Starting this month, LastPass will require all users to change their master password if it contains fewer than twelve characters. A year and a half ago, something went wrong at LastPass.

The password manager LastPass introduces new rules. The “master password” that protects users’ safes must in future be at least twelve characters long. LastPass announced this in a blog. In addition to twelve characters, LastPass requires the following criteria:

• Use at least twelve characters, but additional characters are recommended.
• Use at least one of the following values: uppercase letters, lowercase letters, numbers, and special characters.
• Make it memorable but not easy to guess, like a passphrase.
• Make sure it is unique just for you.
• Do not use your email address as your master password.
• Do not use personal information in your master password.
• Do not use consecutive characters (e.g. “1234”) or repeated characters (e.g. “aaaa”).
• Make sure you do not reuse the master password for another account or application.

These guidelines are in line with our tips for the perfect password. First, free, premium and family accounts will be asked to see their password, and at the end of January it will be the turn of business customers. LastPass checks every new master password you create to see if it has ever been leaked somewhere. Does your password meet all guidelines? Then you don’t have to do anything.

One year later

LastPass said the new guidelines are necessary in the “rapidly changing cybersecurity landscape.” There is no further discussion about the consequences of possible incidents with the password manager itself. At the end of 2022 it became known that hackers had crept behind the scenes of LastPass.

User passwords were also stolen. LastPass has already advised setting longer master passwords and is now making this advice mandatory.