I trust LastPass with my passwords because of how the system is designed. LastPass is about as secure as a password manager can be, and the reason is the lengths it goes to in order to keep your personal information secure.
In order to see why I trust LastPass, it is important to understand how your passwords are secured within the service. Let me try to explain the security process of LastPass as best as I can.
Anyone who has used LastPass knows that you log in with two pieces of information: your email address and your master password. These two pieces of information are the key to the whole security process; without both of them, nobody, LastPass included, can derive the key that protects your passwords and other information.
Hashing
Before I continue, let me quickly explain a concept that will appear a few times in this post: hashing. For those unfamiliar with it, a hash function is a one-way function that takes input of any type and length (text, binary, etc.) and produces a fixed-length value, usually written out as a string of hexadecimal digits. For practical purposes no two different inputs produce the same value, and even a one-character change to the input produces a completely different result. By one-way I mean that you can't take a hash and recover the original information that was used to create it.
A good analogy for a hash is baking a loaf of bread. The ingredients for the loaf are the data that you want to hash. Once the ingredients are provided, you bake the bread, which is like hashing the data. The baked loaf is the hash value you get back from the function. Just as you can't separate the original ingredients back out of the bread, you can't extract the original data from the hash.
Encrypting Your Data
With the concept of hashing out of the way, let’s continue to look at how LastPass keeps your data secure.
When you log into LastPass, the application converts your email address to lowercase (making it case-insensitive) and removes any whitespace. Your master password is then appended to the normalized email address, unchanged, and a SHA-256 hash is computed over the result. SHA-256 is a strong, widely used hashing algorithm. The resulting value is your cryptographic key and is used both to encrypt and to decrypt your data.
When LastPass generates your key, you can specify the number of hashing iterations used to produce it. Each iteration feeds the previous result back into the hash, so anyone trying to guess the email and master password behind a hash has to repeat all of those iterations for every single guess. A good number is 5,000. The higher the iteration count, the better, but the more iterations you perform, the longer it takes to generate the key on some devices, such as mobile devices, because the legitimate user pays the same cost once at every login.
The important thing to note here is that LastPass never receives your cryptographic key – it stays on your local computer. This means that the data is encrypted on your local computer and sent to LastPass encrypted. Your data is only decrypted on your local computer as well, as LastPass has no way of decrypting the data because they never have your cryptographic key – the key never leaves your local computer.
Another important thing to remember is that because LastPass never receives your key, they can't help you recover your data if you forget your master password: they never knew what your password was when you created it. This may seem bad, but it also means that even when they are subpoenaed to provide your data to the authorities, all they can hand over is the encrypted blob, because they have neither your cryptographic key to decrypt it nor your master password. Always remember your master password.
Authentication
We now know how LastPass creates your cryptographic key and how your data is encrypted on your local computer. The next point is how you are authenticated within the LastPass service.
Since LastPass never gets your key, they need another way of authenticating you on the LastPass service. What LastPass does is take your key (the first hash) and append your master password to it, then hash that to create a second hash. This means that to produce the second hash you need to create the first hash from your email and password, and then hash it again together with your password. Since a hash is a one-way function, your key cannot be recovered from the second hash, so LastPass still never learns what your key was.
LastPass isn't done with the hashing, though. When you sign up with LastPass, a 256-bit random number is generated and saved with your account. This random number is appended to the second hash, and that combined value is hashed once more. This third hash is what is saved with your account and what is used to authenticate you. The second hash is never stored with your account; it is generated on your computer each time you log in and sent to LastPass, which hashes it again with the stored random number and compares the result to the stored third hash. Only if the two match are you authenticated.
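The key derivation described under Encrypting Your Data and the three-hash login exchange described above, carried through as an added example. This is not LastPass's code and is not part of the original post: it uses only Python's standard library, and the iteration count, the use of PBKDF2-HMAC-SHA256 (with the normalized email as salt) as the "iterated SHA-256" construction, the toy server, and the sample account are all assumptions of the example. It also adds an offline-guessing function to show what an attacker holding a copy of the stored hash has to do per guess, which is why the iteration count matters.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Iteration count for the client-side key; the post suggests 5,000.
# Treat it as a parameter of this example, not a LastPass default.
CLIENT_ITERATIONS = 5_000


def normalize_email(email: str) -> str:
    """Lowercase the email and strip all whitespace, as the post describes."""
    return "".join(email.lower().split())


def derive_key(email: str, master_password: str,
               iterations: int = CLIENT_ITERATIONS) -> bytes:
    """First hash: the encryption key, computed only on the client.

    The post describes iterated SHA-256 over email+password; PBKDF2-HMAC-SHA256
    with the normalized email as salt is the standard form of that construction
    (assumption of this example, used instead of a hand-rolled loop).
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        normalize_email(email).encode("utf-8"),
        iterations,
        dklen=32,  # 256-bit key
    )


def login_hash(key: bytes, master_password: str) -> bytes:
    """Second hash: SHA-256(key || password); this is what the client sends."""
    return hashlib.sha256(key + master_password.encode("utf-8")).digest()


def server_hash(login: bytes, salt: bytes) -> bytes:
    """Third hash: SHA-256(second hash || per-account random number); the only value stored."""
    return hashlib.sha256(login + salt).digest()


class ToyServer:
    """Hypothetical server that stores, per account, only the random number and the third hash."""

    def __init__(self) -> None:
        self.accounts = {}  # type: Dict[str, Tuple[bytes, bytes]]

    def register(self, email: str, login: bytes) -> None:
        salt = os.urandom(32)  # the 256-bit random number generated at sign-up
        self.accounts[normalize_email(email)] = (salt, server_hash(login, salt))

    def authenticate(self, email: str, login: bytes) -> bool:
        record = self.accounts.get(normalize_email(email))
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(server_hash(login, salt), stored)


def client_login(server: ToyServer, email: str, master_password: str) -> bool:
    """Client side of a login: derive the key locally, send only the second hash."""
    key = derive_key(email, master_password)
    return server.authenticate(email, login_hash(key, master_password))


def offline_guess(server: ToyServer, email: str,
                  candidates: List[str]) -> Tuple[Optional[str], int]:
    """What an attacker with a copy of the database must do: for every guess,
    recompute all three hashes (including the full iteration count) and compare.
    Returns the recovered password (or None) and the number of derivations spent."""
    salt, stored = server.accounts[normalize_email(email)]
    work = 0
    for guess in candidates:
        work += 1
        candidate = server_hash(login_hash(derive_key(email, guess), guess), salt)
        if hmac.compare_digest(candidate, stored):
            return guess, work
    return None, work


if __name__ == "__main__":
    # Constructed sample account for the demo; not real credentials.
    server = ToyServer()
    pw = "correct horse battery staple"
    server.register("Alice@Example.com", login_hash(derive_key("Alice@Example.com", pw), pw))
    print("correct login :", client_login(server, " alice@example.com ", pw))
    print("wrong password:", client_login(server, "alice@example.com", "password123"))
    print("offline guess :", offline_guess(server, "alice@example.com", ["123456", "password123", pw]))
```

The server never sees the key or the password, only the second hash, and it stores neither: a stolen database yields the random number and the third hash. The offline_guess function makes the remaining risk concrete: each guess costs the attacker the full iteration count, so the iteration count and the strength of the master password are what decide how long that stolen hash holds up.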
All of this may seem complex, especially if you are new to hashing. The main point is that LastPass is about as secure as you can get. Even if someone were to gain access to your data within the LastPass database, they can't read it because of the encryption. No one but you can decrypt that data, because the cryptographic key is never stored in LastPass' database. The one thing the design cannot protect you from is a weak master password: whoever steals the database can try guesses offline at their leisure, which is exactly why the iteration count and a strong master password matter.
If you are looking for a method to store your passwords – and other data – safely, you won’t find many password managers that are more secure than LastPass.