What encryption is being used?

AES utilizing 256-bit keys as well as PBKDF2: https://helpdesk.lastpass.com/account-settings/general/password-iterations-pbkdf2/

AES-256 is accepted by the US Government for protecting top secret data. AES is implemented in JavaScript for the LastPass.com website, and in C++ for speed in the Internet Explorer and Firefox plug-ins.

This is important because your sensitive data is always encrypted and decrypted locally on your computer before being synchronized. Your master password never leaves your computer and your key never leaves your computer. No one at LastPass (or anywhere else) can decrypt your data without you giving up your password (we will never ask you for it).

The client-side PBKDF2 yeilds the key that is used by AES256. That does not get sent to us during logins, instead we do an additional round of hashing and that hash is what is sent to us for verification. It's a one-way hash, though, so again we cannot get the key from it nor can we decrypt the data on our end. When you login, that hash is what's sent to verify if you can download your encrypted data.

Still Having Trouble?
Look for answers in our vibrant customer-to-customer community help forums.
Forums
View your account information and view the status of previously submitted support tickets.
View Tickets
Submit a support ticket and we'll get back to you as soon as we can!
New Ticket

Please review these answers to your question:

Still Having Trouble?
Look for answers in our vibrant customer-to-customer community help forums.
Forums
View your account information and view the status of previously submitted support tickets.
View Tickets
Submit a support ticket and we'll get back to you as soon as we can!
New Ticket

Browse through our FAQs: