LastPass announced it will start encrypting URLs stored in user vaults for enhanced privacy and protection against data breaches and unauthorized access.
The vendor of the popular password manager also notes that this new security feature is a significant step towards reinforcing its commitment to implementing zero-knowledge architecture in the product, so it's not just to protect data from external threats.
Value of encrypted URLs
When users visit a website, LastPass compares the URL against an entry in the user's password vault to determine if they have stored credentials and then offers to enter them automatically.
LastPass says that due to restrictions in processing power in 2008, when that system was created, its engineers decided to leave those URLs unencrypted, lessening the strain on CPUs and minimizing the software's energy consumption footprint.
With most of the hardware performance constraints of the past now having been lifted, LastPass can now start encrypting/decrypting those URL values on the fly without the user noticing any hiccups in browser performance while enjoying ultimate data security.
LastPass says this is being done to enhance user security and comply with the company's zero-knowledge architecture.
"It is possible for URLs to contain details about the nature of the accounts associated with your stored credentials (e.g., banking, email, social media)," explains Lastpass.
"Encrypting URLs associated with your accounts, just like every other private field in the LastPass vault, will expand our zero-knowledge architecture and enhance customer privacy, while also helping to further mitigate risk by ensuring that URLs related to specific services or accounts saved within their vault remain private."
LastPass' zero-knowledge security operates under the premise that all customer data should be encrypted, and thus inaccessible to LastPass and hackers who may breach its service.
In 2022, LastPass suffered two breaches that ultimately allowed threat actors to steal source code, customer data, and production backups, including encrypted password vaults.
LastPass CEO Karim Toubba said at the time that only customers knew the master password required to decrypt vaults. However, if the passwords were weak, they could potentially be bruteforced to gain access to the encrypted content.
The stolen data also included unencrypted URLs associated with password entries, providing valuable insight into which password vaults could be targeted to steal credentials to financial services, like cryptocurrency exchanges.
It was later alleged that threat actors decrypted some of these weaker master passwords and used the stored credentials to breach cryptocurrency exchanges and steal over $4 million in funds.
Rolling out encryption
LastPass says that the encryption of URLs requires them to refactor client and back-end component functionality, a work that is already progressing well.
The first phase of the URL encryption implementation will occur next month (June 2024), automatically encrypting primary URL fields for all existing and new accounts.
During that stage, duplicate and legacy URL fields in the vault will be deleted, while personal and business accounts will receive emails informing them about the changes.
The second phase will occur sometime in the second half of the year when the remaining six URL-related fields stored in LastPass vaults will also be automatically encrypted.
These six values concern:
- url_rules = URLs rules that allow for path matching, host matching or port matching
- Equiv_domains = equivalent domains
- accts_never = never match/autofill on these URLs (deny list)
- accts_never_excluded = always match/autofill & never exclude (allow list)
- acs = URLs used only for business customers leveraging a legacy LP SSO solution
- launchurl = URLs used for SAML SSO for business customers leveraging a legacy LP SSO solution
Currently, users don't need to take any action, but LastPass will email impacted accounts step-by-step instructions on how they can take advantage when the roll-out starts next month.
Update 5/23/24: This article incorrectly said master passwords were stolen, when it was that weak passwords were bruteforced for stolen password vaults.