LastPass introduces URL encryption: Network security reaches a new level

Tomcat

No malicious user can use your data for malicious purposes anymore.

LastPass, a popular password manager, has announced that it will soon begin encrypting URLs stored in user vaults. This step is aimed at strengthening data privacy and protecting against leaks and unauthorized access.

The introduction of the new feature will be a significant step towards implementing a zero-knowledge architecture, which means that even LastPass itself will not have any access to user data. URL encryption will occur automatically and imperceptibly due to the increased performance of modern hardware.

Historically, LastPass engineers decided not to encrypt URLs in 2008 due to the limitations of computing power, in order to reduce the load on processors and minimize power consumption. With the development of technology, these restrictions are no longer relevant, and now the company can encrypt and decrypt URLs without noticeable delays in the operation of its product.

URL encryption is necessary to improve user security and conform to a zero-knowledge architecture. URLs may contain details about the nature of accounts, such as banking, email, or social networks. Encrypting this data will help keep it confidential and reduce risks.

In 2022, LastPass faced two data breaches, which resulted in attackers gaining access to the source code, user data, and backups, including encrypted password stores. Although a master password was required to decrypt these vaults, the leaks included unencrypted URLs, which allowed attackers to target accounts in financial services.

Some weak master passwords were cracked, and cryptocurrency exchanges were hacked with their help, leading to the theft of more than $4 million. This further confirms that there is no such thing as too much encryption: wherever possible, all data stored in sensitive services such as LastPass needs to be protected.

Implementing URL encryption in LastPass will require reworking the client and server components. The first phase of implementation will begin in June 2024 and will include automatic encryption of the main URL fields for all existing and new accounts. At this time, duplicate and outdated URL fields will be deleted, and users will receive notifications about changes made.

The second phase of encryption is planned for the second half of the year and will cover the remaining six URL fields, including equivalent domains, wildcard URLs, redirect URLs, custom URLs, URLs in notes, and historical URLs.

Users don't need to take any action, as LastPass will automatically send all instructions on how to use the new features when the deployment process enters the active phase.