What's wrong is that, if a site doesn't patch the bug before your next log in, your password is again at risk and must "again" be changed. So, how do I know if a site is Heartbleed protected?
Well, many have already patched or fixed their vulnerability and have modified their login screens to indicate that fact. But, even if they do or don't, the biggest names in network security -- Norton, Symantec and McAfee -- have free online webpages that will "test" any login screen for the Heartbleed vulnerability. Those sites are as follows:
- Norton: http://safeweb.norton.com/heartbleed?om_sem_cid=hho_sem_sy:us:ggl:en:b|kw0000449110|38757638716|c&country=US
- McAfee: http://tif.mcafee.com/heartbleedtest?eid=14Q2NAMGSCSR1093
- Symantec: https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp?sl=QWHND-0000-01-00
So, go ahead and change your passwords. But, before you log in again, do the test. If the site fails, then either don't log in at that time or, if you must, change your password again before you leave.