Telling customers to change their password won't guarantee security


KPMG's Stephen Bonner advises organisations hosting sensitive information to fix their weak points first before panicking customers unnecessarily


As details emerge about Heartbleed, a flaw in the OpenSSL library that lets attackers read memory from affected servers, including cryptographic keys, KPMG’s Stephen Bonner argues that panicking consumers into changing their passwords is not necessarily the right response. Instead, he suggests that organisations hosting sensitive information should identify and fix the weak points in their web footprint before advising customers on what action to take.

Bonner, a partner in KPMG’s Information Protection and Business Resilience team, says: “Too much credence is being given to the idea that the Heartbleed Bug can be beaten if customers change the passwords they use to shop and communicate online. It’s an easy option, but one that ignores the real questions around what businesses should be doing to safeguard their internet footprint.”

“The web is a world without borders, meaning that companies must map their entire online presence, identify where vulnerabilities exist and work with their software suppliers to ensure the Heartbleed Bug is blocked at any point of entry. After all, the software flaw may have a fix available, but it’s only when every gateway is guarded with the relevant patch that customer password changes will be effective. The fact remains that if passwords are changed beforehand they are just as vulnerable.”

“If a company identifies vulnerabilities, the next step should be to assess the impact and take action to protect any sensitive data. If they find that they are secure, logic suggests that customers should be assured this is the case. After all, having different passwords on each service and changing them on a regular basis makes good sense, but the rush to urge immediate action creates a sense of panic that helps no one.”


- ENDS -


Media enquiries:

Mike Petrook, KPMG Press Office

T: 020 7311 5271

M: 07917 384 576



KPMG Press Office: +44 (0) 207 694 8773


About KPMG

KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and operates from 22 offices across the UK with approximately 11,500 partners and staff. The UK firm recorded a turnover of £1.8 billion in the year ended September 2013. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. It operates in 155 countries and has 155,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. Each KPMG firm is a legally distinct and separate entity and describes itself as such.

This article represents the views of the author only, and does not necessarily represent the views or professional advice of KPMG in the UK.
