Agreed.  Although I understand you do need the password iteration count to not be encrypted.

This should be a requirement, not a feature, I’m leaving the platform after being a paying user on it for most of its existence because not all the data is encrypted and we are now at risk of targeted phishing attacks. I will consider returning only if this feature is implemented and a third party audit has been performed proving security measures have been implemented to better protect user data.

I would also encourage the encryption of the whole blob.  I've put some sensitive information into the comment fields thinking that all this would be encrypted.  I guess that is on me.  If you want my continued subscription, I need you to encrypt all of it.

And I don't know if you do this or not, but you might just encrypt our encrypted blob with your own encryption.  That way anyone getting our vault would have to crack your encryption AND then our encryption. 

Thanks for listening.

The notes (or comments as you call them) on a password record are encrypted.

I am surprised and disappointed that user's metadata is not encrypted. This is a basic requirement. I think, at minimum, that some meta data can remain not encrypted such as house keeping data that does not contain user data (e.g., URL, account settings) or personally identifiable information (e.g, usernames that are emails, etc...).

Absolutely i agree with all posters so far, ALL information should be encrypted.  i went so far as to buy Keeper after the last database compromise.  it is not as good at auto-filling as LP is so I'm still here from now.  but it will take only one whiff of any more breeches and i'm outta here. 

Really, if you're encrypting passwords how hard can it be to encrypt URLs.  

and now that I've read Mark35 comments that suggest our Notes field is unencrypted I'm really concerned.  credit card expiry dates and back of card codes.  holy schit!

@Mike_Ka as I understand it, Mark35‘s information on comments/notes is incorrect. Everything I have read says that the notes on a record are encrypted.

I agree that all fields need to be encrypted.

JayMein, are you sure about the notes being encrypted?  "as i understand it" is a bit too loose.  i nearly had a heart attack when i read Mark35's comment.  how could LP possibly encrypt notes and then make a conscious decision to Not encrypt URLs?

Is there a definitive statement somewhere of what is and is not encrpted?

Further to my earlier comments i just read the data breech report.  it said that Secure Notes are encrypted but i use the Notes field of related passwords to store information.  they are not the same as Secure Notes.  it is frustrating that there is no one place where LP definitively states what is and is not encrypted.

I'm not feeling very good since signing on to the blog today but have no more time to invest in this.  my Keeper licences is waiting!

here is the URL of the LP disclosure of what was and was not encrypted.  i have an opinion but see what you guys think of it in terms of security of Notes data.  they sure don't make it easy to find this page!

https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incid...