Honestly, there is none. Not unless they offer an API where you can do remote management on your accounts. Pick and choose. Which ones are the highest priority. Bank for example you should change. Forums and other media sites could be ranked lower and changed on a need basis.

PS: I also think people are blowing this heartbleed way out of proportion.

I'm curious what kind of answer you expect to get... A piece of software that cascades password changes over various protocols, sites, procedures, etc.? I'll bite my tongue on my opinion of the cost/benefit of actually changing all those passwords, considering any one of them could be cracked in a reasonable time frame, regardless if they are compromised. Instead, I'll recommend you gather contact information for each of these sites and services. Then send an e-mail to all of them requesting your password reset or to re-establish a new password on next login. I don't see any other shortcuts here.

Since your question probably doesn't lend itself to an easy answer, I would propose that you change the passwords of websites based on how vulnerable they make you (loss of money, loss of privacy, loss of reputation, etc.)

I will probably:

• review the list for sites storing truly sensitive information
• change those as soon as it seems clear the site is ready for that
• change the remainder the next time I use the site or if the site requests/forces a change.

This means some of them will never be changed, because I will never use the site again, and that's the source of the efficiency gain over doing them all now. In fact this might eventually provoke a clear-up of pointless accounts. In the context of doing that, changing passwords isn't such a big operation.

I think (although I am not sure) that if I very infrequently use a site then there's relatively little chance of my password on that site having being compromised due to heartbleed. Hence the preference for sites I actually use.

The main danger of that guess being wrong is if it turns out that heartbleed has been actively exploited for a long time. Then there is plenty of opportunity for masses of passwords to have been compromised either directly via heartbleed, or by the use of private keys or admin credentials from heartbleed.

[Edit: it's starting to look like maybe heartbleed has been exploited by the NSA for about as long as it has existed. Will have to wait for more information on that, but in any case I'm not as concerned by the NSA having my passwords as you might expect. If the NSA wants my passwords then it has them, heartbleed is one of only many means by which they might acquire them. If they've had them for two years then another month until I find time to change a bunch of low-value accounts won't make a difference.]

The main danger of delaying the password change is that somebody might already have my password, but either hasn't got around to pulling it out of the GB of data they obtained using heartbleed, or else hasn't got around to using it yet. Hence the preference for more sensitive systems.

Specifically for LastPass since you mentioned that, you could export a ccv file and submit the sites to one of the validation tools such as the one LastPass itself offers to determine which sites are even ready to have the passwords changed.

I'm sure each of the vendors is also busy creating/considering a tool to automate something equivalent (e.g., a supplement to LP's Security Challenge).

Each password manager is going to present a different challenge. For example Dashlane does not include the ability to sort passwords by date changed, although it does have a field you can re-purpose to checkoff passwords that have been changed or that you are going to ignore.

Update (Oct 2015) - LastPass and Dashlane (the two I've tried) and some other password managers now have a procedure/form that can make changing passwords at several hundred sites as simple as checking a box (if you trust the automation; they even know that some sites exclude/require certain special characters or mandate length). Alternatively, some take you directly to the site change page via a link, suggest a new password, and record your change.

If you like, open another browser and very quickly test the new password by using the 1 to 3 click open-and-autologin/autofill procedure for that website. Just be cognizant of how and when sync occurs.

I thought this deserved an update since we have had so many more large site cracks and network and router exploits.

Check whether you can login with Google OpenID in some sites. That could reduce the number of passwords you need to change/manage/use.

Bookmark all 'Change password' pages and open them all in tabs together (or maybe in batches of 50). Make a script for generating a list of random passwords and copy-paste them with a copy-and-paste tool. Clean your system after doing this. Changing 50 passwords with this method won't take you more than 10 minutes, which seems a pretty reasonable time for a weekly maintenance.

Doing this, you'll change all your passwords once a month, investing 10 min. a week.

If the systems let you connect via telnet or ssh or something similar, you could script the password changes in a relatively straightforward manner. If the password changes have to be done via a web interface, writing tooling to deal with the variations would probably be more work than it'd be worth but I'd at least try to make sure the new password was pasted in from a reliable source rather than hoping I could accurately retype it 400 times.

Federated ID systems simplify this somewhat by providing a single point to change the password for multiple systems... but of course you have to decide whether you trust those ID hubs.

NOTE: Changing passwords on a regular basis does NOT improve security as much as is commonly believed. If anything, it may encourage folks to pick inferior passwords, because picking a new good one every N months is a pain in the patootie. It only helps if you believe someone is reasonably likely to have stolen your existing password and if that password's getting out exposes something you care about or has a risk of being leveraged for rights amplification.

I do have a proposal which sounds feasible. I never try out myself though.

use AHK (key mouse event recorders ) you do a batch of password changes , and log the session using AHK. next time you want to change password. take out the AHK script and change the password only. you only need to play the AHK script again.

I myself use different pass for different sites, unless they are all leaked out, I don't need to change them at one time.

Create an Amazon Mechanical Turk.
Make a list of your web sites, user names, and current passwords. Each HIT will give out one or more of these. Give rules for what the new password must consist of. Paying $0.01 per password. The user must go change the password for you, and report back the new password. This should get your passwords changed pretty quick. https://requester.mturk.com/