LastPass Now Tells You Which Heartbleed-Affected Passwords To Change

This week, a giant security hole came to light that affects a large portion of the internet. As different sites recover, you’ll need to change your passwords, and now LastPass tells you when to do so.

Due to the nature of the Heartbleed bug (read more here), you’ll need to wait until affected sites update their infrastructure before you change your passwords. LastPass’ ever-useful Security Check tool now includes recommendations for Heartbleed, letting you know which sites have closed the hole, when they did so, and whether you should update your password yet.

To run the tool, just click on the LastPass extension and head to Tools > Security Check. After running the tool, you’ll get the results (shown above) so you know what passwords to change. Hit the link to read more.

LastPass Now Checks If Your Sites Are Affected by Heartbleed [LastPass Blog]


  • OK for LastPass users. For all the rest of us (who do not use LastPass), is there any list of sites who are fixing themselves, and when that’s happening?

    • Why not sign up to LastPass?
      It’s free and a brilliant service. And only $12/year if you want mobile device support.
      $12 is worth it just for this Heartbleed service in my opinion.

      • This is a pretty good option, @barb. You could just sign up for LastPass, import any saved passwords you use in Chrome/FF/IE, and then run the security check.

        It’s not really going to be able to give you a list of sites which may be vulnerable. According to the heartbleed website, two of the major open source web servers are vulnerable, and they account for 66% of active websites. That’s a hell of a lot of sites to list. (LINK:

        EDIT: Spoke too soon. One of the articles in Whinston’s story links to a site to test websites ( and a list of possibly vulnerable sites (

        But… They don’t tell you if it was vulnerable before, and is now OK. Just if it is vulnerable.

        • But… They don’t tell you if it was vulnerable before, and is now OK.

          Don’t worry about before!

          Due to how prevalent OpenSSL is, a combination of to see the patch is done and assuming all sites were compromised before is your absolute best bet.

          What I have done is start a long list of sites I use and I am just working down them as I go.

          Google – check
          Twitter – check
          Work – check
          Westpac – check
          XYZ – nope
          ABC – nope

          Ultimately this should be a forced password change for everyone, for every site (after you plug it into the site to see it’s now safe to proceed).

  • Is there a version of LastPass that doesn’t require you to install it as part of a browser? I’m looking for a portable app to run off a USB key…
    …do I really need to put Firefox [or Chrome] on my USB as a portable app as well?
