Are URLs the only thing that's unencrypted? That's bad enough, but what about other fields? I know I've accidentally saved passwords in the username field before, stored sensitive info in the note field as well.
I guess moving off of LastPass is how I'll be spending my Xmas...
The only data I want my password manager to store is a single encrypted blob, and whatever information they need to store so I can safely decrypt it with my master password on my own device.
I don't think the other fields would be unencrypted. URL makes some sense for an extension that doesn't need to unlock the vault to know if there is a password available for a site. It's not the end of the world, but it certainly isn't a great look. Look at Bitwarden. The HN-famous security guy tptacek (or however you spell his handle) recommended that a while ago, and it's open source and pretty good. The UI kinda is not amazing, but I guess that's alright. (It's 2022, almost 2023; how are they not letting you sort by recently created/used/etc.?)
The notice uses language that implies that other fields were unencrypted too:
contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data
“Such as website URLs” reads like it’s giving one example among multiple other fields that are unencrypted.
Now I wonder if the notes are not in fact encrypted either since if the user wanted those to be secure too, they would’ve written them in a “secure note.”
If notes are unencrypted then I'm absolutely fucked. I really hope this isn't the case. I assumed they were, I thought I read they were even. But now I can't find anything confirming this.
A description of Lastpass's vault structure[1] suggests that notes inside entries were encrypted (index 4). I have no additional information about the veracity of that description though.
I agree the verbiage does make it seem that way, but the language could also just be imprecise, so we'd need a formal statement from them to know either way.
That use case seems to indeed be why they have implemented it that way, but I'd consider this a very poor risk-reward trade-off:
LastPass isn't exactly perfect (or at least wasn't, when I last used it) at figuring out which part of a URL is the generic part (used for identifying a login site) and which part is e.g. a session token or, worse, a deep link that lets me access my account without any further authentication.
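To make the trade-off in the comment above concrete, here is an added example (not LastPass code, and not from any other password manager): the only thing a browser extension needs for "do I have a login for this site?" is the origin, so that is all that has to sit outside the encrypted blob; everything else in a saved URL (path, query, fragment) is pure liability if stored in plaintext. The `siteKey`, `leakedParts`, `matchesSite` and `audit` functions and the vault entries are constructed for this illustration.

```javascript
// Added example, not code from LastPass or any other password manager.
// Reduce a URL to the key a site matcher needs: scheme + host (+ explicit port).
// Returns null for strings that do not parse as absolute http(s) URLs.
function siteKey(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return u.origin; // default ports are omitted, e.g. "https://bank.example.com"
}

// Name the parts a raw-URL store would leak: a non-root path, each query
// parameter name, and any fragment (where OAuth implicit-flow tokens land).
// Values are deliberately not returned so this can audit an export without
// re-exposing secrets.
function leakedParts(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return [];
  }
  const parts = [];
  if (u.pathname && u.pathname !== '/') parts.push('path');
  for (const name of u.searchParams.keys()) parts.push('query:' + name);
  if (u.hash) parts.push('fragment');
  return parts;
}

// The check an extension would do before offering to fill a saved login.
// Origin equality means scheme, host and port must all match exactly.
function matchesSite(storedKey, currentUrl) {
  const k = siteKey(currentUrl);
  return k !== null && k === storedKey;
}

// Constructed sample vault entries (not real data): what gets recorded if the
// manager saves whatever URL the login form happened to be on.
const SAMPLE_ENTRIES = [
  { name: 'bank', url: 'https://bank.example.com/login' },
  { name: 'reset link', url: 'https://app.example.com/reset?token=abc123def456&user=alice' },
  { name: 'oauth callback', url: 'https://mail.example.com/cb#access_token=tok987&state=xyz' },
];

// For each entry: the origin that would be enough to store in the clear,
// and what the raw URL leaks beyond that.
function audit(entries) {
  return entries.map(e => ({
    name: e.name,
    storeInstead: siteKey(e.url),
    leaks: leakedParts(e.url),
  }));
}

console.log(audit(SAMPLE_ENTRIES));
```

Origin-level matching is stricter than what most managers actually do (they usually match on the registrable domain using the public suffix list, so `login.example.com` and `www.example.com` share an entry); the point here is only that the unencrypted part can be reduced to a hostname, and even that hostname is still metadata an attacker can use for targeting.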