The other day LastPass started bugging me to change my god awful 32 character master passphrase that has mixed case and non-alpha characters based only on how long I’ve used it. It is very discouraging that LastPass is not following the best science on passphrases.
I was loath to try to come up with and memorize another passphrase as robust as the one I’ve been using but it refused to stop bugging me. So figuring that since they are not following password best practices I tried the ancient workaround that best practices say should be prevented and it works. I simply changed my master passphrase to something else and the immediately changed it back to what it was before.
The only concern I have is that maybe LastPass had a recent undisclosed data leak in which case forcing a change is the correct procedure. Anybody hear about a major security breach or is it just LastPass being anti-science idiots?
You might drop them a note in their user forum asking about this. I’d frankly be stunned if they had a leak and didn’t disclose it. That would eventually come to light and their credibility would evaporate.
p.s. I haven’t heard anything about a leak or a change in policy around resetting master passwords.
Nope, I am none of those things, just an average user of the free service (formerly of the paid service and 2-factor user, but unwilling to pay them 3x the price for just two factor), just a long time customer. And here is what I get on EVERY login:
Perhaps you’re not seeing it @Leo because you have two factor enabled.
I’ve had a premium personal account for about 6 or 7 years and had never seen the notice that @PHolder posted until this week. Looked around all the settings and can’t find any way to turn off the notice.
Well at least I could work around the issue by changing it and then changing right back to the old passphrase.
I get asked to change mine every now and then - maybe three times in eight years, at a guess? And I hate it, because of course I have picked something complex!
It seems like the kind of misfeature that should be optionally disabled. This is old thinking… and it implies that they have been hacked or breached. If they’re as secure as they advertise themselves to be, there is no value in forcing people to change a long and strong password… this is old world thinking.
I find it incredible rude when you are strong armed in to having something forced upon you. User choice is apparently now a “feature” you have to request with LastPass. It does feel like other forced resets of passwords after a breach.
Seriously, too old for their liking, they have clearly gone anti-science, probably due to the new ownership. Even funnier the site shown is long gone, it’s the company LastPass bought, promised to keep going, and then killed.
Password policies should not require employees to change passwords on a regular basis: Mandatory periodic password resets used to be hailed as a security best practice, but that is no longer the case. As NIST puts it, “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.”
I doubt I have any influence but I’ll raise this with them the next time we speak. This is a terrible annoyance and worse than useless.
I’ll just chime in that I am a long-time paid subscriber, and I am also getting this annoying prompt each and every time I log in. I also use two-factor authentication.
I have had it with LastPass, honestly. This will be the last straw. It suddenly changed with an update not do long ago that eradicated all my “form Fills”. That was incredibly annoying as I had to re-enter banking information and was discovered, of course, when I was doing a time sensitive data entry that needed the info.
I stopped using it then and have been relying on Safari/apple. It works fine. Time to download any information from LastPass and close that account.
I don’t remember ever getting that message. What browser do you guys use? It’s possible that there’s something that causes the extension to think there’s a problem.
Same here. On the website I have been seeing the reminder forever, it did not bug me there (I rarely log in to the website anyway). But recently (because of an update?) I also see it in the Firefox and Safari browser add-on, where it breaks my (bad) habit of saving the master password. Really annoying.
