The basics of zero-knowledge encryption
Zero-knowledge encryption is the model on which LastPass is built, using industry-standard algorithms. It means that you are the only person who knows or uses your Master Password. Your Master Password is run through salted hashing and key derivation to produce the encryption key that encrypts (and decrypts) your vault, where your passwords are stored.
Your vault is encrypted and decrypted only locally, on your device, and only after you have entered your Master Password correctly. LastPass itself never has access to your unencrypted vault or to the passwords stored inside it.
How LastPass protects your Master Password
Encryption
A two-way function that converts plaintext (like the contents of your vault) into unreadable ciphertext, and converts it back again only for someone who holds the key. LastPass encrypts your vault data so that it is useless to bad actors who do not hold your key.
Hashing
A one-way function that converts data – like your plaintext Master Password – into a fixed-length, unreadable output called a hash. A hash cannot be reversed to recover its input. A hash derived from your Master Password is stored server side for authentication purposes.
Salting a hash
Salting combines an input, like your Master Password or the key from which an authentication hash is formed, with an extra value before it is hashed. Salt values are different for every user and input, so two users with the same Master Password still produce different hashes, and precomputed lookup tables are useless against them. Your encryption key is derived from your Master Password and your salt by a key-derivation function. Because that derivation is deterministic, the key is always the same value as long as your Master Password has been entered correctly, and a single wrong character produces a completely different key.
Protecting you against server-side attacks
Remember that zero-knowledge encryption works by keeping your unencrypted data away from our servers. Think of it as the client vs. the server:
- The client is you, specifically the devices you use to access LastPass.
- The server is LastPass, specifically our servers, which run in the cloud.
LastPass uses 256-bit AES for encryption and decryption, and the PBKDF2 key-derivation function with a secure hash (SHA-256) and a salt, to transform your Master Password first into an encryption key and then into an authentication hash. When you log in, your device presents only the authentication hash; the server compares it against the authentication hash it has stored, which confirms that you entered the correct Master Password without the server ever seeing the Master Password or the encryption key itself.
Zero-knowledge encryption works by ensuring your Master Password and vault data are not stored on our servers in plaintext form.
If LastPass servers were ever compromised, an attacker would obtain only your encrypted vault and your authentication hash, neither of which can be turned back into your vault contents without the encryption key derived from your Master Password. Provided that Master Password is strong enough to resist guessing, your vault data would remain inaccessible and unknown to everyone but you.