Can someone explain to me how lastpass (auth/hashing)

Networking/Security Forums -> Cryptographic Software and Hardware

Author: morris.570@osu.edu PostPosted: Sat Dec 18, 2010 7:42 pm    Post subject: Can someone explain to me how lastpass (auth/hashing)
    ----
VERY beginner security question here...

I am using lastpass: http://lastpass.com/ and there is a blog post that explains how it works (kinda):

http://blog.tinisles.com/2010/01/should-you-trust-lastpass-com/

and also Steve Gibson on 'Security Now' tries to explain it here:

http://www.grc.com/sn/sn-256.htm

But Steve's explanation is just not satisfying to me.

So as I understand it, they do a SHA256(SHA256(email+password)) plus some salt in there somewhere, if I remember correctly. So this is how I think it works:

1) user creates an account locally; email and password are hashed
2) email and password are hashed again
3) the encrypted database of all passwords is sent to lastpass servers along with the double hash
4) when the user wants to authenticate, the double hash is sent to lastpass to verify against the hash they have

My questions (SO FAR, I'm sure I'll have more) are:

1) I still don't see why they hash this twice.
2) So what is to stop an attacker from listening to the port, grabbing the hash and using that to login to lastpass?
3) Steve mentions something about adding a random 256 character string somewhere on the server end, I can only guess this is still some form of salt but I still can't connect all the dots here.

Thanks for any help.
jack
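An added worked example (not from the post, and not LastPass's own code) of the scheme exactly as the poster describes it: the first SHA256 is the key that encrypts the local vault and never leaves the client, the second SHA256 is the login value sent to the server, and the server, as an assumption matching the "random string on the server end" question, stores only a per-user random salt plus the salted hash of that login value.

```python
import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def client_derive(email: str, password: str) -> tuple[bytes, bytes]:
    """Client side, as the poster describes it.

    vault_key  = SHA256(email + password)  -> encrypts the vault, never sent
    login_hash = SHA256(vault_key)         -> the only value sent for login
    SHA256 is one-way, so the server cannot recover vault_key from login_hash.
    """
    vault_key = sha256((email + password).encode("utf-8"))
    login_hash = sha256(vault_key)
    return vault_key, login_hash


def server_register(login_hash: bytes) -> dict:
    """Server side (assumed design, not verified against LastPass).

    A fresh random salt is drawn per user and only SHA256(salt + login_hash)
    is stored, so a copy of the server database does not contain anything
    that can be sent back to the server as a login value.
    """
    salt = os.urandom(32)
    return {"salt": salt, "verifier": sha256(salt + login_hash)}


def server_verify(record: dict, login_hash: bytes) -> bool:
    """Recompute the salted hash of the presented login value and compare
    in constant time. Whoever presents the correct login_hash passes, which
    is why the value must only ever travel over an encrypted connection."""
    candidate = sha256(record["salt"] + login_hash)
    return hmac.compare_digest(record["verifier"], candidate)


def demo(email: str = "user@example.com", password: str = "correct horse") -> dict:
    # Constructed sample credentials; returns the properties worth checking.
    vault_key, login_hash = client_derive(email, password)
    record = server_register(login_hash)
    _, wrong_hash = client_derive(email, password + "x")
    return {
        "key_not_sent": vault_key != login_hash,            # server never sees the key
        "stored_is_not_login": record["verifier"] != login_hash,  # DB copy is not a credential
        "login_ok": server_verify(record, login_hash),
        "wrong_password_rejected": not server_verify(record, wrong_hash),
    }
```

Because the server accepts the bare login hash, that value is a bearer credential: the server-side salt protects the stored verifier if the database leaks, but it does nothing for a value captured in transit, so the scheme relies on TLS to keep the login hash private.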


