LastPass is making some changes to enhance the security of its user accounts.
The news comes as a follow-up to the company's plans to enforce stronger passwords a few months ago.
A brief recap of the LastPass security breaches.
Security experts, including Wladimir Palant, the creator of Adblock Plus, who analyzed the cloud-based password manager's practices, criticized the service for not enforcing modern security standards to protect its servers and user data.
Almost a year after revealing details about the security incidents and the theft of user data, LastPass is finally enforcing a rule to make all users set up a master password that is at least 12 characters in length.
It sounds bizarre, but the password manager service had allowed users to skip the minimum requirement and use shorter passwords instead. Such passwords could be brute-forced by hackers, which would give them access to your password vault, and we all know what happened.
LastPass to enforce new master password requirement.
Existing users and subscribers who had set a shorter password will be prompted to update to a longer password when they try to log in.
Users who already have a master password with 12 or more characters are not affected by the change, though I would probably change the password, just to be safe.
This is the only way to recover your account and its data, without the master password.
LastPass will cross-check your master password on the Dark Web.
LastPass' article talks about a new feature that will check new master passwords, or those that have been reset, against a database of credentials that have been leaked online.
The company says it is doing this to prevent passwords that have been exposed on the dark web, which could be exploited by hackers to steal your online identities, bank accounts, and other personal or financial information.
I'm not entirely sure how this would work without storing the password on the servers directly.
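LastPass's article does not say how its check is implemented. The design below is an added example, not LastPass code, showing one widely used way to do it: the k-anonymity range query (the approach popularised by Have I Been Pwned's Pwned Passwords API). The client hashes the candidate locally and sends only the first five hex characters of the hash, so the server never sees the password or its full hash; the breach corpus is a constructed sample.

```python
import hashlib

# Constructed stand-in for a leaked-credential corpus (sample data, not a real breach).
LEAKED_PASSWORDS = ["password", "123456", "letmein", "qwerty123456", "football"]

# The minimum master password length LastPass is now enforcing.
MIN_MASTER_PASSWORD_LENGTH = 12


def sha1_hex(password: str) -> str:
    # SHA-1 is used only as a lookup key for matching against the corpus,
    # never as a password-storage hash; this mirrors the Pwned Passwords scheme.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: bucket every corpus hash by its 5-hex-character prefix."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(h[5:])
    return index


def range_query(index, prefix: str):
    """Server side: given only a 5-character prefix, return all matching suffixes.
    The server learns a 20-bit prefix, not the password or its full hash."""
    return list(index.get(prefix, []))


def is_leaked(password: str, index) -> bool:
    """Client side: hash locally, send the prefix, compare the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in range_query(index, prefix)


def check_master_password(password: str, index):
    """Combine the new length rule with the breach check; returns a list of problems."""
    problems = []
    if len(password) < MIN_MASTER_PASSWORD_LENGTH:
        problems.append("too short")
    if is_leaked(password, index):
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for candidate in ["letmein", "qwerty123456", "a long unique phrase 9"]:
        print(candidate, check_master_password(candidate, idx) or "ok")
```

In the real API the client would call the HTTPS range endpoint with the prefix instead of `range_query`; the local comparison logic is unchanged.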
If you have used an app like LastPass Authenticator, Google Authenticator, Microsoft Authenticator, or something similar as a two-step verification method, you should remove LastPass from it, and re-add your account to it manually.
This is being recommended as an extra precaution, because the LastPass data breach had also impacted the company's MFA database that contained seeds and telephone numbers associated with user accounts.
The LastPass data breaches, and the mismanagement of the situation, have unsurprisingly led to a massive exodus of users who shifted to rival services.
There are some impressive mobile apps for KeePass, such as Keepass2Android Password Safe and KeePassium for iOS. On the other hand, if you want to migrate to a cloud-based password manager, Bitwarden is the best alternative to LastPass.
This Cyber News was published on www.ghacks.net. Publication date: Thu, 04 Jan 2024 14:13:05 +0000