How our zero-knowledge encryption works
Zero-knowledge encryption is a method, including industry-standard algorithms, on which LastPass is built. Simply put, it means the only person who uses or knows your Master Password is you. This method applies encryption and hashing with salting to generate an encryption key used to encrypt (or decrypt) your vault, where your passwords are stored.
Zero-knowledge encryption works by separating your unencrypted data from our servers. Think of it as the client (local) vs. the server:
- The client is you, particularly the devices you use to access LastPass.
- The server is LastPass, specifically our servers, which are stored in the cloud.
LastPass uses 256-bit AES encryption/decryption and PBKDF2 derivation function with a secure hash (SHA256), with salting, to transform your Master Password into an encryption key, and then into an authentication hash.
The authentication hash appropriately authenticates by ensuring your plaintext Master Password matches the derived authentication hash stored on the server.
By going through such encryption and hashing methods, your Master Password and sensitive vault data are unknown to anyone but you. All these measures protect you against server-side attacks.
Encryption terminology 101
A two-way function that converts plaintext (like your Master Password) to unreadable text. LastPass encrypts your vault data to protect it from bad actors.
A one-way function that converts data – like your plaintext Master Password – to a unique, unreadable output called a hash. The hash is stored server side for authentication purposes.
Salting takes one input, like your Master Password or an authentication hash, and makes it more unique and even harder to match. Salt values are different for every user and input.