Secondo le domande frequenti di LastPass, i dipendenti di LastPass non possono vedere né decrittografare le password memorizzate.
LastPass encrypts your Vault before it goes to the server using 256-bit AES encryption. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data!
Tuttavia, esiste un'opzione per utilizzare il recupero di SMS in caso di perdita della password principale.
One method of gaining access to your account after you forget your Master Password is to use SMS recovery to reset the password. This method, however, requires that you enable SMS account recovery in LastPass before you forget your Master Password. If you have already enabled SMS recovery for Master Password retrieval, do the following:
- Navigate to https://lastpass.com/recover.php, enter your email address, then click Continue.
- The system texts your phone a numeric code. Enter this code into your browser, and click Verify.
- Click Press to Recover Account.
- If Multifactor Authentication is enabled, authenticate yourself, but you must type the authentication numbers in your web browser for this step.
- When the next window appears advising that Account Recovery has been detected and that you must immediately change your password, click OK to proceed.
- Enter a new Master Password and a password hint (optional), then click Confirm.
- When prompted with a message that your password has changed and advising you to log out manually (if you are not automatically logged out), click OK to proceed.
- Once you have been logged off of LastPass, you can log back in again using your new Master Password.
Questo suggerisce che le password memorizzate siano decifrate senza conoscere la password principale originale e le re-cifrano con la nuova password principale. Succede tutto sul lato server.
Per me, sembra che i dipendenti LastPass possano abusare di questo metodo per decrittografare le password degli utenti.
Ho corretto o mi manca qualcosa?