14

They said:

Private Master Password: The user’s master password, and the keys used to encrypt and decrypt user data, are never sent to LastPass’ servers, and are never accessible by LastPass.

Local-Only Encryption: User data is encrypted and decrypted at the device level. Data stored in the vault is kept secret, even from LastPass.

This raises a few questions:

  • If LastPass doesn't have my password, how does it know that the password I entered is correct?
  • How does LastPass decrypt my passwords on a new device?
  • Is LastPass secure?
  • What if I forget my Master Password?
Joshua Shearer
  • 278
  • 2
  • 6
AsimRazaKhan
  • 259
  • 1
  • 2
  • 7
  • Your password is used to generate the encryption key. They can verify your password by verifying that it correctly decrypts some known data that they've put in your password list. – Neil Smithline Jan 15 '16 at 18:48

2 Answers2

16

From this support thread on the LastPass website:

LastPass says they never receive my Master Password. Don’t I send it to the LastPass servers when I log in?

No, when you login to LastPass, two things are generated from your Master Password using our code discussed previously before anything is sent to the server: the password hash and the decryption key. This is all done locally.

  • The password hash is sent to our servers to verify you. Once verified, we send back your encrypted Vault. We are only sent your hash, not your Master Password.
  • The decryption key, which NEVER leaves your computer, is then used to decrypt your Vault once it comes back.

So to answer your questions:

How does LastPass know that my password is correct?

LastPass only has access to your vault in an encrypted form; they can't read it without knowing the key. When logging in, your client only sends the hash of your password, and LastPass simply compares it to the password hash they possess.

How does LastPass decrypt my passwords on a new device?

The decryption key is a function of your password. As a result, the same input (your password) will always produce the same output (hash + the decryption key). That's all your new device needs to know in order to decrypt your vault.

Is it really secure?

The answer to this depends on how much you trust LastPass.

If it works exactly the way they say it does, then a sufficiently strong password should be relatively secure.

If at any point they obtain access to your password (whether it be intentional or accidental), you should probably consider it to be compromised, and should not only change your LastPass password, but the password for every account you have in your vault.

What if I forget my Master Password?

If you forget your password, you lose access to your vault. LastPass can't send it to you or reset it..

For users who are willing to trade away some of their LastPass security in exchange for a "safety net", LastPass allows you to produce and use One-Time-Passwords, and you can even enable Emergency Access to provide access to your account from specified users.

LastPass Help Desk - One Time Passwords

One Time Passwords

If you are using an untrusted public computer and need to access your LastPass data but are hesitant to do so because of potential keyloggers, LastPass provides One Time Passwords (OTPs) as one option for securely accessing your account.

While using a trusted computer, go to https://lastpass.com/otp.php to create a list of random passwords that can be used only once to log into LastPass. You must be logged into the plugin to manage your OTPs. From this page, you will be given the option to Add a New One Time password, Clear All OTPs, or Print your OTPs.

Each time you generate a new OTP, it will be added to your list. These passwords can be printed or carried with you on a portable storage device. You can then revisit the above page to login using this password and you can be certain that, even if captured, the password will not allow access into your account in subsequent attempts because it expires after you login with it once.

You can even use OTPs with another form of multi-factor authentication (Yubikey, Google Authenticator, Sesame or GRID), to be even more secure when you are not using a trusted computer.

LastPass Help Desk - Emergency Access

Emergency Access

Do you worry about your family, friends, partner, or spouse having access to important accounts should something happen to you? Do you want an easy way to give them the passwords and logins they’d need to manage accounts on your behalf? Prepare for the unexpected and ensure your loved ones don’t get locked out of important accounts, like paying bills or the mortgage, and that they can manage your digital legacy.

With the Emergency Access feature, you can give trusted family and friends access to your LastPass account in the event of an emergency or crisis. Your designated Emergency Access contact(s) can request access to your account and securely receive the passwords and notes without knowing your Master Password. You decide how much time should pass before they’re given access once they request it, and you can decline access if it’s requested unnecessarily.

Emergency Access can also be used as an alternative account recovery feature, if you worry about ever forgetting your master password and want to ensure you have a backup way of recovering your vault.

Please note: the person you share access with will need their own LastPass account as well.

Joshua Shearer
  • 278
  • 2
  • 6
2

It might be worth checking out Public and Private key Cryptography(asymmetric).

I speculate, they could use asymmetric cryptography. When a you register a new device, create a keypair on said device send the public key to the old device, encrypt the original private key with the public key of the new device, send it to their servers and then to your new device and decrypt the original private key locally on the new device using the new private key and then delete the new private key leaving only the original private on both devices.

You can then use one master pass word to unlock the rest of your accounts password. All the technicalness is hidden beneath the layers, so all the user needs to known is one password.

This means your secure private key passes though their servers but is obfuscated.

Then you must ask what encryption do they use? I doubt they'll tell you as a security precaution. Do you trust the particular encryption? Who are you preventing from decrypting, someone think commercial computer power or a government with large computing power. As weak encryption can be beaten by normal users etc.

But thats only speculation.

What I means is its technically possible for a service like that to be secure providing they use strong enough encryption but whether the company adheres to this is another question.

The real question in security is: are your devices secure or are you secure. People are the weakest link the security chain.

If you forget you master password, you've lost everything. The temptation is to write it down, but that is one of the reasons people are the weakest security link.

My password solution of late has been Yubico key.

Snewedon
  • 185
  • 7