LastPass is updating its security requirements to enforce 12-character-long master passwords that are harder to crack.
Master passwords in password managers are a single, primary password the user has to remember in order to unlock their vaults, where all their secrets and credentials to login to websites and online services are stored. Since the master password is the “master key” in a sense, it is crucial that it’s strong, unique, and kept completely private.
Password length is directly associated with crackability due to the number of possible combinations increasing exponentially with each added character. Currently, the recommended length by the National Institute of Standards and Technology (NIST) is eight characters, but considering the advancements in technology, particularly GPUs that can be used in brute-forcing, coupled with users’ tendency to pick easy-to-remember passwords, 8-character long passwords are no longer considered very safe.
“Exposed passwords are easy to crack. Modern password crackers can ingest lists of known passwords as part of their dataset, which dramatically reduces the amount of time it takes to figure out an account’s credentials. Requiring our customers to choose a password that has not already been exposed makes cracking it substantially more difficult.”
LastPass
A master password length of 12 characters has been the default for new accounts on LastPass since 2018 and has been made mandatory on new accounts and reset actions since April 2023. However, starting in January 2024, LastPass will enforce it to all existing customers who aren’t using a long enough password, obliging them to pick a new one.
Users who are prompted to pick a new, 12-character long password should ensure it is not reused from another account or service, it does not contain personal information or repeated/sequential characters and includes a mix of character types like uppercase and lowercase letters, numbers, and special characters.
Consider using a memorable but unpredictable passphrase that constitutes of a string of words, and is much longer than the minimum requirement of 12 characters.
LastPass’ decision to enforce stronger master password requirements and other security measures is, in part, a response to a previous security incident that has resulted in reputation damage and legal troubles for the software vendor.
LastPass mentioned in the announcement that resetting multi-factor authentication (MFA) and other updates are necessary actions to mitigate the remaining risk stemming from the prior exposure of the LastPass MFA/Federation database backup.
The new master password policy will be enforced via a phased rollout, starting by the end of this month, so not all users will be prompted to pick a new, long enough password simultaneously.
LastPass plans to perform checks on newly set passwords against a database of credentials that have leaked on the dark web to ensure that none of the new master passwords set by the users has been exposed to cybercriminals. When there’s a match, the user will be served a ‘Security Warning’ alert on the app, prompting them to choose a different password.