About Password Iterations

To increase the security of your master password, LastPass utilizes a stronger-than-typical version of Password-Based Key Derivation Function (PBKDF2). At its most basic, PBKDF2 is a “password-strengthening algorithm” that makes it difficult for a computer to check that any 1 password is the correct Master Password during a compromising attack.

LastPass utilizes the PBKDF2 function implemented with SHA-256 to turn your Master Password into your encryption key. LastPass performs a customizable number of rounds of the function to create the encryption key, before a single additional round of PBKDF2 is done to create your login hash.

The entire process is conducted client-side. The resulting login hash is what is communicated with LastPass. LastPass uses the hash to verify that you are entering the correct master password when logging in to your account.

LastPass also performs a large number of rounds of PBKDF2 server-side. This implementation of PBKDF2 client-side and server-side ensures that the two pieces of your data- the part that’s stored offline locally and the part that’s stored online on LastPass servers- are thoroughly protected:

By default, the number of password iterations that LastPass uses is 100,100 rounds.

LastPass allows you to customize the number of rounds performed during the client-side encryption process in your Account Settings.