In the wake of a devastating data breach, LastPass is forcing all customers to upgrade their master passwords to include at least 12 characters.

LastPass experienced a data breach last year that went from bad to worse as more details emerged. The company is eager to improve security in the wake of the incident, and is forcing users to upgrade their passwords as part of that effort. Mike Kosak, Senior Principal Intelligence Analyst, outlined the company’s new policy.

You may have noticed that lately we’ve been asking our customers to make some changes to their LastPass accounts. These changes include requiring customers to update their master password length and complexity to meet recommended best practices and prompting customers to re-enroll their multi-factor authentication (MFA), among others. All of these changes are intended to help make our customers more secure, and we want to share additional context about the evolving cyber threat environment that’s driving these requests so customers can better understand WHY these changes are important. To do this, we’ll address some of these recent changes, and explain what threats are driving them, and how these updates are designed to help.

Kosak emphasized that the 12-character password policy already existed, but is now mandatory.

LastPass’ new master password length requirement is just one part of a progressive set of initiatives designed to help our customers better protect themselves from current and emerging cyber threats. Historically, while a 12-character master password has been LastPass’ default setting since 2018, customers still had the ability to forego the recommended default settings and choose to create a master password with fewer characters, if they wished to do so. By now enforcing a minimum 12-character master password requirement, along with the PBKDF2 iteration increases we delivered earlier this year, we are proactively helping our customers create stronger and more resilient encryption keys for accessing and encrypting their LastPass vault data.

The move is a welcome one, and will hopefully help LastPass subscribers keep their sensitive data secure.