LastPass to make account updates

This one is from SANS NewsBites, which we posted earlier.

This is a big deal, although it's about 6 years too late. While they've required accounts created since 2018 to have a 12-character password, this year they're requiring longer-standing users like you and me to meet the same 12-character minimum.

My password has always been 12 characters, memorable and easy to remember.

While they want us to use letters, numbers and special symbols, a passphrase is also a good choice where you are able to write it down somewhere.

Let's say your phrase is about your dog: it says that your dog is the best dog you've ever had.

You can then swap some of the letters for symbols in their place, like 5 for e or a dollar sign for s, or whatever substitution makes sense to you as the person using it.

Remember that this password should be memorable so have fun with it!

If you use a two-factor authenticator app, whether LastPass's or someone else's, they may ask you to re-verify with it only if you fail the password step.

If you are a customer, you should read the blog post that is linked in the newsletter and that we'll link to here. It discusses why they're making the changes and what to expect.

When it comes to password security and resilience, there’s strength in numbers. But that’s just for starters. Password strength is a complex notion that’s informed by a number of factors including length, complexity, and unpredictability. The current National Institute of Standards and Technology (NIST) guidelines require that human-generated passwords be at least 8 characters in length (NIST 800-63B) but given recent advances in password cracking/brute forcing technology and techniques, coupled with the natural human tendency to create passwords that are predictable and easy to remember, an even longer password is recommended.

Here are the requirements from LastPass's article if you do need to change your password to meet them.

  • Use a minimum of 12 characters, but additional characters are recommended,
  • Use at least one of each of the following: upper case, lower case, numeric, and special character values,
  • Make it memorable, but not easily guessed, such as a passphrase,
  • Make sure that it is unique only to you,
  • Don’t use your email address as your master password,
  • Don’t use personal information in your master password,
  • Don’t use sequential characters (for example, “1234”) or repeated characters (for example, “aaaa”),
  • Make sure you don’t reuse your master password for any other account or application.

If you change it and make it longer, bonus points! The newsletter linked in our prior post recommends 16 characters, which might be a bit hard to memorize. I'm not saying it isn't, but the passphrase idea above would make that a lot easier.

What the newsletter didn't cover is cross-checking your master password against the ones sitting in breach databases that may be circulating on the dark web.

Next month, LastPass will also begin immediate checks on new or reset master passwords against a database of known breached credentials in order to ensure the password hasn’t been previously exposed on the Dark Web. If the password is detected in a prior breach, a “Security Warning” pop-up will alert the customer that the password has already been exposed, in which case they will be prompted to choose another password in order to proceed.
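To make the requirement list above and the breach check concrete, here is an added example (not LastPass's own code) that applies those rules to a candidate master password and then looks its hash up in a constructed stand-in for a breached-password database; the hash set, the sample passwords and the email address are made up for illustration.

```python
import hashlib
import re

# Constructed stand-in for a breached-password database: SHA-1 hashes of two
# made-up passwords. A real check queries a breach corpus by hash; the
# plaintext is never compared or sent anywhere.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("Password1234!", "Summer2023!!")
}

def is_breached(password: str) -> bool:
    """Look the candidate up by hash, the way breach-corpus checks work."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1

def has_sequential_run(s: str, length: int = 4) -> bool:
    """True if `length` consecutive characters step by +1 or -1 (e.g. 1234, dcba)."""
    for i in range(len(s) - length + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + length - 1)}
        if steps in ({1}, {-1}):
            return True
    return False

def has_repeated_run(s: str, length: int = 4) -> bool:
    """True if one character repeats `length` or more times in a row (e.g. aaaa)."""
    return re.search(r"(.)\1{%d,}" % (length - 1), s) is not None

def check_master_password(password: str, email: str, personal=()) -> list:
    """Return the list of rules the candidate violates (empty means it passes)."""
    problems = []
    if len(password) < 12:
        problems.append("fewer than 12 characters")
    for pattern, label in ((r"[A-Z]", "upper case"), (r"[a-z]", "lower case"),
                           (r"[0-9]", "numeric"), (r"[^A-Za-z0-9]", "special character")):
        if not re.search(pattern, password):
            problems.append(f"missing {label}")
    if password.lower() == email.lower():
        problems.append("equals email address")
    # `personal` is a caller-supplied tuple of strings such as names or birthdays.
    for item in personal:
        if item and item.lower() in password.lower():
            problems.append(f"contains personal info '{item}'")
    if has_sequential_run(password):
        problems.append("sequential run such as 1234")
    if has_repeated_run(password):
        problems.append("repeated run such as aaaa")
    if is_breached(password):
        problems.append("found in breached-password list")
    return problems

# Passphrase built the way the post suggests: "my dog is the best dog ever",
# with 5 for e and $ for s.
print(check_master_password("MyDog1$Th5B5$tDogEv5r!", "someone@example.com"))  # []
```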

They ask, "Why are we doing this?" In my opinion, it is long overdue.

For a company with a bad track record, this is a good sign, and doing this will better protect its customers. Although if the employee had been smart, they would never have authenticated and we would not be talking about this in the first place. Then again, maybe we would.

They write:

This one is simple: Exposed passwords are easy to crack. Modern password crackers can ingest lists of known passwords as part of their dataset, which dramatically reduces the amount of time it takes to figure out an account’s credentials. Requiring our customers to choose a password that has not already been exposed makes cracking it substantially more difficult.

My question is why they didn't do this from the beginning and force password updates and iterations from the start.

Back in May 2023, LastPass initiated efforts to streamline MFA re-enrollment for non-federated Business customers who use common authenticators like Microsoft Authenticator, Google Authenticator, or LastPass Authenticator. Re-enrollment for Grid authentication is coming soon, and customers will have the option to re-enroll with Microsoft or Google.

As previously noted in our March 2023 security incident communications, resetting MFA is necessary as this action effectively mitigates the remaining risk stemming from the prior exposure of the LastPass MFA/Federation database backup.

If you haven’t done so already, initiate a manual re-enrollment of MFA for non-federated customers. You can find the detailed instructions for doing so in our Security Bulletin.

For links to these resources, see the complete blog post, "LastPass Is Making Account Updates. Here's Why," and please read it if you're a LastPass customer. It's important that you do!
