LastPass advertises that they do local encryption of passwords before they are transferred and stored on their website. However, when I log in with my past password, I can access all my passwords in clear text there. Doesn’t this imply that they also have access to all my passwords? How can I verify that they do not have access to my passwords?
All encryption/decryption occurs on your computer, not on our servers. This means that your sensitive data does not travel over the Internet and it never touches our servers, only the encrypted data does.
Your encryption key is created from your email address and Master Password. Your Master Password is never sent to LastPass, only a one-way hash of your password when authenticating, which means that the components that make up your key remain local. This is why it is very important to remember your LastPass Master Password; we do not know it and without it your encrypted data is meaningless. LastPass also offers advanced security options that let you add more layers of protection.
In other words, your computer encrypts your passwords with your email and master password and sends that data to Lastpass. When you authenticate with your master password at Lastpass.com, Lastpass.com returns all your encrypted passwords, which are decrypted locally on your computer with your email and master password. Every communication happens over SSL, so anything intercepted is doubly useless (since everything is encrypted with not just the SSL keys but with your email and master password).
The best way to ensure this is to set up a script to monitor network activity and see if anything that is decrypted (including the master password) goes to lastpass.com. Based on what I’ve seen on forums, it seems other users have done this and found nothing suspicious.