This week, a giant security hole came to light that affects a large portion of the internet. As different sites recover, you’ll need to change your passwords, and now LastPass tells you when to do so.
Due to the nature of the Heartbleed bug (read more here), you’ll need to wait until affected sites update their infrastructure before you change your passwords. LastPass’ ever-useful Security Check tool now includes recommendations for Heartbleed, letting you know which sites have closed the hole, when, and if you should update yet.
To run the tool, just click on the LastPass extension and head to Tools > Security Check. After running the tool, you’ll get the results (shown above) so you know what passwords to change. Hit the link to read more.
LastPass Now Checks If Your Sites Are Affected by Heartbleed [LastPass Blog]
Comments
9 responses to “LastPass Now Tells You Which Heartbleed-Affected Passwords To Change”
Awesome, I was just wondering if there was a way to find out the vulnerable sites.
OK for Lastpass users. For all the rest of us (who do not use Lastpass), is there any list of sites who are fixing themselves, and when that’s happening?
Why not sign up to Lastpass?
It’s free and a brilliant service. And only $12/year if you want mobile device support.
$12 is worth it just for this Heartbleed service in my opinion.
This is a pretty good option, @barb. You could just sign up for Lastpass, import any saved passwords you use in Chrome/FF/IE, and then run the security check.
It’s not really going to be able to give you a list of sites which may be vulnerable. According to the heartbleed website, two of the major open source web servers are vulnerable, and they account for 66% of active websites. That’s a hell of a lot of sites to list. (LINK: http://heartbleed.com/)
EDIT: Spoke too soon. One of the articles in Whinston’s story links to a site to test websites (http://filippo.io/Heartbleed) and a list of possibly vulnerable sites (https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt).
But… They don’t tell you if it was vulnerable before, and is now OK. Just if it is vulnerable.
Don’t worry about before!
Due to how prevalent OpenSSL is, a combination of http://filippo.io/Heartbleed to see the patch is done and assuming all sites were compromised before is your absolute best bet.
What I have done is start a long list of sites I use and I am just working down them as I go.
Google – check
Twitter – check
Work – check
Westpac – check
XYZ – nope
ABC – nope
Ultimately this should be a forced password change for everyone, for every site (after you plug it into the filippo.io site to see it’s now safe to proceed).
You can manually check sites you’re curious about the status of here:
https://lastpass.com/heartbleed/
Thanks, all!
Finally a benefit of running under IIS, one major security flaw that I don’t have to worry about (from an operator point of view)
Is there a version of LastPass that doesn’t require you to install it as part of a browser? I’m looking for a portable app to run off a USB key…
…do I really need to put Firefox [or Chrome] on my USB as a portable app as well?