BleepingComputer spotted a release from LastPass confirming the change, which acknowledges that 12 characters was already the default setting; however, existing customers previously had the option to set a shorter password. LastPass eliminated this option last April, requiring new customers and anyone resetting their master password to meet the 12-character requirement. But if your account has a shorter, less secure password, you'll soon be forced to change it.
LastPass' security woes are well documented: breaches in 2022 allowed hackers to steal customer vault data. If you were affected, this meant the only thing between a bad actor and all of your passwords was the master password used to secure your LastPass account. The company claimed that as long as customers followed its "best practices" when setting a master password, their data would be safe, even as some subscriber accounts were still using weaker passwords.
When all of this came to light a year ago (a year ago!), experts criticized the company for not enforcing the 12-character minimum on older accounts or updating other settings that increased security, like a new minimum standard for password hashing iterations. Now, both settings will be applied to older accounts, too. The company also says it's about to start checking "new or reset master passwords" against a database of credential breaches and alerting users if they choose one that matches login data that has already been exposed. That is significant because reused logins from other breaches can be used in "credential stuffing" attacks like the one that exposed many 23andMe users late last year.
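The three controls discussed above (a 12-character minimum, a check of new master passwords against a breach corpus, and a minimum PBKDF2 iteration count) can be combined into one small policy check. The following is an added Python example, not LastPass code: the breach corpus is a constructed set of three SHA-1 hashes standing in for a real breach database, the prefix-based lookup is an assumed k-anonymity-style design so the full password hash never has to leave the client, and the 600,000 iteration count is an assumed figure because the article gives no number.

```python
import hashlib

MIN_LENGTH = 12            # the 12-character minimum the article describes
PBKDF2_ITERATIONS = 600_000  # assumed value; the article states no figure

# Constructed sample breach corpus: SHA-1 hashes of passwords that have
# appeared in earlier leaks. A real deployment would query a large external
# dataset; these three entries exist only so the example runs offline.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password123!", "correcthorsebattery", "Summer2023!!")
}


def breached_suffixes(prefix5: str) -> set[str]:
    """Return hash suffixes for every corpus entry sharing a 5-hex-char prefix.

    This mirrors a k-anonymity lookup (assumed design): the caller reveals only
    the prefix, receives all matching suffixes, and compares locally.
    """
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 hash is present in the breach corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in breached_suffixes(prefix)


def check_master_password(password: str) -> list[str]:
    """Return a list of policy failures; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("found in breach corpus")
    return problems


def derive_vault_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Raising `iterations` is the "hashing iterations" setting the article refers to:
    each increase multiplies the work an attacker must do per guess against a
    stolen vault.
    """
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


if __name__ == "__main__":
    for candidate in ("short1!", "correcthorsebattery", "a-long-unique-passphrase-2024"):
        verdict = check_master_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that the breach check and the length check are independent: a 19-character password that has already leaked still fails, which is the case the article's credential-stuffing point is about.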
LastPass says its customers still using shorter master passwords will be prompted to set a new one in a phased rollout this month, starting with Free, Premium, and Families accounts, followed by business customers. And even if you're not a LastPass customer, consider this your sign to revisit important passwords and double-check related settings. A few extra characters could make all the difference.