LastPass will finally enforce a 12-character minimum master password

Keep your passwords safe from this guy. | Illustration: Beatrice Sala

Following a high-profile security breakdown in 2022, LastPass is finally imposing a 12-character minimum for customers’ master passwords.

BleepingComputer spotted a release from LastPass confirming the change. The release acknowledges that 12 characters was already the default setting, but preexisting users previously had the option to set a shorter password. LastPass removed this option last April, requiring new customers and anyone resetting their master password to meet the 12-character requirement. But if your account still has a shorter, less secure password, you’ll be forced to change it soon.

LastPass’ security woes are well documented — breaches in 2022 allowed hackers to steal customer vault data. If you were affected, this meant the only thing between a bad actor and all of your passwords was the master password used to secure your LastPass account. The company claimed that so long as customers followed its “best practices” when setting a master password, their data would be secure — even as some subscriber accounts were still using weaker passwords.

When all of this came to light a year ago — a year ago! — experts criticized the company for not enforcing the 12-character minimum on older accounts or updating other settings that increased security, like a new minimum standard for password hashing iterations. Now, both settings will be applied to older accounts, too. The company also says that it’s about to start checking “new or reset master passwords” against a database of credential breaches and alerting users if they choose one that matches login information that has already been exposed. This is vital because reused logins from other breaches can be used in “credential stuffing” attacks like the one that exposed many 23andMe users late last year.

LastPass says its customers still using shorter master passwords will be prompted to set a new one with a phased rollout this month, starting with Free, Premium, and Families accounts, followed by business customers. And even if you’re not a LastPass customer, consider this your sign to revisit critical passwords and double-check relevant settings. A few more characters could make all the difference.
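The three controls the article describes (a minimum master-password length, a floor on key-derivation iterations, and a check of new passwords against a breach corpus) are easy to get wrong if they are only applied to new accounts. The following is an added example, not LastPass's code and not based on its implementation: a server-side acceptance check that applies all three to any password being set. The breached-password set is a small constructed sample, the lookup imitates the k-anonymity range query used by Have I Been Pwned's Pwned Passwords service (only the first five hex characters of the SHA-1 leave the client) but is served locally instead of over the network, and the iteration floor is an assumed value taken from the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
"""Added example: accept or reject a new master password.

Enforces the minimum length, refuses weak key-derivation settings, and checks
the candidate against a breach corpus using a k-anonymity style lookup.
The breach data below is constructed for the example.
"""
import hashlib

MIN_LENGTH = 12
# Assumed floor for PBKDF2-HMAC-SHA256 (OWASP Password Storage Cheat Sheet
# recommendation); the article gives no number for LastPass's own minimum.
MIN_ITERATIONS = 600_000

# Constructed sample of "breached" passwords, stored as upper-case SHA-1 hex,
# the same representation the Pwned Passwords dataset uses.
_BREACHED = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1234", "correcthorsebattery", "letmein12345")
}


def _range_query(prefix: str) -> dict:
    """Stand-in for the remote k-anonymity lookup.

    Returns {hash_suffix: count} for every breached hash sharing the 5-char
    prefix. A real client would fetch this list over HTTPS; here it comes from
    the constructed set, so nothing leaves the process.
    """
    return {h[5:]: 1 for h in _BREACHED if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in _range_query(prefix)


def check_master_password(password: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(
            f"must be at least {MIN_LENGTH} characters (got {len(password)})"
        )
    if is_breached(password):
        problems.append("appears in a known credential breach; choose another")
    return problems


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation that refuses iteration counts below
    the floor, so a legacy account cannot keep a weaker setting."""
    if iterations < MIN_ITERATIONS:
        raise ValueError(f"{iterations} iterations is below the floor of {MIN_ITERATIONS}")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, iterations, dklen=32
    )


if __name__ == "__main__":
    for candidate in ("short", "password1234", "a-long-unique-phrase-42"):
        print(repr(candidate), "->", check_master_password(candidate) or "accepted")
```

Note that `check_master_password` reports every violation rather than stopping at the first, so a user who picks a short password that is also in a breach list learns both problems at once; `derive_vault_key` raises instead of silently clamping, because a silent fallback is exactly how an old, weak setting survives a policy change.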
