What makes LastPass secure?
The security of your sensitive data is our top priority. Below are some of the ways LastPass keeps your information safe and secure.
Your master password is never sent to LastPass.
When you log in to LastPass using your master password, both the password hash and decryption key are generated locally.
- The password hash is sent to our servers to verify you. Once verified, LastPass grants you the ability to access your vault. This means that only your password hash is sent to LastPass, not your master password.
- The decryption key never leaves your computer and is used to decrypt your vault locally once you have been verified.
Your sensitive data is encrypted.
We use 256-bit AES encryption to protect the contents of your LastPass vault. Since your vault is already encrypted before it reaches the LastPass server, your vault contents cannot be accessed, even by a LastPass representative.
LastPass uses a one-way salted hash.
A one-way function is one that cannot be reversed.
A hash is a representation of your master password.
The process of salting adds extra data to the hash in order to add complexity. LastPass uses the username to salt the master password.
In other words, LastPass enters the username and master password into one-way functions to create a salted hash. Since the function cannot be reversed, even if the salted hash was compromised, the attacker would still be unable to obtain the master password.
LastPass uses PBKDF2-SHA256 rounds.
This feature makes the salted hash even more complicated for an attacker because it increases the number of iterations it takes in order for a password to be accurately guessed. Using a one-way salted hash with a high number of iterations, along with making sure your master password is long and complex, provides the greatest potential for preventing your sensitive dating from being compromised. Learn more about password iterations.