- Jan 8, 2011
LastPass on Thursday sent an email to users about the new requirement. “All master passwords must meet a 12-character minimum. If your master password is less than 12 characters, you will be required to update it,” the message says.
The email adds that LastPass is “committed to meeting the latest industry security standards and best practices” by instituting the new requirement. A spokesperson for LastPass says that “this is not in response to a new threat or incident.”
UPDATE: LastPass provided PCMag with a longer statement about the new requirement:
"LastPass’ new master password length requirement is one part of a planned and progressive set of initiatives to provide a more secure experience for our customers that we committed to in March of this year. Historically, while a 12-character master password has been LastPass’ default setting since 2018, customers still had the ability to forego the default settings and choose to use less characters if they wished to do so. By enforcing a minimum 12-character master password requirement, along with the PBKDF2 iteration increases we delivered earlier this year, we are helping our users create stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data."
"These initiatives began months ago in April 2023, when all new LastPass customers, and any existing customers who reset their master passwords, have been required to create a master password with a minimum of 12 characters in length. Now, starting in October, LastPass will require all existing customers to update their master password to at least 12 characters. In preparation for this new requirement, we began emailing our Free, Premium and Families customers this week, recommending that they update their master passwords to a minimum of 12 characters at their earliest convenience to avoid any interruptions to their account."
"Similarly, we plan to begin emailing our Business, Enterprise and Teams customers about this requirement beginning in October. LastPass customers who have already confirmed that their master password has 12 or more characters do not have to take any action."