LastPass Now Checks If Your Sites Are Affected by Heartbleed

Yesterday we informed our community of the Heartbleed OpenSSL bug. In that blog post we explained how the issue affected our service and what our users should know about the situation. We also built a tool to help users check whether their sites and services had reissued their certificates, so that they would know when it was safe to start updating passwords for those sites.

To help our users take action and protect themselves in the wake of Heartbleed, we have added a feature to our Security Check tool. LastPass users can now run the Security Check to see automatically which of their stored sites and services 1) were affected by Heartbleed, and 2) have since taken action and reissued their certificates, meaning the passwords for those accounts should be updated now.

The LastPass Security Check can be run from the LastPass Icon menu. Click the LastPass icon in the browser toolbar, click the Tools menu, and select the Security Check.

In the Security Check results, we alert you to sites affected by Heartbleed.

We will continue to update the Security Check recommendations based on which sites we have seen take action and where it is safe to update your passwords. We’ll monitor the situation in general and keep our community posted.

If you’re not using LastPass yet, now is the time to get started with organizing and managing your passwords, and use our tools to generate new passwords for your online accounts.

Update: April 10th, 2:29PM ET

Many users are still concerned about what the Heartbleed situation means for their LastPass master passwords. To further clarify, we do not see a need at this time for existing LastPass users to update their master passwords. That said, if you would prefer to, there is no harm in doing so. We continue to update our LastPass Security Check tool to provide you the latest information regarding potentially-impacted sites. Thanks to our community for the feedback and input.
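The per-site decision described in this post (affected or not, certificate reissued or not, and therefore WAIT versus GO UPDATE) can be modelled in a few dozen lines. The block below is an added example, not LastPass code, and the post does not publish the Security Check's actual logic, so its inputs are assumptions: an HTTP Server header, the current certificate's validity start date, the date the user last changed the password at the site, and an optional vendor statement. The vulnerable release range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is taken from the OpenSSL advisory; `SiteRecord`, `recommend` and `banner_vulnerable_version` are this example's own names. It also answers the question raised in the comments below about a server advertising `OpenSSL/1.0.1e`: that banner proves a vulnerable build was deployed, but distributions backported the fix without changing the version string, so the reissued-certificate date is the actionable signal.

```python
"""Added example (not LastPass code): a model of the post-Heartbleed
"is it safe to change this password yet?" decision the Security Check makes.

Assumed inputs per stored site: the HTTP Server header, the validity start of
the current TLS certificate, the date the user last changed the password at
the site, and an optional out-of-band vendor statement.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Heartbleed (CVE-2014-0160) was disclosed on 2014-04-07 and fixed in 1.0.1g.
DISCLOSURE = date(2014, 4, 7)

WAIT, GO_UPDATE, OK, UNKNOWN = "WAIT", "GO UPDATE", "OK", "UNKNOWN"

# Matches tokens such as "OpenSSL/1.0.1e" or "OpenSSL/1.0.2-beta1" in a
# Server header: base version, optional patch letter, optional beta number.
OPENSSL_RE = re.compile(r"OpenSSL/(\d+\.\d+\.\d+)([a-z]*)(?:-beta(\d+))?")


def banner_vulnerable_version(server_header: Optional[str]) -> Optional[bool]:
    """True if the advertised OpenSSL release shipped with Heartbleed, False if
    it did not, None if the banner names no OpenSSL version at all.

    Vulnerable releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1. The 0.9.8 and
    1.0.0 branches never had the TLS heartbeat extension.

    Caveat: this is evidence that a vulnerable build was deployed, not that it
    is still vulnerable. Debian, Ubuntu and Red Hat backported the fix into
    their 1.0.1e packages without bumping the version string, so a fully
    patched server can keep advertising "OpenSSL/1.0.1e" indefinitely.
    """
    m = OPENSSL_RE.search(server_header or "")
    if not m:
        return None
    base, letter, beta = m.group(1), m.group(2), m.group(3)
    if base == "1.0.1":
        return letter == "" or letter <= "f"   # 1.0.1, 1.0.1a ... 1.0.1f
    if base == "1.0.2":
        return beta == "1"                      # only 1.0.2-beta1 had the bug
    return False


@dataclass
class SiteRecord:
    """One stored login plus the evidence the check needs (field names are
    this example's own, not LastPass's)."""
    name: str
    server_header: Optional[str] = None       # Server header observed for the site
    cert_not_before: Optional[date] = None    # validity start of the current leaf cert
    # Date the user last changed the password AT THE SITE. The date the record
    # was imported into the password manager is not a substitute for this.
    password_last_changed: Optional[date] = None
    # Vendor statement ("we were / were not affected"), if one exists; it
    # overrides the banner heuristic because of the backport caveat above.
    vendor_says_affected: Optional[bool] = None


def recommend(site: SiteRecord) -> str:
    """Return WAIT, GO UPDATE, OK or UNKNOWN for one stored site."""
    affected = site.vendor_says_affected
    if affected is None:
        affected = banner_vulnerable_version(site.server_header)
    if affected is None:
        return UNKNOWN   # no evidence either way; look for the vendor's statement
    if not affected:
        return OK        # no Heartbleed exposure; ordinary rotation policy applies
    # Affected site. Until it has patched and replaced its certificate, a newly
    # set password could be captured again (leaked from server memory, or
    # decrypted with a private key that was already leaked), so wait.
    # A certificate dated after disclosure is the observable proxy for that;
    # it cannot reveal a reissue that reused the old key.
    if site.cert_not_before is None or site.cert_not_before < DISCLOSURE:
        return WAIT
    # Certificate reissued after disclosure: update unless the user already
    # changed the password after the new certificate went live.
    if site.password_last_changed is None or site.password_last_changed < site.cert_not_before:
        return GO_UPDATE
    return OK
```

The three-way split is the part worth copying: a banner match alone should never produce "safe", only "was exposed", and the reissue date alone should never produce "update now" without also looking at when the password itself was last changed.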


  • Confused says:

    My Last Pass Security Challenge shows 24 sites, of which 4 tell me to Go Update, but of those 4 I only recognise Yahoo. The other 20 all tell me to WAIT, but I have never heard of them either, except my free Avast anti-virus, which tells me to WAIT but I don’t remember needing a password for them (or I would have recorded it in a secret place I kept all my passwords till now). It certainly continues to renew my registration each year without requesting my password.

    Please explain what the heck I do with all the strange sounding ones that tell me to update my password!

  • Lis says:

    When your checker states «Apache/2.2.25 (FreeBSD) PHP/5.2.17 with Suhosin-Patch mod_ssl/2.2.25 OpenSSL/1.0.1e DAV/2» in the «Server software» row, what exactly does it mean? Is it patched and safe or the patch is not related to OpenSSL and a website is unsafe? Thanks.

  • Dillinger says:

    I love this extension

  • Amber Gott,
    I appreciate the effort of the guys who wrote the script for the LastPass Heartbleed checker.
    But, have a look at this blog:—networks-security/2014/04/14/bugs-in-heartbleed-detection-scripts-
    Bugs in Heartbleed detection scripts.
    by Shannon Simpson, Adrian Hayter | Apr 14, 2014

    They reference the tool by Filippo Valsorda at and
    LastPass Heartbleed checker at as
    having “Failed to Detect” when run against the proof-of-concept server they set up.
    Initially only their script and SSL Labs passed out of 15 tools tested.
    Since then 4 more as of 18 Apr 2014 have fixed their scripts.

    Amber, please have your guys check it out.

    Below is a quote from their blog:
    “To scan your servers using Hut3 Cardiac Arrest, download the script here ( and run it using python:

    python [hostname]

    Disclaimer : There have been unconfirmed reports that this script can crash certain servers. This script complies with the TLS specification, so any crashes are the result of a bad implementation of TLS on the server side. CNS Hut3 and Adrian Hayter do not accept responsibility if this script crashes a server you test it against. USE IT AT YOUR OWN RISK. As always, the correct way to test for the vulnerability is to check the version of OpenSSL installed on the server in question. OpenSSL 1.0.1 through 1.0.1f are vulnerable.”

  • The Age of Password field is not correct – it assumes a password is only as old as when it was imported (even if that password is marked as Never touched in LastPass). This means if you import passwords from another password manager AFTER the Heartbleed bug (like I did), almost all your passwords are marked as good.

  • Pol Effy says:

    I work in security and am impressed by the efforts you do on real security, while so many companies work on their security image. Great job, thanks.