Inside the DNA of Your Master Password

When you begin using LastPass, your first step is to create a master password. You can think of it as one password to rule them all. With a strong master password guarding your entire vault of passwords, you no longer have to keep track of all of them yourself. But what exactly is in the DNA of a master password, and how does it keep your data secure? Here's what you need to know about the master password – arguably, your most important password – and how it protects your business.

What is a master password?

Your master password is the key to all of the passwords and data that are stored in your LastPass vault. As such, it's essential that your master password be as strong as possible. IT teams that administer LastPass business solutions can also implement a wide range of security policies to further strengthen employees' master passwords by default. All of that said, a master password should be:

•  A minimum of 12 characters long (ideally longer)
• Unique from any other password that you use elsewhere
• A complex mix of letters, special characters, and numbers

There are also some things you should avoid when creating a master password in LastPass. Your master password should never:

• Be used as a password for any other website or app. For example, a breach on another website could put your LastPass account – and all the passwords it protects – at risk if you re-used your master password on that website.

• Contain personal information that an attacker might know or could potentially access if any of your online accounts were ever compromised in a data breach. Avoid using birth dates, street addresses, or phone numbers.
• Be shared with anyone, including LastPass employees. Your master password is for you alone. In fact, it's not even for LastPass to know (we'll get to that in a minute).

Once you have created a master password, you don't have to change it very often, if at all. You should only change your master password if you logged onto LastPass from a computer or mobile device that was infected with spyware or malware, if you fell victim to a phishing scam that tricked you into sharing your master password, or if you have reason to believe that attackers gained access to your LastPass account and/or leaked your master password on the dark web. 

The DNA of a master password

The very first time you log into LastPass, it will ask you to enter your email address and create a master password. You can think of these two pieces of information as the DNA of a master password. LastPass then uses this DNA to perform hashing (converts one value to another) and salting, two essential techniques that significantly increase the security of your LastPass account. Here's how it works. Behind the scenes, LastPass uses your master password to generate an encryption key for your vault through a process called derivation. In addition, when you initialize your LastPass account, LastPass will generate a hash of their LastPass Master Password utilizing their email address as the salt value (random string per user). This happens locally, right on your computer or mobile device.  The LastPass application uses 600,000 rounds of PBKDF2-SHA256 hashing to derive your vault’s encryption key. Using this value, LastPass performs another single round of hashing to generate the authentication hash (also known as the “login hash”). The login hash is sent to LastPass, where it undergoes additional rounds of hashing, and the output is then stored and used to authenticate your LastPass account upon future logins. 

How hashing and salting secure your LastPass vault

 When you attempt to log into LastPass, it compares the original output written at setup to the output of the same function when you try to log in a second time. If the output from your login attempt matches what is stored in the LastPass database, then and only then, will you be authenticated and granted access to your vault. If that output doesn't match, say because you may have entered your master password incorrectly, you will not be authenticated, and you won't be able to log into LastPass. It's important to note that throughout all of these background processes, your master password and encryption key are never sent to LastPass' servers. Also, because hashing is a one-way function, LastPass cannot reverse the authentication hash that it receives. This means it's not possible for LastPass to reverse engineer an authentication hash that was created on your behalf.

Best practices keep your master password secure

When you use these best practices with your master password and hashing iterations, which take place at lightning speed behind the scenes when you set up your LastPass account for the first time, it would be very difficult for even the strongest of computers to crack your encrypted vault data. You can also increase the number of rounds of PBKDF2 hashing in your account settings, should you wish. This optional best practice does increase the amount of background work required to create the hash that protects your LastPass vault, and it makes the process of verifying a password take a little longer. However, this step also makes it significantly harder for attackers to successfully execute a brute-force attack on your LastPass account using a given hash. That’s why we leave it up to you to decide what makes you feel secure. 

How a zero-knowledge model protects your master password

As we mentioned earlier, your master password is for you alone. Not even LastPass or its employees have access to it. This is because LastPass is built on the well-known zero-knowledge encryption model: LastPass does not have access to passwords or other sensitive records that are stored in your encrypted vault. Your master password and sensitive vault data are never stored on LastPass' servers in plaintext form. Lastly, the only way to decrypt your LastPass vault locally and gain access to its contents is to correctly enter your master password (and receive the two-factor authentication that you hopefully have on your account as well).

Protect your business with a strong master password

Your master password keeps all of your other passwords secure. As such, it's a critical tool in you and your company's cybersecurity toolbox. And, as we've seen, the DNA of a master password is quite complex. We recommend using these best practices – a long, unique master password and at least 600,000 rounds of hashing – to best protect your account from threats. Get LastPass today.