Password-manager purveyor LastPass has announced it's setting new rules about the strength of customer passwords, with a new mandate that account master passwords include a minimum of 12 characters.
A Jan. 2 blog post from LastPass senior principal intelligence analyst Mike Kosak explained that although the current National Institute of Standards and Technology (NIST) guidelines recommend an eight-character minimum, advances in password cracking and the human tendency toward lazy password picking make 12 characters a more secure choice.
Customers who aren't in compliance will be prompted to update their password, but those who already have a strong password won't need to take any additional actions, Kosak added.
LastPass is also pushing out MFA re-enrollment for federated business customers who use widely available authenticators (Microsoft Authenticator, Google Authenticator, or LastPass Authenticator), as well as re-enrollment for grid authentication, the post said.
The company, which has suffered a string of security incidents and breaches, will also check updated passwords against a database of passwords known to have been exposed on the Dark Web and prompt account holders to choose a more secure one.
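The two checks described above (a 12-character minimum and a lookup against a known-breached list) are straightforward to combine into one validation step. The following is an added example, not LastPass's code and not the article's; the tiny breached-password corpus is constructed here for illustration, and `range_lookup` is a local stand-in for a real compromised-credential service, modelled on the k-anonymity range query used by Have I Been Pwned's Pwned Passwords API (the client sends only the first five hex characters of the SHA-1 and matches the suffix locally, so the full hash never leaves the client).

```python
import hashlib

# Constructed sample corpus of "breached" passwords, stored as upper-case SHA-1 hex
# digests the way Pwned-Passwords-style services store them. Not a real breach dataset.
_BREACHED_PLAINTEXTS = ["password1234", "correcthorsebatterystaple", "letmein"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PLAINTEXTS}

# Policy from the article: master passwords must be at least 12 characters.
MIN_LENGTH = 12


def sha1_hex(password: str) -> str:
    """SHA-1 hex digest, upper-cased to match the corpus format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix5: str) -> list[str]:
    """Stand-in for a k-anonymity range query (hypothetical local service).

    The caller supplies only the first 5 hex characters of the hash; the service
    returns every stored suffix (characters 5..39) that shares that prefix. The caller
    then decides locally whether its own suffix is among them.
    """
    return [h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)]


def is_breached(password: str) -> bool:
    """True if the password's full SHA-1 appears in the breached corpus."""
    full = sha1_hex(password)
    candidate_suffixes = range_lookup(full[:5])
    return full[5:] in candidate_suffixes


def evaluate_master_password(password: str) -> list[str]:
    """Return the reasons a proposed master password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a known-breached password list")
    return problems


if __name__ == "__main__":
    for candidate in ["letmein", "correcthorsebatterystaple", "short1234", "Tr0ub4dor&3-unique-phrase"]:
        verdict = evaluate_master_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The length test and the breach test are independent: a long passphrase that has already leaked ("correcthorsebatterystaple" in the constructed corpus) still fails, which is why the article's breach check matters on top of the 12-character rule. A real deployment would hash client-side and query the remote range endpoint in `range_lookup`; the rest of the logic is unchanged.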
A LastPass spokesperson confirmed to Dark Reading that the new master password rules are not the result of a new cybersecurity incident at the company.
A massive breach in August 2022, as well as subsequent follow-on attacks, allowed threat actors to access and steal data from the LastPass cloud storage service, including a backup of LastPass customer vault data as well as LastPass source code.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 03 Jan 2024 20:05:14 +0000