But once you convince your company to give LastPass a go, you may run into the issue of keeping your current, personal account separate from your newly-created Enterprise account. However, you also don't like the idea of managing two different LastPass accounts. And that's where Linked Accounts comes in! Our new option to "Link Personal Account" allows you to integrate your personal account with your Enterprise account, without mixing your personal data with your business data.

Getting set up with Linked Accounts is easy. Just login to with your Enterprise account. Once you're logged in, you can click on the "Link Personal Account" link on the left-hand Actions menu. When prompted, you can then login with your personal account. And voila! Your personal LastPass account will now appear as a sub-folder in the vault of your Enterprise account, and you will be able to view, edit, and login to your personal sites as usual. Whatever company policies have been created by your organization for LastPass Enterprise will be applied to that sub-folder when you are logged in via your Enterprise account. However, you can still login separately to your personal account, and those Enterprise policies will not be transferred over, nor will the login activity for the sub-folder or your personal account be reported to the Enterprise Admin. Any updates you make to the sub-folder will automatically be pushed back to your personal account. More great LastPass Enterprise updates are on the way.

The LastPass password manager stores One Time Recovery Passwords locally in each browser you use the plugin with:

My question is, how can you have more than one password? I thought LastPass derived the encryption key from your master password using a variant of PBKDF2 and then encrypted your data with this encryption key locally with AES. There's no room in this scenario for multiple passwords, unless the data is encrypted multiple times. It just all smells really fishy. And, how can they enable or disable the OTPs unless they're stored somehow server-side? If the encryption key for my data never leaves my computer, I cannot understand how any password besides my master password could allow access to my password vault unless there's something LastPass isn't telling us and the local Javascript encryption is all smoke and mirrors. I contacted LastPass and they pointed me to an explanation here:

LastPass stores, on the server, a "vault" which is a collection of data, encrypted with a key K derived from the "master password". Normally, K is rebuilt on the local computer by recomputing it from the master password. However, the same key K could also be stored on the server, this time encrypted with a recovery key K_r, allowing reconstruction of K by whoever knows K_r. The "one-time recovery password stored in the browser" would be that K_r (they call it "password" but the user does not type it, so it can be a fat sequence of random bytes, something usually known as a "key"). With such a system, the vault can be expanded with a "recovery blob" which is E_{K_r}(K). Generating a recovery blob requires knowledge of K, so it must have happened on the client system, since LastPass does not know K or the master password. This matches the idea that the one-time recovery password is browser-specific. If one "recovery blob" can be stored, several recovery blobs can be stored as well. When the user wants to prepare his browser for a potential subsequent recovery, he makes his browser generate a new random K_r, store it in the browser entrails, and compute the recovery blob (the user types his master password, the browser recomputes K and does the encryption with K_r). The recovery blob is then sent to LastPass's servers for storage. At no point does LastPass learn K or the master password or any of the "one-time recovery passwords".

What I describe above is a plausible implementation. I cannot vouch for what LastPass actually does. A point to make, however, is about "one-time". There is nothing intrinsically "one-time" in what I described. What they mean is that the server will refuse to send back a given recovery blob to the user more than once. Presumably, when a user connects and requests download of a recovery blob, the LastPass server sends it back and then destroys it on its side.
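The recovery-blob scheme sketched in the answer above, as an added example (not LastPass's code and not the answerer's): K is derived from the master password with PBKDF2, each browser keeps its own random K_r, the server stores only E_{K_r}(K) per browser and hands a blob back exactly once. The PBKDF2 salt, the XOR-plus-HMAC construction used for E, and the server and browser classes are assumptions made for the example.

```python
import hashlib
import hmac
import os

def derive_vault_key(master_password: str, email: str, iterations: int = 100_000) -> bytes:
    # K: PBKDF2-HMAC-SHA256 over the master password (using the account email as salt is an assumption).
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations, 32)
def _subkeys(K_r: bytes):
    # Split the random recovery key into a 32-byte pad and a MAC key (assumed construction for E).
    return hmac.new(K_r, b"enc", "sha256").digest(), hmac.new(K_r, b"mac", "sha256").digest()
def make_recovery_blob(K: bytes, K_r: bytes) -> bytes:
    # E_{K_r}(K): K_r is fresh and used once, so XOR with its pad is a one-time pad; the tag catches tampering.
    pad, mac_key = _subkeys(K_r)
    ct = bytes(a ^ b for a, b in zip(K, pad))
    return ct + hmac.new(mac_key, ct, "sha256").digest()
def open_recovery_blob(blob: bytes, K_r: bytes) -> bytes:
    # Rebuild K from the blob and K_r; a modified blob is rejected before any of it is used.
    pad, mac_key = _subkeys(K_r)
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()):
        raise ValueError("recovery blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, pad))

class RecoveryServer:
    # Holds only blobs keyed by (user, browser): it never sees K, K_r or the master password.
    def __init__(self):
        self.blobs = {}
    def store(self, user, browser_id, blob):
        self.blobs[(user, browser_id)] = blob
    def fetch_once(self, user, browser_id):
        # "One-time": the blob is returned once and then destroyed server-side.
        return self.blobs.pop((user, browser_id), None)

class Browser:
    # Each browser keeps its own K_r locally, which is what makes the recovery password browser-specific.
    def __init__(self, browser_id):
        self.browser_id, self.K_r = browser_id, None
    def enroll(self, server, user, master_password):
        K = derive_vault_key(master_password, user)   # needs the master password, so this is client-side
        self.K_r = os.urandom(32)                     # the "one-time recovery password": a random key
        server.store(user, self.browser_id, make_recovery_blob(K, self.K_r))
    def recover(self, server, user):
        blob = server.fetch_once(user, self.browser_id)
        return None if blob is None or self.K_r is None else open_recovery_blob(blob, self.K_r)

def demo():
    # Constructed sample account; two browsers enrol, the first recovers once and is refused the second time.
    server, user, pw = RecoveryServer(), "alice@example.com", "correct horse battery staple"
    chrome, firefox = Browser("chrome"), Browser("firefox")
    for b in (chrome, firefox): b.enroll(server, user, pw)
    return derive_vault_key(pw, user), chrome.recover(server, user), chrome.recover(server, user), firefox.recover(server, user)
```

`demo()` returns K, the first Chrome recovery (equals K), the second (None, blob already destroyed) and the Firefox recovery (equals K, since it used its own blob).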