LastPass enforces master passwords to 12 characters


Two years after suffering a series of major breaches, LastPass has begun implementing stricter password measures for its customers.

These include requiring all customers to use a master password of at least 12 characters.

This measure has been the default option for LastPass since 2018. In April 2023, it became mandatory for new and existing customers who reset their master password.

However, other existing customers, i.e. those who joined before April 2023 and did not change their master password, could until now keep their master passwords shorter.

In a blog post announcing the change, Mike Kosak, Senior Intelligence Analyst at LastPass, explained: “When it comes to password security and resiliency, there is strength in numbers. But that’s just the beginning. Password strength is a complex concept that depends on a number of factors, including length, complexity and unpredictability.

Although current National Institute of Standards and Technology (NIST) guidelines (NIST 800-3B) require human-generated passwords to be at least eight characters long, recent advances in technology and hacking techniques of passwords and brute force mean that even longer delay is required. password is recommended, he continued.

Additional Recommendations for a Good Master Password

LastPass has provided a list of additional recommendations for customers needing to change their master password. These include:

  • A master password longer than 12 characters is recommended
  • Use at least one of the following: uppercase, lowercase, numeric, and special characters
  • Make the new master password memorable, but hard to guess (e.g. passphrase)
  • Ensure that it is unique to a single individual and is not reused elsewhere
  • No email address as master password
  • No personal information in master passwords
  • No sequential characters (e.g. ‘1234’) or repeated characters (e.g. ‘aaaa’)

A gradual deployment will be implemented from the end of January to gradually encourage customers to implement the new measure.

This new policy “is just one part of a progressive set of initiatives designed to help our customers better protect themselves against current and emerging cyber threats,” Kosak said. wrotewhich suggests that new password security measures could be rolled out soon.

MFA re-registration announced

LastPass will also begin cross-checking its customers’ new master passwords against a database of known breached credentials to ensure the password has not been previously exposed on the dark web.

The company will also begin inviting customers to re-enroll their multi-factor authentication (MFA) with popular authenticators such as Microsoft Authenticator and Google Authenticator.

Read more: Is MFA enough to protect you against cyberattacks?

These new measures come after LastPass suffered several violations in 2022, which saw an unauthorized party access some company data.

The series of incidents, widely reported by Information security Magazine, highlighted the importance of having a long and complex master password when using a password manager.

Read more: LastPass Breaches: Password Managers in the Spotlight

Leave a comment