LastPass has made it compulsory for all users to have master passwords with a minimum length of 12 characters.
LastPass has imposed a mandatory change on all users, instructing them to update their master passwords to a minimum length of 12 characters. The move comes amid speculation that it was prompted by the 2022 security breach.
In a recent email to its user base, LastPass conveyed this new requirement, stating, “You must now ensure that all master passwords consist of at least 12 characters. If your current master password doesn’t meet this requirement, you must promptly update it.”
The email underscores LastPass’s dedication to adhering to the latest industry security standards and best practices, explaining that this adjustment aims to bolster overall security. A LastPass spokesperson clarified that this measure does not directly respond to a recent threat or incident but did mention plans to issue a more comprehensive statement.
Nevertheless, LastPass may be reacting to recent revelations regarding a significant breach in the previous year. In this breach, an unauthorized individual accessed the password vaults of all users, which, despite encryption, could remain susceptible to compromise if the attacker successfully guessed the master password for each vault.
Reports indicate that some victims of the LastPass breach may be experiencing unauthorized access to their cryptocurrency wallet login details. Security experts suspect that cybercriminals have been attempting to crack master passwords from these vaults, and this task becomes considerably easier with shorter passwords. Interestingly, LastPass began mandating a minimum password length of 12 characters for new users in 2018 but neglected to implement this requirement for existing users, as journalist Brian Krebs reported. Additionally, concerns exist that LastPass may not have employed adequate encryption measures to thwart potential password-cracking attempts.
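The point above, that a stolen encrypted vault falls only if the master password can be guessed and that shorter passwords and weaker key derivation both make guessing cheaper, can be made concrete by estimating offline guessing cost. The following is an added example (not LastPass code and not from the article); the guess rate, the character-pool sizes and the PBKDF2 iteration counts compared are assumptions chosen to show the shape of the effect, not measured figures.

```python
import math

# Constructed assumptions for illustration only: an attacker's throughput against
# a vault key derived with ONE PBKDF2 iteration, and the seconds in a year.
BASE_GUESSES_PER_SEC = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed iteration counts: a low legacy setting versus a modern recommendation.
LEGACY_ITERATIONS = 5_000
MODERN_ITERATIONS = 600_000


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_years(length: int, pool: int, kdf_iterations: int,
                      guesses_per_sec: float = BASE_GUESSES_PER_SEC) -> float:
    """Years to exhaust the keyspace when each guess costs kdf_iterations hash rounds."""
    keyspace = pool ** length
    effective_rate = guesses_per_sec / kdf_iterations  # guesses per second after the KDF
    return keyspace / effective_rate / SECONDS_PER_YEAR


def meets_policy(password: str, min_length: int = 12) -> bool:
    """The new LastPass rule described in the article: at least 12 characters."""
    return len(password) >= min_length


def length_gain(pool: int, short: int = 8, long: int = 12) -> float:
    """How many times longer a brute-force search takes for `long` vs `short` characters."""
    return brute_force_years(long, pool, 1) / brute_force_years(short, pool, 1)


if __name__ == "__main__":
    for pwd in ("hunter22", "correct-Horse-9"):
        pool = charset_size(pwd)
        print(f"{pwd!r}: policy ok={meets_policy(pwd)} pool={pool}")
        for iters in (LEGACY_ITERATIONS, MODERN_ITERATIONS):
            years = brute_force_years(len(pwd), pool, iters)
            print(f"  {iters:>7} iterations -> {years:.3g} years to exhaust")
```

Run stand-alone it prints, for each sample password, the exhaustive-search time under the legacy and modern iteration counts; the interesting comparison is that going from 8 to 12 characters multiplies the work by pool^4, while the iteration count multiplies it only linearly.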
Although conclusive evidence linking the cryptocurrency thefts to the LastPass breach is lacking, it appears that LastPass is actively working to enhance login security for all users, notwithstanding the damage already incurred. As an additional precaution, the company recently began prompting users to reset their multi-factor authentication (MFA) for their accounts. LastPass explained that the MFA re-enrollment process cannot be completed solely by the company and requires customers to take action to secure their accounts. A subset of users had not yet taken this recommended step, prompting LastPass to encourage them to do so during their next log-in.