Security is the foundation of what we do here at LastPass. We built our service to ensure that your data is protected and private, from us and from anyone else. Here are a few ways we achieve that:
Local-only encryption of sensitive data
All encryption and decryption occurs locally on the user’s device, not on our servers. This means that your sensitive data never travels over the internet in readable form and never touches our servers unencrypted. Your data is only transmitted to LastPass once it is encrypted. We don’t have access to your sensitive data, nor could anyone who potentially abuses our systems get access to it. We have zero knowledge of your confidential information, including your master password. For this reason, LastPass Support does not have the ability to reset your master password if it is ever lost or forgotten.
Strong encryption and hashing
We use the same encryption algorithm (AES-256) that the U.S. Government uses for top-secret data. Your encrypted data cannot be deciphered by us or by anyone else without the encryption keys (derived from your email address and master password). Because your encryption keys are never shared with LastPass, we can’t decrypt your data; we can only store your encrypted data for you to access the next time you log in.
Only you know the key to decrypt your data
Your encryption keys are created from your users’ email addresses and master passwords. The master passwords are never sent to LastPass. Instead, LastPass uses an authentication hash to verify that the user is entering the correct master password. The components that make up the encryption key and authentication hash are never sent to LastPass and remain local to the user. If someone were to gain access to the encrypted data, it would be meaningless to them because they would not have the master password. LastPass also offers configurable policies that let you add more layers of protection.
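The split described above, as an added illustration rather than LastPass’s own code: the device derives the vault encryption key from the master password salted with the email address, derives a separate authentication hash from that key, and sends only the authentication hash and the already-encrypted vault to the server. The page does not name the key derivation function or its iteration count, so PBKDF2-SHA256 and 100,000 iterations are this example’s assumptions, and the ciphertext is a constructed stand-in for what AES-256 would produce on the device.

```python
import hashlib
import hmac

# Assumed parameters: the page names AES-256 for the vault but no KDF, so
# PBKDF2-SHA256 and this iteration count are this example's own choices.
KDF_ITERATIONS = 100_000


def derive_secrets(email: str, master_password: str, iterations: int = KDF_ITERATIONS):
    """Client side only. enc_key salts the master password with the email
    address and is the device's AES-256 key; auth_hash is one further one-way
    derivation of enc_key and is the only value sent to the server."""
    pw = master_password.encode()
    enc_key = hashlib.pbkdf2_hmac("sha256", pw, email.encode(), iterations, dklen=32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", enc_key, pw, 1, dklen=32)
    return enc_key, auth_hash


class ZeroKnowledgeServer:
    """Everything the service holds per account: an auth hash and an opaque blob."""
    def __init__(self) -> None:
        self._accounts = {}

    def register(self, email: str, auth_hash: bytes, encrypted_vault: bytes) -> None:
        self._accounts[email] = (auth_hash, encrypted_vault)

    def login(self, email: str, presented_hash: bytes):
        """Return the encrypted vault on a match, None otherwise (constant-time compare)."""
        stored = self._accounts.get(email)
        if stored is None or not hmac.compare_digest(stored[0], presented_hash):
            return None
        return stored[1]


def simulate(email: str, master: str, wrong_master: str) -> dict:
    """Constructed walkthrough: enrol, log in, then try a wrong master password."""
    server = ZeroKnowledgeServer()
    enc_key, auth_hash = derive_secrets(email, master)
    # Constructed stand-in for the AES-256 ciphertext produced on the device.
    encrypted_vault = b"constructed-ciphertext-bytes"
    server.register(email, auth_hash, encrypted_vault)
    enc_key_again, _ = derive_secrets(email, master)
    _, wrong_hash = derive_secrets(email, wrong_master)
    return {
        "key_is_reproducible": enc_key == enc_key_again,  # same inputs on any device
        "server_never_sees_key": enc_key != auth_hash,
        "login_ok": server.login(email, auth_hash) == encrypted_vault,
        "wrong_password_rejected": server.login(email, wrong_hash) is None,
    }
```

Because the server stores only the authentication hash and ciphertext, a compromise of its database yields nothing that decrypts a vault without the master password, which is also why support cannot reset a forgotten one.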