From this support thread on the LastPass website:
LastPass says they never receive my Master Password. Don’t I send it to the LastPass servers when I log in?
No, when you login to LastPass, two things are generated from your Master Password using our code discussed previously before anything is sent to the server: the password hash and the decryption key. This is all done locally.
- The password hash is sent to our servers to verify you. Once verified, we send back your encrypted Vault. We are only sent your hash, not your Master Password.
- The decryption key, which NEVER leaves your computer, is then used to decrypt your Vault once it comes back.
So, to answer your questions:
How does LastPass know that my password is correct?
LastPass only has access to your vault in encrypted form; they cannot read it without knowing the key. At login, the client sends only the hash of your password, and LastPass simply compares it with the password hash they hold.
How does LastPass decrypt my passwords on a new device?
The decryption key is a function of your password. Consequently, the same input (your password) will always produce the same output (the hash and the decryption key). That is all your new device needs to know in order to decrypt your vault.
Is it really secure?
The answer to this depends on how much you trust LastPass.
If it works exactly as they say, then a sufficiently strong password should be relatively safe.
If at any point they obtain access to your password (whether intentionally or accidentally), you should probably consider it compromised and change not only your LastPass password but the password for every account you have in your vault.
What if I forget my Master Password?
If you forget your password, you lose access to your vault. LastPass cannot send it to you or reset it.
For users who are willing to trade some of their LastPass security for a "safety net", LastPass lets you generate and use One-Time Passwords, and you can also enable Emergency Access to grant access to your account to specified users.
LastPass Help Desk - One Time Password
One Time Passwords
If you are using an untrusted public computer and need to access your LastPass data but are hesitant to do so because of potential keyloggers, LastPass provides One Time Passwords (OTPs) as one option for securely accessing your account.
While using a trusted computer, go to https://lastpass.com/otp.php to create a list of random passwords that can be used only once to log into LastPass. You must be logged into the plugin to manage your OTPs. From this page, you will be given the option to Add a New One Time password, Clear All OTPs, or Print your OTPs.
Each time you generate a new OTP, it will be added to your list. These passwords can be printed or carried with you on a portable storage device. You can then revisit the above page to login using this password and you can be certain that, even if captured, the password will not allow access into your account in subsequent attempts because it expires after you login with it once.
You can even use OTPs with another form of multi-factor authentication (Yubikey, Google Authenticator, Sesame or GRID), to be even more secure when you are not using a trusted computer.
LastPass Help Desk - Emergency Access
Emergency Access
Do you worry about your family, friends, partner, or spouse having access to important accounts should something happen to you? Do you want an easy way to give them the passwords and logins they’d need to manage accounts on your behalf? Prepare for the unexpected and ensure your loved ones don’t get locked out of important accounts, like paying bills or the mortgage, and that they can manage your digital legacy.
With the Emergency Access feature, you can give trusted family and friends access to your LastPass account in the event of an emergency or crisis. Your designated Emergency Access contact(s) can request access to your account and securely receive the passwords and notes without knowing your Master Password. You decide how much time should pass before they’re given access once they request it, and you can decline access if it’s requested unnecessarily.
Emergency Access can also be used as an alternative account recovery feature, if you worry about ever forgetting your master password and want to ensure you have a backup way of recovering your vault.
Please note: the person you share access with will need their own LastPass account as well.
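The model described in the quoted support answer (a login hash sent to the server, a decryption key derived locally that never leaves the device, and a new device reproducing both from the same password), as an added illustration that is not code from LastPass or from the original post. Everything concrete in it is an assumption made for the example, not LastPass's actual implementation: PBKDF2-SHA256 salted with the lowercased account e-mail, the 100,000 iteration count, the extra single-iteration PBKDF2 step that turns the encryption key into the login hash, the server re-hashing the login hash with its own salt, and an HMAC-SHA256 keystream plus HMAC tag standing in for a real AEAD such as AES-GCM so that the script needs only the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration (not LastPass's real values).
ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_client_secrets(email: str, master_password: str) -> tuple:
    """Runs entirely on the client. Returns (encryption_key, login_hash).

    The encryption key protects the vault and never leaves the device. The
    login hash is one further one-way step away from it, so handing it to the
    server reveals neither the master password nor the encryption key.
    """
    pw = master_password.encode()
    enc_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode(), ITERATIONS)
    login_hash = hashlib.pbkdf2_hmac("sha256", enc_key, pw, 1)
    return enc_key, login_hash


class Server:
    """Stores only the encrypted vault and a salted hash of the login hash."""

    def __init__(self) -> None:
        self.accounts = {}

    def register(self, email: str, login_hash: bytes, encrypted_vault: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        self.accounts[email] = (salt, stored, encrypted_vault)

    def login(self, email: str, login_hash: bytes) -> Optional[bytes]:
        """Return the encrypted vault if the login hash verifies, else None."""
        salt, stored, vault = self.accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        if not hmac.compare_digest(candidate, stored):
            return None
        return vault


def _subkeys(enc_key: bytes) -> tuple:
    # Separate keys for confidentiality and integrity, both derived from enc_key.
    stream_key = hmac.new(enc_key, b"stream", hashlib.sha256).digest()
    mac_key = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    return stream_key, mac_key


def _keystream(stream_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 blocks (toy stand-in for a real cipher).
    blocks = [
        hmac.new(stream_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    stream_key, mac_key = _subkeys(enc_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob raises ValueError."""
    stream_key, mac_key = _subkeys(enc_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault failed authentication (wrong key or tampered data)")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(stream_key, nonce, len(ciphertext))))


def demo() -> tuple:
    """Enrol on one device, log in from a second, and try a wrong password."""
    email, password = "alice@example.com", "correct horse battery staple"
    vault_plaintext = b"github.com: alice / hunter2"  # constructed sample vault entry
    server = Server()

    # Device 1 enrols: only the login hash and the encrypted vault reach the server.
    enc_key, login_hash = derive_client_secrets(email, password)
    server.register(email, login_hash, encrypt_vault(enc_key, vault_plaintext))

    # Device 2 types the same password and reproduces both secrets locally.
    enc_key2, login_hash2 = derive_client_secrets(email, password)
    blob = server.login(email, login_hash2)
    recovered = decrypt_vault(enc_key2, blob)

    # A wrong password is rejected by the server before any vault is handed over.
    _, wrong_hash = derive_client_secrets(email, "wrong password")
    rejected = server.login(email, wrong_hash) is None

    return recovered, enc_key == enc_key2, rejected


if __name__ == "__main__":
    print(demo())
```

The point to notice is what the server holds: a salted hash of the login hash and an opaque blob. Neither lets it recover the encryption key, and the login hash alone does not decrypt the vault either, because the key derivation runs in one direction only. The same one-way property is also why a forgotten master password cannot be reset server-side.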