LastPass prompting users to set a stronger master password after major security incident

LastPass faced a major attack in 2022 after hackers gained access to sensitive user data through an exploit found on the computer of one of the engineers working for the company. More than two years after this incident, LastPass has now announced new measures to better protect users’ data, who will now be required to set a stronger master password.

LastPass now requires stronger master password

In a blog post on Wednesday, LastPass says that users will now be asked to set a new master password to protect their account on the platform. This new password needs to be at least 12 characters long, whereas previously the master password only needed to be 8 characters long.

According to the company, while the National Institute of Standards and Technology (NIST) says that passwords must be at least 8 characters long, more advanced password cracking and brute force techniques have motivated the company to set a new, stronger standard. The password must also contain at least one special character, a number and an upper case letter.

The company reinforces that since last year, all new users or existing users who needed to reset their master password were already asked to set a 12-character password. With today’s change, everyone will be required to update their LastPass master password. LastPass also says it will check a database to make sure the new password hasn’t been leaked before.

By now enforcing a minimum 12-character master password requirement, along with the PBKDF2 iteration increases we delivered earlier this year, we are proactively helping our customers create stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data.

A major security incident

LastPass doesn’t explicitly mention the security incident that affected the company in 2022, saying only that the changes “are being implemented in response to the constantly changing cyber threat environment.”

At the time, hackers gained access to data such as passwords, names, emails, addresses, phone numbers and more from LastPass customers. Last year, LastPass revealed that the credentials for the Amazon AWS servers used by the company were stolen from a DevOps engineer through a vulnerability found in the Plex media platform.

More than 15 million passwords were compromised. Following the incident, LastPass has taken a number of steps to prevent future attacks. The engineer was assisted in strengthening the security of their personal network while new multifactor authentications were added to LastPass’ systems.

If you’re a LastPass user, make sure you update your master password right now. You can learn more about LastPass on its official website.

FTC: We use income earning auto affiliate links. More.