Trust Center
Black Friday: Biggest Sale of the Year. Save up to 50% off LastPass

SECURITY

An Encryption Model that Prioritizes your Security

Data protection relies on a strong encryption model. Even as your solution provider, LastPass has zero knowledge of your unencrypted Master Password, and hackers don't either.

icon_access-to-you-svg

Accessible only to you

LastPass uses industry-standard encryption and hashing with salting so that you, and only you, can login to your vault.

icon_data-useless-to-hackers-svg

Make your data useless to hackers

Your vault data is protected using AES-256 encryption and 600,000 rounds of PBKDF2-SHA-256 hashing plus salting.

icon_encrypted-on-your-device-svg

Only decrypted on your device

You are the only person who can decrypt your vault. Only your plaintext Master Password – which is not stored on our servers – will unlock your vault.

How our zero-knowledge encryption works

Zero-knowledge encryption is a method, including industry-standard algorithms, on which LastPass is built. Simply put, it means the only person who uses or knows your Master Password is you. This method applies encryption and hashing with salting to generate an encryption key used to encrypt (or decrypt) your vault, where your passwords are stored.

illustration_8col_zero-knowledge-trust-center-svg

Zero-knowledge encryption works by separating your unencrypted data from our servers. Think of it as the client (local) vs. the server:

  • The client is you, particularly the devices you use to access LastPass.
  • The server is LastPass, specifically our servers, which are stored in the cloud.

Two things happen to your Master Password. LastPass uses PBKDF2-SHA256 with 600,000 iterations to derive an encryption key. Then we perform one more iteration and use this as a separate authentication construct. Once authentication is successful and the vault is retrieved, we use AES 256 bit with the encryption key to decrypt (and encrypt) your vault.

The authentication hash appropriately authenticates by ensuring your plaintext Master Password matches the derived authentication hash stored on the server.

By going through such encryption and hashing methods, your Master Password and sensitive vault data are unknown to anyone but you. All these measures protect you against server-side attacks.


Encryption terminology 101

  • Encryption
    A two-way function that converts plaintext (like your Master Password) to unreadable text. LastPass encrypts your vault data to protect it from bad actors.
  • Hashing
    A one-way function that converts data – like your plaintext Master Password – to a unique, unreadable output called a hash. The hash is stored server side for authentication purposes.
  • Salting
    Salting takes one input, like your Master Password or an authentication hash, and makes it more unique and even harder to match. Salt values are different for every user and input.

Learn how LastPass protects your data

icon-s-light_illustrative_trust-center-svg

Trust Center

Your single source for the latest security, privacy, compliance, and system performance information.

Visit Trust Center
iconslightillustrativeeducation2svg

Cybersecurity terminology

Learn the basics of cybersecurity education and terms so you can prevent and respond to security incidents.

Read the article

Technical white paper

Read about how we built the LastPass service to ensure that your data is protected and private.

Read the white paper
icon-s-light_illustrative_security-shield-svg

Security

Safeguarding your data is what we do, with proactive security and reliability as cornerstones of our mission.

Learn more about security

Stringent security meets global compliance. You get that and more with LastPass.

Free 14-day LastPass Business trial. No credit card required.