LastPass requires master password of at least twelve characters after hack

LastPass now requires customers to use a master password of at least twelve characters. Users who already have an account and use a password with fewer characters will need to change it. In 2022, a hack occurred in which encrypted customer login details were stolen.

Although it was already mandatory for new accounts to use a master password of at least twelve characters last year, this was not yet mandatory for existing accounts. LastPass let me know now though that it will enforce this requirement across all accounts. Customers who use a password of less than twelve characters can expect an email in the coming days informing them that they need to change their password.

Starting next month, the company will also compare the newly set passwords with a database of known, leaked passwords. If the passwords match, the user is notified and must choose a different password.

In 2022, LastPass was hacked, resulting in customer usernames and passwords being stolen. However, this data was all encrypted. Only with the master password was it possible to decrypt this data. This password is not stored by LastPass and cannot therefore fall into the hands of malicious parties through such a hack, although it was possible to retrieve it using brute force techniques. LastPass then stated that if customers set a password of at least 12 characters, it should take millions of years for it to be bruteforced.

Announcement: In January 2024, LastPass will require all existing customers to use a master password with at least 12 characters. This policy will be implemented via a phased rollout. More: pic.twitter.com/W64Hrb58bB

— LastPass (@LastPass) January 3, 2024