https://lastpass.com/privacy.php Wrote: Your privacy is critically important to us. LastPass has a few guiding principles:
* We don't allow you to send us critically important information like your password; instead your LastPass master password is used locally to encrypt the important data that's sent to us.
https://lastpass.com/ Wrote: IMPROVE SECURITY
Passwords are locally encrypted and stored on your PC or Mac. Only your LastPass password can unlock your data and only YOU have it.
https://lastpass.com/faq.php#stolen Wrote: What if someone steals your servers?
Your data is encrypted with your key that LastPass doesn't have, so it can't be taken. The only piece of information that we have (and it's server side encrypted), is your password hint and email address.
https://lastpass.com/faq.php#aes Wrote: What encryption is being used?
https://lastpass.com/faq.php#safer Wrote: If someone steals my LastPass master password, then can't they steal my identity?
This is the same risk you have with your email account: it's simple to use the forgot password link on websites. It's also much more difficult for a hacker to obtain your LastPass master password because unlike email, with LastPass your LastPass password never leaves the PC you're using.
https://lastpass.com/faq.php#salt Wrote: Do you use a salted hash for login purposes?
Yes, we first do a 'salt' of your LastPass password with your username on the client side (on your computer, LastPass never gets your password), then server side we pull a second 256 bit random hex-hash salt from the database, use that to make a salted hash which is compared to what's stored in the database. This is beyond overkill but we want to store nothing that can even theoretically be used to do a dictionary attack against password hashes if we were somehow compromised. We hope having nothing of value makes us less of a target, and that by taking every conceivable caution we can think of makes you more safe.
I know all too well that everybody makes mistakes, and I knew this before I discovered the flaw in your login on the site (this is why I'm so adamant about you addressing the "trust issue" in your app, as I have posted about before). I do not blame you guys in any way for this, as it was clearly a mistake... however, the one thing you need most from your users if you are to be successful is trust.
You gain trust in times like these, when you have a choice to let important issues go by unnoticed or admit the mistake and scream it from the rooftops so that every single one of your users knows about it. Maybe some users will see this as a bad thing; however, I have a feeling that the vast majority of your users (the ones whose associates turn to them in regard to security issues/products/services) are pretty clued in and would realise that mistakes happen, and that it's VERY important to have a security company that tells you when they fuck up (and addresses issues properly) so that you can do whatever you need to in order to address things on your side.
*crosses fingers and hopes you get what he's saying*
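To make the two-stage login scheme in the quoted #salt FAQ concrete, here is an added example of that flow (my own sketch, not LastPass's code or the post author's). The FAQ names neither the hash function nor how the username is combined with the master password, so SHA-256 and simple concatenation are assumptions; the in-memory `db` dict and the candidate password list are constructed for the demo. The last function is the check a practitioner would want alongside the FAQ's claim: what someone holding the stored salt and hash can still do with them.

```python
import hashlib
import hmac
import secrets

# ASSUMPTION: the FAQ does not name the hash; SHA-256 and plain
# concatenation stand in for whatever the real client/server used.


def client_hash(username: str, master_password: str) -> str:
    """Client side: 'salt' the master password with the username and hash it.

    Only the returned digest travels to the server; the master password
    itself never leaves the caller.
    """
    data = (username.lower() + master_password).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def new_server_salt() -> str:
    """Server side: a fresh 256-bit random salt, hex-encoded (64 chars)."""
    return secrets.token_hex(32)


def server_hash(client_value: str, server_salt: str) -> str:
    """Server side: hash the client's digest together with the per-user salt."""
    return hashlib.sha256((server_salt + client_value).encode("utf-8")).hexdigest()


def register(db: dict, username: str, master_password: str) -> str:
    """Simulate enrolment. Returns the value that crossed the wire."""
    client_value = client_hash(username, master_password)      # computed on the client
    salt = new_server_salt()                                    # computed on the server
    db[username] = {"salt": salt, "hash": server_hash(client_value, salt)}
    return client_value


def login(db: dict, username: str, master_password: str) -> bool:
    """Simulate a login: client derives its digest, server re-salts and compares."""
    client_value = client_hash(username, master_password)
    record = db.get(username)
    if record is None:
        return False
    expected = server_hash(client_value, record["salt"])
    # Constant-time compare so the stored hash cannot be recovered byte by byte.
    return hmac.compare_digest(expected, record["hash"])


def offline_guess(record: dict, username: str, candidates: list) -> "str | None":
    """What an attacker holding the database row (salt + hash) can still do.

    The two salts defeat precomputed/rainbow tables and stop one cracked row
    from unlocking another, but anyone with the row and the username can test
    candidate master passwords one at a time. Returns the first match, if any.
    """
    for guess in candidates:
        if server_hash(client_hash(username, guess), record["salt"]) == record["hash"]:
            return guess
    return None


if __name__ == "__main__":
    db = {}  # constructed stand-in for the server database
    wire = register(db, "alice@example.com", "correct horse battery staple")
    print("sent to server:", wire)
    print("stored row:", db["alice@example.com"])
    print("login ok:", login(db, "alice@example.com", "correct horse battery staple"))
    print("login wrong:", login(db, "alice@example.com", "hunter2"))
    # Constructed candidate list, as a cracker with a copy of the row would use.
    print("offline guess:", offline_guess(db["alice@example.com"], "alice@example.com",
                                          ["123456", "password", "correct horse battery staple"]))
```

Two notes on the design. First, the server-side salt protects the stored row against precomputation, not against per-row guessing; the only thing that slows `offline_guess` down is the cost of `client_hash`, which is why a real deployment would put a deliberately slow KDF (PBKDF2, scrypt or similar, with a high iteration count) on the client side rather than a single SHA-256. Second, the comparison in `login` uses `hmac.compare_digest` rather than `==`, which is the small detail that keeps the stored hash from leaking through response timing.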