256-bit AES implemented in C++ and JavaScript) with one-way salted hashes to give you complete security as you sync your passwords through the cloud.

But – what does that mean?
Well, it means that we developed the LastPass password manager so that the following three points hold true:
1. All encryption and decryption happens on your computer.
When you create your LastPass account, an encryption key is created on your computer (your Master Password, or MP, and email go through a complex, irreversible process known as hashing to form your encryption key). Any sensitive data you then save to your account is ‘locked up’ by the encryption key while still on your computer, then sent in encrypted form to LastPass’ server.
2. The sensitive data that is harbored on our servers is always encrypted before it’s sent to us, so all we receive is gibberish.
Since the encryption key is locally created each time you submit your MP and email, all that we store and have access to on our servers is your encrypted data. Without your unique encryption key, your sensitive data is meaningless gibberish. Even if someone were to mandate that we provide a copy of our database, the data would still be unreadable without your encryption key.
3. We never receive the key to decrypt that data.
The unique encryption key formed from the hashing of your email and MP is never sent to our servers. We would never, for any reason, ask you for your MP, so the key remains safely with you.

Not satisfied?

Well, don’t just take our word for it: industry expert Steve Gibson recently reviewed us on his Security Now! podcast. After an hour-long, in-depth analysis of what LastPass is, how it works, and what it can do, Steve applauded our security measures and gave us his seal of approval.
“This thing is secure every way you can imagine. And it’s simple,” Steve says at one point. “I’ve completely switched my entire solution for managing passwords, after spending days researching it and testing it and playing with it, over to LastPass.”
He goes on to declare that we’ve “really nailed it. I mean, I don’t see a single problem with this.”
Thanks, Steve! We’ve tried to cover every security angle we can think of – and we continue to add improvements based on user feedback.
There’s also a follow-up episode where a few questions from listeners regarding LastPass are addressed in detail.
We’ve embedded the video below so you can listen to the discussion of LastPass, starting around the 50th minute.

45 Comments

  • Hans Nijssen says:

    It’s a great tool.

  • Anonymous says:

    It’s good to see this affirmation of LastPass security. All the same, I would like to see an in-depth and thorough report from a recognized industry body confirming the robustness of the various security features.

  • Anonymous says:

    Tekzilla (Revision 3) mentioned Lastpass in last Thursday’s weekly ep (23rd Sept) and are supposed to be doing a review in next Thursday’s. Don’t suppose they will do a full security investigation though. Like Patrick, I am using an encrypted text file! Tried Roboform a while back but it crashed and I couldn’t use it on W764; will have to give this one some thought, but it sounds ok.

  • Anonymous says:

    I totally agree with the above comment. LastPass would be a very interesting target, and a black hat competition would be the best place to find someone with the skills to crack it, and the decency to report their findings.

  • Anonymous says:

    Further to the discussion above, maybe they could do a hacking competition at a black hat event to test the security.

    Steve Gibson is a windows man, I’d like to see someone from the linux community test it.

    Great product though, I’m using it.

  • Good luck to your new endeavor with LastWallet! But please be sure that you offer it for free for everyone to use. Also be sure that if your superglue fails, that my money isn’t at risk, and that if you or someone else happens to take my wallet and disappear that I won’t have lost any money. Lastly, please have other people verify that your wallet is really as good as you say it is. Make sure it works well and that it solves a problem that nearly every Internet user faces today. If your product (and the people behind your product) are half as good as that other product LastPass, then I’m sure it will gain support and do incredibly well.