In a blog post to the latest security incident at lastpass they wrote the following:
"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. "
If i am correct, that means that the URLs are not encrypted at lastpass? The shocked me as i realy thought, that all data in the vault are stored encrypted.
I am a bitwarden customer for years now and hope that bitwarden encrypts everything stored in the vault? Can kyle or someone else confirm?
I am (probably was) a LastPass customer. I’ve used it for years with the thought that the entire vault was encrypted. I had no idea that only some fields were. They certainly never made that clear.
So, whilst I’m confident that my passwords will be secure, I am concerned that there may be personal information in some URLs.
Any insight into data that is NOT encrypted by BitWarden would be very appreciated.
Yes, everything in your vault items is encrypted, except for trivial metadata such as the last modification date, whether the item is a “favorite”, etc. The only moderately “sensitive” information that is stored in cleartext in the encrypted vault is your login email.
@Guenx thanks for checking in! Yes, everything you input into your Bitwarden vault is encrypted, including URLS. You can test this at any time by exporting an encrypted JSON file and opening with a text editor.
Yes, only the login email to Bitwarden itself is stored unencrypted. All usernames, passwords, URIs, custom fields, TOTP secrets, notes, etc. are stored as encrypted ciphers.
One reason is that the login email is used as a “salt” for hashing your master password, and salts need to be stored in cleartext. Another reason is to allow Bitwarden to notify you when there are suspicious login attempts.