LastPass Hikes Password Requirements to 12 Characters

Published: 23/11/2024   Category: security


A phased rollout will also prompt LastPass customers to re-enroll their accounts in multifactor authentication (MFA) to prevent future breaches.



Password-manager purveyor LastPass has announced it's setting new rules about the strength of customer passwords, with a new mandate that account master passwords include a minimum of 12 characters.
A Jan. 2 blog post from LastPass senior principal intelligence analyst Mike Kosak explained that although the current National Institute of Standards and Technology (NIST) guidelines recommend an eight-character password, advancements in password cracking and the human tendency toward lazy password picking make 12 characters an even more secure choice.
"By now enforcing a minimum 12-character master password requirement, along with the PBKDF2 iteration increases we delivered earlier this year, we are proactively helping our customers create stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data," Kosak wrote.
Customers who aren't in compliance will be prompted to update their password, but those who already have a strong password won't need to take any additional actions, Kosak added.
"This policy will be implemented via a phased rollout to our customer base, with email notifications being sent to our Free, Premium and Families customers first, followed by our Teams and Business customers towards the end of January 2024," Kosak wrote.
LastPass is also pushing out MFA re-enrollment for federated business customers using widely available authenticators from Microsoft, Google, or LastPass Authenticators, and for re-enrollment for grid authentication, the post said.
The company, which has suffered a string of security incidents and breaches, will also check updated passwords against a database of those known to have been exposed on the Dark Web and provide prompts for account holders to change to a more secure password.

If the password is detected in a prior breach, a Security Warning pop-up will alert the customer that the password has already been exposed, in which case they will be prompted to choose another password in order to proceed, according to the blog post.
A LastPass spokesperson confirmed to Dark Reading that the new master password rules are not the result of a new cybersecurity incident at the company. A massive breach in August 2022, as well as subsequent follow-on attacks, allowed threat actors to access and steal data from the LastPass cloud storage service, including a backup of LastPass customer vault data as well as LastPass source code.
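The policy described above (a 12-character minimum, a lookup against known-exposed passwords, then PBKDF2 key stretching) can be sketched as follows. This is an added example, not LastPass code: the function names, the constructed breach list, the use of SHA-1 digests for the lookup, and the 600,000 iteration count are assumptions, since the article gives none of them.

```python
import hashlib
import os
import unicodedata

MIN_LENGTH = 12              # minimum master-password length stated in the article
PBKDF2_ITERATIONS = 600_000  # assumed value; the article gives no iteration count

# Constructed sample of "known exposed" passwords. Only digests are kept,
# which is how breach corpora are commonly distributed; SHA-1 is used here
# purely as a lookup key, never as a storage hash.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password1234", "qwertyuiop12", "letmein-letmein")
}

def _normalize(password: str) -> str:
    # Normalize Unicode so visually identical input always yields the same key.
    return unicodedata.normalize("NFKC", password)

def check_master_password(candidate: str, breached=BREACHED_SHA1) -> list:
    """Return the policy violations for a candidate (empty list = accepted)."""
    candidate = _normalize(candidate)
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if hashlib.sha1(candidate.encode()).hexdigest() in breached:
        problems.append("known_breached")
    return problems

def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch an accepted master password into a 256-bit key."""
    problems = check_master_password(master_password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    return hashlib.pbkdf2_hmac("sha256", _normalize(master_password).encode(),
                               salt, iterations, dklen=32)

if __name__ == "__main__":
    salt = os.urandom(16)  # per-account random salt
    for pw in ("hunter2", "password1234", "correct horse battery staple"):
        issues = check_master_password(pw)
        print(repr(pw), "->", issues or "accepted")
    print(derive_vault_key("correct horse battery staple", salt).hex())
```

A password that meets the length rule can still be rejected by the breach lookup, which is why the two checks are reported separately.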
