LastPass now requires 12-character master passwords for better security

LastPass notified customers today that they are now required to use complex master passwords with a minimum of 12 characters to increase their accounts' security.

Even though LastPass has repeatedly said that there is a 12-character master password requirement since 2018, users have had the ability to use a weaker one.

"Historically, while a 12-character master password has been LastPass’ default setting since 2018, customers still had the ability to forego the recommended default settings and choose to create a master password with fewer characters, if they wished to do so," LastPass said in a new announcement today. 

LastPass has begun enforcing a 12-character master password requirement since April 2023 for new accounts or password resets, but older accounts could still use passwords with fewer than 12 characters. Starting this month, LastPass is now enforcing the 12-character master password requirement for all accounts.

Furthermore, LastPass added that it will also start checking new or updated master passwords against a database of credentials previously leaked on the dark web to ensure that they don't match already compromised accounts.

If a match is found, the customers will be alerted via a security warning pop-up and prompted to select another password to block future cracking attempts.

As part of the same effort to increase account security, LastPass also started a forced multi-factor authentication (MFA) re-enrollment process in May 2023, which led to many users experiencing significant login issues and getting locked out of their accounts.

"These changes include requiring customers to update their master password length and complexity to meet recommended best practices and prompting customers to re-enroll their multi-factor authentication (MFA), among others," said Mike Kosak, a Senior Principal Intelligence Analyst at LastPass.

"Starting in January 2024, LastPass will enforce a requirement that all customers use a master password with at least 12 characters.

"Next month, LastPass will also begin immediate checks on new or reset master passwords against a database of known breached credentials in order to ensure the password hasn't been previously exposed on the Dark Web."

LastPass told BleepingComputer that B2C customers will begin receiving emails about these changes today, with B2B customers receiving them on January 10th.

Master passwords cracked after 2022 breach

These measures are the direct result of two security breaches LastPass disclosed in August 2022 and November 2022.

In August, the company confirmed its developer environment was breached via a compromised developer account after the attackers hacked into a software engineer's corporate laptop. During the breach, they stole source code, technical info, and some LastPass internal system secrets.

The information stolen in this incident was later used by threat actors in the December breach when they also stole customer vault data from its encrypted Amazon S3 buckets after compromising a senior DevOps engineer's computer using a remote code execution vulnerability to install a keylogger.

In October 2023, hackers stole $4.4 million worth of cryptocurrency from over 25+ victims using private keys and passphrases they could extract from LastPass databases stolen in LastPass' 2022 breaches.

According to research by MetaMask developer Taylor Monahan and ZachXBT, it is believed that threat actors are now cracking stolen LastPass master passwords to gain access to the password.

Using this access, the threat actors search for cryptocurrency wallet passphrases, credentials, and private keys and use them to load the wallets onto their own devices to drain them of all funds.

LastPass says its password management solution is now used by over 33 million people and 100,000 businesses worldwide.

Source