LastPass is forcing its users to make longer, tougher passwords

(Image credit: Future)

LastPass is forcing customers to set up 12-character master passwords, if they haven’t already, in an effort to improve security following a major incident in 2022.

While this has been a default option since 2018, LastPass customers have been able to evade the 12-character recommendation, which will now soon be mandatory.

On its website, the password manager said the new requirement surpasses the current National Institute of Standards and Technology (NIST) guidelines which state that human-generated passwords should be at least eight characters long.

LastPass security boost

In a company blog post, LastPass Senior Principal Intelligence Analyst Mike Kosak said the password length requirement is part of a progressive set of initiatives that the company is rolling out in order to protect customer accounts, thus minimizing the likelihood of any successful attacks.

In an email to customers seen by TechRadar Pro, LastPass said in response to why it was making the change: “We’re committed to meeting the latest industry security standards and best practices to protect against external threats.”

There’s also the fact that the company suffered a “security incident” in 2022, which saw an unauthorized party gain access to some of the company’s data.

From January 2024, LastPass users’ master password should include at least 12 upper case, lower case, numeric, and special characters.

Free, Premium, and Family customers are among the first to be notified about the change, and Teams and Business customers are expected to receive a warning by the end of January.

From February, new and reset master passwords will also be cross-referenced in real-time against a list of exposed credentials on the dark web. Users will receive a security warning if the password they choose has been previously leaked. 

Customers who fail to meet the deadline will be logged out and forced to create a new master password, helping LastPass to ensure that all customers have taken the necessary steps.

A LastPass spokesperson confirmed in an email to TechRadar Pro that a phased rollout begins on January 8 for business customers.

More from TechRadar Pro

Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!