Updating Passwords in the Wake of Heartbleed

With many online services now making the necessary security changes in the wake of Heartbleed, it’s time to start updating your passwords and improving your online security. Follow our steps to start using LastPass to update your passwords and better protect yourself going forward.

Before Getting Started

If you haven’t signed up yet, start by downloading LastPass, creating your account, and adding your sites to the vault.

LastPass will prompt you to import during the installer process. If any sites are stored in your browser, or a previous password manager, they can also be imported at any time by opening the LastPass browser icon, click the Tools menu, select Import, and select where you’re importing from. See our article for more information on importing to LastPass.

Getting Started

As a LastPass user, start by running the LastPass Security Check (click the LastPass Icon in your browser menu > Tools > Security Check).

This tool identifies potentially vulnerable passwords and tells you if it’s safe to start updating them.

For the sites that have the recommended action “Go update!”, use LastPass to update the password to a new, generated one.

The security check will also identify weak and duplicate passwords. Prioritize updating those next, so that you have a strong, unique password for each online account.

Replacing Your Old Passwords

Using Gmail as an example, let’s walk through how to update a password using LastPass.

To begin, we’ll go to Gmail.com, login with our current username and password, and locate the Gmail settings page where we can update our password.

On the ‘Change Password’ page, we’re asked to enter the old password, as well as enter a new password twice.

In the current password field, we can click the * icon and select the existing login to fill that password:

Then, we click the “Generate” icon in the “New Password” field to create a random, unique password. If we want to add additional characters to the new password, we can click “Show Advanced Options”, update the settings, and generate a new password to use:

After clicking “Use Password”, LastPass fills both the “New Password” and “Confirm New Password” fields.

Since we are updating an account that is already stored in LastPass, we will see a dialog to either confirm we want to update the existing account, or save as a new account.

We’re going to select “Yes, Use for this Site” because we just want to update the account entry already saved by LastPass.

On the webpage, we’ll click “Save” to submit the account changes. Since we selected “Yes, use for this Site”, the change has also been saved in LastPass. It’s important that the save is made both on the website, and in LastPass, so that it is up-to-date in both places.

The next time you log in to your site, LastPass will autofill with the new, generated password!


  • Geoff Dunn says:

    Not impressed. LP has stopped working altogether on my laptop. Had to re-install and then install again to a newer version after just re-installing. Then I get the message that I still need to install the newer version. Website opens but won’t save. Getting “unexpected error” code. have to log in everytime I switch screens. ARGGGGGGGGGGGGGGGGGGHHHHHHHHHHHH!!!!!!!! Why did I bother paying for this?

  • Anonymous says:

    Tandmark, chances are that those sites with old certificates, and are deemed safe, is likely because they are using a pre-Heartbleed bugged version of OpenSSL… One of my UNIX servers has OpenSSL version 0.9.8q which was before the affected versions… that’s just one possibility

  • tandmark says:

    Just curious why the LastPass Security Challenge shows that it’s safe to change passwords for Facebook (even though its certificate is dated two months ago), Instagram (even though its certificate is dated three years ago), Indiegogo (even though its certificate is dated nine months ago), and Steam (even though its certificate is dated a year ago). Why are those certs considered safe when Heartbleed was announced on the 7th of this month? Shouldn’t those sites be considered at risk until they have certs newer than ten days?

  • Erik Bates says:

    The security check told me to update my Tumblr password, so I did. I re-ran the security check and it now tells me that I still need to update it, even though, according to the scan, I just updated it 8 minutes ago.

    • Amber Gott says:

      Hi Erik: Do you have more than one Tumblr account and have all of them been updated with a new password?

    • Cody Leslie says:

      Hi Amber from LastPass!

      I love LastPass, but I happen to know that the security check seems to access a cache of some sort. It notified me that I needed to change certain passwords and I changed all of them on the list, but then it only gathered that a couple of them were now safe. Then, the next day, after a reboot or two of the machine, the security check said that they were updated.

      The only other issue I have found with it, and I am not sure there is a really good solution, is that when you add a site to LastPass, it considers that to be a new password, even if you created it eons ago. Maybe the security check could warn you if it only knows that the site was added recently, not when the password was changed?

      Thank you for hopping on this issue LastPass! You were the only reason that I knew that Forbes had been hacked a little while back, those schmucks didn’t even send me a message saying that my stuff had been compromised. LastPass is worth the money just for that! I recommend it to everyone I know.

    • Amber Gott says:

      Thanks Cody, we did push an update out to deal with delayed recognition of updated accounts, glad to hear that’s working for you now. Hm, new sites should be flagged as “go update”, I’ll circle back with our developers. Thanks for recommending LastPass!

    • Erik Bates says:

      Sorry for the delay in response. Just one Tumblr account with a 4-day old password that still says I need to update. I’ll update it again to see if that helps.

    • Erik Bates says:

      Turns out, this may have been all my fault. Because of the way Tumblr has their password change form set up, LastPass couldn’t generate and update my password automatically.

      So what was I doing?

      Generating a new password. Updating my Tumblr password manually via copy/paste, and then deleting my old Tumblr LastPass entry and renaming my generated entry.

      In other words, as far as LastPass was concerned, I wasn’t updating my Tumblr password… I was creating a new entry every time.

  • Anonymous says:

    Great tips! I use Sticky Password but someone sent me your blog post if I agree with it :) So yes I agree and I am changing my passwords too :)

  • Anonymous says:

    Updating passwords is not as painless as it should be. Often when Lastpass offers to fill in my old password, it fills the wrong box (one of the new password-boxes for example), and often the newly generated password gets filled in the old password box, and since they are all asterisks it’s impossible to tell when it goes wrong until you submit.

    • John says:


      This happens on github, for example, where I’ve had to resort to LastPass change history to find my old password and manually do the change on the github web site. Very annoying. I have notified LastPass support about the issue.

    • Anonymous says:

      LastPass doesn’t handle password changes well, in my opinion. Particularly if you have more than one account with the website for which you’re changing your password.