Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

LastPass Now Requires 12-Character Master Passwords (bleepingcomputer.com) 31

LastPass notified customers today that they are now required to use complex master passwords with a minimum of 12 characters to increase their accounts' security. From a report: Even though LastPass has repeatedly said that there is a 12-character master password requirement since 2018, users have had the ability to use a weaker one. "Historically, while a 12-character master password has been LastPass' default setting since 2018, customers still had the ability to forego the recommended default settings and choose to create a master password with fewer characters, if they wished to do so," LastPass said in a new announcement today.

LastPass has begun enforcing a 12-character master password requirement since April 2023 for new accounts or password resets, but older accounts could still use passwords with fewer than 12 characters. Starting this month, LastPass is now enforcing the 12-character master password requirement for all accounts. Furthermore, LastPass added that it will also start checking new or updated master passwords against a database of credentials previously leaked on the dark web to ensure that they don't match already compromised accounts.

This discussion has been archived. No new comments can be posted.

LastPass Now Requires 12-Character Master Passwords

Comments Filter:
  • I migrated and switched all passwords (PITA, not the Greek variant) after the data breach.

    Here's a Kreb's article about how some of the stolen vaults may have been comprimised:
    https://krebsonsecurity.com/20... [krebsonsecurity.com]

    • Re: (Score:3, Insightful)

      I'm sure they still have millions of users, despite several security incidents.

      • by Pascoea ( 968200 )
        I'm still one of them. Mainly because I'm too lazy to change. I'm still "cleaning out" passwords from Chrome Password Manager after I switched to LastPass. Call me an idiot if you'd like, but I have MFA on anything important, and still change passwords on things like bank accounts and my primary e-mail regularly enough. If they do manage to crack my old vault (15+ character password. Good luck.) the only thing of "value" they are going to get access to is my Myspace account.
    • Comment removed (Score:4, Informative)

      by account_deleted ( 4530225 ) on Wednesday January 03, 2024 @05:05PM (#64128917)
      Comment removed based on user account deletion
      • by AmiMoJo ( 196126 )

        What value do you get from it that you don't get for free with Keepass or your browser's password manager?

        • by Tarlus ( 1000874 )

          I can host my own Bitwarden server so that my different devices can still share the same database without relying on a 3rd party cloud host. Open source, frequently audited, client is available for every major OS and web browser.

  • Have these geniuses ever heard of key stretching? Do they even salt their hashes any way in the first place? Have they ever heard of rainbow tables? If THIS is their fix for getting hacked more than any other password manager then I think it's time for them to fire their IT management.
  • 1234567890-=

  • Here's some 12-letter words. I'm using these would be secure, right?

    Acknowledged, Independence, Overwhelming, Satisfaction, Exaggeration, Necessitated, Accomplished, & Considerable
  • Outdated master password requirements, laughable internal security, and questionable product design. What a joke.

    • by gweihir ( 88907 )

      Apparently, still a joke that sells. Makes the customers the joke, or maybe the absence of legal and regulatory requirements.

  • by Gabest ( 852807 ) on Wednesday January 03, 2024 @04:39PM (#64128835)

    Since LastPass is only 8 characters, use LastPass.com.

  • that they have access to my master password. Good that they are now checking for leaks, but they shouldn't have that capability.

    It took a while after the last breach, but I finally got everything migrated to Bitwarden, and changed all 400 or so passwords. Major pita, as I temporarily lost my new master and had to do the migration 100% manually.

    Just in time, too. I've recently seen login fail activity on my bank accounts, which tells me my vault is in active exploit.

    • by gweihir ( 88907 )

      that they have access to my master password. Good that they are now checking for leaks, but they shouldn't have that capability.

      Indeed. Makes you wonder whether they know what they are doing. No, strike, that. It makes it pretty clear they have no clue how to do password security.

  • passwordpassword

  • Or anything like it? What does it do that combination of KeePassXC and Syncthing cannot do?
  • As all counting-metrics, this one is stupid. A bad password at 12 chars (like "joejoejoejoe") is still a bad password. A good password at 8 chars is a lot better. But really, password security is limited in the real world. That is why anything with higher security requirements uses 2FA, at least if competent people are behind it.

"The pathology is to want control, not that you ever get it, because of course you never do." -- Gregory Bateson

Working...