LastPass has started enforcing a 12-character minimum for master passwords. The company is also carrying out additional measures to bolster its security against emerging threats. Previously, users could choose a weaker password despite the recommendation for a longer one. The new policy will hopefully put an end to the security breach woes that the password manager application suffered in 2022. To make matters worse, cybersecurity experts claimed that the security lapses led to a wave of crypto thefts.
LastPass now requires a 12-character minimum master password
LastPass revealed in a blog post that since April 2023, all new users, and existing users who took steps to reset their master password, have been required to meet the 12-character minimum. However, this change did not affect legacy customers, who continued using a shorter and weaker master password. For the uninitiated, the master password is the one that secures the LastPass account. If the account is compromised, all stored credentials are likely exposed. Still, the company claimed that as long as customers followed ‘best practices’ irrespective of the password strength, their data would remain secure.
Now, all master passwords on LastPass must be 12 characters or more, which will remain the default setting. The master password must include uppercase, lowercase, numeric, and special characters, as is generally required for passwords nowadays.
New master password requirement is now rolling out
LastPass says that the new master password policy is rolling out in a phased manner. Free, Premium, and Family accounts are being notified first via email starting January 8. Business and Teams customers will have to comply towards the end of January 2024. Users who already have a 12-character master password don’t need to make any changes and are good to go. Everybody else will have to create a longer master password. User accounts that don’t comply with the new policy will be logged out and asked to set a new password.
LastPass will also cross-check passwords against the dark web
In addition to the longer password requirement, starting next month, LastPass will begin checking new or reset master passwords against a database of known breached credentials on the dark web. If the chosen credential has already been exposed, the password manager will display a security warning pop-up prompting the user to choose a different password.