Tesco in unencrypted password email reminder rumble

Tesco's admission that it still merrily emails passwords to punters in plain text has alarmed anyone with a grasp of computer security. The UK's supermarket behemoth reassured the world on Sunday that it stores passwords for online shopping accounts in an encrypted format, and only decrypts them when users forget their login …

COMMENTS

This topic is closed for new posts.
  1. Ben Tasker

    "One (unlikely) danger is that these unencrypted email password reminders could be intercepted and used by crooks. But the bigger issue is that the method implies that the grocer stores password hashes in an unsalted format. If there was any kind of breach that exposed these password hashes then the corresponding plain text passwords can be extracted from the stored hashes using a brute force attack and rainbow lookup tables."

    Not to be too pedantic, but these aren't hashes. Hashes are one way (salted or otherwise); these would actually be encrypted passwords. How is it the Reg calls hashes "encrypted passwords", but when they could use the right term (even if by accident) they still cock it up?

    Pales in comparison to the cock-up by Tesco though. When it comes to security, every little helps.

    Getting me coat

    1. diodesign (Written by Reg staff)

      Re: encryption, hashes, etc

      Hello,

      Yes, you're right - there was a misunderstanding at the editing stage. We do know the difference between encryption and one-way hashing functions. It's been fixed.

      C.

  2. GettinSadda
    FAIL

    Oh dear!

    "But the bigger issue is that the method implies that the grocer stores password hashes in an unsalted format."

    Very poor understanding, 1 out of 10

    1. Riccardo Spagni
      Thumb Up

      Re: Oh dear!

      Good reply. 9/10, would read again.

  3. Rod 6
    FAIL

    So....

    "But the bigger issue is that the method implies that the grocer stores password hashes in an unsalted format. If there was any kind of breach that exposed these password hashes then the corresponding plain text passwords can be extracted from the stored hashes using a brute force attack and rainbow lookup tables."

    But if they were hashed then Tesco would not be able to send you your forgotten password without brute-forcing their own database. Sounds like they are encrypted, in which case it does not matter if they are salted or not.... Allen always has something to say on salting.... http://www.youtube.com/watch?v=HB-qNONoYN4

    1. Callam McMillan

      Re: So....

      You missed the point, you shouldn't be able to recover your old password. If you forget your password, it should make you reset it to a new one.

    2. Anonymous Coward

      Re: So....

      I really hope you don't work anywhere near programming, especially security, Rod.

      The only person that should know your password is you. Always. Never the system you've signed up for, barring a salted and hashed version (with a secure method) of it which even they can't brute force. Whenever a manager comes in saying "I want to be able to log in to [x] account here", they are told they are getting a "sign in as" button, and not plaintext passwords.

    3. I. Aproveofitspendingonspecificprojects

      Re: So....

      > http://www.youtube.com/watch?v=HB-qNONoYN4

      Interesting facial hair. It's visible through his microphone. I bet Groucho Marx never tried that idea.

  4. AndrueC
    Meh

    To be fair to Tesco - they are one of the few eTailers(*) who have never leaked/sold my address to spammers. It's something I can track because I give everyone their own unique address. Frankly I've given up on the independents now. I got sick of having to blacklist their addresses.

    (*)Kudos also to: Amazon(**), Laithwaites and eBuyer.

    (**)A special award for Amazon given their use of resellers. Their anonymising mailer is a bloody good idea.

    1. DrXym

      That's most likely because the data is too valuable to Tesco to just go off and sell it someone else. All those lovely metrics about how often you shop, what time of day you shop, how far you drive to shop, how susceptible you are to promotions, how often you spend points, how many kids you have, who you're married to, whether you have a garden or not, etc. Most stores with loyalty schemes are likely the same.

      If they sell data at all, it's the bare minimum, or they operate the database so the "preferred partner" has no idea how the data was mined out.

    2. Anonymous Coward

      I've had spam via Tesco Compare, although, giving Tesco the benefit of the doubt, this is probably down to the way the information is passed to various underwriters that has led them to leak the email address (which was unique to the quote for insurance).

      But still fail on Tesco for not ensuring the "no I don't want to hear from you or partners" check box actually does what it says.

  5. Callam McMillan
    FAIL

    Funny you should say this!

    I had to order a replacement Clubcard just the other night and I couldn't remember my password, so I was somewhat surprised after resetting it to find my password emailed directly to me... I then changed it to something secure but totally throwaway, because anyone who stores my password in plain text (or as good as, if it can be decrypted on demand) shouldn't be holding them in the first place.

    In this case the fail icon is truly justified!

  6. Andrew James

    Tesco isn't great at security. They've been sending SMS monthly bill reminders to my wife for over a year that go along the lines of "Dear [password], your Tesco Credit Card statement is online". Same every time. She's phoned and told them more than once; makes no difference.

    1. Anonymous Coward

      Re: Dear [password]

      Ah - sounds like she has accidentally entered her name in the "Name" field and password in the "Password" field.

      If she enters her password in the "Name" field and name in the "Password" field, this issue will be resolved.

      We randomise the fields to increase your security. Or hide our mistakes. Remember: every little helps....

      Tesco Web Security Support (deceased)

  7. Steve Jeffery

    Glad this is finally going mainstream

    This issue has been known by Tesco, and by the tech community for years. I have been having a two year dialogue with Tesco about it myself.

    Maybe the scrutiny of the media might overcome Tesco's resistance to even trying to understand the problem.

  8. Harry

    What are we talking about here?

    If it's Tesco Bank, then yes, emailing passwords which could allow a third party into your bank account is improper and there is cause for concern.

    But if it is just access to your grocery list, then it's a storm in a teacup. Is anybody really going to break in to your account just to look at your Clubcard points and order you a million teabags?

    1. Anonymous Coward

      Re: What are we talking about here?

      No, it's not a storm in a teacup. It has been shown time and again that people reuse passwords on multiple sites. A security breach at one site can potentially compromise accounts at other websites, which may be far more serious than viewing Clubcard points and teabag orders.

      There are also far more issues here than just the passwords: Tesco's frankly embarrassing use of SSL, obsolete platform and, most worrying to me, their total disregard for their customers' security (apparently they've been aware of these problems for years, done nothing and in fact still deny they exist).

    2. Chris 3

      Re: What are we talking about here?

      Post your Tesco login credentials up here for us will you?

    3. lmontrieux

      Re: What are we talking about here?

      They also have online shopping - yep, including your credit/debit card number if you've decided to let them store it.

    4. Ben Tasker

      Re: What are we talking about here?

      Given some of the miscreants on the net nowadays, yes they might well break in and order you 20,000 cans of beans for 'Teh Lulz'

      And as others have said, it's not just your grocery account that may be at risk

  9. JimmyPage
    FAIL

    Epic fail

    Passwords should be stored via a one-way hash. Forgotten passwords need to be reset.

    1. Paul Anderson

      Re: Epic fail

      That's the bottom line, Jimmy.

      PS: Can you tell Robert Plant he still owes me a fiver ?

      1. JimmyPage

        Re: Epic fail

        If you know what his 1969 Christmas present to the entire Zeppelin road crew was, you'd know why you haven't got it

        (It was a bottle - singular - of scotch).

  10. Irongut

    What happened to the death of El Reg icon?

    "One (unlikely) danger is that these unencrypted email password reminders could be intercepted and used by crooks."

    Because no one has ever had their email hacked. Oh no.

    1. Wize

      Re: What happened to the death of El Reg icon?

      These days they go for the whole database.

      Would be advisable to any Tesco customers who reuse their password on other sites to go round changing them before it gets hacked. Can see it being a valuable target to hackers now that the word is out.

      1. Andrew James

        Re: What happened to the death of El Reg icon?

        If someone wants to hack my Tesco grocery account, and have them deliver me 120 cucumbers and a boatload of cooking apples, they're more than welcome. Hell, I'll give them my password. It's worth it to see the look on the wife's face.

        1. Chris 3

          Re: What happened to the death of El Reg icon?

          Go on then - post the details.

        2. LinkOfHyrule
          Joke

          Re: What happened to the death of El Reg icon?

          Someone hacked my account once for a joke - they changed my order from a weekly shop to 120 cucumbers, 60 pots of Vaseline, 80 pairs of Marigold rubber gloves, 40 bottles of Johnson's Baby Oil, 140 cans of squirty cream, 50 packs of rubber johnnies, 20 packs of 200 clothes pegs and one copy of What HiFi Magazine.

          I was fucking well embarrassed! Not by the obvious orgy supplies but by the hifi mag!

      2. Anonymous Coward

        Re: What happened to the death of El Reg icon?

        Sure, they go for the whole database... it makes sense. With a little investigation Mr Hacker discovers that Tesco stores passwords as plain text, after doing a password recovery.

        Considering MD5 passwords, non salted, are ripe for the brute force... a nice plaintext database with an email address is a goldmine. Especially for someone as large as Tesco.

  11. Derichleau
    Thumb Down

    It's not just bad practice that Tesco are guilty of in my opinion. Tesco's Clubcard is likely to be incompatible with our statutory rights as data subjects because they are unable to separate the marketing from the card; if you want a Clubcard then you must have the associated marketing. But section 11 of the DPA98 entitles data subjects to opt out of ALL direct marketing from an organisation. However, when I asked Tesco to comply with my section 11 request they informed me that they would have to cancel my account. So I can't have an account unless I have the marketing, which means that Tesco must have civil law terms - either actual or implied - that are incompatible with my statutory rights. The ICO are investigating.

    1. Ben Tasker

      "But section 11 of the DPA98 entitles data subjects to opt-out of ALL direct marketing from an organisation."

      I suppose they'd argue that the fact you don't have to have a clubcard and can cancel at any time is probably giving you that option.

      Wouldn't expect the ICO to do anything either, to be honest, not necessarily because Tesco are right, but because the ICO are, well, useless when it comes to big business.

      1. Vic

        > the ICO are, well useless when it comes to big business

        That sentence is six words too long...

        Vic.

  12. DrXym

    Just this morning

    I registered my kid for an online game on Nickelodeon's website. After filling my email and password in, the first thing it did was email the plaintext straight back to me. Stupid websites are stupid.

  13. lmontrieux

    Tone and severity of criticism

    "The tone and severity of criticism against Tesco would be justified had its systems had actually been hacked and unsalted password hashes or plaintext passwords exposed - as has happened to other and still more prominent organisations in recent times - but this doesn't appear to be the case."

    What? So we're only allowed to complain about poor security once something bad has actually happened? It doesn't matter whether or not Tesco's server have been hacked. What matters is that they're falling short of the most basic security standards, and should do something about it *now*, instead of waiting until something blows up.

  14. Anonymous Coward

    PCI-DSS anyone?

    Rather astonishingly Tesco are represented on PCI Security Standards Council Board of Advisors https://www.pcisecuritystandards.org/organization_info/board-of-advisors.php but seem unable to adhere to the development standards set out for PCI-DSS.

    1. Kubla Cant

      Re: PCI-DSS anyone?

      Peripheral Component Interconnect? What have Tesco got to do with that?

      1. Anonymous Coward

        Re: PCI-DSS anyone?

        "The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS."

        (https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf)

        Pretty sure the card payment and storage of your payment card is very secure on the Tesco website and meets those requirements.

        The hashing of user accounts is a separate issue IMO, but needs resolving as it allows access to that individual's card payment details, so potentially they could be seen as not doing everything to protect the card from misuse.

        1. Anonymous Coward

          Customary expansion of initialism

          as Peter didn't know, or maybe feel it was relevant:

          Payment Card Industry Data Security Standard

  15. apricot13
    Meh

    Ocado do it too. Although they claim to have encrypted it after they emailed it to me when I contacted them.

    But when I forgot my password, the forgotten password reminder that was emailed to me was my unencrypted password and not the sentence I had set when I registered. I'm not so stupid as to have set my password reminder to my password!!

  16. Anonymous Coward

    You have to remember that IT is not Tesco's core business, and therefore they employ the cheapest staff possible, and have done for some time, and they don't invest in leading edge technology or in unnecessary training. Many of their IT staff aren't "up to date" with IT good practice as all they do is "keep what's there running". A lack of new blood leads to stagnation and a failure to innovate, especially if the middle management don't change.

    This is NOT just a dig at Tesco. This is a dig at OUR INDUSTRY, and the lack of support it receives. It's easy for us to sit here and snipe about "how bad is that", but in reality IT is expensive and mostly a cost - for most businesses it is at best an enabler, and it isn't generating revenue.

    We ALL need to work together to bring more focus on the minimum expected standards. And we need to listen to the rest of the IT world and be open to changing how we operate to keep ahead of the game.

    It sounds like Tesco is close to a security breach.

    They aren't the only one.

    It is just a matter of time.

    Unless they learn some new sports

    1. James Chaldecott

      "You have to remember that IT is not Tesco's core business, and therefore they employ the cheapest staff possible, and have done for some time, and they don't invest in leading edge technology or in unnecessary training."

      True to some extent, I'm sure, but getting people to use their online shopping (as opposed to Ocado, Asda, etc) IS their core business.

      Note that they sometimes do invest in "leading edge" technology (or at least half-decent R&D). See the archives of http://techfortesco.blogspot.co.uk It's been a bit quiet, recently, but they've done a few interesting things along the way.

    2. Anonymous Coward

      "isn't generating revenue"

      No, I'm pretty sure Tesco have significant revenues made from on-line shopping that they would be reluctant to give up.

  17. Rob Moir
    WTF?

    "The tone and severity of criticism against Tesco would be justified had its systems had actually been hacked and the passwords exposed - as has happened to other and still more prominent organisations in recent times - but this doesn't appear to be the case"

    -- so what's wrong with people trying to persuade Tesco that prevention is better than cure?

    If you're doing something stupid and dangerous, the fact that you've not hurt someone else *yet* doesn't make what you're doing any less stupid or dangerous. It just means that at least you're lucky as well. And any sensible organisation would realise how lucky they'd been and fix things up instead of defending the indefensible.

  18. Paul Anderson
    Megaphone

    "it's hardly the most wretched of security sins."

    Yes it is. I seriously believe this is a sacking offense. Any DB Administrator, developer or SysAdmin who creates a password store (database or otherwise) and doesn't employ proper encryption or hashing techniques needs to be shown the door without question. Hashing passwords before storing them and not e-mailing them but employing the password reset method is a fundamental necessity and common knowledge in IT. I've been e-mailed a few of my passwords myself and it does my head in.

  19. Anonymous Coward

    I don't have this problem

    Down ASsociated DAiries !

  20. Anonymous Coward

    Dear Tesco,

    Why is it that I, a UK citizen, can buy goods online from every fucking retailer on the planet, including Amazon US, using my Visa Electron card, except from Tesco.

    Luv,

    Mr. W. T. Fork.

    1. Ben Tasker

      Re: Dear Tesco,

      A guess, based on experience is as follows.

      With Cardholder Not Present (CNP) transactions, different providers have different requirements when it comes to who's liable when things go wrong (i.e. some git uses your card!). It may be that the Electron side of Visa mandates that the retailer accepts liability for any chargebacks, and Tesco's have decided it isn't worth the risk. I don't know for sure, but similar things happen elsewhere.

      For example, any business can still swipe your Chip and PIN card and check the signature. The key difference is, if they do then they are liable for any chargebacks, which is why most places will refuse to do it even if the chip is fried; again, it varies between providers though.

      The thing about banks, is they are always trying to shift potential liability onto someone else, and have two soft targets: us poor sods who have to use them, and retailers who have to use them. So perhaps that's why Tesco won't accept them online, though I'm sure Electron used Verified by Visa last time I had one (pushing liability back onto you). Of course, perhaps Tesco haven't/won't implement VbV which would push the liability square onto them AFAIK

  21. Jess--

    Passwords on sites that I run are salted and then hashed as soon as they are entered.

    Password reset is done via email containing a link along the lines of resetpassword.php?email=fred@email.address&id=3b76a20ec4c96105f8fc48c5d9dadab0

    The id section of the link is created by salting and hashing the current hash of their password. This way anything related to their password that leaves the server is salted, hashed, salted again and then hashed a second time (and no, the two salts are not the same).

    Another advantage is that if the password has been changed it is not possible to re-use an old password reset link.

    1. Anonymous Coward

      zOMG that's cool I will copy that for my website MUHAHAAHAAAA
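The design the thread keeps asking Tesco for (store only a salted one-way hash so the site can check a password but never send it back, and handle "forgotten password" with an emailed reset link rather than a reminder) as an added example. This is not code from the original page, from Tesco, or from any commenter, and it is not Jess--'s token scheme: here the reset token is random rather than derived from the stored hash, only its hash is kept server-side, it expires, it is single use, and it is invalidated if the password changes after it was issued. The per-user salt also answers the rainbow-table point raised earlier: two users with the same password get unrelated hashes. The PBKDF2 iteration count, the token lifetime and the example addresses are assumptions chosen for illustration.

```python
import hmac
import os
import secrets
import time
from hashlib import pbkdf2_hmac, sha256

# Assumed parameters, chosen for illustration: tune the iteration count to
# your hardware and keep reset links short-lived.
DEFAULT_ITERATIONS = 600_000
TOKEN_TTL_SECONDS = 15 * 60


class PasswordStore:
    """Keeps only a per-user salted PBKDF2 hash: the server can verify a
    password but can never hand it back, so a reminder e-mail is impossible."""

    def __init__(self, iterations=DEFAULT_ITERATIONS):
        self.iterations = iterations
        self._users = {}    # email -> (salt, hash)
        self._tokens = {}   # sha256(token) -> (email, expiry, hash at issue time)

    def _derive(self, password, salt):
        return pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def set_password(self, email, password):
        # A fresh 16-byte salt per user means two users with the same password
        # get unrelated hashes, so a precomputed (rainbow) table is useless.
        salt = os.urandom(16)
        self._users[email] = (salt, self._derive(password, salt))

    def stored_hash(self, email):
        return self._users[email][1]

    def verify(self, email, password):
        record = self._users.get(email)
        if record is None:
            # Do the same amount of work for an unknown address so response
            # time does not reveal which e-mails have accounts.
            self._derive(password, b"\x00" * 16)
            return False
        salt, digest = record
        return hmac.compare_digest(self._derive(password, salt), digest)

    def issue_reset_token(self, email, now=None):
        """Return the secret to embed in the e-mailed reset link, or None if
        the address is unknown (the caller still sends the same generic reply)."""
        if email not in self._users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)               # 256 bits of randomness
        key = sha256(token.encode("utf-8")).digest()    # only the hash is stored
        self._tokens[key] = (email, now + TOKEN_TTL_SECONDS, self.stored_hash(email))
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        """Set a new password if the token is known, unexpired, unused and the
        password has not changed since the token was issued."""
        key = sha256(token.encode("utf-8")).digest()
        record = self._tokens.pop(key, None)            # pop: single use
        if record is None:
            return False
        email, expiry, hash_at_issue = record
        now = time.time() if now is None else now
        if now > expiry:
            return False
        if not hmac.compare_digest(hash_at_issue, self.stored_hash(email)):
            return False                                # stale: password changed
        self.set_password(email, new_password)
        return True


if __name__ == "__main__":
    # Constructed walk-through: same password, two users, two different hashes,
    # then a reset that works once and never again.
    store = PasswordStore()
    store.set_password("alice@example.com", "correct horse")
    store.set_password("bob@example.com", "correct horse")
    print("hashes differ:", store.stored_hash("alice@example.com") != store.stored_hash("bob@example.com"))
    token = store.issue_reset_token("alice@example.com")
    print("first redeem:", store.redeem_reset_token(token, "new password"))
    print("second redeem:", store.redeem_reset_token(token, "another one"))
    print("login with new password:", store.verify("alice@example.com", "new password"))
```

The link the site sends would carry only the token (not the e-mail address), and the reset page should also rate-limit redemption attempts and send the same "if an account exists, we've e-mailed it" reply whether or not the address is known.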

  22. theGaryHawkins
    FAIL

    What bothers me most...

    is their ignorant response when told they have a problem. For days they have been posting two canned responses to any challenge or question on Twitter:

    "We are never complacent and work continuously to give customers the confidence that they can shop securely"

    "We know how important internet security is to customers and the measures we have are robust"

    Despite plenty of evidence to the contrary they have stood by this head-in-the-sand attitude and bluntly refused to acknowledge the presence of a problem. I think the way a company handles an issue is of equal significance to the severity of the problem itself.

  23. Peter X

    MORE TH>N password policy

    The "More Than" insurance people have a kind of silly password policy also:

    "

    Please bear the following guidelines in mind:

    * Be between 8 and 14 characters

    * Not include more than 2 repeated characters in a row

    * Not include the word 'guest'

    * Not contain swear words

    "

    The first point isn't sooo terrible except for the top-end limit of 14 chars. The second point really doesn't help much with entropy. The third is kind of weird... firstly I wonder why? How can that upset the system, and secondly, what if my surname was "guest".. that'd be annoying. And the fourth point seems to indicate that they store things in clear text. That or their OS is easily offended.

    1. Ben Tasker

      Re: MORE TH>N password policy

      Try setting one to FuckFuckFuck and see if they contact you. Reminds me of the guy who had issues when he set his Barclaycard password to something like BarclayCardSucks a while back. No member of staff should ever be able to see his full pass and yet he was told he had to change it as it was inappropriate

      1. gaz 7

        Re: MORE TH>N password policy

        OT here, but I am sorely tempted to get one of those new Barclays personalised debit cards just to see how inappropriate an image I can get on it.

        A big cock and a hand, or just the words "Barclays are thieving cheating bastards" would do

  24. RainForestGuppy

    I wonder how many people have considered if this was a business decision.

    I've had this very same argument regarding password resets. I would always recommend that it should be impossible to recover a customer's password; however, from the business perspective, emailing the password back to the user might be more attractive than using a password reset link, even if it is far less secure.

    Our role is to advise and protect the business in security matters, but if senior management decides that improving completion rates outweighs the security concerns then we have to go with their decision.

    Obviously Tesco management are not going to accept liability when it all goes wrong; it's far easier to blame somebody else.

    1. Ben Tasker

      I wonder how many people have considered if this was a business decision.

      What's sad is the people that make these decisions don't seem to realise they are potentially causing grave harm to the business!

    2. LinkOfHyrule

      It's totally a business decision. They must get in the order of a hundred or more fewer customer service phone calls per day from non tech-savvy customers by sending out plaintext instead of resets, I would say.

      Fucking idiots / clever bastards depending how you look at it - until they get hacked, in which case only the first one applies.

  25. Andrew Jones 2
    FAIL

    I can't believe a site that mostly specialises in the IT industry has actually written something like this in an article:

    "The tone and severity of criticism against Tesco would be justified had its systems had actually been hacked and unsalted password hashes or plaintext passwords exposed - as has happened to other and still more prominent organisations in recent times - but this doesn't appear to be the case."

    This is like saying - it is OK for me to run around in a crowded shopping mall holding out a knife at arms length because I haven't accidentally stabbed anyone yet - sure the potential is there for people to be stabbed - but until I actually stab someone - then everything is OK?

    You could even go one step further and suggest that it is perfectly acceptable for me to attempt to hack into an online account - because until I guess the correct password - no harm has been done.....

    1. Chris 3

      Indeed - it's actually like saying "LinkedIn deserves no criticism for its lax password security because no passwords have escaped" the day before the passwords escaped.

      Horrible.

  26. despairing citizen
    FAIL

    Iceberg - and not a Lettuce

    Wish I could say I was (a) surprised or (b) it's rare....but I can't

    Other examples include several Licence consultation systems used by the police, local authorities, et al to vet and exchange information on whether a person or site/shop/pub (e.g. Tesco) is suitable to be licensed (e.g. sell alcohol, etc.), and the web sites run the login on HTTP in the clear across the internet.

    Think you can have fun ordering 120 icebergs for someone? Just imagine the fun you can have accessing a regulatory system pretending you're a police inspector!

    1. Vic

      Re: Iceberg - and not a Lettuce

      > the web sites run the login on HTTP in the clear across the internet.

      That's fucking disgusting, in this age. There is no excuse for HTTP logins.

      I mean, imagine logging into a site over HTTP, sharing your credentials with any random network sniffer. You wouldn't catch me doing that. In fact, no-one who comments here would even consider it.

      And now I've got to use pliers to get this tongue out of my cheek...

      Vic.

  27. Anonymous Coward

    If this article is correct and Tesco have such a poor level of security engineering in their web site and a low level of investment in their IT department, then the question which should be asked is: do they have the protective monitoring in place that would allow them to know if they've actually been hacked anyway? As we know from history, those who don't have a good approach to security engineering/design within their web sites sometimes don't have the capability to know when they've been hacked. There have been plenty of companies who have found out years after the event that they've been owned for a long time.

  28. Anonymous Coward

    Hmm

    One online place sent me a reminder about their service that I hadn't been using, sending me my password in cleartext just in case I'd forgotten it. I didn't think it was Tesco but maybe it was.

  29. fangster
    FAIL

    BT are the same

    Every time I change something to do with my BT business broadband they email me (and anyone else connected to the account) my password in cleartext! They are still doing it. I've given up expecting anything more from BT...

  30. Rushyo
    WTF?

    "The tone and severity of criticism against Tesco would be justified had its systems had actually been hacked and the passwords exposed"

    So it's fine to completely screw up so long as you're lucky? Being irrational is fine so long as nothing happens this time? By the same logic it must be fine that the industry's standards are abysmal so long as your company doesn't get hacked. You know - because that's how security works x.x
