How LastPass works?

Postby kilgry » Mon May 09, 2011 9:59 pm

Please help me understand how LastPass works. This latest adventure has me asking a few questions.

My understanding is that LastPass encrypts/decrypts the blob using a combination of our username and password. I assume they are hashed with a salt.
Is this done on the client or the server or both?

I also was at first wondering why our master password hashes were stored on the server. Then I realized that the server needs to know what blob to use (to send to the requesting browser). Thus the password hash must be stored on the server to index the correct blob. Also, you can log into LastPass without a plugin and thus the encryption/decryption needs to be able to happen on the server (I assume it isn't javascript without the plug-in...might be wrong here).
So, is this correct about needing to ID a blob, also is the blob sent encrypted to the client when a plug-in is used?

So, another question is, is the username and password sent to the server from the plug-in or is the hash? It seems to me it could be either since LastPass works offline as well, thus the password needs to be hashed on the client.

Hope I made some sense here.
Re: How LastPass works?

Postby quotidian » Tue May 10, 2011 12:06 am

LastPass always decrypts your data on the client. When you log onto the website, it decrypts your data using javascript, otherwise it uses the plugin/client/whatever.

LastPass never sees your password, or anything from which your password could be derived without brute force. If they were sufficiently owned someone could presumably change the website to take your password, but given that they detected such a small intrusion let's hope they would have no trouble detecting the significantly larger intrusion required to do that.

To authenticate against LastPass, you send a one way hash of your master password (and a few other things I don't remember). Since it's a one way hash LastPass can't derive your password without brute force, but with brute force and a bad enough password someone could just keep hashing things until they found a match, which was the whole cause for concern about these hashes getting out.

They had a good page about this somewhere, or maybe it was a video, either way I can't seem to dig it up.
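The flow the two posts describe, written up as an added toy model (this is illustration code, not LastPass's own; the iteration count, the use of the username as salt, the second derivation for the auth hash and the toy cipher are all assumptions made here, not details from the thread):

```python
import hashlib
import hmac

# Simplified model of the scheme the thread describes (constructed for
# illustration, not LastPass's actual code or parameters).
ITERATIONS = 5000

def vault_key(username: str, master_password: str) -> bytes:
    """Client side: derive the blob encryption key; the username is the salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), ITERATIONS)

def auth_hash(key: bytes, master_password: str) -> bytes:
    """Client side: one-way value sent to the server in place of the password.
    Holding it yields neither the key nor the password without guessing."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)

def xor_blob(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter mode) so the demo needs no extra
    libraries; one call both encrypts and decrypts. Real clients use AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(p ^ k for p, k in zip(data[i:i + 32], ks))
    return bytes(out)

class Server:
    """Stores only the auth hash (which gates the blob) and the ciphertext."""
    def __init__(self):
        self.accounts = {}  # username -> (auth_hash, encrypted blob)

    def register(self, username: str, ah: bytes, blob: bytes) -> None:
        self.accounts[username] = (ah, blob)

    def login(self, username: str, ah: bytes):
        stored, blob = self.accounts.get(username, (None, None))
        if stored is None or not hmac.compare_digest(stored, ah):
            return None
        return blob  # still encrypted; only the client can open it

def guesses_to_recover(username: str, leaked_ah: bytes, wordlist) -> int:
    """Why a leaked auth hash matters: each guess costs a full derivation, so
    password strength and ITERATIONS set the cost. -1 if the list misses."""
    for n, cand in enumerate(wordlist, 1):
        if hmac.compare_digest(auth_hash(vault_key(username, cand), cand), leaked_ah):
            return n
    return -1
```

The server never holds the key or the plaintext, and a stolen auth hash only helps an attacker who can afford one full derivation per guess, which is exactly why the post ties the worry to weak master passwords.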
