LastPass Makes a Major Change to How Master Passwords Work


LastPass alerted users of its password manager that they will now be required to use a master password with 12 or more characters. But this change is a waste of time that ignores how to best secure your online accounts.

“You may have noticed that lately we’ve been asking our customers to make some changes to their LastPass accounts,” LastPass senior analyst Mike Kosak writes in the announcement post. “These changes are intended to help make our customers more secure.”


LastPass is making three changes to how its customer accounts work, and two of them relate to the master password that LastPass, like other password managers, uses. The most significant change is the 12-character requirement: LastPass has made a 12-character master password the default since 2018, but it allowed customers to use shorter master passwords if they wished. In April 2023, LastPass began requiring new customers, and those who reset their master password, to use 12 or more characters. Now that requirement is being enforced for all customers.

“When it comes to password security and resilience, there’s strength in numbers,” Kosak explains. “But that’s just for starters. Password strength is a complex notion that’s informed by a number of factors including length, complexity, and unpredictability. The current National Institute of Standards and Technology (NIST) guidelines require that human-generated passwords be at least 8 characters in length (NIST 800-3B), but given recent advances in password cracking/brute-forcing technology and techniques, coupled with the natural human tendency to create passwords that are predictable and easy to remember, an even longer password is recommended.”

That’s ridiculous.

The Achilles heel of all password managers is that they still rely on users having a master password to protect their personal data. Here we are in 2023, configuring as many accounts as possible to be passwordless with technologies like two-step verification and passkeys, and yet somehow the vaults that store our account passwords, credit card numbers, and other important data still use … a password? This makes no sense to me: Password managers should support and require the same two-step verification techniques that we use to protect our other online accounts, and they should give us the option to go completely passwordless by not using a master password in the first place, since a master password is easily hacked no matter its length.

And, as it turns out, they do: Most password managers—including LastPass—actually do support passwordless authentication techniques. So maybe make that the default, LastPass, and remove the master password from the equation. Until it does so, users will continue to take the path of least resistance, which in this case is using something that is familiar but also insecure. And this LastPass announcement doesn’t even mention passwordless, despite the firm’s efforts elsewhere to promote this. That, to me, seems irresponsible.

This announcement was an interesting coincidence, but I’ll be writing more about password managers and passwordless soon.


Thurrott © 2024 Thurrott LLC