But Steve's explanation is just not satisfying to me.
So as I understand it they do a SHA256(SHA256(email+password)), plus some salt in there somewhere if I remember correctly. So this is how I think it works:
1) User creates an account locally; email and password are hashed.
2) Email and password are hashed again.
3) The encrypted database of all passwords is sent to LastPass servers along with the double hash.
4) When the user wants to authenticate, the double hash is sent to LastPass to verify against the hash they have.
My questions (SO FAR, I'm sure I'll have more) are:
1) I still don't see why they hash this twice.
2) So what is to stop an attacker from listening on the port, grabbing the hash and using that to log in to LastPass?
3) Steve mentions something about adding a random 256-character string somewhere on the server end. I can only guess this is still some form of salt, but I still can't connect all the dots here.
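As an added illustration of the scheme as the post describes it (this is constructed demo code, not LastPass's own implementation and not from the post), the first hash acts as the local vault key and never leaves the client, the second hash is the login token, and the server stores only a salted hash of that token. The salt length, the SHA-256 choice and the sample credentials are assumptions for the demo.

```python
import hashlib
import hmac
import os


def vault_key(email: str, password: str) -> bytes:
    """First hash: derived locally, used as the vault encryption key. Never sent."""
    return hashlib.sha256((email + password).encode()).digest()


def auth_token(key: bytes) -> bytes:
    """Second hash: the value sent to the server as the login credential.
    SHA-256 is one-way, so the server (or anyone who sees the token) cannot
    recover the vault key from it."""
    return hashlib.sha256(key).digest()


class Server:
    """Stores only (salt, hash(salt || token)) per user, so a leaked server
    database does not directly yield reusable login tokens."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, token: bytes) -> None:
        salt = os.urandom(32)  # assumed per-user random server-side salt
        self.users[email] = (salt, hashlib.sha256(salt + token).digest())

    def verify(self, email: str, token: bytes) -> bool:
        if email not in self.users:
            return False
        salt, stored = self.users[email]
        return hmac.compare_digest(stored, hashlib.sha256(salt + token).digest())


def demo() -> dict:
    """Run the full flow on constructed sample credentials."""
    server = Server()
    email, password = "user@example.com", "correct horse"  # constructed sample
    key = vault_key(email, password)
    token = auth_token(key)
    server.register(email, token)
    salt, stored = server.users[email]
    return {
        "login_ok": server.verify(email, token),
        "wrong_password": server.verify(email, auth_token(vault_key(email, "wrong"))),
        "server_never_sees_key": key not in (salt, stored) and token not in (salt, stored),
        "key_differs_from_token": key != token,
    }
```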