Thanks for the fast answer!
I have already used both Tamper Data and Live HTTP Headers to check the data exchanged between the FF browser and your servers...
And I do confirm that the password itself is not passed, but instead a hash ...
The hash is passed during login in:
And from what I have seen the hash is always equal, which makes sense since I haven't changed the master password or email...
So, you must have my hash stored and validate my login by comparing it with the stored hash instead of the master password... Correct?
Now, my questions are:
1) What is used to encrypt my logins/passwords locally before sending? The master password or the previous hash?
It seems logical that the master password would be the only secure option, but just asking....
2) Taking into consideration the previous question, is there a way I can replicate the local encryption method myself, so I can check that it's really my master password that is being used?
I mean, I see in "tamper data" and "live http headers" some encrypted data traveling to your servers when I store passwords, but I have no way to verify that it was encrypted with my master password or with some string you guys know about.
If you are using standard algorithms and encryption methods, I must be able to run an independent encryption program, pass it the same data (master password + data) that LastPass is using, and in the end get the same encrypted string...
Can you help on this testing procedure? It would be a plus in terms of security verification.
Don't get me wrong, but this type of verification can only help prove what you have been saying for a long time.
I do believe you have a great product in terms of security, but I'm paranoid so I do have to verify it.
On the other side, some people use RoboForm without much concern just because it's client side only, without ever confirming whether it communicates with the server passing sensitive information... But that's another story, my concern is with LastPass, because it's the one I want to use.
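The verification the poster asks for, as an added example that is not part of the original thread and not LastPass's own code: it assumes an illustrative scheme (PBKDF2-HMAC-SHA256 of the master password salted with the e-mail for the vault key, one further PBKDF2 round of that key for the login hash, and an HMAC-SHA256 counter-mode stream with an HMAC tag for the vault blob, chosen only so the script runs with the standard library). The real product's algorithm, iteration count and blob layout are not stated on this page, so all of those are assumptions. What it shows is the check itself: from master password + e-mail alone you can recompute both the login hash and the ciphertext seen on the wire, while the server-side login hash on its own cannot decrypt the blob, which is what question 1 is getting at.

```python
"""Independent re-derivation of a client-side vault scheme (illustrative, assumed)."""
import hashlib
import hmac
import os

ROUNDS = 100_000  # assumed PBKDF2 iteration count, not the product's real value
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master_password, email, rounds=ROUNDS):
    """Two secrets from one master password.

    enc_key never leaves the client; login_hash is what the server stores and
    compares. login_hash is one extra one-way step past enc_key, so a party
    holding only login_hash cannot get enc_key back.
    """
    enc_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                  email.lower().encode(), rounds, 32)
    login_hash = hashlib.pbkdf2_hmac("sha256", enc_key,
                                     master_password.encode(), 1, 32)
    return enc_key, login_hash


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a PRF keystream that needs no third-party
    # AES package. A real client would use AES here; this is a stand-in.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag. nonce is random unless fixed for replay."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(enc_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(enc_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def verify_capture(master_password, email, captured_login_hash, captured_blob, expected_plaintext):
    """The poster's test: recompute from the master password and compare with
    what Tamper Data / Live HTTP Headers showed on the wire. The nonce is
    taken from the capture so the re-encryption is byte-for-byte comparable."""
    enc_key, login_hash = derive_keys(master_password, email)
    if not hmac.compare_digest(login_hash, captured_login_hash):
        return False
    nonce = captured_blob[:NONCE_LEN]
    return hmac.compare_digest(encrypt(enc_key, expected_plaintext, nonce), captured_blob)


def login_hash_cannot_decrypt(login_hash, blob):
    """True if the server-held login hash fails as a vault key (the desired outcome)."""
    try:
        decrypt(login_hash, blob)
        return False
    except ValueError:
        return True


def demo():
    # Constructed sample traffic, as a client following the assumed scheme would emit it.
    email, pw = "user@example.com", "correct horse battery staple"
    entry = b"site=example.org;user=alice;pass=hunter2"
    enc_key, login_hash = derive_keys(pw, email)
    blob = encrypt(enc_key, entry, nonce=b"\x00" * NONCE_LEN)  # fixed nonce for a reproducible demo
    return {
        "right_password_matches": verify_capture(pw, email, login_hash, blob, entry),
        "wrong_password_matches": verify_capture("not my password", email, login_hash, blob, entry),
        "login_hash_cannot_decrypt": login_hash_cannot_decrypt(login_hash, blob),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

If the recomputed login hash and blob match the capture, the client is using the master password (and nothing the server knows) for the local encryption; if they do not, either the algorithm or its parameters differ from what was assumed, which is exactly the thing to ask the vendor to document.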