HOW WE DO IT
Your Security Is Our Priority
On Windows, LastPass helps find insecure passwords stored on your computer so you can store them securely in LastPass and remove the easy access by malicious software. LastPass uses <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer" target="_blank">SSL</a> exclusively for data transfer even though the vast majority of data you're sending is already <a href="http://en.wikipedia.org/wiki/Encryption" target="_blank">encrypted</a> with <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard" target="_blank">256-bit AES</a> and unusable to both LastPass and any party listening in to the network traffic -- the amount of data is trivial, so the extra encryption doesn't hurt. Our policy of never receiving private data that you haven't already locked down with your LastPass master password (which we never receive and will never ask for) radically reduces attack vectors. We use firewalls and best practices to protect the servers and service, but our best line of defense is simply not having access to data even if someone got in. If LastPass can't access it, hackers can't either. A large number of <a href='https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/'>PBKDF2-SHA256</a> rounds are used to create your key, with the ability to increase the number of rounds over time to render brute forcing your master password impractical.
Sharing Accounts With Friends
LastPass uses <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" target="_blank">public key cryptography</a>, specifically <a href="http://en.wikipedia.org/wiki/RSA_%28algorithm%29" target="_blank">RSA</a> from <a href="http://www.cryptopp.com/" target="_blank">Crypto++</a> and <a href="http://www-cs-students.stanford.edu/~tjw/jsbn/" target="_blank">jsbn</a>, to allow you to share your accounts with trusted parties without ever sharing them with LastPass. We should still remind you to first use our Generate Password feature to create a unique password for the account before sharing it: once shared, it's possible for the person you share it with to obtain the password.
LastPass uses <a href="http://www.parosproxy.org/" target="_blank">Paros</a> to help verify it hasn't made common mistakes that could result in an XSS or SQL injection attack, and <a href="http://funkload.nuxeo.org/" target="_blank">Funkload</a> to verify performance and create functional tests that are run by <a href="http://www.nagios.org/" target="_blank">Nagios</a>. <a href="http://msdn.microsoft.com/en-us/library/ms220948.aspx" target="_blank">Microsoft's Application Verifier</a> and other tools are used to help identify common problems in the IE add-on. Mozilla also has a number of tools for the Firefox add-on. We also ask when you install whether the application may send error reports (without identifying information in them) to LastPass, which helps us continually improve.
All changes to the code base result in an email to the technical staff to review for security, privacy and compliance to company policies.
apticron is used to ensure we keep our packages up to date; unattended-upgrades is also used.