LastPass Enhances User Security by Encrypting URLs in Vaults

LastPass has recently announced a significant update to improve security for its users by starting to encrypt URLs stored in their password vaults. This move is aimed at boosting protection against data breaches and unauthorized access, marking a pivotal development in their commitment to a zero-knowledge architecture. 

Find out more about LastPass’s URL encryption below.

The Importance of Encrypting URLs

When a user accesses a website, LastPass matches the site’s URL with the stored entries in the user’s vault. If credentials are stored, LastPass automatically fills them in. Initially, due to the limited processing power available in 2008, LastPass opted not to encrypt URLs to reduce the load on CPUs and lower the energy consumption of the software.

However, technological advancements have now made it possible for LastPass to encrypt and decrypt URL data seamlessly, without impacting browser performance. This ensures robust security for users storing URLs in vaults.

“Encrypting URLs associated with your accounts, just like every other private field in the LastPass vault, will expand our zero-knowledge architecture and enhance customer privacy, while also helping to further mitigate risk by ensuring that URLs related to specific services or accounts saved within their vault remain private,” explains LastPass.

The addition of this encryption is crucial because URLs can sometimes reveal information about the nature of the accounts linked to the credentials, such as banking, email, or social media accounts.
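The following is an added example, not LastPass code or part of the original article: a Node.js sketch of how autofill matching can still work when the URL field is encrypted like every other private field, and what a copy of the stored vault then reveals. The cipher (AES-256-GCM), the KDF parameters, the field layout and all function names are assumptions for illustration, and the vault entries are constructed.

```javascript
// Added illustration: constructed vault data, assumed cipher and KDF (not LastPass code).
const crypto = require('node:crypto');

// Assumption: the vault key is derived from the master password with PBKDF2-SHA256.
function deriveKey(masterPassword, salt, iterations = 600000) {
  return crypto.pbkdf2Sync(masterPassword, salt, iterations, 32, 'sha256');
}

// Assumption: each private field is sealed with AES-256-GCM under the vault key.
function sealField(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, ct, cipher.getAuthTag()].map((b) => b.toString('base64')).join('.');
}

// Decrypts one sealed field; throws if the key is wrong or the data was altered.
function openField(key, sealed) {
  const [iv, ct, tag] = sealed.split('.').map((s) => Buffer.from(s, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Autofill lookup: URLs are decrypted on the client, then compared by hostname.
function findEntries(key, vault, pageUrl) {
  const host = new URL(pageUrl).hostname;
  return vault.filter((e) => new URL(openField(key, e.url)).hostname === host);
}

// Checks whether a hostname is readable in the vault as it is stored.
function storedVaultLeaksHost(vaultCopy, host) {
  return JSON.stringify(vaultCopy).includes(host);
}

// Constructed sample vault, in the form a server would hold it.
const key = deriveKey('constructed master password', Buffer.from('constructed-salt'));
const vault = [
  { id: 1, url: sealField(key, 'https://bank.example/login'), password: sealField(key, 'pw-1') },
  { id: 2, url: sealField(key, 'https://mail.example/'), password: sealField(key, 'pw-2') },
];

console.log(findEntries(key, vault, 'https://bank.example/account').map((e) => e.id));
console.log(storedVaultLeaksHost(vault, 'bank.example'));
```

With the URL sealed, the stored record no longer shows which service an entry belongs to, and the matching step only succeeds on a client that holds the derived key.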

Strengthening Security Post-Breaches

The decision to encrypt URLs comes in the aftermath of two significant breaches in 2022, where threat actors managed to steal source code and customer data, including encrypted password vaults. The exposed data also contained unencrypted URLs that highlighted which vaults had credentials for high-value targets.

LastPass’ CEO said at the time that only customers know the master password needed to decrypt vaults. However, the breach also involved encrypted master passwords, which could potentially be decrypted if they were weak. This led to incidents where attackers decrypted some master passwords and accessed cryptocurrency exchanges, resulting in thefts exceeding $4 million.

Implementation of URL Encryption

LastPass is diligently working to refactor both client and backend components to support this new feature. The initial phase, scheduled for next month (June 2024), will automatically encrypt primary URL fields across all existing and new accounts. This phase will also see the removal of duplicate and outdated URL fields.

Subsequent updates later in the year will include the encryption of six additional URL-related fields in the vaults, including equivalent domain URLs, wildcard URLs, and redirect URLs, to name a few.

LastPass says users do not need to take any action right now. Once the rollout commences, it will email step-by-step instructions to all affected accounts on how to use the new security feature.
