Tool/Procedure to Evaluate Whether Each Site in a Password Manager (e.g., KeePass, LastPass, Dashlane) is ready for a new password (post Heartbleed)?

2

1

Sites need to be remediated for the Heartbleed exploit before a password is updated. Some sites will be remediated immediately but others may not be updated for months. Lots of us have many dozens to several hundred sites in a password manager that may need to be updated.

Is there already a tool / utility / procedure / site that will identify and track which sites are ready to have their passwords reset for all sites in a password manager (e.g., KeePass, LastPass, or Dashlane)?

If not, what features would such a tool need?

I can envision three approaches at the moment.

  1. Some other password manager includes this feature and both has a trial version and also will import the data from the current password manager.

  2. A tool that will accept export data from the current password manager (e.g., to .CSV), submit each site to a Heartbleed test site, and

  3. A Heartbleed test site that will accept a list of sites (file or pasted). Again, the list would be derived by exporting the data from the current password manager with perhaps a little judicious editing.

The Heartbleed test sites that I know about will only accept one site at a time for testing.

UPDATE - LastPass Security Challenge now includes a Heartbleed section. I don't know how accurate the test is -- or can even be without site administrator participation.

BillR

Posted 2014-04-10T00:32:44.123

Reputation: 471

Question was closed 2017-10-15T00:07:54.487

LastPass Now Checks If Your Sites Are Affected by Heartbleed – Sathyajith Bhat – 2014-04-10T05:51:28.053

Answers

2

Well, you change the password on affected sites anyway, especially if you have used the same password multiple times before. KeePass will help you generate and track unique passwords for each site.

There are checker tools for sites:

Here is a Chrome Extension:

(I have not tested this yet)

David

Posted 2014-04-10T00:32:44.123

Reputation: 2 222

"The Heartbleed test sites that I know about will only accept one site at a time for testing" like the Qualys, Filippo Valsorda, LastPass, and other Heartbleed test sites I've found. Chromebleed may prove useful but doesn't specifically address the need. – BillR – 2014-04-10T02:29:12.603

Also LastPass, even if you don't use the service: https://lastpass.com/heartbleed/?h= – Kip – 2014-04-10T14:58:43.713

FWIW, ssllabs is telling me all my banking sites are not vulnerable, but LastPass is saying "may be vulnerable" for all of them – Kip – 2014-04-10T15:03:01.310

Do any of those tests check that a new certificate has been issued? – None – 2014-04-10T15:06:41.453

Anti-weakpasswords provided the most complete list of Heartbleed vulnerability checkers for sites (see below) that I've seen so far in response to: HeartBleed - How to detect compromised websites. It doesn't mention (at least not yet):

LastPass also has a site vulnerability checker (page) and just added it to its Security Challenge: https://lastpass.com/heartbleed/

ChromeBleed is a Chrome extension to identify vulnerable sites: https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic

– BillR – 2014-04-10T16:14:59.170
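
Approach 2 from the question, combined with the new-certificate check asked about in the comments, as an added example that is not code from any poster in this thread: it reads a password-manager CSV export and flags each HTTPS site by whether its certificate was issued after Heartbleed's public disclosure. The column names, the sample export and the status labels are assumptions.

```python
import csv, io, socket, ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Heartbleed was publicly disclosed on 2014-04-07.
DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)
URL_COLUMNS = ("url", "URL", "Web Site")  # assumed export column names
# Constructed sample export; real exports also contain live passwords.
SAMPLE_EXPORT = """url,username,password,name
https://bank.example/login,alice,REDACTED,Bank
https://bank.example/cards,alice,REDACTED,Bank cards
shop.example:8443/account,alice,REDACTED,Shop
http://forum.example/,alice,REDACTED,Forum
"""

def hosts_from_export(csv_text):
    """Return the unique (host, port) pairs of HTTPS entries in the export."""
    hosts = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = next((row[c] for c in URL_COLUMNS if row.get(c)), "")
        parts = urlsplit(raw if "://" in raw else "https://" + raw)
        if parts.scheme == "https" and parts.hostname:  # plain HTTP has no TLS
            hosts.add((parts.hostname.lower(), parts.port or 443))
    return sorted(hosts)

def cert_not_before(host, port=443, timeout=5):
    """Fetch the leaf certificate's notBefore time (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_before = tls.getpeercert()["notBefore"]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), timezone.utc)

def triage(not_before):
    """Classify a site from its certificate issue time."""
    # Heuristic only: the issue date says nothing about the OpenSSL version.
    return "cert-reissued" if not_before >= DISCLOSED else "cert-predates-disclosure"

def report(csv_text, lookup=cert_not_before):
    """Map (host, port) -> status; `lookup` is injectable so this runs offline."""
    result = {}
    for host, port in hosts_from_export(csv_text):
        try:
            result[(host, port)] = triage(lookup(host, port))
        except (OSError, KeyError):  # unreachable, TLS failure, or no cert data
            result[(host, port)] = "unknown"
    return result
```

A post-disclosure certificate date does not show that the server was patched or that the private key was replaced, so treat `cert-reissued` as a hint for when to re-check a site, not as a test result.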