LastPass Enforces 12-Character Master Passwords

Written by

Two years after suffering a series of major beaches, LastPass has started implementing stricter password measures for its customers.

These include the requirement for all customers to use a master password with at least 12 characters.

This measure has been LastPass’ default option since 2018. In April 2023 it was made mandatory for new customers and existing customers who reset their master passwords.

However, other existing customers, i.e. those who joined before April 2023 and had not changed their master password, could keep their shorter master passwords until now.

In a blog post announcing the change, Mike Kosak, LastPass senior principal intelligence analyst, explained: “When it comes to password security and resilience, there’s strength in numbers. But that’s just for starters. Password strength is a complex notion that’s informed by a number of factors including length, complexity, and unpredictability.”

Although the current National Institute of Standards and Technology (NIST) guidelines (NIST 800-3B) require that human-generated passwords be at least eight characters in length, recent advances in password cracking and brute-forcing technology and techniques mean that an even longer password is recommended, he continued.

Additional Recommendations for a Good Master Password

LastPass provided a list of additional recommendations for customers needing to change their master password. These include:

  • A master password longer than 12 characters is recommended
  • Using at least one of each of the following: upper case, lower case, numeric, and special character values
  • Making the new master password memorable, but not easily guessed (e.g. passphrase)
  • Making sure that it is unique only to an individual and not reused anywhere else
  • No email addresses as master passwords
  • No personal information in master passwords
  • No sequential characters (e.g. ‘1234’) or repeated characters (e.g. ‘aaaa’)

A phased rollout will be implemented from the end of January to progressively nudge customers to implement the new measure.

This new policy “is just one part of a progressive set of initiatives designed to help our customers better protect themselves from current and emerging cyber threats,” Kosak wrote, suggesting new password security measures could be rolled out soon.

MFA Re-Enrollment Announced

LastPass will also begin cross-checking its customers’ new master passwords against a database of known breached credentials in order to ensure the password has not been previously exposed on the dark web.

The firm will also start prompting customers to re-enroll their multi-factor authentication (MFA) with common authenticators like Microsoft Authenticator and Google Authenticator.

Read more: Is MFA Enough to Protect You Against Cyber-Attacks?

These new measures come after LastPass suffered multiple breaches in 2022, which saw an unauthorized party gain access to some of the company’s data.

The series of incidents, extensively reported by Infosecurity Magazine, highlighted the importance of having a long and complex master password when using a password manager.

Read more: The LastPass Breaches: Password Managers in the Spotlight

What’s hot on Infosecurity Magazine?