LastPass Now Requires 12-Character Master Passwords (bleepingcomputer.com)
LastPass notified customers today that they are now required to use complex master passwords with a minimum of 12 characters to increase their accounts' security. From a report: Even though LastPass has repeatedly said that there is a 12-character master password requirement since 2018, users have had the ability to use a weaker one. "Historically, while a 12-character master password has been LastPass' default setting since 2018, customers still had the ability to forego the recommended default settings and choose to create a master password with fewer characters, if they wished to do so," LastPass said in a new announcement today.
LastPass began enforcing a 12-character master password requirement in April 2023 for new accounts and password resets, but older accounts could still use passwords with fewer than 12 characters. Starting this month, LastPass is enforcing the 12-character master password requirement for all accounts. Furthermore, LastPass added that it will also start checking new or updated master passwords against a database of credentials previously leaked on the dark web to ensure that they don't match already compromised accounts.
Is anyone still using LastPass? (Score:2, Informative)
I migrated and switched all passwords (PITA, not the Greek variant) after the data breach.
Here's a Krebs article about how some of the stolen vaults may have been compromised:
https://krebsonsecurity.com/20... [krebsonsecurity.com]
Re: (Score:3, Insightful)
I'm sure they still have millions of users, despite several security incidents.
There are plenty more reasons [palant.info] to stop using LastPass than just the most recent breach.
Re: (Score:2)
Realizing the importance of the case, my men are rounding up twice the usual number of letters.
This seems like pure security theatre to me. Either you've already got a good high-entropy master password, in which case rounding up more letters won't make any difference, or you've got a weak master password, in which case appending "12345" to it to make it fit the length requirements also won't make any difference. They'd be better off focusing on things like filtering out weak passwords before they're ever used, by which I mean proper Markov-model based filters and the schemes used by major password
Re: (Score:2)
What value do you get from it that you don't get for free with KeePass or your browser's password manager?
Re: (Score:2)
I can host my own Bitwarden server so that my different devices can still share the same database without relying on a 3rd party cloud host. Open source, frequently audited, client is available for every major OS and web browser.
Re: (Score:2)
You can do that with KeePass too. I'm trying to understand what extra value they offer.
It's a 12 character *minimum*. When you're done failing to brute force it in a week you can think about it while it also fails to brute force it for like another 20 years.
The Bell Labs password (Score:2)
Supposedly, this was circulated at Bell Labs at one time.
It was a list of rules of what your password had to be and could not be, and when you applied every rule, there was only one valid password.
Re: (Score:2)
How quickly can you do it when rate limiting at the host grinds your brute force to a halt?
Unless you've already gotten in and acquired an encrypted vault. But LastPass would never allow that to happen...
ancient tech much? (Score:2, Troll)
My new master password (Score:2)
1234567890-=
12-letter words, they say? (Score:2)
Acknowledged, Independence, Overwhelming, Satisfaction, Exaggeration, Necessitated, Accomplished, & Considerable
BatteryStapl (Score:2)
CorrectHorse = 12 letter
BatteryStapl = 12 letter
Proving that they really want to lose customers (Score:2)
Outdated master password requirements, laughable internal security, and questionable product design. What a joke.
Re: (Score:2)
Apparently, still a joke that sells. Makes the customers the joke, or maybe the absence of legal and regulatory requirements.
Recommendation (Score:5, Funny)
Since LastPass is only 8 characters, use LastPass.com.
Re: (Score:3)
This is why LastPass is more secure than KeePass!
I'm creeped out (Score:1)
that they have access to my master password. Good that they are now checking for leaks, but they shouldn't have that capability.
It took a while after the last breach, but I finally got everything migrated to Bitwarden, and changed all 400 or so passwords. Major PITA, as I temporarily lost my new master and had to do the migration 100% manually.
Just in time, too. I've recently seen login fail activity on my bank accounts, which tells me my vault is in active exploit.
Re: (Score:2)
that they have access to my master password. Good that they are now checking for leaks, but they shouldn't have that capability.
Indeed. Makes you wonder whether they know what they are doing. No, strike that. It makes it pretty clear they have no clue how to do password security.
Can't use "password" any more (Score:1)
passwordpassword
Why would you want to use LastPass? (Score:2)
Stupid (Score:1)
Like all counting metrics, this one is stupid. A bad password at 12 chars (like "joejoejoejoe") is still a bad password. A good password at 8 chars is a lot better. But really, password security is limited in the real world. That is why anything with higher security requirements uses 2FA, at least if competent people are behind it.
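Added example code, not from the article, LastPass or any commenter, illustrating two points raised in this thread: a pure length rule accepts "joejoejoejoe" or a weak password padded with "12345", while an entropy estimate that collapses repeats and padding does not, and a leaked-credential check can be done with a k-anonymity range query so the full password never reaches the checking service. The breach corpus, the 50-bit floor and the sample passwords are constructed for the demo; only the 12-character minimum comes from the article.

```python
import hashlib
import math
import re

# Constructed stand-in for a leaked-credential DB (not LastPass's data): SHA-1 of weak strings.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "passwordpassword", "123456789012", "joejoejoejoe")
}
MIN_LENGTH = 12   # the policy from the article
MIN_BITS = 50.0   # assumed entropy floor for this demo

def breach_lookup(prefix5):
    """k-anonymity range query (Pwned Passwords style): only the first 5 hex chars of
    the hash leave the client, which gets back every suffix stored under that prefix."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}

def is_breached(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breach_lookup(digest[:5])

def repeated_unit(password):
    """Shortest unit whose repetition forms the whole password ('joe' for 'joejoejoejoe'), else None."""
    m = re.fullmatch(r"(.+?)\1+", password)
    return m.group(1) if m else None

def strip_ascending_tail(password):
    """Drop a trailing run of consecutive code points ('12345', 'abcd'), keeping its
    first char: the rest is predictable length padding."""
    end = len(password)
    while end >= 2 and ord(password[end - 1]) == ord(password[end - 2]) + 1:
        end -= 1
    return password[:end]

def charset_bits(text):
    """Bits per character from the character classes actually present."""
    size = 0
    for pattern, n in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, text):
            size += n
    return math.log2(size) if size else 0.0

def evaluate(password):
    """Length rule + breach check + entropy estimate that ignores repeats and padding."""
    core = strip_ascending_tail(repeated_unit(password) or password)
    bits = len(core) * charset_bits(core)
    verdict = {"length_ok": len(password) >= MIN_LENGTH, "breached": is_breached(password),
               "effective_bits": round(bits, 1)}
    verdict["accept"] = verdict["length_ok"] and not verdict["breached"] and bits >= MIN_BITS
    return verdict
```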