Skip to main content

You’ll have less of a headache if you update your password now. Don’t wait until you’re forced to.

If you’re still using a password with less than 12 characters to safeguard your LastPass account, you’re on borrowed time. LastPass is beginning to enforce its requirement for minimum password length across all accounts—and those who don’t update their credentials could get locked out.

LastPass has been strengthening its security since its massive security breaches in 2022, which saw customer vault data stolen as part of the hacks. Until this week’s announcement, however, legacy users were not forced to meet LastPass’s current requirement for password length, which was adopted in 2018. Only those who changed their credentials after April 2023 had to comply. Now starting in January 2024, all master passwords must use 12 characters or more. Accounts that don’t will be logged out and asked to set a new password.

Prompts for the password change will roll out in waves, and will be shown within the service. Once you receive the message, you have 72 hours to create a new master password. If you fail to do so, you’ll be logged out on all devices and must reset your password to log back in. Free, Premium, and Family consumer accounts are being notified first, starting on January 8. Business and Teams users will follow toward the end of January 2024. Users were originally told of this policy change in September 2023 through email, then again on January 3.

Getting forcibly logged out of LastPass can be particularly dangerous for some users, as they can become completely stuck without access. Those who know their current password will be fine—LastPass says changing a password will be simply a matter of inputting your current password, then choosing a new password. Users who don’t remember their password but have set up account recovery should also still be able to create a new password.

LastPass account settings
LastPass’s recovery method involves two pieces: a verification link, then use of a recovery one-time password generated by a previous login into the web interface or the browser extension. By default, the verification link goes to your email address, but for added safety, you can add a phone number to your account to receive those links—just in case you lack access to your email.

PCWorld

However, anyone who can’t recall their current password and didn’t set up account recovery will become completely locked out after the 72 hour window—that is, you’ll have no hope of getting back into LastPass.

So how do you avoid this terrible fate? If you can’t remember your password, perform a password reset before your 72 hour window is over. Even if you can, it’s not a bad idea to update your password now, before prompted to do so. And either way, don’t wipe the local storage for your web browser or LastPass extension—having logged in at least once through either method is a required part of the recovery process.

To change your LastPass password, head to your account settings. In the web interface, click on your user info at the top right, then Account Settings; in the browser extension, click on the Account icon, then choose Account Settings. LastPass strongly recommends first setting up account recovery methods now, in case you forget a new password after changing it (which sounds like a scenario the company’s seen before), and then creating a longer secure password.

As part of its announcement, LastPass also revealed that it will begin cross-checking new or reset master passwords against those leaked in data breaches. Credentials known to be compromised will not be allowed for use.

With these additional step toward stronger security and increased communication, LastPass is catching up further with rival services. But given its slower rollout of updates, it may be awhile longer until it pulls completely even. If you’re itching to be more on the forefront with your online security, you may want to finally switch to a different password manager, even with how much of a hassle it can be to leave LastPass.