Please help me understand how LastPass works. This latest adventure has me asking a few questions.
My understanding is that LastPass encrypts/decrypts the blob using a combination of our username and password. I assume they are hashed with a salt.
Is this done on the client or the server or both?
So, is this correct about needing to ID a blob? Also, is the blob sent encrypted to the client when a plug-in is used?
So, another question: are the username and password sent to the server from the plug-in, or is the hash? It seems to me it could be either, since LastPass works offline as well, thus the password needs to be hashed on the client.
Hope I made some sense here.
- Posts: 817
- Joined: Sun Feb 13, 2011 5:41 pm
LastPass never sees your password, or anything from which your password could be derived without brute force. If they were sufficiently owned someone could presumably change the website to take your password, but given that they detected such a small intrusion let's hope they would have no trouble detecting the significantly larger intrusion required to do that.
To authenticate against LastPass, you send a one-way hash of your master password (and a few other things I don't remember). Since it's a one-way hash, LastPass can't derive your password without brute force, but with brute force and a bad enough password someone could just keep hashing things until they found a match, which was the whole cause for concern about these hashes getting out.
They had a good page about this somewhere, or maybe it was a video, either way I can't seem to dig it up.
- Posts: 180
- Joined: Fri Nov 26, 2010 9:40 pm
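The split discussed in this thread (key derived on the client, only a one-way hash sent for login) can be sketched as follows. This is an added example, not code from the thread or from LastPass: the PBKDF2 construction, the iteration count, the `Server` class and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor, not a value from the thread


def derive_vault_key(username: str, master_password: str) -> bytes:
    """Client side: key that encrypts/decrypts the blob. It is never transmitted."""
    salt = username.lower().encode()  # assumption: username serves as the salt
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def derive_login_hash(vault_key: bytes, master_password: str) -> str:
    """Client side: one further one-way step; only this value goes to the server."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1).hex()


class Server:
    """Hypothetical server: holds a login hash and an opaque encrypted blob,
    but neither the master password nor the vault key."""

    def __init__(self):
        self.accounts = {}  # username -> (login_hash, encrypted_blob)

    def register(self, username: str, login_hash: str, encrypted_blob: bytes):
        # A production server would hash login_hash again with its own salt
        # before storing it; omitted here to keep the sketch short.
        self.accounts[username] = (login_hash, encrypted_blob)

    def login(self, username: str, login_hash: str):
        """Return the still-encrypted blob if the hash matches, else None."""
        record = self.accounts.get(username)
        if record is None:
            return None
        stored_hash, blob = record
        # Constant-time comparison avoids leaking how many characters matched.
        return blob if hmac.compare_digest(stored_hash, login_hash) else None
```

Because both derivations run locally, a client holding a cached copy of the blob can rebuild the vault key offline, and the work factor in `ITERATIONS` is what sets the cost of each guess against a leaked login hash.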