Since April 2023, all new LastPass customers, and any existing customers who took steps to reset their master passwords, have been required to create or update their master password to a minimum of 12 characters. Starting in January 2024, LastPass will enforce a requirement that all customers use a master password with at least 12 characters. The increase to a minimum of 12 characters requires customers to first login to their LastPass account to confirm one of two scenarios: * For those customers who confirm that they already have a master password with 12 or more characters, no actions are needed since they are already in compliance with the new policy. * Those customers who are not already in compliance with the new policy will be prompted to create a new master password with 12 or more characters. For those customers who will have to update their master password, here’s a list of best practices to consider: * Use a minimum of 12 characters, but additional characters are recommended, * Use at least one of each of the following: upper case, lower case, numeric, and special character values, * Make it memorable, but not easily guessed, such as a passphrase, * Make sure that it is unique only to you, * Don’t use your email address as your master password, * Don’t use personal information in your master password, * Don’t use sequential characters (for example, “1234”) or repeated characters (for example, “aaaa”), * Make sure you don’t reuse your master password for any other account or application. As previously noted in ourMarch 2023 security incident communications, resetting MFA is necessary as this action effectively mitigates the remaining risk stemming from the prior exposure of the LastPass MFA/Federation database backup. If you haven’t done so already, initiate a manual re-enrollment of MFA for non-federated customers. You can find the detailed instructions for doing so in ourSecurity Bulletin.

nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Home
General

Updating Master Password Requirements

LastPass Support

Since April 2023, all new LastPass customers, and any existing customers who took steps to reset their master passwords, have been required to create or update their master password to a minimum of 12 characters. Starting in January 2024, LastPass will enforce a requirement that all customers use a master password with at least 12 characters.

The increase to a minimum of 12 characters requires customers to first login to their LastPass account to confirm one of two scenarios:

For those customers who confirm that they already have a master password with 12 or more characters, no actions are needed since they are already in compliance with the new policy.
Those customers who are not already in compliance with the new policy will be prompted to create a new master password with 12 or more characters.

For those customers who will have to update their master password, here’s a list of best practices to consider:

Use a minimum of 12 characters, but additional characters are recommended,
Use at least one of each of the following: upper case, lower case, numeric, and special character values,
Make it memorable, but not easily guessed, such as a passphrase,
Make sure that it is unique only to you,
Don’t use your email address as your master password,
Don’t use personal information in your master password,
Don’t use sequential characters (for example, “1234”) or repeated characters (for example, “aaaa”),
Make sure you don’t reuse your master password for any other account or application.

As previously noted in ourMarch 2023 security incident communications, resetting MFA is necessary as this action effectively mitigates the remaining risk stemming from the prior exposure of the LastPass MFA/Federation database backup.

If you haven’t done so already, initiate a manual re-enrollment of MFA for non-federated customers. You can find the detailed instructions for doing so in ourSecurity Bulletin.

Find more posts tagged with

Accepted answers

All comments

Olivier THOMAS

Dear Ash,

I have updated my password but since then impossible to connect. In fact the change was accepted by Lastpass but it is the MFA which is failing. Authenticator crashed and the I can't generate a code (I don't see my previous account anymore)...

When I want to contact support, I am asked to connect (therefore infinite loop)

Do you know how it can be solved?

Marianne Carter

Hi Ash,

Before changing my master password I would like to set up account recovery (as recommended in the email communication). I have logged into my LastPass account and tried to figure out how to do this but the process to set up account recovery is not intuitive. The email communication has a link to info on setting up account recovery and I have tried using this link but it leads to an error page. I have tried searching the last pass help pages but I keep hitting an error page.

I am reluctant to change my master password until I have set up account recovery. Please help.

OG_MC

coolburnmtw

I always only see 12 characters minimum for master password but what is the maximum?

sjoakeshott

"For those customers who confirm that they already have a master password with 12 or more characters, no actions are needed since they are already in compliance with the new policy."

How do I confirm that my current password is more than 12 characters? My email link gives me 2 steps - account recovery and changing the password, but I don't need to change it as it is of sufficient length.

Thank you.

Suesab

lsysworks

I'd also like to know how to verify my password is an acceptable length without having to reset it since this is explicitly stated in the comm but not addressed in provided links.

Thank you

ishidomitsunari17

Sorry, but I don’t quite understand how exactly I can confirm that my password consists of more than 12 characters?

lamisspapia

I'm not familiar with forums. Did you get a reply about "confirming" that your master password already has 12 characters or more? My situation is the same.

Thank you!

sjoakeshott

No, I'm not familiar with forums, either! I've had no response to the question, beyond others having the same query, so I've just changed my pw. Annoying, when it was already enough. Good luck.

coolburnmtw

no actions are needed since they are already in compliance with the new policy

coolburnmtw

if you know it's more than 12 characters you don't need to do anything. i know it's worded like you need to do something to confirm but all it means is you count the characters. if you needed to change it, it would make you change it.

coolburnmtw

i still haven't seen anything about the maximum characters

atkin

I have the same problem!! atkinkda

coolburnmtw

count the characters. there's nothing you need to do if you're over the minimum 12 characters

rasimorefashions

A nice thing for better performance

goran

Of the 8 bullets in the original post, 7 are wise and good, but the "uppercase, lowercase, numeric, and one special character" requirement is just silly, naive, and nothing a serious security product should demand.