LastPass Hikes Password Requirements to 12 Characters

A phased rollout will also prompt LastPass customers to re-enroll their accounts in multifactor authentication (MFA) to prevent future breaches.

LastPass logo displayed on mobile device screen
Source: SOPA Images Limited via Alamy Stock Photo

Password-manager purveyor LastPass has announced it's setting new rules about the strength of customer passwords, with a new mandate that account master passwords include a minimum of 12 characters.

A Jan. 2 blog post from LastPass senior principal intelligence analyst Mike Kosak explained that although the current National Institute of Standards and Technology (NIST) guidelines recommend an eight-character password, advances in password cracking and the human tendency toward lazy password choices make 12 characters an even more secure choice.

LastPass Beefing Up Passwords, MFA & More

"By now enforcing a minimum 12-character master password requirement, along with the PBKDF2 iteration increases we delivered earlier this year, we are proactively helping our customers create stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data," Kosak wrote.

Customers who aren't in compliance will be prompted to update their password, but those who already have a strong password won't need to take any additional actions, Kosak added.

"This policy will be implemented via a phased rollout to our customer base, with email notifications being sent to our Free, Premium and Families customers first, followed by our Teams and Business customers towards the end of January 2024," Kosak wrote.

LastPass is also rolling out MFA re-enrollment for federated business customers who use widely available authenticators (Microsoft Authenticator, Google Authenticator, or LastPass Authenticator), as well as re-enrollment for grid authentication, the post said.

The company, which has suffered a string of security incidents and breaches, will also check updated passwords against a database of those known to have been exposed on the Dark Web and provide prompts for account holders to change to a more secure password.

"If the password is detected in a prior breach, a 'Security Warning' pop-up will alert the customer that the password has already been exposed, in which case they will be prompted to choose another password in order to proceed," according to the blog post.
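The enforcement flow the two preceding passages describe, with the minimum length, the PBKDF2-based vault key derivation, and the check against known-exposed passwords, as an added example that is not LastPass's own code. The iteration count, the SHA-1 hash comparison, and the tiny exposed-password set are assumptions constructed for this example; the article gives none of them.

```python
import hashlib
import os
from typing import Optional

MIN_MASTER_PASSWORD_LENGTH = 12      # the minimum the article describes
PBKDF2_ITERATIONS = 600_000          # assumed count; the article gives no figure

# Constructed stand-in for a corpus of previously exposed passwords.
# A real service would hold hashes of breached passwords, never plaintext;
# these three entries are made up for the example.
EXPOSED_PASSWORD_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password1234", "correcthorsebattery", "letmein12345")
}

def check_master_password(password: str) -> Optional[str]:
    """Return None if the password passes policy, otherwise the rejection reason."""
    if len(password) < MIN_MASTER_PASSWORD_LENGTH:
        return f"must be at least {MIN_MASTER_PASSWORD_LENGTH} characters"
    # Breach check compares a hash of the candidate, not the plaintext itself.
    digest = hashlib.sha1(password.encode()).hexdigest()
    if digest in EXPOSED_PASSWORD_SHA1:
        return "Security Warning: this password has already been exposed in a prior breach"
    return None

def derive_vault_key(password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 256-bit vault encryption key with PBKDF2-HMAC-SHA256.

    Policy is enforced here as well, so a weak or exposed master password
    can never reach key derivation. A higher iteration count raises the
    cost of every offline guess an attacker makes against a stolen vault.
    """
    reason = check_master_password(password)
    if reason is not None:
        raise ValueError(reason)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

if __name__ == "__main__":
    salt = os.urandom(16)   # per-account random salt, generated once at enrollment
    for candidate in ("short1!", "password1234", "Tr0ub4dor&3-long-enough"):
        reason = check_master_password(candidate)
        print(f"{candidate!r}: {'OK' if reason is None else reason}")
    print("derived key:", derive_vault_key("Tr0ub4dor&3-long-enough", salt).hex())
```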

A LastPass spokesperson confirmed to Dark Reading that the new master password rules are not the result of a new cybersecurity incident at the company. A massive breach in August 2022, as well as subsequent follow-on attacks, allowed threat actors to access and steal data from the LastPass cloud storage service, including a backup of LastPass customer vault data as well as LastPass source code.

