LastPass boosts security with a mandatory 12-character minimum for master passwords, ensuring enhanced account protection.
Today, LastPass announced a mandatory upgrade to enhance account security, requiring users to adopt complex master passwords with a minimum length of 12 characters. LastPass first set a 12-character master password requirement in 2018, but it was not enforced, so users could still choose shorter passwords. Starting this month, LastPass enforces the 12-character requirement for all accounts.
Additionally, LastPass now verifies new or updated master passwords against a database of credentials leaked on the dark web to prevent compromises. If a match is found, users receive a security warning to choose a different password.
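As an added illustration (not LastPass's own code), here is how a signup or password-change flow could apply both checks described above: the 12-character floor and a leaked-password lookup. The breach corpus below is constructed for the example, and the lookup sends only a 5-character SHA-1 prefix so the full hash never leaves the client.

```python
from __future__ import annotations

import hashlib
from typing import Iterable

MIN_MASTER_PASSWORD_LENGTH = 12  # the minimum LastPass now enforces

# Constructed stand-in for a breach corpus. A real deployment queries a
# breach-data service; it never embeds leaked plaintexts in the client.
_CONSTRUCTED_LEAKED = ["password1234", "correcthorsebattery", "Summer2023!!"]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the usual key for breach lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(leaked: Iterable[str]) -> dict[str, set[str]]:
    """Bucket leaked passwords by the first 5 hex chars of their SHA-1.

    This mirrors a k-anonymity range lookup: the client reveals only the
    prefix and receives every suffix in that bucket, then matches locally.
    """
    index: dict[str, set[str]] = {}
    for pw in leaked:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(_CONSTRUCTED_LEAKED)


def range_lookup(prefix: str, index: dict[str, set[str]] = BREACH_INDEX) -> set[str]:
    """Simulated server side: all hash suffixes sharing the 5-char prefix."""
    return index.get(prefix, set())


def is_leaked(password: str, index: dict[str, set[str]] = BREACH_INDEX) -> bool:
    """Client side: send the prefix, compare suffixes locally."""
    digest = sha1_upper(password)
    return digest[5:] in range_lookup(digest[:5], index)


def evaluate_master_password(password: str, index: dict[str, set[str]] = BREACH_INDEX) -> str:
    """Return 'too_short', 'leaked', or 'ok', in the order a signup flow would check."""
    if len(password) < MIN_MASTER_PASSWORD_LENGTH:
        return "too_short"
    if is_leaked(password, index):
        return "leaked"
    return "ok"
```

Note that a 12-character password that already appears in a breach corpus (such as the constructed "Summer2023!!") passes the length check but is still rejected, which is the point of layering the second check.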
To further bolster security, LastPass initiated a mandatory multi-factor authentication (MFA) re-enrollment process in May 2023, causing login issues for some users.
Mike Kosak, Senior Principal Intelligence Analyst at LastPass, stated, “Changes include requiring customers to update master password length and complexity, as well as re-enrolling in multi-factor authentication.”
Starting January 2024, LastPass universally mandates a 12-character master password. In February, LastPass will check new/reset passwords against a database of known breaches to ensure they are secure.
LastPass will email Business-to-Consumer (B2C) customers today and Business-to-Business (B2B) customers on January 10th regarding these changes, according to information shared with BleepingComputer.
Uncovering the Vulnerability of Master Passwords
LastPass implemented these measures in response to security breaches in August and November 2022. In August, a compromised developer account led to a breach of the development environment, resulting in the theft of source code and internal system secrets. That information played a key role in the December breach, where attackers, after compromising a DevOps engineer’s computer, stole customer vault data from encrypted Amazon S3 buckets.
In October 2023, hackers seized $4.4 million in cryptocurrency, extracting private keys and passphrases from LastPass databases stolen in the 2022 breaches. Ongoing research indicates that threat actors are cracking the master passwords of stolen LastPass vaults to gain unauthorized access to their contents.
These actors search for cryptocurrency wallet details, credentials, and private keys, loading them onto their devices to drain funds. LastPass, used by over 33 million individuals and 100,000 businesses globally, remains committed to its password management solution.