LastPass advertises that they do local encryption of passwords before they are transferred and stored on their website. However, when I log in with my past password, I can access all my passwords in clear text there. Doesn't this imply that they also have access to all my passwords? How can I verify that they do not have access to my passwords?
Encryption – How LastPass Stores Your Passwords Securely
Tags: encryption, lastpass, passwords
Best Answer
Source: http://lastpass.com/help.php?topic=whysafe&nw=1&fromwebsite=1
In other words, your computer encrypts your passwords with your email and master password and sends that data to LastPass. When you authenticate with your master password at LastPass.com, LastPass.com returns all your encrypted passwords, which are decrypted locally on your computer with your email and master password. Every communication happens over SSL, so anything intercepted is doubly useless (since everything is encrypted with not just the SSL keys but with your email and master password).
The best way to ensure this is to set up a script to monitor network activity and see if anything that is decrypted (including the master password) goes to lastpass.com. Based on what I've seen on forums, it seems other users have done this and found nothing suspicious.
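One way to script the check suggested above, as an added example that is not part of the original answer and is not LastPass code. It assumes you have already captured the plaintext bodies of your own outbound requests (for example from the browser's developer tools, since the traffic is inside SSL); the function names, secrets and request bodies are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import quote, quote_plus

def _b64_fragments(secret: bytes):
    """Base64 substrings that appear when `secret` sits at any byte offset
    inside a larger base64-encoded blob (three possible alignments)."""
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + secret).decode().rstrip("=")
        if (k + len(secret)) % 3:
            enc = enc[:-1]            # last char also carries padding bits
        frag = enc[(0, 2, 3)[k]:]     # leading chars carry the filler bytes
        yield frag
        yield frag.replace("+", "-").replace("/", "_")  # URL-safe alphabet

def encodings(secret: str) -> dict:
    """Forms in which a plaintext secret could show up in a request body."""
    raw = secret.encode("utf-8")
    return {
        "raw": {secret},
        "urlencoded": {quote(secret, safe=""), quote_plus(secret)} - {secret},
        "hex": {raw.hex(), raw.hex().upper()},
        "base64": set(_b64_fragments(raw)),
    }

def find_leaks(body: bytes, secrets: dict) -> list:
    """Return (secret_name, encoding) pairs found in one outbound body."""
    text = body.decode("utf-8", errors="replace")
    return sorted(
        (name, form)
        for name, secret in secrets.items()
        for form, needles in encodings(secret).items()
        if any(n in text for n in needles)
    )

# Constructed sample data: secrets you know, and three captured bodies.
SECRETS = {"master_password": "correct horse battery!",
           "site_password": "S3cr3t-Gmail-pw"}
CLEAN = b"cmd=save&data=" + base64.b64encode(hashlib.sha256(b"vault").digest())
LEAK_FORM = b"user=a%40example.com&password=correct+horse+battery%21"
LEAK_B64 = b"blob=" + base64.b64encode(b'{"site":"gmail","pw":"S3cr3t-Gmail-pw"}')

if __name__ == "__main__":
    for label, body in [("clean", CLEAN), ("form", LEAK_FORM), ("b64", LEAK_B64)]:
        print(label, find_leaks(body, SECRETS))
```

An empty result only shows that none of the listed secrets left the machine in these encodings; a value transformed in some other way would not be matched.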