Executive Summary
LastPass, a popular password manager service, is beginning to require master passwords of at least 12 characters.
The change is aimed at improving security after a 2022 breach exposed the password vaults of millions of users.
Critics, however, argue that the move is largely a public-relations effort and does nothing for the customers whose vaults were already stolen in that breach.
What Happened
LastPass recently informed users whose master passwords are shorter than 12 characters that they must update them. The 12-character requirement was officially introduced in 2018 but was never enforced for many long-time customers.
This matters because LastPass disclosed a breach in November 2022 in which attackers obtained the password vaults of more than 25 million users, containing both encrypted fields and plaintext fields (such as website URLs).
Since then, there have been reports of cryptocurrency thefts targeting LastPass users, suggesting that some attackers have cracked the stolen vaults offline. One victim who lost more than three million dollars in cryptocurrency had never changed an eight-character master password.
Please see our recent news regarding related LastPass issues:
- LastPass Data Breach Leads To Phishing Scams
- LastPass Users Who Stored Cryptocurrency Seed Phrases Urged to Take Action
LastPass has also been criticized for not upgrading older accounts to the stronger encryption settings given to newer customers, in particular the iteration count of the key-derivation function (PBKDF2) that turns the master password into the vault encryption key. A low iteration count makes every guess at a stolen vault's master password cheaper for an attacker to test.
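The "iterations" criticism is about the cost of guessing a master password offline once the encrypted vault is in an attacker's hands. The following added example (not code from this page or from LastPass) models that cost with Python's standard library: it derives a vault key with PBKDF2-HMAC-SHA256 (the key-derivation function LastPass is documented to use; salting with the account e-mail mirrors that scheme) and compares the brute-force work for an 8-character password at a low iteration count against a 12-character password at a high one. The iteration counts 5,000 and 100,100, the 62-character alphabet and the attacker's guess rate are illustrative assumptions, not figures from the page.

```python
import hashlib
import time

# Illustrative iteration counts (assumption: the pre-2018 and post-2018
# defaults commonly cited for LastPass). Not taken from this page.
LEGACY_ITERATIONS = 5_000
CURRENT_ITERATIONS = 100_100
KEY_LEN = 32  # 256-bit symmetric vault key


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the vault encryption key from the master password.

    PBKDF2-HMAC-SHA256 with the (normalised) account e-mail as salt; the
    salt choice models LastPass's documented scheme but is an assumption here.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def keyspace(length: int, alphabet_size: int = 62) -> int:
    """Candidate passwords of `length` over an alphabet (62 = A-Z, a-z, 0-9).

    Human-chosen passwords are far less random than this, which is why an
    8-character master password can fall to a wordlist long before the
    full keyspace is exhausted; these numbers are upper bounds on effort.
    """
    return alphabet_size ** length


def brute_force_work(length: int, iterations: int, alphabet_size: int = 62) -> int:
    """PBKDF2 iterations an attacker must compute to exhaust the keyspace.

    Each guess costs `iterations` HMAC rounds, so raising the count is a
    linear multiplier on attacker effort; each extra character is a 62x one.
    """
    return keyspace(length, alphabet_size) * iterations


def expected_crack_seconds(length: int, iterations: int, iterations_per_second: float) -> float:
    """Expected time to recover the password offline (half the space on average).

    `iterations_per_second` is the attacker's raw PBKDF2-HMAC-SHA256 round
    rate; any figure used is a hypothetical rig assumption.
    """
    return brute_force_work(length, iterations) / 2 / iterations_per_second


def time_one_derivation(iterations: int, password: str = "correct horse",
                        email: str = "user@example.com") -> float:
    """Wall-clock seconds for one legitimate unlock at this iteration count."""
    start = time.perf_counter()
    derive_vault_key(password, email, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    RIG = 1e10  # assumption: 10 billion PBKDF2 rounds/second of cracking hardware
    cases = [
        (8, LEGACY_ITERATIONS, "8 chars, 5,000 iterations (legacy account)"),
        (8, CURRENT_ITERATIONS, "8 chars, 100,100 iterations"),
        (12, CURRENT_ITERATIONS, "12 chars, 100,100 iterations"),
    ]
    for length, iters, label in cases:
        years = expected_crack_seconds(length, iters, RIG) / (365.25 * 86400)
        print(f"{label}: ~{years:.3g} years to exhaust on the assumed rig")
    # The user-side cost of a higher count is a one-off delay at unlock time.
    for iters in (LEGACY_ITERATIONS, CURRENT_ITERATIONS):
        ms = time_one_derivation(iters) * 1000
        print(f"one derivation at {iters:,} iterations: {ms:.1f} ms")
```

The point the numbers make: moving from 5,000 to 100,100 iterations multiplies attacker work by about 20, while four extra random characters multiply it by 62^4 (about 14.8 million); together that is a factor of roughly 3 x 10^8, for a one-off unlock delay of a fraction of a second. Note also that iterations are applied before the vault is encrypted, so raising an older account's iteration count requires re-encrypting the vault; a stolen vault keeps whatever count it had when it was taken.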
LastPass’s Notification to Users
LastPass stated that, starting in October, it will require all existing customers to update their master passwords to at least 12 characters.
LastPass CEO Karim Toubba explained that the change is intended to safeguard online vaults and to bring users up to the 12-character minimum that has been LastPass's default setting since 2018.
LastPass has always stressed that a lost master password cannot be recovered, because the company does not store it.
Critics
Security experts and researchers have criticized LastPass for its handling of the breach and its failure to enforce stronger security measures.
Some argue that LastPass should have urged all affected users to change their passwords and should upgrade the encryption settings of older accounts.
LastPass has been accused of blaming users for weak passwords instead of taking responsibility for weak default settings.
In summary, LastPass’s decision to enforce longer master passwords has garnered mixed reactions, with some seeing it as a positive step toward security improvement and others viewing it as inadequate and overdue, given the 2022 breach.