Security is the foundation of what we do here at LastPass. We built our service to ensure that your data is protected and private, from us and from anyone else. Here are a few ways we achieve that:

Local-only encryption of sensitive data

All encryption and decryption occurs locally on the user’s device, not on our servers. This means that your sensitive data does not travel over the Internet and never touches our servers. Your data is only transmitted to LastPass once it is encrypted. We don’t have access to your sensitive data, nor could anyone who potentially abuses our systems get access to it. We have zero knowledge of your confidential information, including your master password. For this reason, LastPass Support does not have the ability to reset your master password if it is ever lost or forgotten.

Strong encryption & hashing

We use the same encryption algorithm (AES-256) that the U.S. Government uses for top-secret data. Your encrypted data is meaningless to us and to everyone else without the encryption keys (derived from your email address and master password). Because your encryption keys are never shared with LastPass, we can’t decrypt your data, we can only store your encrypted data for you to access next time you log in.

Only you know the key to decrypt your data

Your encryption keys are created from your users’ email addresses and master passwords. The master passwords are never sent to LastPass. An authentication hash is what LastPass uses to verify that the user is entering the correct master password. The components that make up the encryption key and authentication hash are never sent to LastPass, and remain local to the user. If someone were to gain access to the encrypted data, it would be meaningless to them because they don’t have the master password. LastPass also offers configurable policies that let you add more layers of protection.

Control your policies

We know that one size does not fit all when balancing security and ease of use. That’s why we allow you to define your preferences by providing a range of configurable policies. This gives you more control over how your team can use LastPass and what kind of access they can have to the data you’re storing in it. You can set policies to:

• Restrict or enforce the use of certain features
• Limit access to certain locations or devices
• Add Multifactor Authentication for extra protection

We strongly encourage you to review the available policies prior to rolling out LastPass across your users.

Generate unique, strong passwords

No more using the same password for all sites. No more writing down passwords on little pieces of paper. No more emailing yourself when you forget your password. With the LastPass password generator, users can create strong passwords for each site and automatically save them to their individual vault. With LastPass, your data will be safer online than ever before, without the hassle of remembering unique passwords. Employees will be able to use passwords that are long, strong, and random – while actually making it easier for them to get their work done.