LastPass Is Forcing You To Change Your Master Password… Wait… Why Are You Still Using LastPass??

In a blog post on Wednesday, LastPass says that users will now be asked to set a new master password. Here’s why they’re asking users to do that:

When it comes to password security and resilience, there’s strength in numbers. But that’s just for starters. Password strength is a complex notion that’s informed by a number of factors including length, complexity, and unpredictability. The current National Institute of Standards and Technology (NIST) guidelines require that human-generated passwords be at least 8 characters in length (NIST 800-63B) but given recent advances in password cracking/brute forcing technology and techniques, coupled with the natural human tendency to create passwords that are predictable and easy to remember, an even longer password is recommended.

LastPass’ new master password length requirement is just one part of a progressive set of initiatives designed to help our customers better protect themselves from current and emerging cyber threats. Historically, while a 12-character master password has been LastPass’ default setting since 2018, customers still had the ability to forego the recommended default settings and choose to create a master password with fewer characters, if they wished to do so. By now enforcing a minimum 12-character master password requirement, along with the PBKDF2 iteration increases we delivered earlier this year, we are proactively helping our customers create stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data.

Clearly this relates to the fact that LastPass was pwned in 2022. But this is 2024 and my advice is that you should not be using LastPass because the company taking this sort of action is like closing the barn door after the horses have escaped. In other words, it’s too little too late. Which means if you’re still using LastPass for whatever reason, it’s beyond time for you to move your passwords someplace else.
