Responding to the heightened threat landscape and a series of security incidents that targeted its password manager products, LastPass said it will now enforce a 12-character master password requirement.
In a Jan. 2 blog post, LastPass said while a 12-character master password has been the company’s default setting for its password manager since 2018, customers still had the option to forego the recommended default settings and create a master password with fewer characters.
Customers who already have a 12-character password don’t have to do anything, while those with a password fewer than 12-charcters will get a prompt to reset the master password.
Many of the best practices for passwords encouraged by the National Institute of Standards and Technology are included. Here's a sampling:
- Use a minimum of 12 characters, but additional characters are recommended.
- Use at least one of each of the following: upper case, lower case, numeric, and special character values.
- Make the password memorable, but not easily guessed, such as a passphrase.
- Make sure the password is unique only to the person setting it.
- Don’t use an email address as the master password.
- Don’t use personal information in the master password.
- Don’t use sequential characters (for example, “1234”) or repeated characters (for example, “aaaa”).
- Don’t reuse a master password for any other account or application.
The industry responds to LastPass minimum-character enforcement
Passwords have been on the minds of security pros these past few days with the LastPass announcement, and with 23andMe reportedly telling victims that it was their fault they got breached.
While LastPass implementing a 12-character master password certainly will not stop all nefarious activity in its tracks, it’s a step in the right direction for users to understand what hangs in the balance with the creation of a strong password, said Antoine Vastel, head of research at DataDome.
Vastel said having a strong password is even more important when it comes to master passwords that are used in the context of a password manager. Creating a unique password (not reused) helps to protect against credential stuffing attacks in which bots test credentials from other platforms on the password manager, said Vastel.
“Having a long password makes it more difficult for attackers in case of a data breach of the password manager,” said Vastel. “It would make it more costly for the attackers to crack the original master password as they are not stored in plain text. When cybercriminals take control of an online account, they can perform unauthorized transactions, unbeknownst to the victims. Once a hacker gets inside a user’s account, they have the keys to the kingdom, with the ability to access linked bank accounts, credit cards, and personal data that they can use for identity theft.”
Callie Guenther, senior manager, cyber threat research at Critical Start, said longer passwords are inherently more secure against brute-force attacks. Guenther explained that each additional character exponentially increases the number of possible combinations, making it more challenging for attackers to crack the password. By enforcing a longer master password, Guenther said LastPass helps users generate stronger encryption keys for their vault data, critical for safeguarding stored credentials.
“However, relying solely on a master password, regardless of its length, is not the most robust security approach,” said Guenther. “Additional layers of security, such as multi-factor authentication and regular monitoring for breached credentials, are essential. LastPass’s initiative to re-enroll users in MFA is a crucial step. MFA adds an additional layer of security, ensuring that even if a master password gets compromised, unauthorized access can still be prevented.”
Darren Guccione, co-founder and CEO of Keeper Security, added that it’s important to always use a complex and unique master password containing letters, numbers and symbols that’s different from other passwords used for any website, application or system. For example, Guccione said a phrase such as: “GoingH0mE2CookDinner665$” is an example of a strong master password that cybercriminals won’t have access to in dark web repositories or dictionaries and will be more impervious to a brute force attack.
“Put simply, the longer and more complex a master password is, the better it will be at protecting the vault,” said Guccione.