LastPass says this means:
1. All encryption and decryption happens on your computer.
I also do two other things to make it safe: I use a long, tough passphrase AND I use two-factor authentication with a physical YubiKey.
When you create your LastPass account, an encryption key is created on your computer (your Master Password, or MP, and email go through a complex, irreversible process known as hashing to form your encryption key). Any sensitive data you then save to your account is locked up by the encryption key while still on your computer, then sent in encrypted form to LastPass server.
2. The sensitive data that is harbored on our servers is always encrypted before it's sent to us, so all we receive is gibberish.
Since the encryption key is locally created each time you submit your MP and email, all that we store and have access to on our servers is your encrypted data. Without your unique encryption key, your sensitive data is meaningless gibberish. Even if someone were to mandate that we provide a copy of our database, the data would still be unreadable without your encryption key.
3. We never receive the key to decrypt that data.
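The scheme quoted above, sketched as an added example that is not part of the original post and is not LastPass's code: the key is derived on the client from email and Master Password, and the server only ever sees a one-way login value and ciphertext. PBKDF2-HMAC-SHA256, the iteration count, the separate login hash and the `VaultServer` class are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

ITERATIONS = 100_000  # assumed work factor; the quoted text gives no number


def derive_encryption_key(email: str, master_password: str) -> bytes:
    """Client side: stretch the master password into a 256-bit key.

    The email acts as a public, per-user salt (normalising it is an assumption).
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )


def derive_login_hash(encryption_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way step, so the value sent for login
    cannot be turned back into the encryption key."""
    return hashlib.pbkdf2_hmac(
        "sha256", encryption_key, master_password.encode("utf-8"), 1, dklen=32
    )


class VaultServer:
    """Hypothetical server: holds a verifier and opaque ciphertext, never the key."""

    def __init__(self) -> None:
        self._accounts = {}  # email -> (verifier, ciphertext)

    def register(self, email: str, login_hash: bytes, ciphertext: bytes) -> None:
        # Hash again before storing, so a database copy holds no usable login value.
        self._accounts[email] = (hashlib.sha256(login_hash).digest(), ciphertext)

    def login(self, email: str, login_hash: bytes) -> Optional[bytes]:
        record = self._accounts.get(email)
        if record is None:
            return None
        verifier, ciphertext = record
        presented = hashlib.sha256(login_hash).digest()
        # Constant-time comparison; on success return the still-encrypted vault.
        return ciphertext if hmac.compare_digest(verifier, presented) else None
```

Because the derivation is deterministic, the same email and Master Password recreate the same key at every login, which is why nothing but the ciphertext has to be stored remotely.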
Nothing new with asymmetric methods. Oddly, the short but randomized salt is typically clear. But that’s okay. It’s meant to make your ordinary password that much more special...
The prob with LastPass is the single point of entry that inevitably grants access to the other keys. Also, the browser hooks are weird. How do you know LastPass isn’t being impersonated, and you’re prompted for your special secret?
Whatever the best method is, it should have enough entropy to stall systematic attacks — long enough to be detected by systematic countermeasures. And today’s best practices likely suffice. No doubt these “shocking” attacks involve antiquated security practices.
Fascinating stuff.
That’s exactly how it should be done. There is no reason for the site to actually have the passwords. There is a KeePass for Android, and I’ve thought about using it, but I just don’t trust the device enough. Keeping the two devices in sync would be a pain anyway. One of the things I like about using a password manager is that it makes really excellent passwords. They are 20-character random ASCII. They won’t be cracked. I have no idea what the passwords are to the vast majority of websites I go to, especially if I’d ever use a credit card on them.