You’re probably all thinking that LastPass is not as secure as something like 1Password or KeePass, that you sync the file via email, because it’s all stored in the cloud. Well, this post will explain why LastPass is just as secure as the offline alternatives.

How it’s stored

First of all, LastPass can ** NOT ** read your passwords even if they tried. All the passwords, which I assume are stored in some sort of database file like SQLite, which can be easily completely encrypted. The only version of the file ever stored on LastPass servers is the encrypted version, so even if their servers are hacked, which is unlikely, the most any hacker can get is a bunch of gibberish, which can only be cracked with the proper key. So, more or less, if your vault password is secure, you have nothing to fear.

How do they send the data

Ok, it’s all encrypted on their servers, but how is it sent over the internet? While in transit, the data is actually even more secure than it is on the server; it’s encrypted twice. It’s encrypted by the LastPass program itself, and the TLS session, a.k.a. HTTPS. Your computer then decrypts the TLS, and it’s up to your master password to decrypt the file. So, the only decrypted version is on your computer, you know, as if you were using a local password manager :)

Can’t anyone just get the data?

If you know a bit about login systems, you’re probably wondering how LastPass knows its you without receiving the password to hash and compare. Don’t worry about that either, they don’t just check the email and send the data over, although even if they did, the attacker still can’t decrypt it. LastPass hashes the password something like five thousand times before sending it to their servers, so even if a hacker managed to intercept it, which they can’t because the session is TLS encrypted, they can’t get your password.

Weren’t they already hacked?

Yes, they were already “hacked”. Before you panic though, read to the end. According to LifeHacker, and a ton of news sites, LastPass was “hacked” in 2015. However, LastPass stated that they believe the authentication hashes are secure enough to prevent hackers from cracking your passwords, so there was no real threat. Even though there wasn’t a threat, they highly recommended that everyone change their master password just to be on the safe side. So yes, they were “hacked”, but NO passwords were stolen.

Source: LastPass LastPass Blog