LastPass now requires a minimum number of characters for the master password. Internet users who had opted for another setting are required to change it.
This is a decision that will undoubtedly annoy part of its community, but which appears essential given the recent history of LastPass. Starting in January 2024, everyone will need to use a master password of at least 12 characters. This is whatannounced the official account of the password manager on X (formerly Twitter), on January 3.
The master password designates the secret code necessary to unlock the manager’s safe, the one in which all the other precious keys are stored (for example, the combinations to connect to Google, Facebook, your email, your bank, etc. .). This code is therefore extremely sensitive and should not be shared under any circumstances.
In fact, the master password opens everything. In these conditions, the advice that is systematically hammered out is to choose a unique one, but also strong enough so that it cannot be guessed or cracked by technical means. It must also avoid being reused elsewhere, to prevent a hack from finding this code in the wild, without protection.
For several years, LastPass has encouraged Internet users to use a master password of at least 12 characters. This has even been the default calibration since 2018. But, the password manager admits, there was always the possibility of opting for a less demanding setting. In short, choose a code with fewer characters.
Internet users whose personal code does not have the correct number of symbols are therefore required to update it. An inevitably painful passage, which will require a new effort to memorize, while taking the habit of typing, each time necessary, not the old key, but the new one to unlock the LastPass safe.
Raising the level of security
This expansion imposed on a portion of Internet users comes in the wake of other measures taken by LastPass to increase the general level of security of the manager. For example, the company mentions its encouragement for greater character complexity, and increased iterations of PBKDF2 (an acronym for Password-Based Key Derivation Function 2).
This last technical notion designates a process for securing passwords, by transforming them into complex and robust cryptographic keys. It is a key derivation function from a password using a cryptographic primitive with a large number of iterations in order to slow down exhaustive search attacks, recalls Anssi.
Another security measure that LastPass includes is two-factor authentication (2FA). This requires entering a second security code, once the master password is entered when opening the manager. This code can be sent by SMS, generated by a mobile application or validated using biometrics (fingerprint).
Starting in February, LastPass also intends to compare old or new master passwords against a baseline of known credentials. If the password is detected in a previous breach, a warning pop-up will alert the user that the master password has already been exposed on the web, for whatever reason.
This correspondence work aims, according to the company, to inform the Internet user. This does not mean that his safe is necessarily compromised, but that the key he chose to lock it by chance has the same characteristics as a leaked code. In this case, he will be advised to use another one, which does not suffer from this unfortunate coincidence.
Measures taken after failures
The measures taken by LastPass follow notable security incidents that occurred in 2022, with a leak of personal data, but also copies of backups of data from the vault. Data which, however, cannot be read in plain text, since it is encrypted. What’s more, the master password is never retained by LastPass.
There is a risk that some encrypted backups may end up being decrypted by testing combinations until the correct master password is found. An a priori higher threat if these sesames have a slightly insufficient number of characters to resist certain types of attacks for a long time. The length and complexity are there to complicate the task of the attackers.
Hence LastPass’ decision to impose a minimum threshold. Still, this will protect the current coffers. However, this will not change anything for already leaked encrypted items. These will not be able to benefit from the new threshold required by LastPass. For Internet users who were initially lax, and concerned by this incident, it may be a time bomb.
Subscribe for free to Artificielles, our newsletter on AI, designed by AIs, verified by Numerama!