LastPass, the password management service, has announced a significant security enhancement by mandating a minimum 12-character complex master password for all users. While LastPass had set a 12-character default since 2018, users could choose weaker passwords. However, starting this month, all accounts will be required to adhere to the 12-character master password standard. Additionally, LastPass will now check new or updated passwords against a dark web database of previously leaked credentials, alerting users if a match is found and prompting them to choose a different password for heightened protection against cracking attempts.
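The two controls described above, a 12-character complexity minimum plus a check against a leaked-credential corpus, can be expressed as a small validator. This is an added illustration, not LastPass code; the page does not say how LastPass queries its breach database, so the example assumes a k-anonymity style lookup (only the first five characters of the password's SHA-1 hash leave the client) over a constructed, in-memory sample corpus.

```python
import hashlib
import re

MIN_LENGTH = 12  # the minimum the article describes

# Constructed stand-in for a leaked-credential corpus (sample values only,
# not real leak data): SHA-1 of each known-leaked password, upper-case hex.
_LEAKED_PLAINTEXT = ["password1234", "Summer2023!!", "correcthorsebattery"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
               for p in _LEAKED_PLAINTEXT}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_lookup(prefix: str) -> set[str]:
    """Hypothetical range query: given a 5-char hash prefix, return the
    suffixes of every corpus entry sharing it. Mirrors a k-anonymity
    breach API, where the full hash is never sent to the server."""
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in breach_lookup(prefix)


def validate_master_password(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means acceptable."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Complexity: require one character from each class.
    classes = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
               "digit": r"\d", "symbol": r"[^A-Za-z0-9]"}
    missing = [name for name, pat in classes.items()
               if not re.search(pat, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # Length and complexity alone do not help if the secret already leaked.
    if is_breached(password):
        problems.append("found in leaked-credential corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["short1!A", "Summer2023!!", "Tr0ub4dor&3-Staple"]:
        print(candidate, "->", validate_master_password(candidate) or "ok")
```

The third check is the important one: "Summer2023!!" satisfies both length and complexity yet is still rejected because it appears in the corpus.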
This security initiative follows two security breaches disclosed by LastPass in August 2022 and November 2022. The breaches involved compromising a developer environment and the theft of customer vault data from encrypted Amazon S3 buckets. The information stolen in these incidents was later used by threat actors in subsequent attacks. As a response, LastPass is taking proactive measures to secure user accounts, acknowledging the critical role of robust master passwords in protecting user data.
The changes also include a forced multi-factor authentication (MFA) re-enrollment process initiated in May 2023, causing login issues for some users. The increased master password requirements and checks against a breached credential database aim to mitigate the risks posed by compromised passwords. These measures are critical for LastPass users, especially in the aftermath of cryptocurrency thefts resulting from cracked master passwords. The enhanced security measures are part of LastPass’s commitment to safeguarding user accounts and preventing unauthorized access.