Embattled LastPass Enforcing 12-Character Passwords for All – Source: securityboulevard.com

Password manager vendor LastPass, beset by high-profile data breaches from 2022 that affected millions of users, is strengthening the security requirements for its customers, including requiring all of them to use a minimum of 12 characters for their master passwords.

The company starting next month also will start checking new and reset passwords against a database of credentials that are known to have been breached and is enabling re-enrollment into multifactor authentication programs from the likes of Google, Microsoft, and LastPass, with re-enrollment for Grid authentication coming soon.

“All of these changes are intended to help make our customers more secure,” Mike Kosak, senior principal intelligence analyst for LastPass, wrote in a blog post this week.

Shifting to a 12-character minimum for master passwords isn’t new for the company. It’s been the default setting since 2018 – though customers could still bypass it and create a password with fewer characters – and since April 2023, all new users and existing ones who wanted to reset their master passwords were required to use at least 12 characters.

However, those existing customers who had a password with fewer characters and didn’t move to reset it weren’t required to adopt the 12-character minimum – until now.

“By now enforcing a minimum 12-character master password requirement, along with the PBKDF2 iteration increases we delivered earlier this year, we are proactively helping our customers create stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data,” Kosak wrote.

A Phased Approach

LastPass is taking a phased approach to rolling out the requirement, with emails being sent first the company’s Free, Premium, and Families program users, with alerts going out to Teams and Business customers later this month.

How long before all customers have adopted the requirement is unknown. Kosak noted that LastPass is letting customers decided on the length of time between account logins, when they will be prompted to enter a master password.

When a customer logs into their LastPass account, those with the shorter passwords will be prompted to create a new master password with at least 12 characters, with such requirements as using upper- and lower-case letters, numeric and special characters, make it memorable but difficult to guess, and ensure it’s not a password that the customer is using elsewhere.

They come after more than a year of harsh criticism from within the cybersecurity community about not only the breaches in 2022 – whose effects continued to roll into last year – but also for a lack of transparency and for not making stronger passwords a requirement before the hacks.

Attacks, Criticism Started in 2022

A threat actor first breached LastPass’ systems in early August 2022 and spent four days grabbing source-code repositories and other information before being detected. They used information exfiltrated from that first breach in a more widespread incident days later and remained active in LastPass’ systems for several months.

In November 2022, LastPass executives said that hackers were able to steal password vaults – which include such encrypted and unencrypted data as passwords, website URLs, credit card information, and secure notes – from more than 25 million users.

When the company in September 2022 began notifying customers that they would soon be required to change their master password if it held fewer than 12 characters, they were accused by some who said the move was more of a publicity stunt in hopes of stemming some of the criticism.

LastPass is saying otherwise, with Kosak wrting that “these changes are being implemented in response to the constantly changing cyber threat environment with the goal of making our customers more secure.”

He noted that guidelines from the National Institute of Standards and Technology (NIST) for human-generated passwords call for at least eight characters, though the more characters the better.

“Given recent advances in password cracking/brute forcing technology and techniques, coupled with the natural human tendency to create passwords that are predictable and easy to remember, an even longer password is recommended,” Kosak wrote.