LastPass is encrypting URLs. Here’s what that means for users and admins.
LastPass has built a popular password manager used by millions of consumers and hundreds of thousands of businesses worldwide. Protecting the security and privacy of customer data is vital to our mission, and over the past 18 months, we have invested significant time and effort hardening our security, without sacrificing user experience, while also improving overall security operations and privacy.
Those enhancements continue today with the encryption of URLs in LastPass vaults.
Why are we making this change – and why now? Read on for background and updates on URL encryption, how it works, and why we believe it will help our users better protect their vaults.
The journey to URL encryption
Today, every time you use LastPass, the URL of the website you are visiting in your web browser needs to be matched against entries saved in your LastPass vault to determine whether fields can and should be auto-filled. To accomplish this, the URLs from your web browser are matched against unencrypted URL fields within the vault. Once a match is made, LastPass performs its magic.
The reason URLs have historically been unencrypted within vaults is that when LastPass was first created back in 2008, technology looked dramatically different from today. Decryption was a computationally and memory-intensive operation that adversely impacted performance on low-powered PCs and mobile devices, often resulting in a sluggish user experience and battery drain on mobile devices.
To keep performance and user experience acceptable on that hardware, LastPass left URLs unencrypted in the vault. Over time, additional URL matching functionality, such as the equivalent domains feature, was built atop this logic.
Thankfully, those compute and memory constraints no longer exist with most of today's devices. LastPass can now safely encrypt all URL-related fields in your vault without any adverse user experience.
Why does URL encryption matter?
It is possible for URLs to contain details about the nature of the accounts associated with your stored credentials (e.g., banking, email, social media).
Encrypting the URLs associated with your accounts, just like every other private field in the LastPass vault, will expand our zero-knowledge architecture and enhance customer privacy, while also helping to further mitigate risk by ensuring that URLs related to specific services or accounts saved within your vault remain private.
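The two points above, matching the browser's URL against vault entries and keeping those URLs private at rest, can be illustrated together. The following is an added example, not LastPass code: it stores every field of a vault entry (URL included) under a key derived from the master password, decrypts the URL only on the client at match time, and shows that the stored record no longer exposes the hostname. The HMAC-based cipher, PBKDF2 parameters, and plain hostname-equality matching are assumptions for the illustration (real matching also handles equivalent domains).

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Constructed encrypt-then-MAC scheme for the example: an HMAC-SHA256 keystream
# in counter mode, plus an HMAC tag over nonce+ciphertext. Not LastPass's cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_field(vault_key: bytes, plaintext: str) -> bytes:
    nonce = os.urandom(16)                      # fresh nonce per field
    data = plaintext.encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(vault_key, nonce, len(data))))
    tag = hmac.new(vault_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt_field(vault_key: bytes, blob: bytes) -> str:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(vault_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong key or tampered record
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(vault_key, nonce, len(body)))).decode()

def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    # Assumed KDF parameters; the key never leaves the client (zero knowledge).
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 600_000)

def make_entry(vault_key: bytes, name: str, url: str, username: str) -> dict:
    # Every field, including the URL, is ciphertext in the stored record.
    return {"name": encrypt_field(vault_key, name),
            "url": encrypt_field(vault_key, url),
            "username": encrypt_field(vault_key, username)}

def matching_entries(vault_key: bytes, entries: list, browser_url: str) -> list:
    # Client-side autofill lookup: decrypt each URL field, compare hostnames.
    host = urlsplit(browser_url).hostname
    return [e for e in entries
            if urlsplit(decrypt_field(vault_key, e["url"])).hostname == host]

def hostname_visible_in_storage(entry: dict, hostname: str) -> bool:
    # Without the key, the stored record should reveal nothing about the site.
    return hostname.encode() in entry["url"]
```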
Adding URL encryption required us to re-engineer LastPass, refactoring the way nearly every client and back-end component works. That kind of change does not happen overnight, but we have made significant progress, and we are excited to begin delivering URL encryption, which will require some action on the part of our customers in order to take effect.
What should customers expect?
There will be two phases for implementing URL encryption. The first phase is expected to be completed in June, with rollout beginning in August. At that time, both personal users and business admins will receive emails with prescriptive details as to what to expect, and we will begin automatically encrypting the primary URL fields of existing accounts stored within their vaults, as well as those of any accounts added or edited after the change is made. We will also use this as an opportunity to delete a duplicate and unneeded legacy URL field.
The follow-on phase, currently expected to be completed during the latter half of 2024, will focus on automatically encrypting the remaining six URL-related fields stored in LastPass vaults. You can find the complete list of all eight URL-related fields here.
It’s important to note that there are no current actions for customers and admins to take. In the coming month we will communicate step-by-step instructions to both personal plan users and business plan users explaining how to complete the initial URL encryption upgrade, as well as how to prepare for the encryption of all remaining URL fields in the vault later this year. We’ll also offer prescriptive guidance for functionality that is specific to LastPass Business plan admins.
More detailed information on URL encryption can be found here (and here for Admins).
Our commitment to security
URL encryption represents another significant milestone towards completing our years-long quest to further strengthen and harden our password management vault without sacrificing the end-user experience. That said, we recognize that cybersecurity remains a journey, not a destination, and we are committed to continuing to build a LastPass that is grounded in innovation, security, privacy and trust.
For more information on LastPass’s commitment to security, read the recent addition to “What we have done to secure LastPass” here.