I received this from DigitalOcean support:
Changing your account password will protect access to the control panel but will not affect your droplets themselves. Here is what I would recommend to secure your account and services:
1.) Change your account password
2.) Enable two-factor authentication (this will prevent any login to your account even with the password without your smartphone)
3.) Secure the droplet root account(s)
a.) If you are using ssh-key based authentication on your droplets check the /root/.ssh folder and any /home/user/.ssh folders for the authorized_keys file and remove the developer's key. (make sure your own key is there so you don't lose access).
b.) If you are using password authentication on your droplets log into each droplet as root and run the command "passwd" you can use the password reset option in the control panel to send a new temporary password if you do not have the current one but you should still log in immediately as you will be prompted on first login to specify a new permanent password.
4.) Check any services (CMS, Wiki, etc) that you are running on your droplets to ensure that you change the password for any administrative accounts inside those services.