Introducing Auto-Password Changing with LastPass

December 9, 2014 | Product Updates | 83 Comments
In the wake of major security incidents like Heartbleed, there was one piece of advice delivered over and over again: Change your passwords. Change them now. And create much, much stronger ones.

We saw many people struggling with where to begin that process. Even for those already using a password manager like LastPass, it still required setting aside time to navigate through each account and update passwords one by one. Until now.

We’re excited to announce that the Auto-Password Change feature we released to our Pre-Build Team last week is now available for all users in beta. LastPass can now change passwords for you, automatically. We’re releasing this feature for free to all our users, on Chrome, Safari, and Firefox (starting with version 3.1.70).

Maintaining your privacy and security is our top priority. That’s why we’re doing this differently. We’ve implemented this feature to make password changes locally on your machine, ensuring we stay true to our mission and never have access to your data. All of your sensitive information is encrypted on your computer before syncing, and your encryption key is never shared with LastPass.

Auto-Password Change already supports 75 of the most popular websites, including Facebook, Twitter, Amazon, Pinterest, Home Depot, and Dropbox. When you click “edit” for a supported site, a “Change Password Automatically” button appears.

Once clicked, LastPass opens a new tab where it logs in for you, creates a new password, and submits the changes on the website, while also saving them to LastPass. Next time you log in to that website, LastPass will autofill with the newly-generated password. And all you had to do was click a button!

We’re committed to making password management easier, faster, and even more practical. We’re building features that help you minimize the impact of breaches. Give Auto-Password Change a try. We think you’ll find it life-changing, too.

83 Comments

  • Anonymous says:

    Any update on the ETA for 3.1.70 for Firefox / IE (actually it’s been August since they received any love)?

    Note currently Auto-Password change only works in Chrome or Safari (?I haven’t checked).

  • Anonymous says:

    I would like to see an option to store password requirements, for example for each entry store the length, whether numbers are allowed, special characters, and number of days in order to change. This could trigger a reminder say if 60 days was set for an entry at 55 days a reminder pops on the site to review and change these passwords. This tool is great but I can’t keep track easily of what I changed recently vs what I should change. I realize security challenge shows you but I have to scroll around and I have nothing to measure against for example some passwords I may want to change more frequently. Another thing is why do I see a different score on my pc vs android?

  • J.M. Hardin says:

    There’s one thing I’d like to see included, but it’s something I want for the base LP platform: I tend to like longer, strong passwords with two very special characters in it. I’m guessing that when the automatic password changer runs there’s no way to preview the new password. Of course, then it wouldn’t be automatic anymore.

    It would be a nice feature for LP to have for picky folk like me. Just my $.02.

  • Any way to change the number of characters in these auto generated passwords?

  • Anonymous says:

    This feature doesn’t work with sites that were added to LP using “Save all entered data”

  • The blog post says Amazon is supported, but I don’t see the new button on Amazon.

    Is it possible to get a list of all supported sites?

  • torbengb says:

    Some suggestions:

    1) Consider including Dreamhost.com in your site list – they are a HUGE website/domain operator and I’d guess that many LP users would benefit.

    2) Consider adding some indication in the app whether or not a LP-oneclick password change is possible. I am not going to remember that (growing) list and it would be nice to have a quick indication that I can easily change the PW for whatever site I’m looking at.

    3) Consider building a way to let me order a pw change on ALL my supported sites in one swell foop. Maybe I want to do this yearly, or maybe I feel compromised – whatever my reason could be, it’s currently a hassle to change *hundreds* of passwords, even if many of those might be individually automated.

  • HAN HOU says:

    Why is the One-Click Password function possible now? I’m very curious why LastPass and Dashlane published the new function at almost the same time, and support the same number of websites, 75.

    Of course, I will not use Dashlane ($40/year!!!).

  • … And doesn’t work for PayPal.

  • You need to update your help page :) Hit one on Google when searching for “lastpass automatically change passwords” https://lastpass.com/support.php?cmd=showfaq&id=5956

  • Anonymous says:

    Where to download the beta? I searched everywhere can’t find it.

  • Anonymous says:

    There is work to do with this feature but it’s a start. I just used this new feature to change my Amazon password. What I’m concerned about is there is no way to specify the length and type of password. My old Amazon password was 32 characters long with letters, numbers, and symbols. The password that was generated by this feature was only 12 characters long with letters and numbers. I would hope to see a new password generated that is at least as complex as my current one.

  • Anonymous says:

    This is a good step forward but there is still WAY too much user interaction needed. I don’t want to have to click on edit for each site. There should be a routine that can do all the supported sites at once and prompt for whatever information is needed similar to Dashlane’s implementation.

  • andrevanm says:

    Thanks for your suggestion, Brandon. I initially re-installed LastPass on Firefox and did not see the feature. In the link to the manual, I discovered that feature is only now for Chrome and Safari. I installed Chrome and LastPass for Chrome and voila… it is there. Thanks very much and have a nice day. Andre

  • Anonymous says:

    Hello, can somebody please tell me how to get this great feature?

  • awesome, do you support common software as well? like wordpress? vbulletin? jira, etc, will you?

    Would you consider publishing a perceived workflow so that perhaps we developers could create a sort of standard API for resetting a password?

    • Amber Gott says:

      Thanks Caleb, it’s something we would like to do in the future, though no ETA on when we may support an API.

    • I do not think you and I mean the same thing by API. You currently have to use the DOM’s API, I imagine to some extent a custom way for each site to figure out how to navigate. If there were a specification for how we build our sites so that it would just work, I’m sure that many people would build their sites that way. It really wouldn’t matter if it was just elements with class=”password” class=”username” for login, and a class=”profile” class=”oldpassword” class=”newpassword”, etc, etc, as a way to find the fields on the page. Using class is an example of course. Basically designers/developers can’t make using LastPass easier if we don’t have a spec for what it needs to do.

  • Lakai says:

    Hey. This is a neat little feature but I have a few suggestions.

    1. There’s no way to really do this for ‘all’ of the sites that can do this. Dashlane allows you to do this, and you can even see the progress bar for all of them–Changing it in the background and stuff. That would be cool.

    2. It’s really really bulky to get into. Have to manually go into each single site to edit it, click button, exit tab, go onto next one. It gets repetitive. Have a single action button for it and how old password is, whether you can just click to change it, etc. Have one central location for it.

    3. It’s failed a few times for certain sites, like Tumblr and Facebook, but worked on 2nd try. I was also logged in to different accounts so that may have been it. Make it more stable.

    Otherwise, it’s a good feature and I applaud you, just some minor downfalls.

  • Anonymous says:

    Dashlane is way better. I just tried LastPass and it’s painful!

  • Neil Bergman says:

    When will the Internet Explorer LastPass app have this capability?

    • Brian Madsen says:

      And Firefox! I’m looking for a Firefox add-on that has this, and I’m startled to find that Firefox and IE both haven’t been updated since August, back in the 3.1.50-something era. When will these be brought up to 3.1.70 or later so all browsers get this feature?

    • Amber Gott says:

      @Neil: It’s on our roadmap but we don’t have an ETA.

      @Brian: It should be available for Firefox, have you downloaded from https://lastpass.com/download with any further trouble? You can also get in touch with the team here: https://lastpass.com/supportticket.php for further help.

    • Anonymous says:

      I re-ran the installer myself and it still shows version 3.1.54 for FF and 3.1.75 for Chrome.

    • Nick says:

      I’m only seeing 3.1.54 for FF.

    • Brian Madsen says:

      @Amber, no, it’s not available for Firefox. Nor should you or I expect it to be. Check your own release notes! They’re at https://lastpass.com/upgrade.php?fromwebsite=1&releasenotes=1 — and they show clearly that the FF add-on hasn’t been updated since August — and so of *course* Firefox users who reinstall the add-on are not going to see this feature. You and I and @Anonymous and @Nick can reinstall all day long, and the best we’re going to get by doing so is 3.1.54 — NOT anything later, until your release notes say that there’s a later version to be had!!

      And so I ask again: when are Firefox users going to see this feature? Or to put the question another way, when is your release schedule going to show that a Firefox add-on exists that is later than 3.1.54?

  • David Woods says:

    Excellent feature!
    Quick question/suggestion, if a site that isn’t part of your initial 75 reports a breach can/will you prioritize adding them so that it’s easier to change our password for that site?

    • Amber Gott says:

      Hi David: Yes, we want it to be as easy as possible for our users to update passwords after a breach, we will prioritize those sites whenever possible.

  • Guy Gordon says:

    It would be great to have a button for items on the security challenge results for sites that support it.

  • Ashkan says:

    There are complications with Google multiple log-ins.
    Currently I am logged-in to 3 of my Google accounts with addresses https://accounts.google.com/b/0/ to https://accounts.google.com/b/2/
    I wanted LP to change my second account’s password: https://accounts.google.com/b/1/ but it tries to change the default one https://accounts.google.com/b/0/

    • Amber Gott says:

      Thanks for the feedback, noted for the product team to take a closer look.

    • Anonymous says:

      I find that Lastpass handles the presence of multiple Google accounts poorly. I have so much trouble with handling a lot of Google accounts, some on clients’ domains using Google Apps, that I have given up using Lastpass for this. It is just too much manual work to manage properly, and Lastpass is always trying to log me into the wrong Gmail account or using the wrong password.
      For this reason I would never even attempt allowing Lastpass to automatically change passwords on Google accounts – it would be just asking to get locked out of all of them.

  • Anonymous says:

    The feature does not even show up for sites in a linked personal account, as well as sites in shared folders I presume. I had to log into my personal account to access the feature.
    It seemed rather useless, honestly. The first time I tried it, it said it failed. The second time it worked, but took about two minutes to finish. I could have easily done it myself in half that time.

  • Albert Dutra says:

    Great tool… But there should be a separate section/tab in your Last Pass Vault to show all of your passwords that are associated with sites that allow this functionality. This way you can easily go and “update” the password for the sites that it will work with. Rather than comparing a list on a website and then locating your lastpass vault item for that particular site, editing it, then hitting change password.

  • Anonymous says:

    I definitely appreciate this feature and I hope you guys will add more sites. I just went through changing all my passwords and let me tell you it was a pain. I know it’s not necessarily LastPass’ fault, but sometimes LastPass’ interaction with the site can be a bit wonky. There were a few times where I had to generate the password and copy it to notepad or something else because a few times depending on the site LastPass didn’t capture the change or captured the change incorrectly, subsequently locking me out of the site since, yes, I am the guy that wants to use 64 char. passwords… because I can and because LastPass enables me to. Also, it would be nice to have the autofill and auto login disabled by default if it’s not already. Too many times I have been locked out of a site or screwed up a password change because LastPass detected it as a login form and killed the site for me. Not really complaining, as I LOVE LastPass but you have to tame the beast and make it work for you at times.

    • Amber Gott says:

      Thanks for the feedback, we hope this does save you time and is more convenient going forward, the sheer variability of password requirements and password change process from site-to-site is a challenge but we’re working to make this as easy as possible for our users.

  • How will you handle the password requirements for different sites? For example, some sites won’t let you use certain symbols. Others have maximum length limits.

    • Anonymous says:

      I am pretty sure they figured that they will use the strongest possible password based on the site’s current password requirements, otherwise what’s the point? Why would they implement an automatic solution that would make you less secure? I give the LastPass team a little more credit than that.

    • Yes, but it’s not like there’s a way to automatically discover an arbitrary site’s password policy. So that means they have to manually maintain it, or else make assumptions that they think will hold across the board.

    • Felininho says:

      Specific sites (currently 75) will have this feature, so I believe they test each of them before releasing the feature.

    • Anonymous says:

      @John why would you release a feature that you wouldn’t maintain and subsequently make your customers less secure? How often does a site change their password policy? Again, I am sure that they have figured this out and that you didn’t just discover a major flaw in their master plan here. No doubt someone already figured it out. Security is their business. Common sense dude.

    • Amber Gott says:

      At the moment we’re evaluating on a site-by-site basis, so yes we’re taking this into consideration. Always appreciate feedback and input from our community!

    • PRMan says:

      Be careful, though. If you max out Amazon’s password, for instance, you can’t type that many characters on some devices that support Prime Video.

    • Anonymous says:

      The easiest method would be to sample your current password for length, symbols, letters and numbers – then create a new password based on those. It would be up to you to create the best possible password the first time.
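
The sampling approach suggested in the comment above, sketched as an added example (not LastPass code and not part of the original page): it reads the length and character classes of the current password and generates a new random one of the same shape. The names `Shape`, `sample_shape` and `generate_like` are hypothetical, and reusing only the symbols already present is an assumption made because the site's allowed symbol set is unknown.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Shape:
    """Length and character classes observed in an existing password."""
    length: int
    lower: bool
    upper: bool
    digits: bool
    symbols: frozenset  # exact non-alphanumeric characters seen


def sample_shape(current: str) -> Shape:
    """Record what the site demonstrably accepted in the current password."""
    return Shape(
        length=len(current),
        lower=any(c in string.ascii_lowercase for c in current),
        upper=any(c in string.ascii_uppercase for c in current),
        digits=any(c in string.digits for c in current),
        symbols=frozenset(c for c in current if not c.isalnum()),
    )


def generate_like(current: str) -> str:
    """Return a new random password with the same length and classes."""
    shape = sample_shape(current)
    pools = []
    if shape.lower:
        pools.append(string.ascii_lowercase)
    if shape.upper:
        pools.append(string.ascii_uppercase)
    if shape.digits:
        pools.append(string.digits)
    if shape.symbols:
        # Assumption: only symbols already accepted are safe to reuse.
        pools.append("".join(sorted(shape.symbols)))
    alphabet = "".join(pools)
    if len(alphabet) < 2:
        # Empty input, or a single repeated symbol: nothing to randomise.
        raise ValueError("not enough character variety to sample")
    rng = secrets.SystemRandom()
    while True:
        # One character from every observed class, the rest from the union.
        chars = [secrets.choice(p) for p in pools]
        chars += [secrets.choice(alphabet)
                  for _ in range(shape.length - len(pools))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if candidate != current:
            return candidate


if __name__ == "__main__":
    old = "Tr0ub4dor&3-horse_battery_staple"  # constructed sample
    print(generate_like(old))
```

The output is never stronger than its input: a 12-character alphanumeric password yields another 12-character alphanumeric one, so this only preserves a policy the user already chose.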

  • Bob Taylor says:

    I’m still waiting and hoping for the ability to log in to my iOS apps without opening and copying in LastPass

    • Anonymous says:

      You’d be waiting on Apple then.

    • Anonymous says:

      Actually you’re waiting on the app developers. I believe Lastpass has the API out there so an app developer can use lastpass for authentication. Even if they don’t though, no one will use it. I know for a fact 1password has the API, and of all my apps, only Hipchat supports it.

    • Anonymous says:

      You just proved my point. It’s Apple’s API that needs to change to allow more functionality to make it feasible to make an acceptable LastPass app. Otherwise you are waiting on not only LastPass to implement it but then ALL other apps have to support it as well, and if those apps don’t have a strong LastPass user base then what will make them want to put the effort into implementing it? At least we agree on that point, but it’s Apple’s broken design that dictates this outcome. It is Apple that decides how apps interact with each other and I personally think they don’t want LastPass functionality because they want to push their own solution so they make it as difficult as possible until they roll their own. As a matter of fact, I would put money on us ever seeing that functionality before passwords are rendered obsolete and we move to a current generation log on solution.

    • Baggins says:

      Couldn’t that feature potentially be implemented as a replacement keyboard now that Apple has added support for those in its API? Just have a LastPass icon on the bottom corner of the keyboard that you tap to bring up the vault?

    • torbengb says:

      Baggins has a good point – in the olden times, Lastpass on Android also operated using an add-on keyboard. So this sounds like a good method (at least relatively to what iOS allows).

  • Brian Madsen says:

    It worked cleanly for Facebook, but not a lot of my other websites are supported, even ones like Chase Bank that I thought would be common enough to make the cut. Can we see a list of which 75 websites did make the cut?

    Also, you know what would be helpful along with this, as long as we’re in this neighborhood? I’d love some kind of tickle-reminder that says that I’ve let my passwords age a little too long. “You know, Brian, that Bank of America password hasn’t changed in over two years; you should think about changing it.”

  • Pariah Burke says:

    This is wonderful, but what about mobile? If LastPass is changing crucial account passwords, then the mobile apps for those accounts will be logged out. For each account users will then have to launch the mobile LP app and look up the password.

    We’re all multi-device now. Having a great desktop-based system without effectively handling mobile is pre-2010 thinking.

    • It depends on the app…some apps receive a token after successful login; changing the main account password won’t necessarily invalidate that token.

    • Amber Gott says:

      True, on Android we can autofill apps now, though, which should simplify the process of logging in again. And from the app vault on iOS or Android you can tap a site, copy password, and paste elsewhere if needed. We’ll continue iterating!

    • I agree, I use Dropbox on multiple devices (both mobile and desktop) and I really don’t want to go update the password on every device manually.

  • Anonymous says:

    Does it handle sites with 2FA enabled?

  • Fabi says:

    I guess that’s the reason why LP is publishing this feature now

  • Anonymous says:

    Dashlane is also pushing a similar function on their platform: https://www.dashlane.com/password-changer-beta

    • Anonymous says:

      Indeed. Dashlane bought a company to get their offering to market. I’m still going to prefer LastPass for their overall security and reputation.
