New Year’s Resolutions with LastPass: #3 Replace Weak and Duplicate Passwords


With a newly reorganized vault and the results of the Security Check in hand, let’s roll up our sleeves and go through the steps to update those weak and duplicate passwords.

We recommend starting with important passwords – online banking, email addresses, online shopping accounts with stored credit card information – that are critically weak (the bar is red in the results) or that share passwords with other logins. Set a goal to work on a handful of accounts at a time, over several days or weeks if needed, until all passwords are at a ‘strong’ level. This is likely the hardest resolution on our list, but an important step to increasing your online security with LastPass.

To start with the most critical areas first, we want to pay attention to the Security Check results that display the number of duplicate passwords, the number of sites with duplicate passwords, and the number of weak passwords:

The Security Check’s detailed results make it easy to identify these problems and correct them. The sites are ranked from weakest passwords to strongest passwords, with the weakest showing a shorter red bar, and the strongest showing a longer green bar.
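The three counts and the weakest-to-strongest ranking described above can be reproduced locally, shown here as an added example that is not LastPass code. The entries are constructed, and the entropy estimate and the 60-bit "weak" cut-off are assumptions, not LastPass's scoring.

```python
import math
import string
from collections import defaultdict

# Constructed sample vault entries (site, password); not real credentials.
ENTRIES = [
    ("bank.example", "Tr0ub4dor&3x!Qz9#Lm"),
    ("mail.example", "sunshine1"),
    ("shop.example", "sunshine1"),
    ("forum.example", "correct-horse-battery"),
    ("news.example", "correct-horse-battery"),
    ("wiki.example", "abc123"),
]
WEAK_BITS = 60  # assumed cut-off for "weak"; not LastPass's threshold

POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)

def estimate_bits(password):
    """Upper-bound estimate: length * log2(size of the character pools used)."""
    pool = sum(len(p) for p in POOLS if any(c in p for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit(entries):
    """Return the duplicate/weak counts and a weakest-first ranking."""
    sites_by_password = defaultdict(list)
    for site, password in entries:
        sites_by_password[password].append(site)  # held in memory only, never printed
    reused = [sites for sites in sites_by_password.values() if len(sites) > 1]
    scores = [(site, round(estimate_bits(pw), 1)) for site, pw in entries]
    return {
        "duplicate_passwords": len(reused),  # distinct passwords used on 2+ sites
        "sites_with_duplicates": sorted(s for g in reused for s in g),
        "weak_sites": sorted(s for s, bits in scores if bits < WEAK_BITS),
        "ranking": sorted(scores, key=lambda item: item[1]),  # weakest first
    }

if __name__ == "__main__":
    report = audit(ENTRIES)
    print("duplicate passwords:", report["duplicate_passwords"])
    print("sites with duplicate passwords:", len(report["sites_with_duplicates"]))
    print("weak passwords:", len(report["weak_sites"]))
    for site, bits in report["ranking"]:
        print(f"{bits:6.1f} bits  {site}")
```

A length-and-character-set estimate overrates dictionary words and predictable patterns, so treat the score as an upper bound when deciding which entries to change first.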

As we’ve shown before, updating a site’s password requires logging into the site itself, then using LastPass to go through the password change process. By clicking “visit site” next to the weak password in the Security Check results, LastPass will take us to the login page for that entry:

For example, if a Gmail login is very weak or is currently the same as another password, we’ll click “Visit Site” and be directed to the Gmail login page, where LastPass will autofill the data:

We can then navigate to Gmail’s “account settings” page, where we can access the page to change our Gmail password:

On the password change page, LastPass will present a notification bar, allowing you to first autofill the existing password, and to then generate a new password. Note that when you click the “Generate” button, you can check the “show advanced options” box to customize the length of your password, and the types of digits, characters, and letters that will be included in the generated password.

When the fields are complete, save the account changes. LastPass will present another notification bar, asking you to confirm the change to an existing account, or to save a new site entry. When clicking “confirm”, a dialog will appear allowing you to select the entry to which you want to apply the change. You should then repeat this process with every site that has a weak or duplicate password, working your way through the Security Check results. Note that, after updating the username or password for a site stored with LastPass, you can go to the “edit” dialog and click “History” to see a record of changes made to the entry:

We hope the article provides a helpful push for you to remove duplicate and update weak passwords. You’re well on your way to topping the Security Check!

The LastPass Team


  • sdunnin says:

    I wish the change password dialog would work for more sites. The one area that I find most difficult / frustrating about LastPass is when passwords need to be changed. As a matter of fact, I have never seen the change password detection notification for any sites. Does it only work for Google accounts?

    • Amber says:

      Thanks for the feedback. It’s supported on a range of sites, but we’re still improving our accuracy. If you have a specific site or set of sites where you see errors with the update process, please submit a report to the team: or at support at lastpass dot com so we can investigate further and look at fixing.

    • sdunnin says:

      Well, I can’t say that I’ve seen any errors per se, it’s just that I’ve never seen the change password functionality noted in this article work for any of the sites I use. For example, I just changed passwords for and after using LP to login. On neither site was I prompted by LP on the change password page, and I had to manually update the password for the site in the vault using the one LP generated for me.

    • sdunnin says:

      I do have to admit I just encountered my first “change password” process as noted above for

  • S Smith says:

    As far as duplicates go, I use LastPass for both personal and company passwords. There are a lot of different sites at the company that all use my username and password. Could a domain default password be added to LastPass? Then if a URL matches a key, it still uses that key. Otherwise, recognizing just, it fills in my MyCorp credentials.