LastPass is getting stricter on master passwords in the wake of a disastrous 2022 security breach


LastPass has announced it will now enforce a minimum character length policy for master passwords as part of a sweeping update. 

Users of the password manager platform will now be required to set a master password of at least 12 characters in order to bolster account security, the company revealed this week.

In a blog post announcing the updates, LastPass said this new requirement is one part of a set of new initiatives to help improve overall customer account security.

LastPass will also continue its multi-factor authentication (MFA) re-enrollment process that requires users to reset their MFA settings in order to continue using the service.

The decision to mandate a minimum length of 12 characters, rather than the NIST-recommended 8, is a security precaution the company said reflects the current capabilities of password cracking and brute-force attacks.

LastPass said its policy has been in place for a number of years already, with a 12-character master password being the service’s default setting since 2018.

Yet until now LastPass allowed users to forgo this precaution and choose shorter, less secure master passwords for convenience.

Users that have tried to reset their master passwords since April 2023 will have already been required to use a minimum of 12 characters, and from January 2024, all users will have to do the same.

LastPass said it will also cross-check every new master password against a database of compromised credentials previously published on the dark web. Users will be notified if their password has been exposed and will receive prompts to select a new master password.
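As an added illustration, not LastPass's own code, the two checks the article describes (a 12-character minimum and a lookup against a compromised-credential corpus) could be combined in a client-side validator like the one below. The breach set is constructed here, and the k-anonymity range query is an assumed design (the client sends only a SHA-1 prefix so the lookup service never sees the full hash).

```python
import hashlib
from dataclasses import dataclass

# The minimum the article says LastPass now enforces; NIST SP 800-63B's floor is 8.
MIN_MASTER_PASSWORD_LENGTH = 12

# Constructed stand-in for a compromised-credential corpus: SHA-1 hex digests of
# passwords already seen in breaches. A real corpus holds hundreds of millions.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "correcthorsebatterystaple", "Winter2023!!")
}


def range_lookup(prefix: str) -> set:
    """Simulate a k-anonymity 'range' query (assumed design): the caller sends only
    the first 5 hex characters of a SHA-1 and receives every stored suffix that
    shares that prefix, so the service cannot tell which password was checked."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the (constructed) breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


@dataclass
class PolicyResult:
    accepted: bool
    reason: str


def check_master_password(candidate: str) -> PolicyResult:
    """Apply the policy in order: length first (cheap, local), then breach lookup."""
    if len(candidate) < MIN_MASTER_PASSWORD_LENGTH:
        return PolicyResult(False, f"shorter than {MIN_MASTER_PASSWORD_LENGTH} characters")
    if is_breached(candidate):
        return PolicyResult(False, "appears in a compromised-credential database")
    return PolicyResult(True, "ok")


if __name__ == "__main__":
    for pw in ("password123", "Winter2023!!", "plaintext-guardrail-7A!"):
        print(pw, check_master_password(pw))
```

Note that "Winter2023!!" passes the length check yet is still rejected, which is why the breach lookup matters even after a length minimum is enforced.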

The company announced its new password policy will undergo a phased rollout coming to personal users first and then enterprise customers towards the end of January.

LastPass master passwords: Why make changes now?

LastPass said it is taking this course of action in response to the "constantly changing cyber threat environment", which includes "recent advances in password cracking/brute forcing technology and techniques".

The move follows a difficult 18 months for LastPass fraught with damaging security incidents and confusion around the safety of customer data.

The company disclosed a security incident in August 2022, initially claiming that no customer data was stolen and quickly declaring the incident closed. 

But this initial unauthorized access precipitated a drawn-out series of further security breaches that saw threat actors compromise the device of a senior engineer with access to critical decryption keys.

Since then, hackers have been using private keys and passphrases from the exfiltrated LastPass data to target individuals, with over $4 million in stolen cryptocurrency being linked to the data breach.

LastPass’ botched customer response in the wake of the incident was highly criticized and seriously harmed user confidence. 

The protracted scandal saw the company fumble its communications with customers on several occasions, prompting CEO Karim Toubba to issue an apology to users.

Toubba said the company had learned valuable lessons from its response, adding that he sympathized with customers' "frustration with our inability to communicate more immediately, more clearly, and more comprehensively" throughout the process.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.