Neil Turner's Blog

Blogging about technology and randomness since 2002

Unexpected plain text password in the bagging area

Mini Pineapple

If you have a few spare minutes, have a read of this blog post by Troy Hunt regarding Tesco’s poor password security. Tesco, for the uninitiated, is the UK’s largest supermarket who also sells groceries online, and is presumably used by hundreds of thousands (if not millions) of British people.

Good password practice should mean that passwords are hashed, using a one-way algorithm, and ideally salted as well. Tesco claims its passwords are stored in an encrypted format, but presumably this is a symmetrical encryption method because if you forget your password, Tesco will email it to you, in plain text. Remember, email isn’t encrypted so anyone who is snooping your emails will be able to retrieve your password, and log in to your Tesco account.

What makes this worse is that Tesco doesn’t allow for particularly strong passwords, either. They have to be a maximum of 10 characters, and can only contain letters or numbers. Even worse is that passwords aren’t case sensitive, and top it off, the web site uses very old versions of Microsoft’s IIS and ASP.Net, which are potentially more vulnerable to security attacks.

If you have a Tesco account, I’d therefore strongly suggest that you ensure the password you use is unique (this is good advice for any web site but especially applies here) and that you don’t store your credit card details with Tesco. If you don’t use Tesco anymore, then you could contact them to ask them to delete your account, citing fears about their security.

Of course, Tesco are far from being the only offenders here, and Plain Text Offenders collects various emails from web sites who will also send you your password in plain text.

Comments are closed.