John Baylor experiments

Heartbleed

I’ve been writing software for a living for over 30 years and can tell you that the recent Heartbleed security hole is very serious. It is a bug in OpenSSL’s handling of the TLS “heartbeat” extension: anyone can ask an unpatched server to echo more data than was sent, and the server replies with whatever happens to sit next in its memory, which can include other users’ passwords, session cookies, and even the server’s private key, all without leaving a trace in the logs. Here are the steps that I am taking to mitigate my own risk - I suggest others do the same.

Make a List. Check it Twice

Make a list of all the sites you use that require passwords, including the ones your smartphone or tablet logs into for you. Keep it around for the next time this sort of thing happens (although a bug of this magnitude is rare). My list has about 50 different sites on it - yours is probably shorter. Yes, this is tedious, but it is important. It is also worth going through the list to mark which passwords definitely need changing (sites that ran a vulnerable server) vs. those you might change anyway to be consistent with your new scheme.

Have a Plan

Figure out a strategy for your passwords so you can use a different password on every site. For example, I might use “John5694Apple!” on iTunes and “John5694Google!” for GMail (where “5694” is a number that is easy to remember, like the last 4 digits of my phone number). This way, if one site loses all its passwords, the attackers don’t get immediate access to the other web sites you use. Be aware of the weakness of a visible pattern like this, though: anyone who sees one of those passwords in a leak can guess the rest by swapping the site name, so it buys you time rather than real isolation. The stronger alternative is a tool such as LastPass or 1Password that generates a random, unrelated password for each site and remembers it for you.

Check Each Site: Has it Fixed the Bug?

This step is somewhat optional, since most major sites have already closed the barn door on this security hole. But if you’re not sure, check each site against a tool that tries to see whether it is vulnerable or not. Beware that the results are sometimes inconclusive, so also check the site’s FAQ page or blog to see what they say about Heartbleed - if they don’t say anything then you should be worried. The order matters: a new password entered on a server that is still vulnerable can be stolen just like the old one, so wait for the site to confirm it has patched (and, ideally, replaced its TLS certificate, since the private key may have leaked too) before you change anything there.
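To make concrete what the checker tools in this step are looking for, and what the security hole described in the introduction actually does, here is an added example written for this page; it is not code from the original post or from any checker tool. It models the RFC 6520 heartbeat message in Python, puts an unpatched handler next to the bounds check that OpenSSL 1.0.1g added, and runs the over-long probe a scanner sends against both. The “heap” bytes and the cookie inside them are constructed sample data, and nothing here talks to a network.

```python
"""Heartbleed on constructed heartbeat messages (added example, not the post's code).

HeartbeatMessage (RFC 6520):  type(1) | payload_length(2) | payload | padding(>=16)
The bug: the server copied payload_length bytes without checking that many
bytes were actually received, so an overstated length reads adjacent memory.
"""
import struct
from typing import Optional

HB_REQUEST = 1        # HeartbeatMessageType heartbeat_request
HB_RESPONSE = 2       # HeartbeatMessageType heartbeat_response
PADDING_LEN = 16      # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 1 + 2    # type byte + 16-bit payload_length


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Encode a heartbeat_request. An honest client sets claimed_len == len(payload);
    a Heartbleed probe overstates it so the server copies past the end of the message."""
    if not 0 <= claimed_len <= 0xFFFF:
        raise ValueError("payload_length is a 16-bit field")
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_vulnerable(heap: bytes, record_len: int) -> Optional[bytes]:
    """Unpatched behaviour (OpenSSL 1.0.1 through 1.0.1f).

    `heap` is a constructed model of process memory: the received record sits at
    offset 0 and whatever else the process held follows it. `record_len` is how
    many bytes actually arrived; the bug is that it is never consulted and the
    attacker-supplied payload_length is trusted instead.
    """
    if len(heap) < HEADER_LEN:
        return None
    hb_type, payload_len = struct.unpack("!BH", heap[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return None
    # The copy reads payload_len bytes after the header, running off the end of
    # the record into adjacent heap memory, and echoes all of it back.
    copied = heap[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + copied + b"\x00" * PADDING_LEN


def handle_heartbeat_fixed(heap: bytes, record_len: int) -> Optional[bytes]:
    """Patched behaviour (OpenSSL 1.0.1g): discard the message unless
    1 + 2 + payload_length + 16 fits inside the bytes actually received."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None
    hb_type, payload_len = struct.unpack("!BH", heap[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return None
    if HEADER_LEN + payload_len + PADDING_LEN > record_len:
        return None  # silently dropped, as the patch does
    copied = heap[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + copied + b"\x00" * PADDING_LEN


def classify(response: Optional[bytes], sent_payload: bytes) -> str:
    """What a scanner concludes from the reply to an over-long probe: a
    heartbeat_response carrying more payload than the probe sent is the leak."""
    if response is None or len(response) < HEADER_LEN:
        return "not vulnerable (probe rejected)"
    hb_type, resp_len = struct.unpack("!BH", response[:HEADER_LEN])
    echoed = response[HEADER_LEN:HEADER_LEN + resp_len]
    if hb_type == HB_RESPONSE and len(echoed) > len(sent_payload):
        return "VULNERABLE: %d bytes returned for a %d-byte payload" % (
            len(echoed), len(sent_payload))
    return "not vulnerable"


def demo() -> None:
    probe_payload = b"ping"
    probe = build_heartbeat(claimed_len=4096, payload=probe_payload)  # claims 4096, sends 4
    # Constructed heap: the 23-byte probe followed by leftovers from an earlier request.
    heap = probe + b"Cookie: session=EXAMPLE-SESSION-TOKEN\r\n" + b"\x00" * 4096
    for name, handler in (("unpatched", handle_heartbeat_vulnerable),
                          ("patched", handle_heartbeat_fixed)):
        resp = handler(heap, len(probe))
        print(f"{name}: {classify(resp, probe_payload)}")
        if resp is not None:
            print("  first bytes echoed:", resp[HEADER_LEN:HEADER_LEN + 64])


if __name__ == "__main__":
    demo()
```

The same test, done for real, needs a TLS ClientHello that advertises the heartbeat extension before the probe is sent, and an honest client that never overstates the length sees identical answers from both handlers; the only observable difference is whether the server echoes more than it was given.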

Change Your Password

Change each password to one that matches your strategy. Now you never have to write down your password or use the same one twice - just follow your strategy.

HINT: if you keep your list in a spreadsheet it might autolink the domain name to the website - which slightly simplifies the tedious process of changing a long list of passwords.

Am I Being Too Paranoid?

I suspect this bug will get worse before it gets better. In addition to all the web servers that had this bug, there is other hardware and software that cannot be patched as easily as a web server (routers, appliances and other embedded devices that bundle OpenSSL) - hardware and software that is so ubiquitous that we could be using it without even realizing it. So we’ll continue to get additional cyber-theft and identity theft until we close all these holes. In the meantime, we may need to change our passwords multiple times as we discover yet another avenue by which they might have been stolen. Some will tell me I’m wrong and alarmist - I really hope they’re right and it’s not as bad as I fear.

Blog format shamelessly lifted from Mojombo, creator of Jekyll