LastPass forces its users to create longer, heavier passwords
LastPass is forcing customers to set 12-character master passwords if they haven't already, in an effort to improve security after a major incident in 2022.
While this has been a default option since 2018, LastPass customers have been able to bypass the twelve-character recommendation, which will now soon be mandatory.
On its website, the password manager said the new requirement exceeds current National Institute of Standards and Technology (NIST) guidelines, which state that human-generated passwords must be at least eight characters long.
Security boost for LastPass
In a company blog postLastPass Senior Principal Intelligence Analyst Mike Kosak said the password length requirement is part of a progressive series of initiatives the company is rolling out to protect customer accounts, minimizing the chance of successful attacks.
In an email to customers seen by Ny BreakingLastPass said in response to why it made this change: “We are committed to adhering to the latest security standards and industry best practices to protect against external threats.”
There's also the fact that the company suffered a “security incident” in 2022, where an unauthorized party gained access to some of the company's data.
Starting in January 2024, LastPass users' master password must contain at least 12 uppercase, lowercase, numeric, and special characters.
Free, Premium and Family customers will be among the first to be notified of the change, with Teams and Business customers expected to receive an alert in late January.
Starting in February, new and reset master passwords will also be compared in real time against a list of publicly disclosed credentials on the dark web. Users will receive a security alert if their chosen password has previously been leaked.
Customers who don't meet the deadline will be logged out and forced to create a new master password, allowing LastPass to ensure that all customers have taken the necessary steps.
A LastPass spokesperson confirmed this in an email Ny Breaking which will start a phased rollout for business customers on January 8.