“Understanding the LastPass architecture is the key to understanding why it's safe to trust them, why I trust them, and why I've completely switched my entire solution for managing passwords over to LastPass.”
This detailed review of our controls and processes is a “gold standard” for confirming the security and reliability of LastPass.
We engage trusted, world-class, third-party security firms to conduct routine audits and testing of the LastPass service and infrastructure.
Sensitive data is encrypted at the device level with AES-256 before it is synced over TLS, which protects against man-in-the-middle attacks.
Our bug bounty program incentivizes responsible disclosure and improvements to our service from top security researchers.
LastPass operates out of multiple, geo-distributed facilities that can handle all customer traffic for redundancy.
Our team reacts swiftly to reports of bugs or vulnerabilities and communicates transparently with our community.
LastPass does not send or store the master password. We believe that if LastPass can’t access your data, neither can hackers.
Encryption happens exclusively at the device level before syncing to LastPass for safe storage, so only users can decrypt their data.
This algorithm is widely accepted as impenetrable – it’s the same encryption type utilized by banks and the military.
We strengthen the master password and encryption key against large-scale, brute-force attacks by slowing down guesses.
Add extra security by requiring a second login verification step with LastPass Authenticator or other top multi-factor services.
The admin dashboard gives visibility into password hygiene and over 100 configurable policies to improve security.
Scan passwords in the vault to identify and replace any weak, reused, compromised, and old passwords.
LastPass will only fill in passwords on the sites you’ve saved and have trusted.