LastPass to enforce minimum Master Password length of 12 characters

Martin Brinkmann
Sep 22, 2023
Updated • Sep 22, 2023
Security

LastPass announced today (via email) that the requirements for the master password have been changed. The master password is the single password that unlocks a LastPass account and the vault stored in it.

In an email, LastPass states that "all master passwords must meet a 12-character minimum". Customers who use master passwords with fewer than 12 characters will be required to update them, according to the company.

To better understand the change, it is necessary to look back to 2018. Back then, LastPass raised the minimum length of the master password to 12 characters: all accounts created after the change landed that year had to set master passwords of 12 or more characters.

What LastPass did not do at the time was require older accounts to change their master passwords. LastPass was founded in 2008. Users who created accounts between 2008 and 2018 may have created them using master passwords with fewer than 12 characters.

Since LastPass did not make the new minimum mandatory for existing accounts in 2018, those users could continue to sign in to the service with shorter master passwords.

Shorter passwords are weak because the number of candidates an attacker has to try grows exponentially with length: every additional character multiplies the keyspace by the size of the character set. A 6-character password, for instance, is brute forced near instantly, even if it mixes numbers, upper and lower case letters and symbols.

A 12-character password that uses the very same mix of characters may take years to brute force.

Failing to enforce the minimum password length was not the only blunder. In 2018 LastPass also raised the default number of PBKDF2 iterations, the work factor that makes every guess at the master password more expensive, from 5,000 to 100,100, but it did not enforce that change for existing accounts either.
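The two settings interact: length sets how many candidates an attacker must try, and the PBKDF2 iteration count sets how much work each candidate costs. The script below, an added example that is not LastPass code, puts numbers on both. It assumes PBKDF2-HMAC-SHA256 as the KDF and treats the attacker's HMAC throughput (`HMAC_RATE`) as an illustrative parameter rather than a measured figure; `policy_violations` is a hypothetical helper that mirrors the two minimums discussed above.

```python
"""Quantify what master-password length and PBKDF2 iteration count buy you.

Added example; not LastPass code. The KDF is assumed to be PBKDF2-HMAC-SHA256
and attacker throughput figures are illustrative parameters, not measurements.
"""
import hashlib
import os
import string
import time

# Character-class sizes for the keyspace estimate. Assumption: the attacker
# knows which classes the password draws from, and nothing else about it.
CHARSET_SIZES = {
    "digits": len(string.digits),                                   # 10
    "letters": len(string.ascii_letters),                           # 52
    "letters+digits": len(string.ascii_letters + string.digits),    # 62
    "letters+digits+symbols": len(
        string.ascii_letters + string.digits + string.punctuation),  # 94
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` over the charset."""
    return charset_size ** length


def guesses_per_second(hmac_per_second: float, iterations: int) -> float:
    """Effective guess rate for a given PBKDF2 iteration count.

    Each guess costs roughly `iterations` HMAC evaluations, so the attacker's
    raw HMAC throughput is divided by the iteration count (constant factors
    such as the two HMACs per PBKDF2 output block are ignored; an estimate).
    """
    return hmac_per_second / iterations


def seconds_to_exhaust(charset_size: int, length: int,
                       hmac_per_second: float, iterations: int) -> float:
    """Worst-case time to try every candidate of this length and charset."""
    return keyspace(charset_size, length) / guesses_per_second(hmac_per_second, iterations)


def humanize(seconds: float) -> str:
    """Render a duration at the scale that matters for cracking estimates."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def pbkdf2_seconds_per_guess(iterations: int, rounds: int = 5) -> float:
    """Measure this machine's wall-clock cost of one PBKDF2-HMAC-SHA256 derivation."""
    salt = os.urandom(16)  # constructed salt for the benchmark only
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"example-master-password", salt, iterations, dklen=32)
    return (time.perf_counter() - start) / rounds


def policy_violations(master_password: str, iterations: int,
                      min_length: int = 12, min_iterations: int = 100_100) -> list[str]:
    """Hypothetical check mirroring the two minimums LastPass did not enforce on old accounts."""
    problems = []
    if len(master_password) < min_length:
        problems.append(f"master password has {len(master_password)} characters, minimum is {min_length}")
    if iterations < min_iterations:
        problems.append(f"PBKDF2 iterations set to {iterations}, minimum is {min_iterations}")
    return problems


if __name__ == "__main__":
    # Illustrative attacker budget (an assumption, not a measurement): 1e9 HMAC-SHA256/s.
    HMAC_RATE = 1e9
    charset = CHARSET_SIZES["letters+digits+symbols"]
    for length in (6, 8, 12, 16):
        for iterations in (5_000, 100_100):
            t = seconds_to_exhaust(charset, length, HMAC_RATE, iterations)
            print(f"length {length:2d}, {iterations:>7,} iterations: {humanize(t)}")
    for iterations in (5_000, 100_100):
        ms = pbkdf2_seconds_per_guess(iterations) * 1000
        print(f"local PBKDF2 cost at {iterations:,} iterations: {ms:.1f} ms/guess")
    print(policy_violations("Tr0ub4dor", 5_000))  # constructed weak configuration
```

Running it shows why the two settings are not interchangeable: raising iterations from 5,000 to 100,100 slows every guess by about 20x, while each extra character over a 94-symbol alphabet multiplies the worst-case work by 94, so length is the lever that moves the estimate from days to geological time.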

The LastPass breaches of recent years, in which copies of customer vaults were stolen, put older accounts at a much greater risk of being cracked than newer accounts: an attacker holding a vault copy can guess offline at full speed, and a short master password protected by 5,000 iterations resists that far less than a 12-character one at 100,100.

Now comes the change that LastPass should have enforced in 2018: all LastPass customers who use a master password with fewer than 12 characters will be required to change it.

LastPass recommends that users set up "account recovery" before making changes, as it is the only way of regaining access to an account if the new master password is forgotten.

Existing users whose master password is fewer than 12 characters long will see a prompt with instructions to update it.

It states: "The in-product prompt will be your final notice before you will be forced to logout and set a new master password. Act today to avoid potential account lockouts or delays in support requests that may occur when this change is enforced."

Most users may want to set master passwords longer than 12 characters. While that makes the password harder to remember, every additional character multiplies the work an attacker needs to brute force it, so the gain in protection is substantial.

Now You: which password manager do you use, if any?

Publisher
Ghacks Technology News
