Feeds

Tesco in unencrypted password email reminder rumble

Price check on salt

Mobile application security vulnerability report

Tesco's admission that it still merrily emails passwords to punters in plain text has alarmed anyone with a grasp of computer security.

The UK's supermarket behemoth reassured the world on Sunday that it stores passwords for online shopping accounts in an encrypted format, and only decrypts them when users forget their login credentials and request a reminder via email.

This cut little ice with many Reg readers, who contacted us in large numbers on Monday morning. They pointed out that the method is undesirable because it fails to meet the security industry's best practices. It would be far better if Tesco switched to a secure password reset process with salted hashes for users' login credentials.

One (unlikely) danger is that these unencrypted email password reminders could be intercepted and used by crooks. But the bigger issue is that the method implies that the grocer stores passwords in a way that could allow anyone who infiltrates the website to uncover the original plaintext credentials: if Tesco can decrypt stored passwords for reminder emails, hackers can too.

The password reminder issue was raised again at the weekend by developer Troy Hunt but the same issue was actually first reported five years ago, back in 2007.

It's poor practice to send out password reminders in the clear-text but Tesco is hardly alone in this, and it's hardly the most wretched of security sins. The tone and severity of criticism against Tesco would be justified had its systems had actually been hacked and the passwords exposed - as has happened to other and still more prominent organisations in recent times - but this doesn't appear to be the case.

The password reminder issue is just the most obvious in a security of security mistakes by the grocer, according to Hunt, who list the various flubs in a blog post here. Other problems include using unencrypted authentication cookies and mixing up encrypted and unencrypted content on a secure page, behaviour that likely to generate browser warnings that most users will find confusing. For good measure Tesco's website is insecurely configured and running IIS 6, a seven-year-old and twice superseded version of Microsoft's web server software.

We asked Tesco for a more substantive response covering these various concerns but at the time of posting we're yet to hear back from the retailer. We'll update this story as and when we hear more. ®

The Power of One Brief: Top reasons to choose HP BladeSystem

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
Bose says today is F*** With Dre Day: Beats sued in patent battle
Music gear giant seeks some of that sweet, sweet Apple pie
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.