How is LastPass safe?
Your security and privacy are our top priority. It’s the foundation of everything we do here at LastPass. And it’s our mission to help you make strong security practices the norm for your users, with a toolset that makes it easy to protect and manage your team or enterprise. That’s why we’ve taken every step possible to ensure that your data is safely stored and synced with LastPass.
When it comes to LastPass, there are three key aspects of your security, each of which is important to keep your data – and your business – safe. When the whole team is on board and actively using LastPass to its full potential, you can be confident in your security.
How we protect the LastPass service and your data
Security is the foundation of what we do here at LastPass. We built our service to ensure that your data is protected and private, from us and from anyone else. Here are a few ways we achieve that:
Local-only encryption of sensitive data
All encryption and decryption occurs locally on the user’s device, not on our servers. This means that your sensitive data never travels over the Internet in plaintext and never reaches our servers in a readable form. Your data is only transmitted to LastPass once it is encrypted. We don’t have access to your sensitive data, nor could anyone who potentially abuses our systems get access to it. We have zero knowledge of your confidential information, including your Master Password. For this reason, LastPass Customer Care does not have the ability to reset your Master Password if it is ever lost or forgotten. For more information, please see How is LastPass safe? and Since my LastPass Vault is encrypted with my Master Password, why can my One Time Passwords decrypt it?
Strong encryption & hashing
We use the same encryption algorithm (AES-256) that the U.S. Government uses for top-secret data. Your encrypted data is meaningless to us and to everyone else without the encryption keys (derived from your email address and master password). Because your encryption keys are never shared with LastPass, we can’t decrypt your data; we can only store your encrypted data for you to access next time you log in.
Only you know the key to decrypt your data
Your encryption keys are created from your users’ email addresses and Master Passwords. The Master Passwords are never sent to LastPass. An authentication hash is what LastPass uses to verify that the user is entering the correct Master Password. The components that make up the encryption key and authentication hash are never sent to LastPass, and remain local to the user. If someone were to gain access to the encrypted data, it would be meaningless to them because they don’t have the Master Password. LastPass also offers configurable policies that let you add more layers of protection.
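The following is an added illustration of the client-side key-derivation pattern the sections above describe; it is example code written for this page, not LastPass's own implementation. It assumes PBKDF2-HMAC-SHA256 with a fixed iteration count, the email address as the salt, and a second one-way derivation step to produce the authentication hash; the names derive_vault_key, derive_auth_hash, Server and client_login and the iteration counts are assumptions for the demonstration. The point it shows is that the vault key (which would be used for the AES-256 encryption of the vault, not shown here) never leaves the device, while the server holds only a value that verifies a login and cannot be turned back into that key.

```python
# Added example, not LastPass code: local key derivation with a separate
# authentication hash, so the server can verify a Master Password without
# ever receiving it or the key that decrypts the vault.
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed value for the demonstration


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side only: 256-bit vault key. Never transmitted anywhere."""
    # The (normalised) e-mail address acts as the salt, so two users with
    # the same Master Password still get different keys.
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().strip().encode("utf-8"),
        KDF_ITERATIONS,
        dklen=32,
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one further one-way step over the vault key.

    This is the only secret-derived value sent to the server; because it is
    a hash of the key, the server cannot recover the key from it.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32
    )


class Server:
    """What the service stores: never the password, never the vault key."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, auth_hash: bytes) -> None:
        # Salt and hash the received auth hash again server-side, so a leaked
        # database does not even expose the value the client sends at login.
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, KDF_ITERATIONS)
        self._records[email] = (salt, stored)

    def verify(self, email: str, auth_hash: bytes) -> bool:
        rec = self._records.get(email)
        if rec is None:
            return False
        salt, stored = rec
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, KDF_ITERATIONS)
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(candidate, stored)


def client_login(server: Server, email: str, master_password: str):
    """Full client flow: derive locally, send only the auth hash.

    Returns (login_ok, vault_key); the key stays in the client's memory.
    """
    key = derive_vault_key(email, master_password)
    ok = server.verify(email, derive_auth_hash(key, master_password))
    return ok, key


if __name__ == "__main__":
    # Constructed sample account for the walk-through.
    srv = Server()
    email, pw = "alice@example.com", "correct horse battery staple"
    srv.register(email, derive_auth_hash(derive_vault_key(email, pw), pw))
    ok, key = client_login(srv, email, pw)
    print("login ok:", ok, "| key bytes held only by client:", len(key))
    print("wrong password accepted:", client_login(srv, email, "guess")[0])
```

Because the server record is derived from the authentication hash, not from the vault key, a compromise of the server yields neither the Master Password nor anything that decrypts a vault; the same property is what makes a forgotten Master Password unrecoverable by support staff.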
How you as an admin protect your users and business
Control your policies
We know that one size does not fit all when balancing security and ease of use. That’s why we allow you to define your preferences by providing a range of configurable policies. This gives you more control over how your team can use LastPass and what kind of access they can have to the data you’re storing in it. You can set policies to:
- Restrict or enforce the use of certain features
- Limit access to certain locations or devices
- Add Multifactor Authentication for extra protection
We strongly encourage you to review the available policies prior to rolling out LastPass across your users.
How your users protect their passwords and accounts
Generate unique, strong passwords
No more using the same password for all sites. No more writing down passwords on little pieces of paper. No more emailing yourself when you forget your password. With the LastPass password generator, users can create strong passwords for each site and automatically save them to their individual Vault. With LastPass, your data will be safer online than ever before, without the hassle of remembering unique passwords. Employees will be able to use passwords that are long, strong, and random – while actually making it easier for them to get their work done.
Learn more about protecting yourself from phishing scams.