Heartbleed: What Is The Correct Response?

My friend Stephen emailed me and said he’s changing all of his passwords in the wake of the Heartbleed bug.

I thought about that and wondered to myself “what is the appropriate response to this?”. So I thought I’d blog about it today and generate a discussion. I am sure I will learn something from it. And hopefully all of us will.

Is the correct response, as Stephen suggests, to change passwords on every site and app you have a stored password for? Is that even possible? What about that podcasting service I signed up for eight years ago? I can’t even recall what is is called anymore.

Or is it correct to respond to password change requests from the services that recommend that? I just did that on a bunch of services that notified me via email that I should do that.

Or is it correct to scour the Internet for suggestions, like this post on Mashable, and follow their advice?

Or is this the time we should all move to 1password, or something like that, to manage our passwords?

If you use two factor auth, as I do on many services, does that mean you don’t need to change those passwords?

There are a ton of super smart and technical folks who read this blog. What are you doing and what would you recommend we all do?