LastPass Uplevels User Security with 12-Character Password Mandate
Date: 2024-01-03

In a bid to bolster the security of customer accounts, LastPass, the well-known password management service provider, has mandated a new policy requiring a minimum master password length of 12 characters. The move, as explained by Mike Kosak, their Senior Principal Intelligence Analyst, is a response to the growing power of password cracking tools and the widespread habit of choosing simple passwords.

Going Beyond NIST Guidelines

While the National Institute of Standards and Technology (NIST) prescribes a minimum length of eight characters for passwords, LastPass's decision to insist on a longer password is designed to strengthen the encryption keys used to access and encrypt user data in their LastPass vaults. The company had already increased the PBKDF2 iteration count earlier in the year, further hardening customer data against offline cracking.

A Phased Approach to Enhanced Security

Users whose passwords fail to meet the new strength criteria will be prompted to update them, while those with sufficiently strong passwords will remain unaffected. The new policy will be rolled out in phases, starting with Free, Premium, and Families customers, and will eventually cover Teams and Business customers by the end of January 2024.

Multi-factor Authentication and Dark Web Checks

In addition to raising the minimum password length, LastPass is also initiating a multi-factor authentication (MFA) re-enrollment for federated business customers. To further improve security, the company will check updated passwords against a database of credentials known to have been compromised and traded on the Dark Web. A 'Security Warning' alert will prompt users to change any password that has previously been exposed.
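The three controls the article describes (a 12-character minimum, a check against known-compromised credentials, and PBKDF2 stretching of the master password into a vault key) are easy to see together in code. The following is an added example written for this page, not LastPass's own implementation: the compromised-password list is a constructed in-memory set, the breach lookup imitates the SHA-1 prefix (k-anonymity) style used by public breach-check services, and the iteration count is an illustrative placeholder rather than LastPass's real setting.

```python
import hashlib
import hmac

MIN_MASTER_PASSWORD_LENGTH = 12   # the new minimum described in the article
PBKDF2_ITERATIONS = 600_000       # illustrative placeholder, NOT LastPass's actual setting

# Constructed sample of "known compromised" passwords, stored as upper-case SHA-1
# hex digests the way breach-check services typically do (hypothetical, not real breach data).
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1234", "correcthorsebattery", "letmein12345")
}


def is_compromised(password: str) -> bool:
    """k-anonymity style lookup: only the first 5 hex characters of the SHA-1
    would be sent to a breach-check service; the suffix is matched locally.
    Here the 'service' is the in-memory set above."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # The service would return every suffix sharing the prefix; we filter locally.
    candidates = {d[5:] for d in COMPROMISED_SHA1 if d.startswith(prefix)}
    return suffix in candidates


def check_master_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_MASTER_PASSWORD_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_MASTER_PASSWORD_LENGTH}")
    if is_compromised(password):
        problems.append("Security Warning: password appears in a known breach")
    return problems


def derive_vault_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.
    Raising `iterations` multiplies the work an offline cracker must do per guess,
    which is why the iteration increase mentioned in the article matters."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def verify_master_password(password: str, salt: bytes, expected_key: bytes,
                           iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Re-derive the key and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(derive_vault_key(password, salt, iterations), expected_key)


if __name__ == "__main__":
    salt = b"constructed-16B!"  # constructed fixed salt; a real client would use a random per-user salt
    for candidate in ("short", "password1234", "Tr0ub4dor&3-long-phrase"):
        print(f"{candidate!r}: {check_master_password(candidate) or 'accepted'}")
    key = derive_vault_key("Tr0ub4dor&3-long-phrase", salt, iterations=1000)
    print("vault key:", key.hex())
    print("verify ok:", verify_master_password("Tr0ub4dor&3-long-phrase", salt, key, iterations=1000))
```

Note that `password1234` passes the length rule (it is exactly 12 characters) yet is still rejected by the breach check, which is the point of layering the two controls: length alone does not stop a password that is already in a cracking dictionary.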