A little more than a week ago I wrote about the Heartbleed vulnerability.

The security hole was announced on April 7. Most online services you’re likely to be using patched things up pretty quickly. Other smaller sites, not so much.

Here’s the thing. In all the hype about the issue, nearly everyone was talking about changing passwords. You might have changed your passwords back then. I didn’t recommend that when I wrote about it on April 10. But a lot of news people did. It was bad information.

If you changed your passwords back when it was first announced, you actually did it too soon.

Your may have fixed your password on all your major sites after they’d patched. But more than likely  you “fixed” your password before the patch was forwarded around to all the other places and devices that access the major sites.

How’s that?

You’ve probably got sites accessing one another. You know, when you’ve allowed other sites to “Log in Using Facebook.”

If all those little sites (and you can’t even remember how many or which ones) weren’t patched yet, they’ve exposed your shiny new password. Sorry. It’s just as toast as your old one.

Now that the dust has settled, and all those little sites have had time to catch up — NOW it’s time to change your password. Now. Even though you changed them the night you heard about it on the news. Even if you already did it, do it again. Just do it.

And don’t use “123456” or your dog’s name.

Get a password manager so you can use 20-character long strings of randomness for your passwords and not worry about forgetting them.

I use and recommend Dashlane. It’s free. 1Password and LastPass are also good.

Now that you have your password manager, you’re ready to change your passwords.

Here’s the list of passwords you have to change.

Go do it. Now.