https://lastpass.com/privacy.php Wrote:
Your privacy is critically important to us. LastPass has a few guiding principles:
* We don't allow you to send us critically important information like your password; instead your LastPass master password is used locally to encrypt the important data that's sent to us.
https://lastpass.com/ Wrote:
IMPROVE SECURITY
Passwords are locally encrypted and stored on your PC or Mac. Only your LastPass password can unlock your data and only YOU have it.
https://lastpass.com/faq.php#stolen Wrote:
What if someone steals your servers?
Your data is encrypted with your key that LastPass doesn't have, so it can't be taken. The only piece of information that we have (and it's server side encrypted), is your password hint and email address.
https://lastpass.com/faq.php#aes Wrote:
What encryption is being used?
AES utilizing 256-bit keys. AES-256 is accepted by the US Government for protecting TOP SECRET data. AES is implemented in JavaScript for the LastPass.com website, and in C++ for speed in the Internet Explorer and Firefox plug-ins. This is important because your data is always encrypted and decrypted locally on your computer. Your password never leaves your computer and your key never leaves your computer. No one at LastPass (or anywhere else) can decrypt your data without you giving up your password (we will never ask you for it). Your key is created by taking a SHA-256 hash of your password. When you login, we make a hash of your username concatenated with your password, and that hash is what's sent to verify if you can download your encrypted data.
https://lastpass.com/faq.php#safer Wrote:
If someone steals my LastPass master password, then can't they steal my identity?
This is the same risk you have with your email account: it's simple to use the forgot password link on websites. It's also much more difficult for a hacker to obtain your LastPass master password because unlike email, with LastPass your LastPass password never leaves the PC you're using.
https://lastpass.com/faq.php#salt Wrote:
Do you use a salted hash for login purposes?
Yes, we first do a 'salt' of your LastPass password with your username on the client side (on your computer, LastPass never gets your password), then server side we pull a second 256 bit random hex-hash salt from the database, use that to make a salted hash which is compared to what's stored in the database. This is beyond overkill but we want to store nothing that can even theoretically be used to do a dictionary attack against password hashes if we were somehow compromised. We hope having nothing of value makes us less of a target, and that by taking every conceivable caution we can think of makes you more safe.
I know all too well that everybody makes mistakes and I knew this before I discovered the flaw in your login on the site (this is why I'm so adamant about you addressing the "trust issue" in your app, as I have posted about before). I do not blame you guys in any way for this as it was clearly a mistake... however the one thing you need most from your users if you are to be successful is
trust.
You gain trust in times like these when you have a choice to let important issues go by unnoticed or admit the mistake and scream it from the rooftops so that every single one of your users knows about it. Maybe some users will see this as a bad thing, however I have a feeling that the vast majority of your users (the ones whose associates turn to them in regard to security issues/products/services) are pretty clued in and would realise that mistakes happen and it's
VERY important to have a security company that tells you when they fuck up (and addresses issues properly) so that you can do whatever you need to in order to address things on your side.
*crosses fingers and hopes you get what he's saying*
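Added example (not LastPass's code and not from the post): a Python model of the login scheme exactly as the quoted #aes and #salt FAQ entries describe it. The client derives the vault key as SHA-256 of the master password and the login hash as SHA-256 of username||password; the server stores only a second, randomly salted hash of that login hash. User names, passwords and the server-side store are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os

def client_derive(username: str, password: str) -> tuple[bytes, bytes]:
    """Client side, following the FAQ text: vault key = SHA-256(password),
    login hash = SHA-256(username || password). Only the login hash is sent;
    the password and the vault key stay on the client."""
    vault_key = hashlib.sha256(password.encode("utf-8")).digest()
    login_hash = hashlib.sha256((username + password).encode("utf-8")).digest()
    return vault_key, login_hash

class AuthServer:
    """Server side as the #salt FAQ describes: a random 256-bit salt per user,
    and only SHA-256(salt || login_hash) kept in the (in-memory, constructed) database."""
    def __init__(self) -> None:
        self._db = {}  # username -> (salt, salted_hash)

    def register(self, username: str, login_hash: bytes) -> None:
        salt = os.urandom(32)  # 256-bit random salt generated server side
        self._db[username] = (salt, hashlib.sha256(salt + login_hash).digest())

    def verify(self, username: str, login_hash: bytes) -> bool:
        record = self._db.get(username)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.sha256(salt + login_hash).digest()
        return hmac.compare_digest(stored, candidate)  # constant-time compare

    def stored_blobs(self) -> list[bytes]:
        return [salt + stored for salt, stored in self._db.values()]

def run_demo() -> dict[str, bool]:
    """Run the exchange with constructed sample credentials and report what holds."""
    user, pw = "alice@example.test", "correct horse battery"  # constructed sample
    server = AuthServer()
    key, token = client_derive(user, pw)
    server.register(user, token)
    _, wrong_token = client_derive(user, pw + "x")
    other_key, _ = client_derive("bob@example.test", pw)
    return {
        "correct_login_accepted": server.verify(user, token),
        "wrong_password_rejected": not server.verify(user, wrong_token),
        "unknown_user_rejected": not server.verify("nobody@example.test", token),
        # nothing the server stores contains the client's vault key
        "server_holds_no_key": all(key not in blob for blob in server.stored_blobs()),
        # as described, the key has no per-user salt: same password, same vault key
        "same_password_same_key": key == other_key,
    }
```

Running `run_demo()` shows the server accepting only the right login hash while never holding the password or the vault key, and that two users with the same master password derive the same key under the described scheme.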