Ok, I was tired of rumors speculating about which #LastPass fields appear to be encrypted client-side before being sent to LastPass, so I ran some tests of my own.
For a basic "Password" item, here is what I can tell so far.
When saving the item, the following primary fields are transmitted encrypted:
- Name
- Extra (Notes field)
- Username
- Password
- TOTP (not in this screenshot, but did test)
However, I also observed the following fields having a cleartext (hex) version in the payload as well:
- Name
- Username
- URL
- Folder Name (not hex)
So in other words, there is more than just the URL being transmitted to LastPass in the clear, which makes sense because LastPass' Admin console reveals login activity for all users which includes Name, Username, and URL of the login event; so naturally, these things must be transmitted and kept server-side outside of the vault. However, this once again does go against their "zero-knowledge of anything in your vault" marketing...
Screenshots of this test below. I have omitted the encrypted data to prevent revealing enough for a "Known Plaintext Attack" to derive a key, but the relevant pieces are visible.
If I am missing anything here, do let me know.