LastPass and the NSA Controversy

By September 10, 2013 Security News 132 Comments

With news that the United States National Security Agency has deliberately inserted weaknesses into security products and attempted to modify NIST standards, questions have been raised about how these actions affect LastPass and our customers. We want to directly address whether LastPass has been or could be weakened, and whether our users’ data remains secure.

In short, we have not weakened our product or introduced a backdoor, and haven’t been asked to do so. If we were forced by law to take these actions, we’d fight it. If we were unable to successfully fight it, we would consider shutting down the service. We will not break our commitment to our customers.

Although we are not currently in the position of having to consider closing the service, it is important to note that if LastPass had to be shut down, our users would be able to export their data or continue using LastPass in “offline” mode, although online login and syncing would no longer be possible.

We have consistently reiterated that LastPass cannot share what we cannot access. Sensitive user data is encrypted and decrypted locally with a key that is never shared with LastPass. As always, we encourage our users to create a strong master password to better protect themselves from brute-force attacks. Given our technology and lack of access to stored user data, it is more efficient for the NSA or others to try to circumnavigate LastPass and find other ways to obtain user information.

Ultimately, when you use an online service you’re trusting the people behind that service to have your best interests at heart and to fight on your behalf. We have built a tradition of being open and honest with our community, and continue to put the security and privacy of our customers first. We will continue to monitor the situation and change course as needed, with updates to our community when necessary.

Thank you to our community for your ongoing use and support of LastPass.


  • Matthias says:

    Reading all the concerns about LastPass not disclosing all of their code and being a company under US legislation (with all the potential consequences) it seems that there now is serious alternative available where instead of complaining you may act and prove how much concerned you really are.

    Mitrio, which up to recently just has been a start-up company offering a service similar to LastPass, has released their entire source code (server and clients) under the GPL license on the end of July 2014.

    As it seems they decided to close their business down and move on to work on different projects at Twitter instead. Read their announcement at and EFF’s announcement at

    So if you you are truly concerned about LastPass’ legal situation and their refusal to disclose the full source code, but would like to continue to use a similar service, based on an fully disclosed code base that can be hosted by yourself or someone you fully trust, here is your chance to act.

    Join this open source project and help the mitrio community to audit the code, streamline server installation and maintenance as well as adjusting client configuration to an extent that will make it possible for average sysadmins and users to switch over to mitrio.

  • Anonymous says:

    If Lastpass would have received a NSL, they would be unable to talk about it. The only chance is moving to a country where freedon of speech exists.

  • Sally Oh says:

    I would love to see an update to this. Lots of new information in the past few months. I would like to know if you’ve received any security letters in the past few months. Thank you.

  • Anonymous says:

    Well, there are companies that act as independent neutral third parties, providing auditing, verification etc. services. LastPass could ask a few such companies from abroad (not so easily influencable by NSA) to perform an yearly audit of their software and live systems and give a verdict of whether they think LastPass does what it claims. Of course it’s easy to just switch to a “clean” version for auditing and back to “backdoored” afterwards, if that’s the case. Furthermore, LastPass could allow such a third party to supervise their operations continually, making surprise checks of anything, etc. etc.