Password management software vendor LastPass has begun mandating re-enrolments of multi-factor authentication (MFA) and master passwords of at least 12 characters, among new capabilities like monitoring for password exposure on the dark web.
Mike Kosak, senior principal intelligence analyst at LastPass, said customers were previously able to select a master password with fewer characters than the 12-character default.
“Current [US] National Institute of Standards and Technology (NIST) guidelines require that human-generated passwords be at least eight characters but, given advances in password cracking and brute-forcing technology and techniques, coupled with the natural human tendency to create passwords that are predictable and easy to remember, an even longer password is recommended,” Kosak wrote in a post on the LastPass website.
Email notifications to update master passwords should be received by the end of January – although new customers have been mandated to choose 12 characters since April 2023. Customers are also being prompted to re-enrol their multi-factor authentication (MFA), among other things, he said.
Alongside its Password Based Key Derivation Function 2 (PBKDF2) cryptographic iteration increases earlier in 2023, the result should be stronger and more resilient encryption keys to users’ LastPass vault data, he added.
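To show why raising the PBKDF2 iteration count strengthens the key derived from a master password, here is an added Python example; it is not LastPass code, and the iteration counts, salt length and record layout are assumptions chosen for illustration (the article gives no figures). It derives a vault key with PBKDF2-HMAC-SHA256, verifies a later attempt in constant time, flags records enrolled under an older iteration count for re-derivation, and checks the implementation against the RFC 7914 test vector.

```python
import hashlib
import hmac
import os
import time

# Illustrative iteration counts (assumed; the article does not state LastPass's figures).
# 600,000 is the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.
LEGACY_ITERATIONS = 100_000
CURRENT_ITERATIONS = 600_000
SALT_BYTES = 16  # assumed salt size for this example


def derive_vault_key(master_password: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Stretch a master password into a fixed-size key with PBKDF2-HMAC-SHA256.
    Each extra iteration is work an attacker must repeat for every guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen)


def enrol(master_password: str, iterations: int = CURRENT_ITERATIONS) -> dict:
    """Generate a fresh random salt and keep the parameters needed to verify later."""
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt,
        "iterations": iterations,
        "key": derive_vault_key(master_password, salt, iterations),
    }


def verify(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time
    so a mismatch does not leak how many leading bytes matched."""
    candidate = derive_vault_key(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def needs_rehash(record: dict, target_iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when the record was enrolled under a weaker iteration count and should be
    re-derived the next time the user presents the correct master password."""
    return record["iterations"] < target_iterations


def time_derivation(iterations: int, password: str = "benchmark-only") -> float:
    """Wall-clock seconds for one derivation; shows the cost an attacker pays per guess."""
    start = time.perf_counter()
    derive_vault_key(password, b"fixed-benchmark-salt", iterations)
    return time.perf_counter() - start


def rfc7914_vector_prefix() -> str:
    """First 16 hex chars of the RFC 7914 PBKDF2-HMAC-SHA256 vector
    (P="passwd", S="salt", c=1, dkLen=64); the full vector begins 55ac046e56e3089f."""
    return hashlib.pbkdf2_hmac("sha256", b"passwd", b"salt", 1, 64).hex()[:16]


if __name__ == "__main__":
    record = enrol("correct horse battery staple", iterations=LEGACY_ITERATIONS)
    print("verify correct:", verify(record, "correct horse battery staple"))
    print("verify wrong:  ", verify(record, "correct horse battery stapler"))
    print("needs rehash:  ", needs_rehash(record))
    for n in (LEGACY_ITERATIONS, CURRENT_ITERATIONS):
        print(f"{n:>8} iterations: {time_derivation(n):.3f}s per derivation")
```

The `needs_rehash` check is the piece that matters operationally: an iteration increase only protects a vault once its key has actually been re-derived under the new count, which is why such upgrades are tied to the user logging in or changing the master password.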
Account recovery options should be set up before changing the password, he emphasised.
Other new features include dark web monitoring for exposed passwords, starting February 2024.
“LastPass will begin immediate checks on new or reset master passwords against a database of known breached credentials,” Kosak said.
“If the password is detected in a prior breach, a pop-up will alert the customer that the password has already been exposed, in which case they will be prompted to choose another password in order to proceed.”
Kosak said modern password crackers can ingest lists of known passwords as part of their dataset, making it quicker to figure out an account’s credentials.
“Requiring our customers to choose a password that has not already been exposed makes cracking it substantially more difficult,” Kosak said.
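The two checks the article describes, a 12-character minimum and rejection of any master password already present in a breach corpus, can be combined into one policy function. The Python below is an added example, not LastPass's implementation: the breached-password list is constructed for the demo, and the lookup uses a hash-prefix (k-anonymity) range query of the kind the Have I Been Pwned Pwned Passwords API uses, which is an assumption about mechanism rather than something the article states about LastPass.

```python
import hashlib
from collections import defaultdict

MIN_MASTER_PASSWORD_LENGTH = 12  # the default described in the article

# Constructed stand-in for a breach corpus; a real feed holds billions of entries.
CONSTRUCTED_BREACHED_PASSWORDS = [
    "password1234",
    "Summer2023!!",
    "qwertyuiop12",
    "letmein",
]


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the format breach-corpus range queries use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(breached_passwords) -> dict:
    """Index breached hashes by their first five hex characters, so a client can
    ask for one prefix bucket without revealing which password it is checking."""
    index = defaultdict(set)
    for pw in breached_passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def range_lookup(index: dict, prefix: str) -> set:
    """Server side of the k-anonymity query: return every stored suffix under 'prefix'.
    The server learns only the 5-character prefix, never the full hash or password."""
    return set(index.get(prefix.upper(), ()))


def is_breached(index: dict, password: str) -> bool:
    """Client side: hash locally, fetch the prefix bucket, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(index, digest[:5])


def evaluate_master_password(index: dict, candidate: str):
    """Apply the length rule first, then the breach check. Returns (accepted, reason)."""
    if len(candidate) < MIN_MASTER_PASSWORD_LENGTH:
        return False, f"must be at least {MIN_MASTER_PASSWORD_LENGTH} characters"
    if is_breached(index, candidate):
        return False, "already exposed in a known breach; choose another"
    return True, "accepted"


if __name__ == "__main__":
    index = build_prefix_index(CONSTRUCTED_BREACHED_PASSWORDS)
    for candidate in ("letmein", "password1234", "correct-horse-battery-staple-9"):
        accepted, reason = evaluate_master_password(index, candidate)
        print(f"{candidate!r}: {'OK' if accepted else 'rejected'} ({reason})")
```

Because the breach check runs on the hash, it is case-sensitive and exact; it catches a password that was itself leaked, not every near-variant of one, which is why the length minimum and the key-stretching described earlier remain necessary alongside it.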
LastPass began streamlining MFA re-enrolment for business customers using the likes of Microsoft Authenticator, Google Authenticator, or LastPass Authenticator during 2023, with re-enrolment for Grid authentication coming soon, he added.
“This action effectively mitigates the remaining risk stemming from the prior exposure of the LastPass MFA/Federation database backup,” Kosak said. “If you haven’t done so already, initiate a manual re-enrollment of MFA for non-federated customers.”
In other LastPass news, the Boston, USA-based vendor named Esther Flammer its new chief marketing officer (CMO), overseeing global marketing and strategy, including corporate marketing and communications, product marketing, demand generation and related operations. Flammer has more than 20 years of experience in “high-growth” marketing, the company said.
Karim Toubba, chief executive officer at LastPass, said Flammer was skilled at working with high-growth technology companies, scaling marketing programmes and optimising go-to-market strategies.
“[She] will be instrumental in supporting our efforts in 2024 and beyond,” Toubba said in the announcement.
Customer trust was central to LastPass's success, noted Flammer.
“I’ve benefited first hand from the value of LastPass as a customer. I am excited to spearhead a robust go-to-market strategy that centres around our customers’ trust and their experience with our market-leading solutions,” she said.