2

I am a web developer, not a security expert, but I know a little bit about security because I need it as a web developer.

According to LastPass,

LastPass encrypts your Vault before it goes to the server using 256-bit AES encryption. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data!

As I understand it, this simply means that LastPass employees cannot see passwords by using any method. So how can we find our passwords which are saved on their servers (encrypted passwords)? I mean, if their program can show passwords to us, why can't employees use the same method to decrypt our passwords which are stored on their servers?

Or do I misunderstand some point?

schroeder

1 Answer

6

The decryption happens on your device, using the password you enter when starting the program, or a stored version of this, if you've selected "remember me" or are using biometric authentication. The password isn't sent to their servers, so the employees don't have access to it.

In more detail: the master password is used to generate an encryption key, which is then used on the client device to encrypt passwords. When you log into a new device, the password you've entered is used to generate the same encryption key, which, since symmetric encryption is used, also allows for decryption. This effectively means that the master password is the key for all the other data stored.

If you change your master password, the client side code re-encrypts all your passwords with the new key generated from this. This can take a while if you have a lot of passwords stored.

Matthew
  • How does decryption happen on my device? How does my device know how to decrypt the password? Assume I save my fb password. My password is `yhtrsgsg`. It may be saved on the LastPass server like `hdyd67^*&678sd8sdshdbshdgshd87678767sdhhhsg%4`. Then how does my device know how to decrypt `hdyd67^*&678sd8sdshdbshdgshd87678767sdhhhsg%4` to `yhtrsgsg`? I mean there should be a logic... How does my device know that logic? – I am the Most Stupid Person Nov 30 '17 at 10:45
  • You need to read the LastPass documents: https://www.lastpass.com/how-it-works "You’ll create an account with an email address and a strong master password to locally-generate a unique encryption key." and "Local-only encryption. Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass." – schroeder Nov 30 '17 at 10:46
  • @IamtheMostStupidPerson Because you've logged in (entering your password). The password is (effectively) used as the decryption key. – Matthew Nov 30 '17 at 10:59
  • @Matthew Thanks for the update. I think now I get how this happens. So if we change our master password, LastPass will update all our passwords (I mean as newly encrypted passwords) on their server too... Am I correct? – I am the Most Stupid Person Nov 30 '17 at 11:09
  • @IamtheMostStupidPerson Yes, correct. That is what he wrote in his answer. – Nico Nov 30 '17 at 11:53