Apr 16, 2014

Updating Passwords in the Wake of Heartbleed

With many online services now making the necessary security changes in the wake of Heartbleed, it’s time to start updating your passwords and improving your online security. Follow our steps to start using LastPass to update your passwords and better protect yourself going forward.

Before Getting Started


If you haven’t signed up yet, start by downloading LastPass, creating your account, and adding your sites to the vault.

LastPass will prompt you to import during the installer process. If any sites are stored in your browser or in a previous password manager, they can also be imported at any time: click the LastPass browser icon, open the Tools menu, select Import, and choose where you're importing from. See our article for more information on importing to LastPass.

Getting Started


As a LastPass user, start by running the LastPass Security Check (click the LastPass Icon in your browser menu > Tools > Security Check).

This tool identifies potentially vulnerable passwords and tells you if it’s safe to start updating them.


For the sites that have the recommended action "Go update!", use LastPass to update the password to a new, generated one.

The security check will also identify weak and duplicate passwords. Prioritize updating those next, so that you have a strong, unique password for each online account.
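To make the three verdicts concrete ("wait" until the site has re-keyed, "go update" when it has but your password predates the new certificate, "safe" otherwise), here is a small vault audit in the spirit of the Security Check. This is an added example, not LastPass code: the decision rules, the use of a certificate's issue date as the sign that a site has patched and re-keyed, the `affected` flag, the weakness heuristics and the sample entries are all assumptions constructed for illustration.

```python
# Added example: a minimal vault audit modelled on the Security Check described
# above. Illustrative code, not LastPass's own; the decision rules, field names,
# weakness heuristics and sample entries are assumptions.
import string
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

HEARTBLEED_DISCLOSED = date(2014, 4, 7)   # public disclosure date
AUDIT_DATE = date(2014, 4, 16)            # "today" for the sample run

# Tiny stand-in for a real breached-password list (constructed).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
CHAR_CLASSES = (set(string.ascii_lowercase), set(string.ascii_uppercase),
                set(string.digits), set(string.punctuation))


@dataclass
class Entry:
    site: str
    password: str
    password_changed: date        # when this vault entry's password last changed
    cert_issued: Optional[date]   # notBefore of the site's current certificate, if known
    affected: bool = True         # assumption: did the site run a vulnerable OpenSSL?


def heartbleed_action(e: Entry) -> str:
    """Map one entry to the page's three verdicts: 'wait', 'go update' or 'safe'.

    A site that issued a new certificate after disclosure is assumed patched and
    re-keyed. Changing a password before that point could expose the new one too,
    hence 'wait'. A password changed after the new certificate is 'safe'.
    """
    if not e.affected:
        return "safe"
    if e.cert_issued is None or e.cert_issued < HEARTBLEED_DISCLOSED:
        return "wait"
    if e.password_changed >= e.cert_issued:
        return "safe"
    return "go update"


def weak_reasons(password: str) -> List[str]:
    """Simple weakness heuristics; real checkers use far richer rules."""
    reasons = []
    if len(password) < 12:
        reasons.append("short")
    if sum(1 for cls in CHAR_CLASSES if cls & set(password)) < 3:
        reasons.append("few character classes")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common")
    return reasons


def audit(entries: List[Entry], today: date) -> Dict[str, dict]:
    """Per-site report: Heartbleed verdict, password age, weakness, duplication."""
    uses = Counter(e.password for e in entries)
    return {
        e.site: {
            "heartbleed": heartbleed_action(e),
            "age_days": (today - e.password_changed).days,
            "weak": weak_reasons(e.password),
            "duplicate": uses[e.password] > 1,
        }
        for e in entries
    }


def plan(report: Dict[str, dict]) -> List[str]:
    """Order sites as the page recommends: 'go update' first, then weak or
    duplicate passwords, then everything else (stable within each tier)."""
    def tier(site: str) -> int:
        r = report[site]
        if r["heartbleed"] == "go update":
            return 0
        if r["weak"] or r["duplicate"]:
            return 1
        return 2
    return sorted(report, key=tier)


# Constructed sample vault; dates chosen to exercise each verdict.
SAMPLE = [
    Entry("gmail.com", "Summer2014!", date(2014, 4, 1), date(2014, 4, 8)),
    Entry("instagram.com", "Summer2014!", date(2013, 6, 2), date(2013, 1, 15)),
    Entry("soundcloud.com", "xq7#Lp9!vR2m&Zt4", date(2014, 4, 11), date(2014, 4, 8)),
    Entry("legacy.example", "password", date(2012, 3, 3), date(2011, 9, 9), affected=False),
]

if __name__ == "__main__":
    report = audit(SAMPLE, AUDIT_DATE)
    for site in plan(report):
        r = report[site]
        flags = ", ".join(r["weak"] + (["duplicate"] if r["duplicate"] else []))
        print(f"{site:16} {r['heartbleed']:10} age={r['age_days']:3}d {flags}")
```

Note the `soundcloud.com` entry: its password was changed after the site's new certificate was issued, so the audit reports it as safe rather than asking for another change. The comparison of password-change date against certificate-issue date is the whole check, which is why it matters that a change is recorded in the vault with its real date rather than as a freshly added entry.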

Replacing Your Old Passwords


Using Gmail as an example, let’s walk through how to update a password using LastPass.

To begin, we’ll go to Gmail.com, log in with our current username and password, and locate the Gmail settings page where we can update our password.

On the ‘Change Password’ page, we’re asked to enter the old password, as well as enter a new password twice.

In the current password field, we can click the LastPass icon (the asterisk) and select the existing login to fill that password:


Then, we click the "Generate" icon in the "New Password" field to create a random, unique password. If we want to add additional characters to the new password, we can click “Show Advanced Options”, update the settings, and generate a new password to use:


After clicking “Use Password”, LastPass fills both the “New Password” and “Confirm New Password” fields.

Since we are updating an account that is already stored in LastPass, we will see a dialog to either confirm we want to update the existing account, or save as a new account.


We’re going to select “Yes, Use for this Site” because we just want to update the account entry already saved by LastPass.

On the webpage, we’ll click “Save” to submit the account changes. Since we selected “Yes, Use for this Site”, the change has also been saved in LastPass. It’s important that the save is made both on the website and in LastPass, so that the password is up to date in both places.

The next time you log in to your site, LastPass will autofill with the new, generated password!
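The "Generate" step above, with the kind of advanced options mentioned (length, which character classes to include), comes down to drawing each character from a cryptographically secure source and then checking the result against the site's rules. The example below is added here and is not LastPass code; the option names, the symbol set and the ambiguous-character list are assumptions.

```python
# Added example: a CSPRNG-backed password generator with "advanced options"
# (length, character classes, optional removal of look-alike characters).
# Illustrative code, not LastPass's; option names and symbol set are assumptions.
import math
import secrets
import string
from typing import Iterable, Tuple

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",   # assumed set; trim to what a site accepts
}
AMBIGUOUS = set("Il1O0")   # characters easily confused when read or typed by hand
DEFAULT_CLASSES = ("lower", "upper", "digits", "symbols")


def _pools(classes: Iterable[str], avoid_ambiguous: bool) -> Tuple[str, ...]:
    """One pool per requested class, with look-alike characters optionally removed."""
    pools = []
    for name in classes:
        pool = "".join(ch for ch in CLASSES[name]
                       if not (avoid_ambiguous and ch in AMBIGUOUS))
        pools.append(pool)
    return tuple(pools)


def generate_password(length: int = 16, classes=DEFAULT_CLASSES,
                      avoid_ambiguous: bool = False) -> str:
    """Draw every character with the OS CSPRNG (secrets, never random), then
    reject candidates that miss a requested class so the result satisfies
    the site's composition rules without biasing character positions."""
    pools = _pools(classes, avoid_ambiguous)
    if length < len(pools):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(pools)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in pool for ch in candidate) for pool in pools):
            return candidate


def satisfies(password: str, classes=DEFAULT_CLASSES,
              avoid_ambiguous: bool = False) -> bool:
    """Check a password against the same rules: every requested class present,
    and no character outside the allowed pools."""
    pools = _pools(classes, avoid_ambiguous)
    has_each_class = all(any(ch in pool for ch in password) for pool in pools)
    only_allowed = all(any(ch in pool for pool in pools) for ch in password)
    return has_each_class and only_allowed


def entropy_bits(length: int, classes=DEFAULT_CLASSES,
                 avoid_ambiguous: bool = False) -> float:
    """Upper bound on entropy: length * log2(alphabet size). The class
    requirement rejects a few candidates, which lowers it slightly for
    short lengths, so treat this as a ceiling rather than an exact figure."""
    alphabet_size = sum(len(p) for p in _pools(classes, avoid_ambiguous))
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, satisfies(pw), round(entropy_bits(20), 1), "bits")
    print(generate_password(12, avoid_ambiguous=True))
    print(generate_password(6, classes=("digits",)))   # a numeric PIN
```

The rejection loop is what makes "at least one of each class" cheap to guarantee without the common mistake of placing one forced character per class at a fixed position, which leaks structure. The `satisfies` check is the same test you would apply to a password before pasting it into both the "New Password" and "Confirm New Password" fields.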

31 comments:

  1. Instagram shows up suggesting to "wait" but a few outlets have reported Instagram updated their servers.

  2. According to Authy (http://blog.authy.com/heartbleed), the "secret seed" used for generating one-time passwords in Google Authenticator could be compromised. They recommend revoking the current one and generating a new "secret seed". Disabling and re-enabling, or "set up a new phone" for Google, should do this.

  3. Thank you for this handy security scan tool. I love LastPass and was very happy to see this tool you've made to help make sure users don't get hacked. I've been using this Security Challenge with heartbleed scan feature to figure out which ones need it and then to get my passwords updated since you first announced on the 8th. Today was the 3rd time I've used it and I went in and made multiple password changes to the sites the heartbleed scan pointed out as needing attention. It seemed funny that in this report today it told me to do a couple sites I did just last week but I did them again anyway, making my 2nd password change in a week on several different sign in IDs for a couple of sites (multiple email addresses means multiple IDs, therefore multiple password changes). So then I reran the scan tonight and find the same google and yahoo accounts highlighted as needing password changes right now.

    What is up with this? I just changed all of them last week and then again tonight and now it wants them changed again? Is this just a cache issue, as in I need to clear it or reboot or something to get LastPass to figure out that these have already been changed so they no longer show up on the heartbleed scan? Or maybe this scan tool is more advanced than I am assuming and these sites are being compromised over and over so therefore needing password changes over and over? Could you please advise. Thank you.

  4. I changed the Facebook one after it said go update. LastPass failed to detect that password change and still shows go update..

  5. I saw the same thing with Google, but I have 2 accounts, my wife has a work account and my son has a school account stored in LastPass. I expect this will resolve once I get everyone to change their passwords. :)

  6. Updating passwords is not as painless as it should be. Often when Lastpass offers to fill in my old password, it fills the wrong box (one of the new password-boxes for example), and often the newly generated password gets filled in the old password box, and since they are all asterisks it's impossible to tell when it goes wrong until you submit.

    Replies
    1. +1

      This happens on github, for example, where I've had to resort to LastPass change history to find my old password and manually do the change on the github web site. Very annoying. I have notified LastPass support about the issue.

    2. LastPass doesn't handle password changes well, in my opinion. Particularly if you have more than one account with the website for which you're changing your password.

  7. Great tips! I use Sticky Password but someone sent me your blog post if I agree with it :) So yes I agree and I am changing my passwords too :)

  8. The security check told me to update my Tumblr password, so I did. I re-ran the security check and it now tells me that I still need to update it, even though, according to the scan, I just updated it 8 minutes ago.

    Replies
    1. Hi Erik: Do you have more than one Tumblr account and have all of them been updated with a new password?

    2. Hi Amber from LastPass!

      I love LastPass, but I happen to know that the security check seems to access a cache of some sort. It notified me that I needed to change certain passwords and I changed all of them on the list, but then it only gathered that a couple of them were now safe. Then, the next day, after a reboot or two of the machine, the security check said that they were updated.

      The only other issue I have found with it, and I am not sure there is a really good solution, is that when you add a site to LastPass, it considers that to be a new password, even if you created it eons ago. Maybe the security check could warn you if it only knows that the site was added recently, not when the password was changed?

      Thank you for hopping on this issue LastPass! You were the only reason that I knew that Forbes had been hacked a little while back, those schmucks didn't even send me a message saying that my stuff had been compromised. LastPass is worth the money just for that! I recommend it to everyone I know.

    3. Thanks Cody, we did push an update out to deal with delayed recognition of updated accounts, glad to hear that's working for you now. Hm, new sites should be flagged as "go update", I'll circle back with our developers. Thanks for recommending LastPass!

    4. Sorry for the delay in response. Just one Tumblr account with a 4-day old password that still says I need to update. I'll update it again to see if that helps.

    5. Turns out, this may have been all my fault. Because of the way Tumblr has their password change form set up, LastPass couldn't generate and update my password automatically.

      So what was I doing?

      Generating a new password. Updating my Tumblr password manually via copy/paste, and then deleting my old Tumblr LastPass entry and renaming my generated entry.

      In other words, as far as LastPass was concerned, I wasn't updating my Tumblr password... I was creating a new entry every time.

  9. Hi,
    Just curious why the LastPass Security Challenge shows that it's safe to change passwords for Facebook (even though its certificate is dated two months ago), Instagram (even though its certificate is dated three years ago), Indiegogo (even though its certificate is dated nine months ago), and Steam (even though its certificate is dated a year ago). Why are those certs considered safe when Heartbleed was announced on the 7th of this month? Shouldn't those sites be considered at risk until they have certs newer than ten days?

  10. Tandmark, chances are that those sites with old certificates that are deemed safe are using a pre-Heartbleed-bug version of OpenSSL... One of my UNIX servers has OpenSSL version 0.9.8q, which was before the affected versions... that's just one possibility

    Replies
    1. and many servers don't even use OpenSSL for the SSL layer of encryption

  11. Not impressed. LP has stopped working altogether on my laptop. Had to re-install and then install again to a newer version after just re-installing. Then I get the message that I still need to install the newer version. Website opens but won't save. Getting "unexpected error" code. Have to log in every time I switch screens. ARGGGGGGGGGGGGGGGGGGHHHHHHHHHHHH!!!!!!!! Why did I bother paying for this?

  12. I've updated almost all the passwords suggested by the security check last week. I got the green checkmark on almost all that were ready to be updated. Now they are showing as I need to update again. That's confusing...

    Example:
    fitbit.com 2 weeks YES (2 weeks ago) Go update!

    I updated last week, and got the green checkmark... do I need to update again?

    Replies
    1. Same here...I was really disappointed to see this, as it took a long time to update so many passwords, and now I have half of them showing up as needing to be updated again.

    2. Me too. Looks like there's a bug in the way LastPass calculates the difference between the date the cert was changed and the date the password was changed.

    3. Me too. Went through the entire list of "Go Aheads" and used it as an opportunity to finally set a unique pw for each site. Now it says that most need to be updated again. I'm pretty sure it's just an error.

      Last Updated 1 Week ago. Updated Cert Yes (two weeks ago)

  13. I am trying, as described, to change my passwords with LP generated new ones. However, my newly generated passwords NEVER match in the 'new password' and 'confirm password' boxes, therefore I can't use them! Since they are all in dots, I can't read what they are to copy into the confirm box. Pulling my hair out . .

  14. As of this morning, the LastPass Security Challenge recommendations for updating site passwords have reverted 8 sites for which I previously updated passwords, to the status of "Go Update."

    Example - SoundCloud:

    Age of Password | Updated Cert?     | Action
    2 weeks         | YES (2 weeks ago) | Go update!

    ...however, their SSL certificate shows as having been issued on 4/8/2014 6:08:48 AM, and users were alerted via blog post on 4/9/14, after which I changed my password on 4/11/14, and the LastPass Security Challenge recommendations were reporting "You are safe!" until this morning...

    Any guidance on this?

    Replies
    1. I'm getting the same issue, for example:
      springpad.com 11 minutes YES (2 weeks ago) Go update!

      I've also noticed the same problem if the item is in a shared folder:
      netflix.com (2 sites) 1 week YES (2 weeks ago) Go update!

      Previously this was showing up as "One share" after the site name but the issue was the same.

    2. Hi, I was wondering if www.expedia.co.uk should show up when I do a security check for Heartbleed issues. I did a scan and it never showed up, but when I put the site on the LastPass Heartbleed checker it says I can change my password.

  15. This is great, but what if I want to update my password manually? I am not getting any prompts from LastPass asking if I want to update it in the database as well, so it is prefilling the old one all the time, which is annoying. Any suggestions?
