LastPass is forcing customers to set up 12-character master passwords, if they haven’t already, in an effort to improve security following a major incident in 2022.
While this has been a default option since 2018, LastPass customers have been able to evade the 12-character recommendation, which will soon be mandatory.
On its website, the password manager said the new requirement surpasses the current National Institute of Standards and Technology (NIST) guidelines, which state that human-generated passwords should be at least eight characters long.
LastPass security boost
In a company blog post, LastPass Senior Principal Intelligence Analyst Mike Kosak said the password length requirement is part of a progressive set of initiatives that the company is rolling out in order to protect customer accounts, thus minimizing the likelihood of any successful attacks.
In an email to customers seen by TechRadar Pro, LastPass explained why it was making the change: “We’re committed to meeting the latest industry security standards and best practices to protect against external threats.”
There’s also the fact that the company suffered a “security incident” in 2022, which saw an unauthorized party gain access to some of the company’s data.
From January 2024, LastPass users’ master passwords should include at least 12 characters, made up of upper case, lower case, numeric, and special characters.
Free, Premium, and Family customers are among the first to be notified about the change, and Teams and Business customers are expected to receive a warning by the end of January.
From February, new and reset master passwords will also be cross-referenced in real time against a list of exposed credentials on the dark web. Users will receive a security warning if the password they choose has been previously leaked.
Customers who fail to meet the deadline will be logged out and forced to create a new master password, helping LastPass to ensure that all customers have taken the necessary steps.
A LastPass spokesperson confirmed in an email to TechRadar Pro that a phased rollout begins on January 8 for business customers.