Hacker News new | ask | show | jobs
by taberiand 1330 days ago
Are there any technical details of how this works on the backend?

I thought LastPass only kept encrypted user data that only the master password can decrypt. Would this process mean they keep an accessible copy?

I suppose the process could be to encrypt my master password with a public key generated by the spouse account (with the private key stored in their encrypted bundle), that LastPass servers can store and provide on delayed request?
2 comments
jaywalk 1330 days ago
I would imagine it involves something like encrypting your master password (or more likely some other encryption key that won't change) with their master password as if it were anything else they had stored in their account. The difference is that it's blocked by the time delay.
link
taberiand 1330 days ago
I think something like that might be how it's done. I don't think they could use the master password directly (at least I hope not, wouldn't that mean transmission of a master password from the client?), though I suppose they might have a mechanism of generating a consistent key pair just from the master password.

However it works, I think LastPass should have a technical section that describes the mechanism in more detail

link
Thorrez 1330 days ago
LastPass describes how it works at [1].

They also have a technical whitepaper describing a lot of their cryptography including shared folders and recover codes. I found the current version[2] which disables ctrl-f for some reason, and an older version[3] which allows ctrl-f.

[1] https://support.lastpass.com/help/how-is-emergency-access-se...

[2] https://support.lastpass.com/download/lastpass-technical-whi...

[3] https://assets.cdngetgo.com/da/ce/d211c1074dea84e06cad6f2c8b...

link
whatatita 1330 days ago
I believe, when you set this up, they re-encrypt your data with the other user's keys so it's never accessible by Lastpass.
link
taberiand 1330 days ago
I think the problem with that would be the copy would go stale fairly quickly right? I suppose the process could make it so the data set is encrypted with all associated keys everytime it's uploaded from the client
link
selykg 1330 days ago
Shared key.

You have a key, which encrypts a shared key.

Your spouse has a key, which encrypts the same shared key.

Vault is encrypted with the shared key.

Access is controlled separately. But upon successful share, their existing key can decrypt the shared key which decrypts the vault.

link