Unencrypted parts inside the vault?
Hi there, after that LastPass breach, many people in the media are discussing the threats that are possibly coming up for the users whose vaults got copied.
Most experts say that the risk is generally low if that data encryption was properly done by LastPass and also if the users had a good master password. But one threat always comes up. The unencrypted URLs in the vault that are linked to the user's vault. This gives a good vector for phishing, they say.
Now my question, are there also unencrypted data fields inside the 1P online vault? Is there a way for you to not have those? Since those are for fast lookup of available logins without encrypting every entry, one expert recommended like a two-level encryption where there is an E2E encrypted lookup list of all URLs and a corresponding ID of the vault entry connected to that URL. This list should be downloaded by the client and then decrypted locally as soon as the user unlocks the client. By that, the user gets a fast look-up and the data is still E2EE on the server.
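The two-level scheme described in the question (an encrypted URL to entry-id lookup list that the client downloads and decrypts locally on unlock), as an added example that is not code from 1Password or from the poster. It uses only the Python standard library, so HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM; the vault contents, salt and KDF iteration count are constructed for the demo.

```python
import hashlib, hmac, json, os

# Constructed sample vault (what the client holds after unlock; not real data)
VAULT = {
    "e1": {"url": "https://bank.example.com", "user": "alice"},
    "e2": {"url": "https://mail.example.net", "user": "alice@example.net"},
}
KDF_ITERATIONS = 100_000  # assumption for the demo; production uses a far higher cost

def derive_key(master_password: str, salt: bytes) -> bytes:
    """Vault key from the master password; neither ever leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, 32)

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", "sha256").digest(), hmac.new(key, b"mac", "sha256").digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: a stdlib stand-in for AES-GCM/XChaCha20
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def encrypt_blob(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_blob(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered index blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def build_index_blob(key: bytes, vault: dict) -> bytes:
    """Client side: the URL -> entry-id lookup list, encrypted before upload."""
    index = {entry["url"]: entry_id for entry_id, entry in vault.items()}
    return encrypt_blob(key, json.dumps(index).encode())

def lookup(master_password: str, salt: bytes, blob: bytes, url: str):
    """Client side after unlock: decrypt the downloaded list locally, then look up."""
    index = json.loads(decrypt_blob(derive_key(master_password, salt), blob))
    return index.get(url)

def url_visible_on_server(blob: bytes, url: str) -> bool:
    """What a copied server-side blob reveals: the URL does not appear in the ciphertext."""
    return url.encode() in blob
```

The server only ever stores the output of `build_index_blob`, so a copy of it yields neither URLs nor entry ids without the master password.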