LastPass says they never receive my Master Password. Don’t I send it to the LastPass servers when I log in?
No, when you login to LastPass, two things are generated from your Master Password using our code discussed previously before anything is sent to the server: the password hash and the decryption key. This is all done locally.
- The password hash is sent to our servers to verify you. Once verified, we send back your encrypted Vault. We are only sent your hash, not your Master Password.
- The decryption key, which NEVER leaves your computer, is then used to decrypt your Vault once it comes back
How is my Vault encrypted?
LastPass encrypts your Vault before it goes to the server using
256-bit AES encryption. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data!
What is a one-way salted hash?
Lets break it down.
- A one-way function is one that cannot be reversed. To oversimplfy this idea, take a look at this equation: x + y = 1. We know the result "1" but there's no way to tell what x or y is. (This is not really what a one-way function looks like, for a real example check out this article)
- A hash is a representation of your Master Password.
- The process of salting will add extra data to the hash--making the hash even more complicated. We use the username to salt the Master Password and then some.
We enter the Username and Master Password into one way functions to create a salted hash. Since the function is one-way, even if someone were to get a hold of the salted hash, they would not obtain the Master Password.
What are PBKDF2-SHA256 rounds?
This is used to make the salted hash (result from above) even more complicated for an attacker. It increases the number of iterations it takes in order for someone to guess the password. Put this together with the one-way salted hash and we get an equation that looks something like:
hash(master password + username)^iterations = password hash
*This is a very oversimplified version. We actually end up hashing the password iterations multiple times during this process.
A one-way salted hash derived from a strong Master Password with a high number of iterations makes it virtually impossible for a
brute force attack.
I know. I'm not going to go into the details, but at least 70 t0 80 of them are important and unique (used lastpass password generator). The rest, I really don't care about. But still, remembering even 20 odd complex passwords is gonna be near impossible. With age, I guess it would be even more difficult.
