LastPass tightens requirements for master passwords

Critics aren't thrilled with LastPass's new security measures.

LastPass password management service now requires some of its users to choose longer master passwords. LastPass explains that the changes are necessary to ensure that all customers are protected by their latest security enhancements. However, critics say the move has little to do with improving security and is more like a PR move that won't help many early adopters whose password vaults were exposed in a security breach in 2022.

Earlier this week, LastPass sent a notification to users informing them that they will have to update their master password if it is less than 12 characters long. Officially, this change was introduced back in 2018, but some undetermined number of early customers of the company were not required to increase the length of their master passwords.

In November 2022, LastPass reported a security breach in which hackers stole password vaults containing both encrypted and public data for more than 25 million users. Since then, a number of security experts have concluded that attackers were likely able to break into some of the stolen LastPass vaults, resulting in six-digit cryptocurrency thefts.

Critics, including Adblock Plus creator Wladimir Palant, claim that LastPass's latest actions are just a PR stunt. Palant noted that many old LastPass users have not been updated to the more secure encryption settings offered to new users over the past years. For example, the number of "iterations" (how many times the master password goes through the company's encryption procedures) for many old users was initially between "1" and "500", while for new users from 2013 this value was 5000 iterations by default.

Palant also noted that the latest changes will not help users affected by the 2022 security breach, and recommended that everyone change all their passwords, which LastPass still does not recommend.

LastPass CEO Karim Toubba stated that changing the length of the master password (or the master password itself) is not intended to solve problems with already stolen vaults that are offline. It is designed to better protect users' online storage and ensure that they bring their accounts in line with LastPass's standard 2018 settings, which provide for a minimum master password length of 12 characters.

Experts emphasize that all bets are off when cybercriminals can gain access to encrypted storage data, which allows them to conduct "extraordinary" attacks using powerful computers, each of which can try to guess the password millions of times a second.
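To make the two knobs discussed above concrete (the iteration count and the 12-character minimum), here is an added example that is not part of the original post or LastPass's own code. It assumes PBKDF2-HMAC-SHA256 salted with the account e-mail as a stand-in for the vault key derivation, and the guess-rate figure is a constructed order-of-magnitude value, not a benchmark.

```python
import hashlib

# Assumption (not from the post): PBKDF2-HMAC-SHA256, salted with the lowercased
# account e-mail, 32-byte output. Real vault formats and salts may differ.
def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )

def meets_2018_policy(master_password: str) -> bool:
    """The 2018 LastPass minimum cited in the post: at least 12 characters."""
    return len(master_password) >= 12

def offline_guess_seconds(password_len: int, alphabet_size: int,
                          iterations: int, hmac_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace against a stolen (offline) vault.
    Every guess costs `iterations` HMAC evaluations, so the stretching factor
    raises attacker work linearly, while password length raises it exponentially.
    """
    keyspace = alphabet_size ** password_len
    return keyspace * iterations / hmac_per_second

def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    # Constructed figure: 1e9 HMAC-SHA256/s for a GPU rig (illustrative only).
    RATE = 1e9
    # 62-character alphabet: upper, lower and digits.
    for length, iters in ((8, 1), (8, 500), (8, 5000), (12, 500), (12, 5000)):
        t = offline_guess_seconds(length, 62, iters, RATE)
        print(f"{length:2d} chars, {iters:5d} iterations: {human_duration(t)}")
```

Running it shows why the iteration count alone moves an 8-character search from days to years, whereas the length requirement moves it by many orders of magnitude more.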