LastPass Hikes Password Requirements to 12 Characters

A phased rollout will also prompt LastPass customers to re-enroll their accounts in multifactor authentication (MFA) to prevent future breaches.
January 3, 2024
Password-manager purveyor LastPass has announced it's setting new rules about the strength of customer passwords, with a new mandate that account master passwords include a minimum of 12 characters.
A Jan. 2 blog post from LastPass senior principal intelligence analyst Mike Kosak explained that although the current National Institute of Standards and Technology (NIST) guidelines recommend an eight-character password, advancements in password cracking and the human tendency toward lazy password picking make 12 characters an even more secure choice.
"By now enforcing a minimum 12-character master password requirement, along with the PBKDF2 iteration increases we delivered earlier this year, we are proactively helping our customers create stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data," Kosak wrote.
Customers who aren't in compliance will be prompted to update their password, but those who already have a strong password won't need to take any additional actions, Kosak added.
"This policy will be implemented via a phased rollout to our customer base, with email notifications being sent to our Free, Premium and Families customers first, followed by our Teams and Business customers towards the end of January 2024," Kosak wrote.
LastPass is also pushing out MFA re-enrollment for federated business customers using widely available authenticators from Microsoft, Google, or LastPass Authenticator, as well as re-enrollment for grid authentication, the post said.
The company, which has suffered a string of security incidents and breaches, will also check updated passwords against a database of those known to have been exposed on the Dark Web and provide prompts for account holders to change to a more secure password.
"If the password is detected in a prior breach, a 'Security Warning' pop-up will alert the customer that the password has already been exposed, in which case they will be prompted to choose another password in order to proceed," according to the blog post.
A LastPass spokesperson confirmed to Dark Reading that the new master password rules are not the result of a new cybersecurity incident at the company. A massive breach in August 2022, as well as subsequent follow-on attacks, allowed threat actors to access and steal data from the LastPass cloud storage service, including a backup of LastPass customer vault data as well as LastPass source code.
Becky Bracken, Editor, Dark Reading