Epilogue – Heartland

Now that the dust has settled somewhat on the Heartbleed incident, and you must surely have by now changed your passwords — presumably using best practices of unique passwords for each account, “strong” passwords using mixed case, mixed alpha and numerics, no dictionary words, no simple character substitutions, etc. AND assuming that your site/service provider passes the Heartbleed test or has notified you that they have taken measures to fix the vulnerability — this might be a good time to think about even more safeguards.

Best Practices

Just google for the many, many sources of good information on choosing strong passwords and employing other measures. Here is one of the latest I have seen, this one from NPR.

LastPass

If you are still trying to test the vulnerability of “secure” sites that you use, LastPass has a nice checking tool at https://lastpass.com/heartbleed/ that will identify the actual server software used by the site, if it can. That may not mean too much to everyone, but it is very useful to know if you are in the business of maintaining a server or SSL certificates yourself. And if you are a LastPass (imho, one of the best cloud-based password managers out there) user, LastPass will check your accounts for vulnerability and give you suggestions for action.

Two-Factor Authentication

This is a security approach that we use in our workplace (actually in some cases using multi-factor authentication, a close relative, where appropriate for even more levels of security). Without going into too much technicality, we can think of this approach as a two-step scheme of verification that addresses both the factor of possession (is the user in possession of something unique, such as an ATM card?) and the factor of knowledge (does the user know the PIN number that is associated with, but separate from, the possession factor?).    Almost all banks will use two- or multi-factor authentication, and they should. 

Many sites/service providers give you a two-factor authentication option that first requires that you know and submit a unique username and password combination (this addresses the knowledge factor). To address the possession factor piece of this authentication scheme, a typical implementation would require you to register your cellphone with the host site/service provider. Then, to complete your login successfully, even though you have done the usual username/password input, you would have to fill in a newly-generated, one-time password to gain entry. The special, extra password you need would be generated as a one-time, short-lived (perhaps only 30 seconds or whatever) code appearing as a text/SMS message to your phone (representing the possession factor). 

Don’t have a cellphone? In a variation, Google, for example, would let you use a special application or program (such as the Google Authenticator app) that has been previously installed and registered with your account and generates a new, random passcode for you to use at certain intervals, typically every 30 seconds. (Btw, this scheme goes back many years: when I worked at UCLA, access to certain servers and systems was available only if you first ran an online login application in a “traditional form” that also prompted for a separate, additional password that you would only know by pulling a credit-card-sized device from your pocket — something like the old-school pagers — and using the moving passcode that it would generate and display at 30-second intervals after power-up.)

If you carry a laptop around with you almost everywhere, I would strongly consider using two-factor authentication.

Phishing Scams

This is one to be watchful for.  Heartbleed will provide an exceptional opportunity for the unscrupulous to try to coax your passwords out of you by masquerading as one of your real sites.  Better to be proactive and go to the site(s) in question on your own and change your password that way.  Don’t fall for the trick of sending your password off to somebody who asks for your credentials “to keep you safe” from Heartbleed or anything else unless you are absolutely sure that it is legit and that you are being directed to the site’s real URL/Web address.  If you think you may have been duped this way, browse directly to the site(s) where you have an account and change your password again.

Okay, good luck to us all.  
