LastPass now requires 12-character master passwords for better security

In a major move to enhance user security, LastPass has announced that all customers must now use master passwords with a minimum of 12 characters. This change aims to protect user accounts more effectively, following a history of security recommendations and recent breaches.

Although LastPass has recommended a 12-character master password since 2018, users were previously able to create shorter passwords if they preferred. “Historically, while a 12-character master password has been LastPass’s default setting since 2018, customers still had the ability to forego the recommended default settings and choose to create a master password with fewer characters, if they wished to do so,” LastPass explained in a recent statement.

Starting in April 2023, LastPass began enforcing the 12-character requirement for new accounts and password resets. However, older accounts were still allowed to use shorter passwords until now. Beginning this month, all accounts must comply with the new 12-character minimum.

In addition to the stricter password requirements, LastPass will check new or updated master passwords against a database of credentials previously leaked on the dark web. If a match is found, users will receive a security warning and will be prompted to select a different password to prevent potential hacking attempts.
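An added example, not LastPass's own code, of how the two checks described above (a minimum length and a lookup against known-breached credentials) can be combined so that the full password never leaves the client: the breached-hash set and the `range_lookup` function are constructed stand-ins for a k-anonymity "range" API and are assumed here for illustration.

```python
import hashlib
import hmac

MIN_LENGTH = 12  # the minimum the article describes LastPass enforcing

# Constructed sample "breached credentials" set: SHA-1 hashes standing in for
# passwords leaked on the dark web. Not real breach data.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password1234", "correcthorsebatterystaple", "letmein")
}


def range_lookup(prefix5: str) -> list[str]:
    """Stand-in for a k-anonymity range endpoint (assumed for illustration).

    Given the first 5 hex characters of a SHA-1 digest, return the 35-character
    suffixes of every breached hash sharing that prefix. The caller reveals only
    the prefix, never the full hash or the password.
    """
    return [h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix5)]


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the breached set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # compare_digest avoids leaking how many suffix characters matched.
    return any(hmac.compare_digest(suffix, s) for s in range_lookup(prefix))


def check_master_password(password: str) -> list[str]:
    """Return the policy problems found; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a breached-credential database; choose a different one")
    return problems
```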

To further bolster security, LastPass initiated a mandatory multi-factor authentication (MFA) re-enrollment process in May 2023, which caused some users to experience login issues and temporary lockouts.

“These changes include requiring customers to update their master password length and complexity to meet recommended best practices and prompting customers to re-enroll their multi-factor authentication (MFA), among others,” said Mike Kosak, a Senior Principal Intelligence Analyst at LastPass.

“Starting in January 2024, LastPass will enforce a requirement that all customers use a master password with at least 12 characters. Next month, LastPass will also begin immediate checks on new or reset master passwords against a database of known breached credentials in order to ensure the password hasn’t been previously exposed on the Dark Web.”

LastPass indicated that individual (B2C) customers would begin receiving notifications about these changes immediately, while business (B2B) customers would receive them starting January 10th.

Master Passwords Cracked After 2022 Breach

The decision to enforce stricter password policies is a direct response to significant security breaches that LastPass disclosed in August and November 2022. In August, attackers compromised a developer account and accessed the company’s developer environment. They stole source code, technical information, and other internal secrets during this breach.

This stolen information was subsequently used in a December breach, where attackers accessed encrypted customer vault data stored in Amazon S3 buckets. They accomplished this by compromising a senior DevOps engineer’s computer with a remote code execution vulnerability and installing a keylogger.

By October 2023, hackers had stolen $4.4 million worth of cryptocurrency from over 25 victims, exploiting private keys and passphrases extracted from LastPass databases compromised during the 2022 breaches.

According to research by MetaMask developer Taylor Monahan and security expert ZachXBT, threat actors have been cracking stolen LastPass master passwords to gain access to user accounts. Once inside, they search for cryptocurrency wallet passphrases, credentials, and private keys, which they use to transfer funds to their own accounts.

LastPass serves over 33 million individuals and 100,000 businesses globally. The company’s recent security updates emphasize its commitment to protecting users’ sensitive information and maintaining trust in its password management services. By enforcing stronger password requirements and enhancing overall security measures, LastPass aims to safeguard its users’ data against evolving cyber threats.


By Dale John

Dale John, age 37, is a seasoned writer with over a decade of experience specializing in the dark web and Tor network. With a deep commitment to providing private access to an uncensored internet, Dale's work is instrumental for human rights activists, journalists, and individuals living under oppressive regimes who need to access information and communicate securely. Dale's expertise is supported by a robust background in academic activities, including numerous publications and presentations at key conferences in the field of internet privacy and cybersecurity. Holding certifications in cybersecurity and digital privacy, Dale combines technical prowess with a passion for education, striving to raise awareness and understanding of the dark web's implications and potential. Dale is dedicated to maintaining a diverse patient population, ensuring her knowledge benefits a wide range of users seeking privacy solutions.
