A few points: This is a discovered vulnerability in some software that encrypts data sent to "https:", which can be pretty well anything that involves financial transactions. At this point, it is a hypothetical threat, although it doesn't require a virus to be installed on the compromised server, so we really don't have any way of knowing if this vulnerability has been exploited for evil yet. It doesn't retrieve stored passwords, but if someone can get a copy of the data you send over the Internet to "secure" webpages, that data (including any passwords you entered) can be decrypted and read; so a hacker has to have access to both the server and the network the server is connected to. Which, unfortunately, is not as difficult as you might think.
Most, if not all, of the popular web services have been compromised in the past, including Facebook and Hotmail, and there is a good probability that the password(s) you use to access those services is in the hands of someone else. If you want to be able to access services from a variety of computers and devices, password vaults are a real PITA, so you need to keep your passwords in your head or within reach. My suggestion is to pick a password that you don't use for any banking or automatic credit card billing, and set every social network password to it. It will probably get stolen, but we all need a good excuse for slanderous and embarrassing Facebook posts, so when your account gets hacked, it's not the end of the world. Then change your password for every bank account and automatic online payment to something you haven't used in the past. Use at least two different passwords for web services where there is real money at risk, so only half of your accounts are vulnerable at a time. Finally, pick another password that you have never used before, and never use it where spouses, kids, co-workers, etc. can see your fingers on the keyboard. Save that password for when one of your other passwords has been compromised, and you need to fix the damage. Trust absolutely no one with that password. No matter how honest or reliable someone is, they can still be careless. That means you only have to remember four passwords, so you shouldn't need to write down your passwords on a sticky note, and if you get in an emergency where you need to access an online account, you don't need to worry about keeping that note with you at all times.
---------- Post added 04-10-14 at 10:39 AM ----------
Originally posted by wombat2go: "openssh is said to not be affected"
OpenSSH and OpenSSL are used for different purposes, and the exploitable code in OpenSSL isn't used in OpenSSH. OpenSSH is used for "tunnelling" of data between two computers, so a user at one computer can act like they are operating the other computer. OpenSSL also "scrambles" data sent between computers, but doesn't give users the ability to operate the other computer. There are alternative programs for both OpenSSH and OpenSSL, but they are both available to use and modify without paying royalties, and both are being updated and maintained on a regular basis, so both are very common on network servers.