You may have noticed that lately we’ve been asking our customers to make some changes to their LastPass accounts. These changes include requiring customers to update their master password length and complexity to meet recommended best practices and prompting customers to re-enroll their multi-factor authentication (MFA), among others. All of these changes are intended to help make our customers more secure, and we want to share additional context about the evolving cyber threat environment that’s driving these requests so customers can better understand WHY these changes are important. To do this, we’ll walk through the recent changes, explain what threats are driving them, and describe how these updates are designed to help.
Updating Master Password Requirements
Why Are We Doing This?
When it comes to password security and resilience, there’s strength in numbers. But that’s just for starters. Password strength is a complex notion informed by a number of factors, including length, complexity, and unpredictability. The current National Institute of Standards and Technology (NIST) guidelines require that human-generated passwords be at least 8 characters long (NIST SP 800-63B), but given recent advances in password cracking and brute-forcing hardware and techniques, coupled with the natural human tendency to create passwords that are predictable and easy to remember, an even longer password is recommended.
LastPass’ new master password length requirement is just one part of a progressive set of initiatives designed to help our customers better protect themselves from current and emerging cyber threats. While 12 characters has been LastPass’ default master password length since 2018, customers historically could still forgo the recommended default and create a shorter master password if they wished. By now enforcing a minimum 12-character master password, along with the PBKDF2 iteration increases we delivered earlier in 2023, we are proactively helping our customers derive stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data: the master password is the input to that key derivation, so every added character multiplies the attacker’s search space, and every increase in the iteration count multiplies the cost of each guess.
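To make the two levers concrete, here is an added example (not LastPass code) that stretches a master password into a vault key with PBKDF2-HMAC-SHA256, simulates an attacker who holds a stolen key and runs a candidate list through the same derivation, and expresses the attacker’s worst-case work in bits. The hash function, the use of the normalized account email as the salt, the 600,000 iteration count and the sample email are assumptions made for this illustration, not a statement of LastPass’ actual configuration.

```python
import hashlib
import math

# Assumed, illustrative parameters: PBKDF2-HMAC-SHA256 keyed from the master
# password and salted with the trimmed, lower-cased account email. The salt
# choice and the iteration counts used below are assumptions for this example.
HASH_NAME = "sha256"
KEY_LEN = 32  # 256-bit vault key


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        HASH_NAME,
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def offline_guess(target_key: bytes, email: str, iterations: int, candidates):
    """Simulate an attacker holding a stolen vault key plus a candidate list.

    Returns (recovered_password_or_None, number_of_full_pbkdf2_runs). Every
    candidate costs one complete PBKDF2 evaluation, which is exactly the work
    the iteration count exists to inflate.
    """
    tried = 0
    for candidate in candidates:
        tried += 1
        if derive_vault_key(candidate, email, iterations) == target_key:
            return candidate, tried
    return None, tried


def exhaustive_work_bits(length: int, alphabet_size: int, iterations: int) -> float:
    """log2 of the HMAC evaluations an exhaustive search needs in the worst case.

    The password contributes length * log2(alphabet_size) bits; each doubling
    of the iteration count adds one more bit of attacker work.
    """
    return length * math.log2(alphabet_size) + math.log2(iterations)


if __name__ == "__main__":
    email = "user@example.com"  # constructed sample account
    key = derive_vault_key("correct horse battery staple", email, 600_000)
    print("vault key:", key.hex())
    # 8 lower-case characters at 5,000 iterations versus 12 printable ASCII at 600,000
    print("8 x [a-z], 5k iterations:       ", round(exhaustive_work_bits(8, 26, 5_000), 1), "bits")
    print("12 x 95 printable, 600k iterations:", round(exhaustive_work_bits(12, 95, 600_000), 1), "bits")
```

The two printed figures differ by roughly 48 bits: about 41 of those come from the longer, richer password and about 7 from the higher iteration count. Iterations raise the attacker’s cost linearly, so they help, but length is the lever that moves the number by orders of magnitude; a change to either one changes the derived key, which is why the vault must be re-encrypted whenever they change.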
Details on the New Requirements
Since April 2023, all new LastPass customers, and any existing customers who took steps to reset their master passwords, have been required to create or update their master password to a minimum of 12 characters. Starting in January 2024, LastPass will enforce a requirement that all customers use a master password with at least 12 characters.
The increase to a minimum of 12 characters requires customers to first log in to their LastPass account, after which one of two scenarios applies:
- Customers who already have a master password of 12 or more characters need take no action, since they are already in compliance with the new policy.
- Customers who are not yet in compliance with the new policy will be prompted to create a new master password of 12 or more characters.
For those customers who will have to update their master password, here’s a list of best practices to consider:
- Use a minimum of 12 characters, but additional characters are recommended,
- Use at least one of each of the following: upper case, lower case, numeric, and special characters,
- Make it memorable, but not easily guessed, such as a passphrase,
- Make sure it is unique to you,
- Don’t use your email address as your master password,
- Don’t use personal information in your master password,
- Don’t use sequential characters (for example, “1234”) or repeated characters (for example, “aaaa”),
- Make sure you don’t reuse your master password for any other account or application.
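The rules above that can be checked on the client are mechanical enough to code. The following is an added example of such a checker; it is not LastPass’ validator. What counts as a special character, the four-character run length used for the “1234” and “aaaa” rules, and the way personal information is matched (a caller-supplied list of terms such as a surname or birth year) are assumptions made for this example. Reuse of the password on other sites cannot be checked locally, so it is not covered.

```python
import re

# Added example: a local checker for the master-password guidance above.
# Illustrative code, not LastPass's own validator. The special-character
# definition, run length and personal-information matching are assumptions.
MIN_LENGTH = 12
RUN_LENGTH = 4  # the "1234" / "aaaa" style runs named in the guidance


def _has_sequential_run(s: str, run: int = RUN_LENGTH) -> bool:
    """True if any `run` adjacent characters step by exactly +1 or -1 in code
    point, which catches "1234", "abcd", "4321" and "dcba" alike."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_repeated_run(s: str, run: int = RUN_LENGTH) -> bool:
    """True if one character appears `run` or more times in a row ("aaaa")."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def check_master_password(password: str, email: str, personal_terms=()) -> list:
    """Return a list of short codes, one per rule the candidate violates.

    An empty list means the candidate passes every locally checkable rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("no_upper")
    if not any(c.islower() for c in password):
        problems.append("no_lower")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    # Assumption: any non-alphanumeric character (including space) is "special".
    if not any(not c.isalnum() for c in password):
        problems.append("no_special")

    lowered = password.lower()
    email_l = email.strip().lower()
    local_part = email_l.split("@")[0]
    # "Don't use your email address": reject the full address or a meaningful
    # local part (4+ chars) appearing anywhere in the candidate.
    if (email_l and email_l in lowered) or (len(local_part) >= 4 and local_part in lowered):
        problems.append("contains_email")
    # "Don't use personal information": terms are supplied by the caller
    # (name, birth year, pet ...); very short terms are ignored to avoid noise.
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        problems.append("personal_info")

    if _has_sequential_run(password):
        problems.append("sequential")
    if _has_repeated_run(password):
        problems.append("repeated")
    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "Password1234!", "Summer2024!!!!", "Violet-kettle-9-Orbit"]:
        print(f"{candidate!r}: {check_master_password(candidate, 'user@example.com') or 'ok'}")
```

Running it on the constructed candidates shows the first three each failing exactly one rule (length, a sequential run, a repeated run) and the passphrase-style last one passing. A candidate that passes this check is not necessarily strong; a breach-list check, covered below under cross-checking, is a separate and complementary test.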
Why haven’t I been prompted to change my master password yet?
This policy will be implemented via a phased rollout to our customer base, with email notifications being sent to our Free, Premium and Families customers first, followed by our Teams and Business customers towards the end of January 2024. The prompt to update appears at the next login that requires the master password, and because LastPass lets customers choose how long they stay logged in between such prompts, we are not able to estimate how long this initiative will ultimately take to reach 100% adoption across our entire customer base.
Set up Account Recovery Prior to Changing Master Password
How to Change Your Master Password
Cross-Checking New Master Passwords on the Dark Web
Next month, LastPass will also begin checking new or reset master passwords, at the moment they are chosen, against a database of known breached credentials to ensure the password has not previously been exposed on the Dark Web. If the password is found in a prior breach, a “Security Warning” pop-up will alert the customer that the password has already been exposed, and they will be prompted to choose a different password in order to proceed.
Why Are We Doing This?
This one is simple: exposed passwords are easy to crack. Modern password crackers ingest lists of passwords from previous breaches and try those first, so a password that appears in such a list is recovered quickly no matter how long or complex it looks, because the attacker never has to search for it; PBKDF2 iterations only raise the cost per guess, and a wordlist hit needs very few guesses. Requiring our customers to choose a password that has not already been exposed forces an attacker back to the far more expensive business of exhaustive guessing.
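A practitioner’s concern with this kind of check is that the candidate password must never leave the client. The added example below (not LastPass code, and not a description of how LastPass performs its check) shows the usual way to achieve that: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, receives every stored hash suffix under that prefix, and does the final comparison itself. The “breach corpus” is a constructed five-entry list standing in for a real dataset, and the range protocol is modelled offline on the Have I Been Pwned range API, which the code does not call.

```python
import hashlib

# Constructed sample corpus standing in for a breach database. A real check
# uses a corpus of hundreds of millions of leaked passwords, or a range-style
# API such as HIBP's; this block mimics that protocol offline and calls nothing.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2023!"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords) -> dict:
    """Server side: bucket digests by their first 5 hex characters and keep
    only the remaining 35-character suffixes, never the passwords themselves."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(h[5:])
    return index


def range_query(index: dict, prefix: str) -> list:
    """Server side: everything returned for one 5-character prefix.

    The server only ever sees the prefix, so it cannot tell which (if any) of
    the returned suffixes belongs to the client's password (k-anonymity).
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return list(index.get(prefix.upper(), []))


def is_breached(password: str, index: dict) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    h = sha1_hex(password)
    return h[5:] in range_query(index, h[:5])


def validate_new_master_password(candidate: str, index: dict):
    """Return the warning text to display, or None if the candidate is not in the corpus."""
    if is_breached(candidate, index):
        return "Security Warning: this password has appeared in a known breach. Please choose another."
    return None


if __name__ == "__main__":
    index = build_range_index(BREACHED_PASSWORDS)
    for candidate in ["letmein", "Violet-kettle-9-Orbit"]:
        print(f"{candidate!r}: {validate_new_master_password(candidate, index) or 'not found in corpus'}")
```

Note what the design does and does not promise: the server learns a 20-bit prefix, which narrows the password to a large anonymity set rather than identifying it, and a password absent from the corpus is merely “not known to be leaked”, not strong. The length and character-class rules above still apply.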
How to enable Dark Web Monitoring in LastPass
Multi-factor authentication (MFA) Re-Enrollments
Back in May 2023, LastPass initiated efforts to streamline MFA re-enrollment for non-federated Business customers who use common authenticators like Microsoft Authenticator, Google Authenticator, or LastPass Authenticator. Re-enrollment for Grid authentication is coming soon, and customers will have the option to re-enroll with Microsoft or Google.
Why Are We Doing This?
As previously noted in our March 2023 security incident communications, resetting MFA is necessary because re-enrollment generates fresh MFA secrets; this effectively mitigates the remaining risk stemming from the prior exposure of the LastPass MFA/Federation database backup.
If you haven’t done so already, initiate a manual re-enrollment of MFA for non-federated customers. You can find the detailed instructions for doing so in our Security Bulletin.
In Closing
To summarize, these changes are being implemented in response to the constantly changing cyber threat environment with the goal of making our customers more secure. LastPass will not ask you to take action or make changes without a distinct purpose, and we will always strive to be transparent as to what that purpose is.
Follow our LastPass Labs blog posts for updates on future changes and the latest on the threats facing authentication methods, our industry, and our customers.