This is of course a rapidly changing situation, so the advice may well change.
The main Heartbleed blog entry has a bit of information about what to do about passwords, but to make it more plain …
In the case of your University account password, we are not currently recommending that you change your password. However we will be advising that those people who have used our vulnerable servers should change their passwords, but it currently appears to be a tiny minority of the entire population.
Unfortunately the information regarding Google is somewhat contradictory. Some of Google’s services have had this vulnerability, but would have been fixed very early – one of the researchers investigating this issue was part of Google’s Security Team. Some sites are indicating that Google users should change their account passwords.
However the unofficial advice from a Google engineer is that there is no need to change passwords at this time. They go on to suggest that regularly changing passwords is always recommended – as we do.
Other Web Sites
In the case of web site passwords (Yahoo, etc.), we recommend checking with the web site operators for advice. Most of the top 1000 web sites were not found to be vulnerable (for example Facebook was not), so changing passwords for these sites is unnecessary.
If a web site announces that it is advisable to change passwords, then we advise that you do so. Unfortunately the announcements may not be immediately obvious, and some sites collating information may contain misleading information.