Why in God's name would they store the URLs unencrypted? Even if they don't crack the account password, you've just given the attackers a lovely dossier of every place I've ever visited frequently enough to make an account. And this is far worse than simply doing reverse-lookups of my email address across site breaches, since I use multiple email addresses and alias-only logins.
LastPass storing the URLs unencrypted is so mind boggling. What could possibly be the justification for that? Also -- LastPass is being intentionally unclear when they write
>stored in a proprietary binary format that contains both unencrypted data, *such as* website URLs,
What do you mean such as?? What else is unencrypted? Now is not the time for tip-toeing around this kind of stuff.
> LastPass storing the URLs unencrypted is so mind boggling. What could possibly be the justification for that?
I've never used LastPass, but if the URLs would be encrypted then checking "is there a password for news.ycombinator.com?" would require unlocking the vault, right?
So then you'd at least have to enter your password once on (browser) startup so it can load the list and keep that in memory, and you won't be able to automatically sync things either.
That's true when it's on the user's device, but archived on their servers there's no need for any of the data to be unencrypted. Best case scenario it will never have to be accessed. Even encrypted with their keys would've been a better solution.
I use pass and this attack vector is why I don't sync even in a private git repo like many suggest. I do sync but only encrypted tar files, and even then some sensitive sites are aliases instead of URLs.
Sure it makes life a little more difficult but for some things convenience should be the last priority.
> So then you'd at least have to enter your password once on (browser) startup so it can load the list and keep that in memory, and you won't be able to automatically sync things either.
Correct. However this is how it ought to be. If someone acquires my laptop, I don't want logging into my accounts to be as easy as opening the browser.
I created a temporary account to check whether anything of this has changed since 2018, but no, the format is still entirely the same. The fields have slightly different names, but that might be because of the way I got the vault file (looked at network responses during login). There are also four fields not listed in the above link ("Form Fields", "?", "??", and "???"), but those might be an artifact of the process of reading the file.
In particular all timestamps (creation, last modification, last access) are unencrypted, as is information about whether you want to auto-logon or auto-fill, whether the password was auto-generated and whether the password has been breached.
Field 6 "sharedfromaid": "aid of the sharer's Site/Secure Note" is unencrypted. The hackers will be able to infer relationships between Lastpass users.
Field 10: "genpw": "Is an auto-saved generated password". Good for deciding whether to brute force or not.
Yikes. I can't imagine why anyone would trust Lastpass after this.
Not to mention some of the saved URLs may include sensitive information in the URL query string, including things like email address, physical address, etc...
> Each unique Bitwarden account has an encryption key derived from your Master Password, according to the methods defined in Encryption. This encryption key is used to encrypt all Vault data.
Nice. Fucking. Job.