LastPass is an evolved Host Proof hosted solution, which avoids the stated weakness of vulnerability to XSS as long as you're using the add-on. LastPass strongly believes in using local encryption, and locally created one way salted hashes to provide you with the best of both worlds for your sensitive information: Complete security, while still providing online accessibility and syncing capabilities.
We've accomplished this by using 256-bit AES implemented in C++ and JavaScript (for the website) and exclusively encrypting and decrypting on your local PC. No one at LastPass can ever access your sensitive data. We've taken every step we can think of to ensure your security and privacy.
You need to always have access to your data, we've accomplished this in multiple ways, first we have 2 data-centers in production service, second we store your encrypted data on your local PC when you login, so that if LastPass.com can't be reached, you can still login to the add-on and get to your accounts. The website is usable without the add-on installed (the Encryption and Decryption happens in JavaScript which you can see happen on some forms), but we take advantage of faster encryption available in the add-ons if they're available. We also have a mobile site m.lastpass.com if you're on your phone.
LPBar64.dll
On Windows, LastPass helps find insecure passwords stored on your computer so you can store them securely in LastPass and remove the easy access by malicious software. LastPass uses SSL exclusively for data transfer even though the vast majority of data you're sending is already encrypted with 256-bit AES and unusable to both LastPass and any party listening in to the network traffic -- the amount of data is trivial so the extra encryption doesn't hurt. Our policy of never receiving private data that you haven't already locked down with your LastPass master password (which we never receive and will never ask for) radically reduces attack vectors. We use firewalls and best practices to protect the servers and service, but our best line of defense is simply not having access to data even if someone got in. If LastPass can't access it, hackers can't either.
LPIEHome64.ocx