Popular Password Manager Starts Enforcing 12-Character Master Passwords

While there are different schools of thought on password complexity, security experts agree that length is the most important factor in making a password difficult to guess. Whatever the password consists of, the longer it is, the longer it will take a hacker to crack it.

LastPass, one of the most popular password manager providers, has long recommended that users set long and complex passwords for their password vaults. The master password is all that stands between a hacker and an individual’s entire collection of passwords. If a hacker can gain access to a user’s password manager, they can steal every password in the vault. It stands to reason that the master password should therefore be exceptionally strong.

Since 2018, the default setting on LastPass has been for master passwords of 12 characters or more; however, users had the option of ignoring this best practice and could set shorter passwords for their password vaults. That is no longer the case. LastPass is now enforcing the 12-character minimum master password requirement. LastPass explained in a recent blog post that the absolute minimum password length recommended by the National Institute of Standards and Technology (NIST) is 8 characters, but given the processing power of modern GPUs and advances in password cracking and brute forcing technology and techniques, passwords need to be even longer. LastPass also explained that, in addition to this enforced minimum password length, the increase in PBKDF2 iterations delivered in 2023 means its customers are protected with more resilient encryption keys for accessing and encrypting their LastPass vault data.

In addition to setting a master password of at least 12 characters, LastPass recommends:

  • At least one of each of: upper case, lower case, numeric, and special character values.
  • Using a memorable passphrase that cannot be easily guessed.
  • Setting a password/passphrase that is unique to the user.
  • Not including an email address or any other personal information in the master password.
  • Not using sequential characters (e.g. “1234”) or repeated characters (e.g. “aaaa”).
  • Not reusing a master password for any other account.
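As an added illustration (not LastPass code), here is how a vault application could check a candidate master password against the recommendations listed above. The run length of four used for the sequential and repeated-character checks, and testing only the local part of the email address, are assumptions made for this example.

```python
import re
import string

MIN_LENGTH = 12  # the minimum LastPass now enforces


def has_sequential_run(pw: str, length: int = 4) -> bool:
    """True if `length` consecutive characters step by +1 or -1 (e.g. '1234', 'dcba')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeated_run(pw: str, length: int = 4) -> bool:
    """True if the same character occurs `length` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def check_master_password(pw: str, email: str = "", reused: set = frozenset()) -> list:
    """Return the recommendations the candidate violates; an empty list means it passes.

    `reused` is the set of passwords already used on other accounts (assumed input)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "upper case": any(c.isupper() for c in pw),
        "lower case": any(c.islower() for c in pw),
        "numeric": any(c.isdigit() for c in pw),
        "special character": any(c in string.punctuation for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")
    if email:
        local = email.split("@")[0].lower()  # assumption: check only the local part
        if len(local) >= 3 and local in pw.lower():
            problems.append("contains the account email address")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 1234")
    if has_repeated_run(pw):
        problems.append("contains a repeated run such as aaaa")
    if pw in reused:
        problems.append("reused from another account")
    return problems
```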

The move to the 12-character minimum has been gradual. In April 2023, all new LastPass customers, plus any existing customers who chose to update their master password, had to set a master password of at least 12 characters. Starting in January 2024, all existing customers who have not yet updated their master password must ensure it is at least 12 characters in length. Those customers have now been notified, and business customers will be informed of the change on January 10, 2024.

LastPass has also announced that starting in February it will be cross-checking new master passwords against a database of known breached credentials to ensure that a user’s new master password has not been exposed on the dark web. If a match is found, customers will be notified and required to set a new master password. LastPass will also start prompting customers to re-enroll their multifactor authentication with authenticators such as Microsoft Authenticator or Google Authenticator.

These new requirements have come into force a year and a half after LastPass suffered a highly damaging series of data breaches. Hackers gained access to its development environment after compromising the laptop of a software engineer and stole source code and technical information. The information gained was used to target another employee, from whom credentials were obtained that allowed access to and decryption of some storage volumes. While hackers did not gain access to plaintext master passwords – which are not stored by LastPass – they did obtain a backup of LastPass’ customer database, which contained unencrypted account information, related metadata, and application configuration options such as multifactor authentication. They also obtained an encrypted cloud-based backup of customer vault data. While they did not obtain the decryption keys, given enough time they could crack the encryption.

LastPass CEO Karim Toubba said that, in addition to addressing the cause of the breach, LastPass reviewed all aspects of its security and operations, has made a “systemic change”, and has committed to multiyear, multimillion-dollar investments; the latest changes will help to make LastPass vaults even more secure.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news