
LastPass’s Overdue Password Length Enforcement

Executive Summary

LastPass, a popular password manager service, is starting to require master passwords of at least 12 characters.

This change is aimed at improving security after a 2022 breach exposed the password vaults of millions of users.

However, critics argue that the move is merely a public relations effort and does not address the concerns of those whose password vaults were compromised in the 2022 breach.

What Happened

LastPass recently informed its users that they must update their master passwords if those passwords are shorter than 12 characters. This requirement was officially introduced in 2018 but was not enforced for certain long-time customers.

This matters because LastPass disclosed a breach in November 2022, during which hackers gained access to password vaults containing both encrypted and plaintext data for over 25 million users.

Since then, there have been reports of cryptocurrency thefts targeting LastPass users, suggesting that some attackers may have cracked the stolen vaults. One victim reported losing over three million dollars in cryptocurrency and had never changed their eight-character master password.


LastPass has been criticized for not upgrading many of its older customers to more secure encryption measures offered to newer customers, such as the number of “iterations” used in encryption routines.

LastPass’s Notification to Users

LastPass stated that, starting in October, it will require all existing customers to update their master password to at least 12 characters.

LastPass CEO Karim Toubba explained that the changes in master password length are aimed at safeguarding online vaults and encouraging users to meet the 2018 LastPass standard default setting of a 12-character minimum.

LastPass has always stressed that if users lose their master password, recovery is impossible because the company does not store it.

Security experts and researchers have criticized LastPass for its handling of the breach and its failure to enforce stronger security measures.

Some argue that LastPass should recommend password changes for all affected users and upgrade encryption settings for older customers.
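The two levers the article keeps returning to, master-password length and the number of key-derivation iterations, can be made concrete with a small model. The following is an added example, not LastPass's code or the publication's; it uses PBKDF2-HMAC-SHA256 as a generic stand-in for a vault key derivation, treats 600,000 iterations (the OWASP recommendation for PBKDF2-HMAC-SHA256) as an assumed modern target rather than a LastPass setting, and audits constructed sample accounts against both a 12-character minimum and that iteration target. The `audit_accounts` function and the account records are hypothetical.

```python
"""Added example (not LastPass code): how master-password length and KDF
iteration count each change the work needed to crack a stolen vault, plus a
defensive audit that flags accounts needing a password change, an iteration
upgrade, or both."""
import hashlib
import math
import os

# Policy values. 12 is the minimum the article says LastPass now enforces;
# 600_000 is the OWASP recommendation for PBKDF2-HMAC-SHA256, used here as an
# assumed "modern" target, not a documented LastPass setting.
MIN_MASTER_PASSWORD_LENGTH = 12
TARGET_ITERATIONS = 600_000


def meets_length_policy(master_password: str) -> bool:
    """True if the master password satisfies the 12-character minimum."""
    return len(master_password) >= MIN_MASTER_PASSWORD_LENGTH


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 as a generic stand-in for a vault key derivation.

    Every guess against a stolen vault costs one call of this function, so
    raising `iterations` raises the price of each guess for the attacker.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def log2_bruteforce_work(length: int, alphabet_size: int, iterations: int) -> float:
    """log2 of the PBKDF2 evaluations needed to try every password.

    Length multiplies the number of guesses (alphabet_size ** length);
    iterations multiply the cost of each guess. The two add in log2 space,
    which is why fixing only one of them leaves the other weakness intact.
    """
    return length * math.log2(alphabet_size) + math.log2(iterations)


def audit_accounts(accounts):
    """Flag accounts needing a password change, an iteration upgrade, or both.

    `accounts` is a list of dicts with 'user', 'password_length' and
    'iterations'; a service can know these without storing the password.
    """
    findings = []
    for acct in accounts:
        actions = []
        if acct["password_length"] < MIN_MASTER_PASSWORD_LENGTH:
            actions.append("require master password of 12+ characters")
        if acct["iterations"] < TARGET_ITERATIONS:
            actions.append(f"re-derive vault key with {TARGET_ITERATIONS} iterations")
        if actions:
            findings.append({"user": acct["user"], "actions": actions})
    return findings


# Constructed sample: a long-time customer left on old defaults and a newer one.
SAMPLE_ACCOUNTS = [
    {"user": "legacy-user", "password_length": 8, "iterations": 5_000},
    {"user": "newer-user", "password_length": 16, "iterations": 600_000},
]

if __name__ == "__main__":
    salt = os.urandom(16)
    for iters in (5_000, 600_000):
        key = derive_vault_key("correct horse battery", salt, iters)
        print(f"{iters:>7} iterations -> key {key.hex()[:16]}...")
    for length, iters in ((8, 5_000), (12, 5_000), (12, 600_000)):
        print(f"{length}-char lowercase at {iters} iterations: "
              f"2^{log2_bruteforce_work(length, 26, iters):.1f} work")
    for finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(finding["user"], "->", "; ".join(finding["actions"]))
```

Running it shows that an eight-character lowercase password at 5,000 iterations costs an attacker roughly 2^50 PBKDF2 evaluations, while twelve characters at 600,000 iterations costs roughly 2^76; the audit flags the legacy account for both a password change and an iteration upgrade, which is the combined remediation the critics quoted above are asking for.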

LastPass has been accused of blaming users for weak passwords instead of taking responsibility for weak default settings.

In summary, LastPass’s decision to enforce longer master passwords has garnered mixed reactions, with some seeing it as a positive step toward security improvement and others viewing it as inadequate and overdue, given the 2022 breach.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.