LastPass announced it will start encrypting URLs (website addresses) stored within user vaults, adding an extra layer of protection against data breaches and unauthorized access.
While LastPass already encrypts passwords and other sensitive data, URLs were previously left unencrypted to optimize performance and user experience. However, the company recognized that URLs can contain potentially revealing information about the associated accounts, such as banking, email, or social media. By encrypting URLs, LastPass further safeguards user privacy and aligns its practices with a zero-knowledge security model.
“It is possible for URLs to contain details about the nature of the accounts associated with your stored credentials (e.g., banking, email, social media),” explains Lastpass.
“Encrypting URLs associated with your accounts, just like every other private field in the LastPass vault, will expand our zero-knowledge architecture and enhance customer privacy, while also helping to further mitigate risk by ensuring that URLs related to specific services or accounts saved within their vault remain private.”
What Does This Mean for Users?
For LastPass users, this update means enhanced security and peace of mind. Even in the unlikely event of a data breach, encrypted URLs would be meaningless to attackers, preventing them from identifying and targeting specific accounts. The update also reinforces LastPass’s commitment to user privacy and its ongoing efforts to strengthen its security infrastructure.
LastPass says that the encryption of URLs requires them to refactor client and back-end component functionality, a work that is already progressing well.
The first phase of the URL encryption implementation will occur next month (June 2024), automatically encrypting primary URL fields for all existing and new accounts.
