How we do it

Your Security Is Our Priority

LastPass is an evolved Host Proof hosted solution, which avoids the stated weakness of vulnerability to XSS as long as you're using the add-on. LastPass strongly believes in using local encryption, and locally created one way salted hashes to provide you with the best of both worlds for your sensitive information: Complete security, while still providing online accessibility and syncing capabilities. We've accomplished this by using 256-bit AES implemented in C++ and JavaScript (for the website) and exclusively encrypting and decrypting on your local PC. No one at LastPass can ever access your sensitive data. We've taken every step we can think of to ensure your security and privacy.


You need to always have access to your data, we've accomplished this in multiple ways, first we have 2 data-centers in production service, second we store your encrypted data on your local PC when you login, so that if can't be reached, you can still login to the add-on and get to your accounts. The website is usable without the add-on installed (the Encryption and Decryption happens in JavaScript which you can see happen on some forms), but we take advantage of faster encryption available in the add-ons if they're available. We also have a mobile site if you're on your phone.


On Windows, LastPass helps find insecure passwords stored on your computer so you can store them securely in LastPass and remove the easy access by malicious software. LastPass uses SSL exclusively for data transfer even though the vast majority of data you're sending is already encrypted with 256-bit AES and unusable to both LastPass and any party listening in to the network traffic -- the amount of data is trivial so the extra encryption doesn't hurt. Our policy of never receiving private data that you haven't already locked down with your LastPass master password (which we never receive and will never ask for) radically reduces attack vectors. We use firewalls and best practices to protect the servers and service, but our best line of defense is simply not having access to data even if someone got in. If LastPass can't access it, hackers can't either. A large number of PBKDF2-SHA256 rounds are utilized to create your key, with the ability to increase the number of rounds over time to render brute forcing your master password impossible.

Sharing Accounts With Friends

LastPass uses public key cryptography specifically RSA from Crypto++ and jsbn to allow you to share your accounts with trusted parties, without ever sharing it with LastPass. We should still remind you to first use our Generate Password feature to create a unique password for the account before sharing it: once shared it's possible for the person you share it with to obtain the password.

Automated Testing

LastPass uses Paros to help verify it hasn't made common mistakes that could result in a XSS or SQL Injection attack, and Funkload to verify performance and create functional tests that are run by Nagios. Microsoft's Application Verifier and other tools are used to help identify common problems in the IE add-on. Mozilla also has a number of tools for the Firefox add-on. We also ask when you install if the application can send error reports (without identifying information in them) to LastPass which helps us continually improve.

Code Reviews

All changes to the code base result in an email to the technical staff to review for security, privacy and compliance to company policies.

Package Management

apticron is used to ensure we keep our packages up to date. unattended-upgrades is also utilized.