When it comes to changing your passwords, the Heartbleed Bug is a better-safe-than-sorry bug.
This is not a case of hackers breaking into a bunch of sites and stealing all the sites' usernames and passwords; this is a vulnerability that allowed hackers to grab relatively small chunks of data as they flowed through sites. If you happened to be entering your username, password or credit card number as someone was making a grab, it's probably out there now.
You're playing the odds, in other words -- and we don't exactly know what the odds are. This bug has existed for a couple of years but was only recently publicly disclosed, so there's no telling how extensive the damage may or may not be. Again, you're better safe than sorry.
Checking the Big Sites
A user over on GitHub has taken the liberty of checking the top 10,000 Alexa-ranked websites to see which ones are (or were) vulnerable to the bug. What's handy is that the first test was run two days ago, and a second test was run within the past eight hours, so we can see which sites have patched up the vulnerability.
The good news is that the first test returned 630 vulnerable sites, while the second test returned just 178 vulnerable sites -- so progress is being made on patching things up. And the majority of the vulnerable sites on the most recent list aren't exactly household names. I recognize only TinyURL, The Street and The Daily Caller.
Popular Sites Advising You to Change Your Password
According to Mashable's list of popular Heartbleed-afflicted sites, here are some of the big sites where you should change your password:
Google actually claims your password is safe, but it's using the better-safe-than-sorry argument. Of note, Apple has stayed silent, but the GitHub test runs have shown that Apple's main site doesn't use SSL (the type of security protocol that's affected by this bug). Apple's online store (store.apple.com) is either fixed or unaffected, according to this Heartbleed testing site. But again: better safe than sorry. Have I mentioned that yet?
Sites That Weren't Affected
Other big sites that definitely weren't vulnerable, according to Mashable:
- Microsoft (including Hotmail and Outlook)
Also good news: it looks like none of the major banking sites Mashable checked were vulnerable.
How to Check If a Site Is Affected
Any time you see the little lock icon up in your address bar, you can use this tool right here...
...to check if that particular site is affected or not. Note that if a site is affected, you should not change your password for that site. Wait until the site has been patched up and then change your password. Changing your password before a site's been fixed only makes your new password vulnerable.
How to Create a Strong Password
As far as the Heartbleed Bug is concerned, the strength of your passwords may not have mattered much, as evidence has suggested that the data grabbed from certain sites revealed unencrypted credentials. It's still a good idea to use strong passwords in case of conventional security breaches.
Here's a quick video with a popular technique for creating strong passwords: