If your LastPass master password still falls short of the 12-character mark, it’s time to act before you find yourself locked out. LastPass is stepping up its security measures, gradually enforcing a minimum password length for all accounts. This comes as part of LastPass’s ongoing efforts to fortify security following significant breaches in 2022 that exposed customer vault data. Legacy users have been exempt from the current password length requirement until now, but starting January 2024, all master passwords must be 12 characters or more. Failing to comply will result in account logout and a prompt to set a new password.

The password change prompts will be introduced in waves, appearing within the LastPass service. Users will have 72 hours to create a new master password once they receive the notification. Failure to do so will lead to a logout on all devices, requiring a password reset for re-entry. Notifications are beginning with Free, Premium, and Family consumer accounts on January 8, with Business and Teams users to follow at the end of January 2024. To avoid the risk of being locked out, users are urged to perform a password reset within the 72-hour window, especially if they cannot recall their current password. LastPass recommends setting up account recovery methods and creating a longer, secure password for added protection.

As part of this security enhancement, LastPass is also implementing cross-checks for new or reset master passwords against those leaked in data breaches, ensuring compromised credentials are not allowed for use. While LastPass is making commendable strides in bolstering security, users looking for more immediate updates may consider exploring alternative password managers.