LastPass is enforcing some security changes to user accounts
LastPass is making some changes to enhance the security of user accounts. The news comes as a follow-up to the plan the company announced a few months ago to enforce stronger passwords.
A brief recap of the LastPass security breaches
LastPass has had a disastrous couple of years following two major data breaches in 2022. The first of these security mishaps occurred in August 2022, while the second attack took place a few months later. The company drew criticism from users after it was discovered that the threat actors had managed to steal user data from its servers. Can you imagine how it would be if the password manager that you trusted to save all your email addresses and their passwords, social media accounts, and credit cards was breached? That is literally a privacy nightmare.
Security experts, including Wladimir Palant, the creator of AdBlock Plus, who analyzed the cloud-based password manager's practices, criticized the service for not enforcing modern security standards to protect its servers and users' data (password vaults, email addresses and other personal information). They also accused the company of openly lying to its users about the safety of their data and the weak encryption it had used, and of failing to notify users about the threats that could arise as a result of the hack.
Almost a year after revealing details of the security incidents and the theft of user data, LastPass is finally enforcing a rule that requires all users to set a master password of at least 12 characters. Technically, this rule has been in place since 2018, but LastPass never actually enforced it. It sounds bizarre, but the password manager service allowed users to skip the minimum requirement and use shorter passwords instead. Such passwords can be brute-forced, giving an attacker access to the password vault, and we all know what happened.
LastPass to enforce new master password requirement
This time the rule is becoming a mandatory change that will apply to all users starting in January 2024. All new users who sign up for an account with the company will need to use a password that is 12 characters long or more. Existing users and subscribers who had set a shorter password will be prompted to update to a longer one when they try to log in. LastPass says that the policy will be rolled out in phases, with notifications sent via email to its Free, Premium and Families customers first, and then to its Teams and Business customers. The rollout is expected to be completed by the end of this month. Users who already have a master password with 12 or more characters are not affected by the change, though I would probably change the password, just to be safe.
LastPass has also raised the number of PBKDF2 iterations to 600,000 rounds for new users. You can change it manually by following our tutorial. Take a moment to ensure that you have set up "account recovery" in your LastPass account's settings; it is the only way to recover your account and its data without the master password.
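The two settings above, the 12-character minimum and the PBKDF2 iteration count, work together: length limits how many guesses an attacker needs, and the iteration count sets the price of each guess. The following is an added example (not LastPass code) that enforces the length policy, derives a vault key with PBKDF2, and measures how the per-guess cost changes with the iteration count. SHA-256 as the underlying hash, the 256-bit key length, the constructed salt and the constructed sample password are all assumptions; the article only says PBKDF2 at 600,000 rounds.

```python
import hashlib
import os
import time

MIN_MASTER_PASSWORD_LENGTH = 12   # the minimum LastPass now enforces
LEGACY_ITERATIONS = 5_000         # constructed low count, for comparison only
CURRENT_ITERATIONS = 600_000      # the default the article reports for new accounts
KEY_LENGTH = 32                   # 256-bit vault key (assumed)


def meets_length_policy(password: str) -> bool:
    """True when the master password satisfies the 12-character minimum."""
    return len(password) >= MIN_MASTER_PASSWORD_LENGTH


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a vault key with PBKDF2-HMAC-SHA256.

    SHA-256 as the underlying hash is an assumption; the article only says PBKDF2.
    The length policy is checked first so a short password never reaches the KDF.
    """
    if not meets_length_policy(password):
        raise ValueError(f"master password must be at least {MIN_MASTER_PASSWORD_LENGTH} characters")
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LENGTH)


def seconds_per_derivation(password: str, salt: bytes, iterations: int) -> float:
    """Wall-clock cost of one derivation here; an attacker pays the same cost per guess."""
    start = time.perf_counter()
    derive_vault_key(password, salt, iterations)
    return time.perf_counter() - start


def guessing_cost_seconds(password: str, salt: bytes, iterations: int, guesses: int) -> float:
    """Single-core time needed to try `guesses` candidate passwords at this iteration count."""
    return seconds_per_derivation(password, salt, iterations) * guesses


if __name__ == "__main__":
    salt = os.urandom(16)                       # constructed; real products store a per-user salt
    password = "correct horse battery staple"   # constructed sample master password
    for n in (LEGACY_ITERATIONS, CURRENT_ITERATIONS):
        per_guess = seconds_per_derivation(password, salt, n)
        core_hours = guessing_cost_seconds(password, salt, n, 1_000_000) / 3600
        print(f"{n:>7} iterations: {per_guess * 1000:8.2f} ms per guess, "
              f"{core_hours:8.2f} core-hours per million guesses")
```

Run it to see the cost gap between a low legacy iteration count and 600,000 rounds on your own machine. The numbers are single-core CPU figures, so they understate what GPU-based guessing achieves, but the ratio between the two settings is what matters: raising the iteration count multiplies the attacker's work per guess by the same factor, while a longer password multiplies the number of guesses needed.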
LastPass will cross-check your master password on the Dark Web
That's not the only security measure that is changing. LastPass' article describes a new feature that checks new or reset master passwords against a database of credentials that have been leaked online. The company says it is doing this to block passwords that are already exposed on the dark web, which attackers could use to take over online identities, bank accounts, and other personal or financial information. It sounds something like the "Have I been pwned" service, which checks whether a password has appeared in a data breach, but LastPass' check applies only to master passwords for its own service.
If LastPass detects that your master password has been found in a prior breach, it will display a “Security Warning” pop-up to alert you about the security risk, and prompt you to choose another password to secure your account. That sounds good, but it remains unclear whether this master password monitoring across the dark web will be a premium feature, or if it will be available for all users.
I'm not entirely sure how this would work without storing the password on the servers directly. Would it be done on the user's device? I'm assuming it would run a one-time check when you key in the password while creating a new password or after you reset it.
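One well-known way to answer the question raised above is the k-anonymity range query that Have I Been Pwned's Pwned Passwords API uses: the client hashes the candidate password locally, sends only the first five hex characters of the SHA-1 digest, receives every suffix in that bucket, and does the final comparison on the device, so neither the password nor its full hash ever leaves the client. The article does not say which mechanism LastPass uses, so the following is an added example of that pattern in general, not a description of LastPass' implementation; the server class, the request log and the list of "leaked" passwords are constructed for the demo.

```python
import hashlib

# Constructed stand-in for the breach corpus a service would hold. These are
# just well-known weak passwords, not data taken from any real breach.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou", "Password123!"]

PREFIX_LEN = 5  # 5 hex chars = 20 bits, so each bucket covers about one millionth of the hash space


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest format Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Server side: bucket the hash suffixes of the corpus by their 5-character prefix."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


class BreachServer:
    """Hypothetical server: it only ever receives prefixes and answers with whole buckets."""

    def __init__(self, passwords):
        self.index = build_breach_index(passwords)
        self.requests_seen = []  # recorded so the demo can show what the server learned

    def range_query(self, prefix: str):
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("expected a 5-character upper-case hex prefix")
        self.requests_seen.append(prefix)
        return sorted(self.index.get(prefix, ()))


def master_password_is_breached(server: BreachServer, candidate: str) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix on the device."""
    digest = sha1_hex(candidate)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


if __name__ == "__main__":
    server = BreachServer(LEAKED_PASSWORDS)
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: breached={master_password_is_breached(server, candidate)}")
    print("server saw only these prefixes:", server.requests_seen)
```

With a real corpus of hundreds of millions of hashes each bucket holds several hundred suffixes, so the prefix alone does not identify the password; with this toy list most buckets hold one entry, which is why the demo also logs the requests to make the point that the server still never sees the password or its full hash. The check runs once per password change, which matches the one-time behaviour speculated about above.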
Multi-factor authentication (MFA) Re-Enrollments
LastPass is asking users to re-enroll their multi-factor authentication (MFA) methods. If you use an app such as LastPass Authenticator, Google Authenticator, Microsoft Authenticator, or something similar as a two-step verification method, you should remove LastPass from it and re-add your account manually. This is recommended as an extra precaution because the LastPass data breach also impacted the company's MFA database, which contained the seeds and telephone numbers associated with user accounts. LastPass will bring re-enrollment for Grid authentication soon, and users will have the option to re-enroll with Microsoft or Google.
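The reason re-enrollment matters is that an authenticator app is just a TOTP (RFC 6238) calculator over a shared seed: anyone holding a copy of the seed computes the same six-digit codes as the app, and nothing short of issuing a new seed changes that. The following added example (not LastPass code) implements RFC 6238 with HMAC-SHA1 and a 30-second step, which is what the authenticator apps named above use, and shows that a copy of the old seed validates until the account is re-enrolled and is rejected afterwards. The `MfaEnrollment` class and the `demo` timestamp are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class MfaEnrollment:
    """Hypothetical server-side record of one user's TOTP enrollment."""

    def __init__(self):
        self.seed = None

    def enroll(self) -> str:
        """Issue a fresh 160-bit seed; the base32 form is what the authenticator app is given."""
        self.seed = os.urandom(20)
        return base64.b32encode(self.seed).decode("ascii")

    def re_enroll(self) -> str:
        """Re-enrollment replaces the seed, so every copy of the old one stops validating."""
        return self.enroll()

    def verify(self, code: str, unix_time: int) -> bool:
        """Constant-time comparison against the code expected for this time step."""
        if self.seed is None:
            return False
        return hmac.compare_digest(code, totp(self.seed, unix_time))


def demo(now: int = 1_700_000_000):
    """Returns (accepted_before_re_enroll, accepted_after_re_enroll) for a copied seed."""
    user = MfaEnrollment()
    user.enroll()
    copied_seed = user.seed            # stands in for a seed exposed from a breached MFA database
    before = user.verify(totp(copied_seed, now), now)
    user.re_enroll()                   # the step the article asks users to perform
    after = user.verify(totp(copied_seed, now), now)
    return before, after


if __name__ == "__main__":
    print("copied seed accepted before/after re-enrollment:", demo())
```

The `totp` function reproduces the RFC 6238 test vectors (for example the ASCII seed `12345678901234567890` at time 59 yields `287082`), which is a quick way to confirm an implementation before trusting it. The defensive point is in `demo`: rotating the seed is the only server-side action that invalidates a copy, which is why removing and re-adding the account in the app is necessary rather than optional.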
While these are welcome security changes, they may have come too late. The LastPass data breaches, and the mismanagement of the situation, have unsurprisingly led to a massive exodus of users to rival services. Several loyal subscribers even canceled their accounts with the company after the breaches, and honestly, who can blame them?
If you want to switch from LastPass, I recommend that you take a look at KeePass: it's free, open source, and completely offline. KeePassXC is probably the best fork; it's available for Windows, macOS, and Linux, and has browser extensions for Firefox and Chrome. There are some impressive mobile apps for KeePass, such as Keepass2Android Password Safe and KeePassium for iOS.
On the other hand, if you want to migrate to a cloud-based password manager, Bitwarden is the best alternative to LastPass. It's available for all major operating systems and browsers, and if you have the skills for it, you can even host your own instance.
sudo apt install keepassxc
I have used Password Safe for over a decade and never had a hint of any problems. I only trust my passwords being on my own computer, not someone else's. And the cloud is just someone else's computer.
I used to use Bitwarden for years, and have dabbled in KeePass too. But if you really want polish and have non-techie family members, then nothing can beat 1Password. And yes I know it’s closed-source.
I would save time and just read the last 3 paragraphs of the article.
LastPass is (mostly) closed-source payware with a repeated record of failure.
There are excellent, free, open-source alternatives. I agree with Ashwin’s choices of KeePass and Bitwarden.
This is not a tough decision. I doubt any Ghacks reader is still using LP.