Dive Brief:

• LastPass is requiring customers to increase the complexity and length of their master passwords to at least 12 characters, the company said Tuesday.
• The password manager made 12-character master password lengths a default setting starting in 2018, but customers could still, until now, create a less complex master password with fewer characters.
• LastPass sent notices of the change to consumer customers this week and will inform business customers on Jan. 10, a company spokesperson said.

Dive Insight:

The new requirement comes almost a year and a half after LastPass was hit by a cyberattack that unraveled into one of the most notorious intrusions of 2022. The attack exposed a cloud-based backup of all customer vault data, with the exception of users’ master passwords.

Longer and more complex passwords is one of multiple security improvements LastPass instituted since the attack. CEO Karim Toubba previously described the company’s security overhaul as a “systemic change” fueled by a multiyear and multimillion-dollar investment.

“We didn’t just address the issues that were the cause of the breach, we literally looked at everything and made investments across the board,” Toubba told Cybersecurity Dive in October.

LastPass added a cloud security posture management layer to all cloud infrastructure and the company switched to an endpoint detection and response system it deemed more effective. LastPass also said it invested in a secure access service edge deployment and improved logs and alerts in its security orchestration, automation and response platform.

Some technical components of the company’s cybersecurity makeover, a plan it first shared in March, are still underway.

The company will also, starting next month, check new or reset master passwords against a database of known breached credentials, Mike Kosak, senior principal intelligence analyst at LastPass, said Tuesday in a blog post.