Sunday, July 7, 2024

LastPass Hikes Password Requirements to 12 Characters

Password-manager purveyor LastPass has announced it is setting new guidelines concerning the strength of customer passwords, with a new mandate that account master passwords include a minimum of 12 characters.

A Jan. 2 blog post from LastPass senior principal intelligence analyst Mike Kosak explained that although the current National Institute of Standards and Technology (NIST) guidelines recommend an eight-character password, advancements in password cracking and the human tendency toward lazy password picking make 12 characters an even more secure choice.

LastPass Beefing Up Passwords, MFA & More

“By now implementing a minimum 12-character master password requirement, together with the PBKDF2 iteration increases we delivered earlier this year, we’re proactively helping our customers create stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data,” Kosak wrote.

Customers who aren’t in compliance will be prompted to update their password, but those who already have a strong password won't need to take any additional actions, Kosak added.

“This policy will be implemented via a phased rollout to our customer base, with email notifications being sent to our Free, Premium and Families customers first, followed by our Teams and Business customers towards the end of January 2024,” Kosak wrote.

LastPass is also pushing out MFA re-enrollment for federated business customers using widely available authenticators from Microsoft, Google, or LastPass Authenticators, and for re-enrollment for grid authentication, the post said.

The company, which has suffered a string of security incidents and breaches, will also check updated passwords against a database of those known to have been exposed on the Dark Web and offer prompts for account holders to change to a more secure password.

“If the password is detected in a prior breach, a ‘Security Warning’ pop-up will alert the customer that the password has already been exposed, in which case they will be prompted to choose another password in order to continue,” according to the blog post.

A LastPass spokesperson confirmed to Dark Reading that the new master password rules aren’t the result of a new cybersecurity incident at the company. A massive breach in August 2022, as well as subsequent follow-on attacks, allowed threat actors to access and steal data from the LastPass cloud storage service, including a backup of LastPass customer vault data as well as LastPass source code.
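
The master-password controls described above (a 12-character minimum, a lookup against known-exposed passwords, and PBKDF2 key derivation) can be combined into one gate, sketched here as an added example that is not LastPass code. The iteration count, the SHA-256 lookup set, and all function names are assumptions; the article does not say how LastPass performs the lookup or which iteration count it uses.

```python
import hashlib
import os

MIN_LENGTH = 12        # minimum stated in the article
ITERATIONS = 600_000   # assumed value; the article gives no iteration count

# Constructed sample standing in for a corpus of exposed passwords.
# Only digests are kept, so the list itself holds no plaintext.
EXPOSED_DIGESTS = {
    hashlib.sha256(p.encode("utf-8")).hexdigest()
    for p in ("password1234", "qwertyuiop12", "letmein-letmein")
}


def check_master_password(password: str) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    problems = []
    # len() counts Unicode code points, not bytes.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    if digest in EXPOSED_DIGESTS:
        # Length alone does not help if the password is already in a breach list.
        problems.append("found in exposed-password list")
    return problems


def derive_vault_key(password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte key, refusing passwords that fail the policy."""
    problems = check_master_password(password)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)


if __name__ == "__main__":
    salt = os.urandom(16)  # per-account random salt
    for candidate in ("hunter2", "password1234", "copper-lantern-orbit-93"):
        issues = check_master_password(candidate)
        print(candidate, "->", issues or "accepted")
    print(derive_vault_key("copper-lantern-orbit-93", salt).hex())
```
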


