
Welp, looks like they were able to copy vaults to crack and, worse yet, they have the unencrypted URLs to choose what to target.

> The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.



Hm, with all that talk about "zero knowledge architecture", I thought your vault file would be encrypted "in one piece", not just the passwords. If they have the URLs in clear text, that's not really zero knowledge, now is it? And why do they need the URLs anyway, when I can share the passwords just fine from my local PC? Statistics?!


Honestly, URLs are a potentially massive threat vector themselves.

Are the URLs associated with individual users, either directly or in a bucketed fashion? Seems like no to the former, but the release leaves a lot to be desired.


Is anyone aware whether Bitwarden encrypts everything, or just the passwords like lastpass?


According to Bitwarden it’s all Login information (including usernames, passwords, URIs, TOTPs, etc.). [1]

[1]: https://bitwarden.com/help/vault-data/


Nice, thank you


LastPass is an enormous target, obviously. And, I guess, the inevitable has happened: Encrypted trove of passwords is "out there".

Let's assume one's master password is strong. And that LastPass knows how to encrypt data. We're really down to whether 256-bit AES can be brute forced, right? And I guess understanding phishing attacks.

I mean, yes, wouldn't it be great if LastPass had taken the measures with its development environment years ago? So put another way: lack of operational excellence is hopefully made up for by strong encryption. I hope.


    contains both unencrypted data, such as website URLs,
No, I think this is the worst that could have happened short of losing the clear-text passwords. No one is going to stop the attackers from looking for high-value login URLs and then spear-phishing the password for the offline vault.

Forcing a password reset onto customers is not going to help LastPass here.


Unfortunately, if you, like me, have been a LP customer for years, you are hosed.

Early on, they only did 500 rounds of AES which significantly weakens you even with a strong password.

So, I've had to change my master password and now I'm in the process of updating all my passwords :(

By not forcing a re-encryption when they upped the number of rounds, LP has hung all their old-time customers out to dry with this leak. It's not OK.
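To make the "rounds" point concrete, here is an added example (my own illustration, not LastPass code and not the page's) of why a low key-derivation iteration count matters once an attacker holds a copy of the vault. It models the master password being stretched with PBKDF2-HMAC-SHA256 (an assumption; the thread says "rounds of AES" and the real LastPass derivation is not described on this page), uses the account e-mail as the salt (assumption), and stores only a hash of the derived key as a verifier so that guesses can be checked offline (a simplification standing in for the real encrypted fields). The 100,100 figure is just a plausible modern iteration count chosen for the comparison; the wordlist and account are constructed.

```python
"""Added example (not LastPass code): how the PBKDF2 iteration count changes
the cost of an offline attack against a stolen vault.

Model (constructed for illustration):
  - master password -> PBKDF2-HMAC-SHA256 -> 256-bit vault key
  - the vault stores the e-mail (salt), the iteration count and a SHA-256
    verifier of the key, all in the clear, so a guess can be checked offline
"""
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

LOW_ROUNDS = 500        # iteration count the comment attributes to early LastPass accounts
HIGH_ROUNDS = 100_100   # assumed modern iteration count, used only for the comparison


def derive_key(master_password: str, email: str, rounds: int) -> bytes:
    """Stretch the master password into a 32-byte vault key.
    Using the account e-mail as the salt is an assumption of this model."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.encode(), rounds, dklen=32
    )


def make_vault(master_password: str, email: str, rounds: int) -> dict:
    """Build a toy 'stolen vault': exactly what an offline attacker would hold."""
    key = derive_key(master_password, email, rounds)
    return {
        "email": email,                              # salt, stored in the clear
        "rounds": rounds,                            # KDF parameter, stored in the clear
        "verifier": hashlib.sha256(key).digest(),    # lets a guess be checked offline
    }


def check_guess(vault: dict, guess: str) -> bool:
    """One offline guess: re-derive the key and compare the verifier."""
    key = derive_key(guess, vault["email"], vault["rounds"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), vault["verifier"])


def crack(vault: dict, wordlist: List[str]) -> Tuple[Optional[str], int, float]:
    """Offline dictionary attack. Returns (password or None, guesses tried, seconds)."""
    start = time.perf_counter()
    for tried, guess in enumerate(wordlist, 1):
        if check_guess(vault, guess):
            return guess, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def work_factor(low_rounds: int, high_rounds: int) -> float:
    """How many times more HMAC work each guess costs at high_rounds than at low_rounds.
    Cracking time scales linearly with this factor; the vault owner pays it once per login."""
    return high_rounds / low_rounds


if __name__ == "__main__":
    # Constructed wordlist; the real password is the last entry so every guess is tried.
    WORDLIST = ["password", "letmein", "correct horse", "Tr0ub4dor&3", "hunter2"]
    for rounds in (LOW_ROUNDS, HIGH_ROUNDS):
        vault = make_vault("hunter2", "alice@example.com", rounds)
        found, tried, secs = crack(vault, WORDLIST)
        print(f"{rounds:>7} rounds: found={found!r} after {tried} guesses in {secs:.3f}s")
    print(f"each guess costs {work_factor(LOW_ROUNDS, HIGH_ROUNDS):.1f}x more "
          f"at {HIGH_ROUNDS} rounds than at {LOW_ROUNDS}")
```

Run it and the timing lines show the only defence the vault owner has once the blob is copied: the per-guess cost. Raising the iteration count on the server changes nothing for a vault that was encrypted under the old count and never re-encrypted, which is the point the comment above makes.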


> LastPass is an enormous target, obviously. And, I guess, the inevitable has happened: Encrypted trove of passwords is "out there".

This is why a company’s bug bounty should be the sum of the assets protected by the data they have, for all their customers, minus $1.

Sounds crazy? Don’t store all passwords at the same place.


'form-filled data' includes the 'Payment cards' section, I believe, which should then make securing your cards an even larger priority than having to change your passwords.


Why are the sites where you have accounts not part of your encrypted vault?

Can someone confirm my understanding that 1Password does in fact encrypt the entire vault, including the URL/domain associated with each login?


No, as stated, they don't encrypt the URL. This is likely so that, regardless of what you have entered for your "when is master password required" settings, the browser plugin can highlight when it knows that you've entered a password for a site.


Was your answer about what LastPass does, or what 1Password does? The person you replied to was asking about 1Password.



