How LastPass Keeps Your Business Safe

Gabor Angyal • PublishedApril 26, 2021

Subscribe & Save 20% off Premium or Families plans

Enter your email

By subscribing, you agree to receive marketing communications regarding industry news and research, educational resources, and LastPass products and services. The processing of your personal data in accordance with the LastPass Privacy Policy. You can unsubscribe from marketing communications at any time.

With a bevy of business password managers on the market, picking the right one may seem like a tough task. With an increase of cybersecurity threats shepherded by the pandemic, you’ll need a password management solution that is built with security and encryption best practices and can handle an ever-evolving threat landscape. The goal of a password manager is to reduce the risk of a data breach and safeguard your business. You want to ensure that any solution you adopt is itself properly secured, and that it gives you the right tools to actually enforce better policies in your organization. With proactive security and reliability as cornerstones of our mission, we’ve designed LastPass to protect what you store at every step, so you can trust it with your sensitive data. For more than 70,000 businesses, LastPass reduces friction for employees while increasing control and visibility with a password management solution that is easy to manage and effortless to use. “Password security is a question that always comes up, so with LastPass, that’s a big tick in that box and we move on. Essentially, it is our product of choice for password management, and I can’t see another solution out there that comes close," relates Jason Muir, IT Operations Manager at MOQdigital. Let’s explore how LastPass is built to keep your business safe.

How do we keep our customers' data secure?

Securing an account begins the moment it’s created. LastPass operates on a zero-knowledge security model that ensures customer data remains protected. When a LastPass user creates their master password, it’s used to generate a unique encryption key. The master password and the encryption key stay local on the user’s device – they are never sent to or shared with LastPass. Without the encryption key, your encrypted vault data is meaningless. We also employ the following best practices, to ensure that customer data remains secure:

End-point encryption: Encryption happens exclusively at the device level before syncing to LastPass for safe storage, so only users can decrypt their data.
256-bit AES encryption: This algorithm is widely accepted as impenetrable – it’s the same encryption type utilized by banks and the military.
TLS for secure data transfer: Even though sensitive data is already encrypted with AES-256, the TLS protocol secures the connection to LastPass to further protect a user’s data.

100,100 rounds of PBKDF2-SHA256 hashing for brute-force attacks: We strengthen the master password and encryption key against large-scale, brute-force attacks by slowing down guesses.
Private master password: We do not send or store the master password at all to ensure that access to sensitive vault data remains secure.
Zero-knowledge model: LastPass Federated Login Services is designed to ensure that the user’s identity provider credentials are not exposed to LastPass and all data stored encrypted on LastPass’ servers.

How do we keep our infrastructure protected?

LastPass also utilizes best practices to protect our infrastructure, including regularly upgrading our systems, as well as utilizing redundant data centers to reduce the risk of downtime or a single-point-of-failure. We employ the following to ensure that our customers can trust our security infrastructure:

Regular audits and pen tests: We engage with trusted, world-class, third-party security firms to conduct routine audits and testing of the LastPass service and infrastructure.
Bug bounty program: Our bug bounty program incentivizes responsible disclosure and improvements to our service from top security researchers.

Transparent incident response: Our team reacts swiftly to reports of bugs or vulnerabilities and communicates transparently with our community.

The importance of multi-factor authentication

LastPass also offers users multi-factor authentication (MFA) on top of account logins and the LastPass vault to provide an extra layer of protection against cyber-criminal attacks. With MFA, users can add extra security by requiring a second or third login step before authorizing a user. Multi-factor authentication requires two or more authentication factors, including something the user knows (master password), in addition to something they have (a code, a key) and/or something they are (a fingerprint). By requiring not only the master password, but also an additional login factor, a user adds another layer of protection against unauthorized access.

The “gold standard” for security and privacy

LastPass has acquired the Service Organization Control 2 (SOC 2) Type 2 compliance, which is a detailed review of our controls and processes. As the “gold standard” for software companies that is widely recognized nationwide across industries, completing and maintaining SOC 2 compliance is just one more way we demonstrate our commitment to security and privacy. With LastPass, businesses can take control of password management, benefitting from a proven security model, secure product architecture and powerful security features. Learn more about how LastPass can help safeguard your data. For more information, be sure to check out these additional resources:

Share this post via: