HOW WE DO IT
Your Security Is Our Priority
On Windows, LastPass helps find insecure passwords stored on your computer so you can store them securely in LastPass and remove the easy access by malicious software. LastPass uses SSL exclusively for data transfer even though the vast majority of data you're sending is already encrypted with 256-bit AES and unusable to both LastPass and any party listening in to the network traffic -- the amount of data is trivial so the extra encryption doesn't hurt. Our policy of never receiving private data that you haven't already locked down with your LastPass master password (which we never receive and will never ask for) radically reduces attack vectors. We use firewalls and best practices to protect the servers and service, but our best line of defense is simply not having access to data even if someone got in. If LastPass can't access it, hackers can't either. A large number of PBKDF2-SHA256 rounds are utilized to create your key, with the ability to increase the number of rounds over time to render brute forcing your master password impossible.
Sharing Accounts With Friends
LastPass uses public key cryptography specifically RSA from Crypto++ and jsbn to allow you to share your accounts with trusted parties, without ever sharing it with LastPass. We should still remind you to first use our Generate Password feature to create a unique password for the account before sharing it: once shared it's possible for the person you share it with to obtain the password.
LastPass uses Paros to help verify it hasn't made common mistakes that could result in a XSS or SQL Injection attack, and Funkload to verify performance and create functional tests that are run by Nagios. Microsoft's Application Verifier and other tools are used to help identify common problems in the IE add-on. Mozilla also has a number of tools for the Firefox add-on. We also ask when you install if the application can send error reports (without identifying information in them) to LastPass which helps us continually improve.
All changes to the code base result in an email to the technical staff to review for security, privacy and compliance to company policies.
apticron is used to ensure we keep our packages up to date. unattended-upgrades is also utilized.