Leaving aside that your Instagram password is probably one of the least interesting things an attacker might get through Heartbleed, changing your password will only help you until the next time a security breach leaks a (hopefully) hashed password database.
What I only recently realized is that plenty of other sites, Facebook, Hotmail, this blog, and many more have implemented the same one-type password standard that Google Authenticator uses, complete with QR codes to scan.
The app is used to verify that you have a specific smart phone after you’ve confirmed that you know a password. Those are the “two factors” in “two-factor authentication.”
Once you’ve used the authenticator app once on a given browser, you can usually check a box to not prompt you again from that browser. But if someone else managed to get your password, they’ll be prompted to get a code from your smartphone: something they don’t have.
Given the increasing sophistication of attacks, setting up a two-step verification system is absolutely necessary to keep your information and identity secure. And now that we have easy-to-use tools like FreeOTP or Google Authenticator, there’s no reason not to.
So do it! When you’re going around resetting all your passwords again, do yourself a favour and set up two-factor authentication too.