Security !? Rated 5 out of 5 stars
I think that this solution/addon seems great but I have a question about security.
You say that "data is locked down with your LastPass master password (which we never receive and will never ask for)..."
But why is the Master Password used for local encryption equal to the lastpass.com website user password?
You say you never receive and you never ask but when I access your website I do send my password...
This is even more true when I don't have the lastpass plugin installed in FF and I just log in to your site.
Can you please clarify this?
When you log in (doesn't matter if it is in the plugin or on the website), we take a one-way hash of your password and send it to our servers for authentication. Your password never leaves your computer (feel free to use TamperData to watch what goes across the wire) because we clear the field before the form submits.
We then locally generate the encryption key from your username and your password. All encryption/decryption is done locally. So since LastPass never receives your password, we can never create the key to decrypt your data. It is perfectly safe.
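
The flow described in the reply above, as an added example (not LastPass's code and not part of the original reply). The page names no algorithm, so PBKDF2-HMAC-SHA256, the iteration count, the username normalisation, the request field names and the `Server` class are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; the page gives no value


def derive_keys(username, password):
    """Client side. Returns (encryption_key, auth_hash) as bytes."""
    salt = username.strip().lower().encode()  # assumed: username acts as salt
    # Encryption key: used only for local encrypt/decrypt, never transmitted.
    enc_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 32)
    # Auth hash: one further one-way step keyed on the password, so a party
    # holding only auth_hash cannot walk back to enc_key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", enc_key, password.encode(), 1, 32)
    return enc_key, auth_hash


def build_login_request(username, password):
    """What crosses the wire: the username and the auth hash, nothing else."""
    _, auth_hash = derive_keys(username, password)
    return {"username": username, "hash": auth_hash.hex()}


class Server:
    """Hypothetical server. It sees auth_hash only, and stores a salted
    re-hash of it so a database leak does not expose a usable login value."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _stretch(salt, auth_hash_hex):
        raw = bytes.fromhex(auth_hash_hex)
        return hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS, 32)

    def register(self, request):
        salt = os.urandom(16)
        self.users[request["username"]] = (salt, self._stretch(salt, request["hash"]))

    def verify(self, request):
        record = self.users.get(request["username"])
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison of the stored and presented values.
        return hmac.compare_digest(stored, self._stretch(salt, request["hash"]))
```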