logo

LastPass is now encrypting URLs in password vaults for better security

LastPass

LastPass announced it will start encrypting URLs stored in user vaults for enhanced privacy and protection against data breaches and unauthorized access.

The vendor of the popular password manager also notes that this new security feature is a significant step towards reinforcing its commitment to implementing zero-knowledge architecture in the product, so it's not just to protect data from external threats.

Value of encrypted URLs

When users visit a website, LastPass compares the URL against an entry in the user's password vault to determine if they have stored credentials and then offers to enter them automatically.

LastPass says that due to restrictions in processing power in 2008, when that system was created, its engineers decided to leave those URLs unencrypted, lessening the strain on CPUs and minimizing the software's energy consumption footprint.

With most of the hardware performance constraints of the past now having been lifted, LastPass can now start encrypting/decrypting those URL values on the fly without the user noticing any hiccups in browser performance while enjoying ultimate data security.

LastPass says this is being done to enhance user security and comply with the company's zero-knowledge architecture.

"It is possible for URLs to contain details about the nature of the accounts associated with your stored credentials (e.g., banking, email, social media)," explains Lastpass.

"Encrypting URLs associated with your accounts, just like every other private field in the LastPass vault, will expand our zero-knowledge architecture and enhance customer privacy, while also helping to further mitigate risk by ensuring that URLs related to specific services or accounts saved within their vault remain private."

LastPass' zero-knowledge security operates under the premise that all customer data should be encrypted, and thus inaccessible to LastPass and hackers who may breach its service.

In 2022, LastPass suffered two breaches that ultimately allowed threat actors to steal source codecustomer data, and production backups, including encrypted password vaults.

LastPass CEO Karim Toubba said at the time that only customers knew the master password required to decrypt vaults. However, the stolen data included encrypted master passwords, which LastPass warned could be decrypted if they were weak.

The stolen data also included unencrypted URLs associated with password entries, providing valuable insight into which password vaults could be targeted to steal credentials to financial services, like cryptocurrency exchanges.

It was later revealed that threat actors decrypted some of these weaker master passwords and used the stored credentials to breach cryptocurrency exchanges and steal over $4 million in funds.

Rolling out encryption

LastPass says that the encryption of URLs requires them to refactor client and back-end component functionality, a work that is already progressing well.

The first phase of the URL encryption implementation will occur next month (June 2024), automatically encrypting primary URL fields for all existing and new accounts.

During that stage, duplicate and legacy URL fields in the vault will be deleted, while personal and business accounts will receive emails informing them about the changes.

The second phase will occur sometime in the second half of the year when the remaining six URL-related fields stored in LastPass vaults will also be automatically encrypted.

These six values concern the equivalent domain URLs, wildcard URLs, redirect URLs, user-defined custom URLs, URLs stored in user notes, and historical URLs.

Currently, users don't need to take any action, but LastPass will email impacted accounts step-by-step instructions on how they can take advantage when the roll-out starts next month.


Free security scan for your website