
Security Forums



Can someone explain to me how lastpass (auth/hashing)

Networking/Security Forums Index -> Cryptographic Software and Hardware

morris.570@osu.edu
Just Arrived


Joined: 18 Dec 2010

Posted: Sat Dec 18, 2010 7:42 pm    Post subject: Can someone explain to me how lastpass (auth/hashing)

VERY beginner security question here...

I am using lastpass: http://lastpass.com/ and there is a blog post that explains how it works (kinda):

http://blog.tinisles.com/2010/01/should-you-trust-lastpass-com/

and also Steve Gibson on 'Security Now' tries to explain it here:

http://www.grc.com/sn/sn-256.htm

But Steve's explanation is just not satisfying to me.

So as I understand it, they do SHA256(SHA256(email+password)), plus some salt in there somewhere, if I remember correctly. So this is how I think it works:

1) User creates an account; locally, email and password are hashed.
2) Email and password are hashed again.
3) The encrypted database of all passwords is sent to LastPass servers along with the double hash.
4) When the user wants to authenticate, the double hash is sent to LastPass to verify against the hash they have.

My questions (so far; I'm sure I'll have more) are:

1) I still don't see why they hash this twice.
2) So what is to stop an attacker from listening to the port, grabbing the hash and using that to login to lastpass?
3) Steve mentions something about adding a random 256-character string somewhere on the server end. I can only guess this is still some form of salt, but I still can't connect all the dots here.

Thanks for any help.
jack
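The four steps and the three questions in the post, as an added example. This is not LastPass's code and not a statement of what LastPass actually does; it builds the scheme exactly as the post describes it (SHA256(SHA256(email+password)) plus a random string kept on the server) so the roles of the two hashes and the salt can be seen. Function names, the concatenation order, the salt length and the sample credentials are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not LastPass's code: the scheme as the post describes it,
# SHA256(SHA256(email + password)) plus a server-side random salt.
# Concatenation order, salt size and function names are assumptions.


def derive_client_key(email: str, password: str) -> bytes:
    """Step 1: hash email+password once. This value never leaves the client
    and is what would encrypt the local password database."""
    return hashlib.sha256((email + password).encode("utf-8")).digest()


def derive_login_hash(client_key: bytes) -> bytes:
    """Step 2: hash the client key a second time. Only this value is sent
    to the server. SHA-256 is one-way, so the server (or anyone who steals
    its database) cannot get the client key, i.e. the vault key, from it."""
    return hashlib.sha256(client_key).digest()


def client_login_hash(email: str, password: str) -> bytes:
    """What the client sends at registration (step 3) and at login (step 4)."""
    return derive_login_hash(derive_client_key(email, password))


def server_register(login_hash: bytes) -> dict:
    """Step 3, server side: store a per-user random salt and the salted hash
    of the login hash, never the login hash itself. The salt is the random
    server-side string from question 3; it defeats precomputed tables
    against a stolen database."""
    salt = os.urandom(32)  # 32 bytes is an assumption, not the real length
    return {"salt": salt, "hash": hashlib.sha256(salt + login_hash).digest()}


def server_verify(record: dict, login_hash: bytes) -> bool:
    """Step 4, server side: recompute with the stored salt and compare in
    constant time so timing does not leak how many bytes matched."""
    candidate = hashlib.sha256(record["salt"] + login_hash).digest()
    return hmac.compare_digest(candidate, record["hash"])


def replay_succeeds(record: dict, captured_login_hash: bytes) -> bool:
    """Question 2 in the post: an eavesdropper who captures the login hash on
    the wire can present it again without knowing the password. The hashing
    scheme itself does nothing against this; the transport (TLS) has to."""
    return server_verify(record, captured_login_hash)


if __name__ == "__main__":
    # Constructed sample credentials.
    email, password = "jack@example.com", "correct horse battery"
    record = server_register(client_login_hash(email, password))
    print("login ok:   ", server_verify(record, client_login_hash(email, password)))
    print("wrong pw:   ", server_verify(record, client_login_hash(email, "guess")))
    print("replay ok:  ", replay_succeeds(record, client_login_hash(email, password)))
    print("server holds vault key:", derive_client_key(email, password) in record.values())
```

Two things the run makes visible. The second hash is what separates the key that encrypts the vault from the value the server learns: the server stores a salted hash of the login hash, and neither that record nor a captured login hash gives the vault key back. It does not, however, stop replay of a captured login hash, so the confidentiality of the login exchange rests entirely on the transport. Note also that one unsalted SHA-256 over email+password is fast to compute, so a stolen server record can still be attacked by guessing passwords offline at hash speed; a slow, iterated key derivation function (PBKDF2 or similar) is the standard remedy for that, and is not part of the scheme as the post describes it.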