Friday, April 11, 2014

Heartbleed and passwords

First, the Heartbleed bug doesn't mean that your passwords have been compromised.  It's a memory bug that lets an outsider pull chunks of a server's memory that should have stayed private, and someone could have used it to mine those spills for useful data.  There's no reason to believe that anyone knew this was possible before this week - there has been no hacker chatter - but there's no way to know for sure.

Think of it like this:  You've been living in your house for two years, and one day while working in your garden, you find an extra house key under a gnome, hidden there by the realtor.  You have no reason to think that anyone has used it to get into your house, but they could have gotten in and out without you knowing about it.  Now the key is going to be locked up, but should you change your locks anyway, just in case someone found it and made a copy?  To be really safe, yes.

But the greatest security issue with passwords isn't the Heartbleed bug.  It's the tendency for people to choose passwords that follow patterns.  Those patterns are often English words, names or other predictable sequences, and they make a password guessable within a range of only a few million possibilities - a manageable number for a computer.

Naturally, people like to use passwords that they can remember, but the problem is that our memories are pattern-based, and patterns are a guide for hackers.  There are only a few hundred thousand commonly known English words, and fewer still if you're looking for one that's easy to remember and spell.  Passwords built from them are considered "weak."  Hackers can use software to test for them.

But if you use a random combination of characters and numerals, the number of possibilities is exponentially larger.  Using a mix of upper and lower case letters, numerals and punctuation characters, an eight-character password can have 576 trillion possibilities - literally about a billion times more "unguessable" than a known English word.  "Strong" passwords are those that do not follow known patterns.

(Use this link to make a strong password: http://steponebusinessservices.com/strongpassword)
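To show where those numbers come from, here is a small Python script I've added as an illustration (it is not from the original post and not the generator behind the link above).  It computes the search space for a password of a given length and alphabet, compares it with the size of an English dictionary, and generates a random password using the operating system's cryptographic random source.  The eight punctuation marks, the 500,000-word dictionary size and the guess rate used for the time estimate are my own assumptions, chosen so that the 70-symbol, eight-character case lines up with the 576 trillion figure above.

```python
import math
import secrets
import string

# Alphabet assumed here: 26 lower, 26 upper, 10 digits and 8 punctuation marks.
# The specific punctuation set is my assumption; it gives 70 symbols in total,
# which is the alphabet size that makes eight characters equal 576 trillion.
PUNCTUATION = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + PUNCTUATION

# Constructed size for "a few hundred thousand commonly known English words".
COMMON_WORDS = 500_000

# Constructed guess rate for the worst-case time estimate (an assumption, not
# a measurement): one billion guesses per second against an offline copy of hashes.
GUESSES_PER_SECOND = 1_000_000_000

# Constructed mini wordlist standing in for a real dictionary in the weak-password check.
SAMPLE_WORDLIST = {"password", "sunshine", "dragon", "letmein", "welcome"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Search space expressed as bits of entropy (log base 2)."""
    return math.log2(space)


def worst_case_seconds(space: int, guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Seconds to try every password in `space` at the assumed guess rate."""
    return space / guesses_per_second


def times_larger_than_dictionary(length: int = 8, alphabet_size: int = len(ALPHABET)) -> int:
    """How many times larger the random search space is than a dictionary attack's."""
    return keyspace(alphabet_size, length) // COMMON_WORDS


def is_dictionary_word(password: str, wordlist: set = SAMPLE_WORDLIST) -> bool:
    """Defender-side check: reject a password that is simply a known word, ignoring case."""
    return password.lower() in wordlist


def generate_password(length: int = 8, alphabet: str = ALPHABET) -> str:
    """Random password from the OS cryptographic source (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    space = keyspace(len(ALPHABET), 8)
    print(f"alphabet size: {len(ALPHABET)} symbols")
    print(f"8-character search space: {space:,} ({entropy_bits(space):.1f} bits)")
    print(f"that is {times_larger_than_dictionary():,} times a {COMMON_WORDS:,}-word dictionary")
    print(f"worst case at {GUESSES_PER_SECOND:,} guesses/s: {worst_case_seconds(space) / 86400:.1f} days")
    for length in (8, 12, 16):
        s = keyspace(len(ALPHABET), length)
        print(f"  {length} chars: {entropy_bits(s):.1f} bits, {worst_case_seconds(s) / 86400:,.0f} days")
    print("is 'Sunshine' a dictionary word?", is_dictionary_word("Sunshine"))
    print("example strong password:", generate_password(12))
```

The loop at the end is the part worth looking at: under the assumed guess rate, the eight-character space is exhausted in a matter of days, while going to twelve or sixteen characters pushes the same calculation out by many orders of magnitude.  Randomness is what beats the dictionary, and length is what turns that into a comfortable margin.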

The other major vulnerability is making all of your passwords the same - again, to make them easier to remember.  The downside of that should be obvious.  The solution is to use a different strong password for each site, and keep a list of all of them in a safe place (more than one place).  There are password managers (like LastPass and many others) that encrypt and store all of your passwords for you, so that you only have to remember the one for the manager - if you feel comfortable trusting a service like this with everything, it's an easy solution.