Updating Passwords in the Wake of Heartbleed

With many online services now making the necessary security changes in the wake of Heartbleed, it’s time to start updating your passwords and improving your online security. Follow our steps to start using LastPass to update your passwords and better protect yourself going forward.

Before Getting Started

If you haven’t signed up yet, start by downloading LastPass, creating your account, and adding your sites to the vault.

LastPass will prompt you to import during the installer process. If any sites are stored in your browser or a previous password manager, they can also be imported at any time: click the LastPass browser icon, open the Tools menu, select Import, and choose where you’re importing from. See our article for more information on importing to LastPass.

Getting Started

As a LastPass user, start by running the LastPass Security Check (click the LastPass Icon in your browser menu > Tools > Security Check).

This tool identifies potentially vulnerable passwords and tells you if it’s safe to start updating them.

For the sites that have the recommended action “Go update!”, use LastPass to update the password to a new, generated one.

The security check will also identify weak and duplicate passwords. Prioritize updating those next, so that you have a strong, unique password for each online account.
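The ordering described in this section, as an added Python sketch that is not LastPass's code: a password counts as safe only if it was changed after the site reissued its certificate, and weak or duplicate passwords come next. The "Wait" label, the weakness rule, the field names and the sample vault are assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime

def heartbleed_action(was_vulnerable, cert_reissued, password_changed):
    """Recommend an action for one site from full timestamps, not rounded ages."""
    if not was_vulnerable:
        return "You are safe!"
    if cert_reissued is None:
        return "Wait"  # assumed label: a new password would still be exposed
    if password_changed > cert_reissued:
        return "You are safe!"
    return "Go update!"

def is_weak(password, min_length=12):
    """Assumed weakness rule: short, or fewer than three character classes."""
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    used = sum(any(check(c) for c in password) for check in classes)
    return len(password) < min_length or used < 3

def audit(vault):
    """Return (site, action, issues) rows, most urgent first."""
    reuse = Counter(entry["password"] for entry in vault)
    rows = []
    for entry in vault:
        action = heartbleed_action(entry["vulnerable"], entry["cert_reissued"], entry["changed"])
        issues = []
        if is_weak(entry["password"]):
            issues.append("weak")
        if reuse[entry["password"]] > 1:
            issues.append("duplicate")
        rows.append((entry["site"], action, issues))
    # "Go update!" first, then weak or duplicate passwords, then everything else.
    return sorted(rows, key=lambda r: 0 if r[1] == "Go update!" else 1 if r[2] else 2)

# Constructed sample vault; sites, dates and passwords are made up.
VAULT = [
    {"site": "mail.example", "password": "correct-Horse-42-battery", "vulnerable": True,
     "cert_reissued": datetime(2014, 4, 8, 6, 8), "changed": datetime(2014, 4, 11, 9, 0)},
    {"site": "shop.example", "password": "summer2013", "vulnerable": True,
     "cert_reissued": datetime(2014, 4, 9, 12, 0), "changed": datetime(2013, 6, 1)},
    {"site": "forum.example", "password": "summer2013", "vulnerable": False,
     "cert_reissued": None, "changed": datetime(2013, 6, 1)},
    {"site": "bank.example", "password": "Tr4il-mix-Qu0rum-91", "vulnerable": True,
     "cert_reissued": None, "changed": datetime(2014, 4, 10)},
]

if __name__ == "__main__":
    for site, action, issues in audit(VAULT):
        print(f"{site:15} {action:14} {', '.join(issues) or '-'}")
```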

Replacing Your Old Passwords

Using Gmail as an example, let’s walk through how to update a password using LastPass.

To begin, we’ll go to Gmail.com, log in with our current username and password, and locate the Gmail settings page where we can update our password.

On the ‘Change Password’ page, we’re asked to enter the old password, as well as enter a new password twice.

In the current password field, we can click the * icon and select the existing login to fill that password.

Then, we click the “Generate” icon in the “New Password” field to create a random, unique password. If we want to add additional characters to the new password, we can click “Show Advanced Options”, update the settings, and generate a new password to use.

After clicking “Use Password”, LastPass fills both the “New Password” and “Confirm New Password” fields.

Since we are updating an account that is already stored in LastPass, we will see a dialog to either confirm we want to update the existing account, or save as a new account.

We’re going to select “Yes, Use for this Site” because we just want to update the account entry already saved by LastPass.

On the webpage, we’ll click “Save” to submit the account changes. Since we selected “Yes, Use for this Site”, the change has also been saved in LastPass. It’s important that the save is made both on the website and in LastPass, so that the password is up to date in both places.

The next time you log in to your site, LastPass will autofill with the new, generated password!


  • Anonymous says:

    I installed LP and generated a random password for GMAIL. Now I want to manually change the GMAIL password, but it prompts for the current password.
    Help. How do I get the current password from LP? It won’t auto fill this form, and I can’t copy the current password or view it.

  • Anonymous says:

    This is great, but what if I want to update my password manually – I am not getting any prompts from LastPass asking if I want to update it in the database as well so it is prefilling the old one all the time which is annoying. Any suggestions?

  • Mike Shupp says:

    As of this morning, the LastPass Security Challenge recommendations for updating site passwords have reverted 8 sites for which I previously updated passwords, to the status of “Go Update.”

    Example – SoundCloud:

    Age of Password | Updated Cert? | Action
    2 weeks | YES (2 weeks ago) | Go update!

    …however, their SSL certificate shows as having been issued on 4/8/2014 6:08:48 AM, and users were alerted via blog post on 4/9/14, after which I changed my password on 4/11/14, and the LastPass Security Challenge recommendations were reporting “You are safe!” until this morning…

    Any guidance on this?

    • Anonymous says:

      I’m getting the same issue, for example:
      springpad.com 11 minutes YES (2 weeks ago) Go update!

      I’ve also noticed the same problem if the item is in a shared folder:
      netflix.com (2 sites) 1 week YES (2 weeks ago) Go update!

      Previously this was showing up as “One share” after the site name but the issue was the same.

    • Anonymous says:

      Hi, I was wondering if http://www.expedia.co.uk should show up when I do a security check for Heartbleed issues. I did a scan and it never showed up, but when I put the site on the LastPass Heartbleed checker it says I can change my password.

  • Unknown says:

    I am trying, as described, to change my passwords with LP generated new ones. However, my newly generated passwords NEVER match in the ‘new password’ and ‘confirm password’ boxes, therefore I can’t use them! Since they are all in dots, I can’t read what they are to copy into the confirm box. Pulling my hair out . .

  • I’ve updated almost all the passwords suggested by the security check last week. I got the green checkmark on almost all that were ready to be updated. Now they are showing as I need to update again. That’s confusing…

    fitbit.com 2 weeks YES (2 weeks ago) Go update!

    I updated last week, and got the green checkmark… do I need to update again?

    • Shae says:

      Having the same issue.

    • Will Chatham says:

      Same here…I was really disappointed to see this, as it took a long time to update so many passwords, and now I have half of them showing up as needing to be updated again.

    • Anonymous says:

      Me too. Looks like there’s a bug in the way LastPass calculates the difference between the date the cert was changed and the date the password was changed.

    • Larry says:

      Me too. Went through the entire list of “Go Aheads” and used it as an opportunity to finally set a unique pw for each site. Now it says that most need to be updated again. I’m pretty sure it’s just an error.

      Last Updated 1 Week ago. Updated Cert Yes (two weeks ago)

    • Anonymous says:

      Same here