What makes LastPass so secure?

I can't simply understand how using LastPass is secure. All an attacker need to do is to compromise the single LastPass account and then he has also compromised all other websites.

What's so good about that compared to the traditional approach to have separate accounts per site?

Is it really better to have one strong master password, strong site-specific passwords that can be accessed via the master password than having weaker passwords, but different on all websites?


Aside from allowing you to create unique, complex passwords for each site, we also offer free second factor authentication: Grid. So your username and password are not enough to access your data when Grid is used.

In addition, your passwords are not stored in Firefox's or IE's password managers which are generally insecure (just run our installer and watch how we can pull all of the passwords).

As for storing in the cloud, everything is encrypted locally before it is sent to the server and your key is never sent to us. You can read more about how we keep you safe on the technology page on our website.


I don't consider LastPass particularly safe (like anything that is stored 'in the cloud'), I much prefer a local solution (for example, KeePass). The convenience of having online access to login information comes at an unacceptable price (at least for paranoid old me).


What makes it secure is simply that they cannot tell anyone what your passwords are, even with a gun to their head. Even when using the web interface, your passwords are encrypted locally before being transmitted.

Yes, it is true that it provides a "single point of failure" unless Grid is used. However, you could have a ridiculously strong master password - who cares if you have to type a 100 character password if you only do it once a day? And because it saves your "sub passwords", you can have them a lot stronger than you normally might.

Another advantage is that most people won't have different passwords for every website (or will have a pattern), and LastPass lets you ditch this. So whereas before every single site you were on was a potential entry point to all other sites you were on, now only your LastPass account is. Cracking any "sub password" yields no extra information to an attacker.

This is useful because you have no idea whether sites you are on are encrypting your password, or salting it. I could name a website with 11 million users that stores passwords unencrypted in their database.

Finally, LastPass offers features like one time passwords for accessing your passwords in untrustworthy locations, which keeps your account secure from even the most advanced keyloggers.


Just had a quick look at their site - I think your points are correct... If someone cracks your password there, they have all your passwords - it simply bundles a few features from a few programs in to one program.

From looking there, there is nothing that makes me think it is "more secure" than having separate passwords for different sites - as you will be anyway... Last pass simply makes it easer to manage.