This morning, I came across a very interesting post by Troy Hunt on Tesco’s security measures (or lack thereof) when it comes to storing passwords securely. His blog post gives a very detailed account of the problem as well as the outcome of his discussion with Tesco’s customer support. In short, Tesco stores its users’ passwords in plain text. Yes, plain text. You can check for yourself, if you have a Tesco account: just use the password recovery option on their website, and they will email it to you.
If only it were “just” that. But no. Troy details a series of other amazingly insecure practices, such as ridiculous password requirements (6 to 10 characters, letters or digits, case insensitive), an old (and misconfigured) version of IIS, an old version of .NET, mixed secure and insecure content delivery, etc. What he describes is pretty much a textbook example of what NOT to do when developing a web application – especially when you’re dealing with customers’ debit/credit card information.
The last nail in the coffin of Tesco’s credibility when it comes to their website’s security is the answers provided by their customer service, both on Twitter and by email. These show that they have no idea what the problem is (or rather, what the problems are), and shed a bright light on the extent of their incompetence.
Thinking of deleting your account? You can’t do it automatically. Instead, you need to contact the support team. Which I will do right now. Next time I want to order groceries online, I’ll go to Sainsbury’s instead. At least they don’t send you your password in plain text, in an email.
If you don’t want to delete your account, you should at the very least make very sure that the password you’re using on Tesco’s website is not used anywhere else. And don’t save your debit/credit card information on their website. Really. Don’t.
Unfortunately, and even though it is a well-known, widely accepted best practice to store passwords hashed and salted, Tesco isn’t the only company failing at that sort of elementary security measure. There is even a website, plaintextoffenders.com, that lists websites that obviously fail to meet the minimal level of security for their users’ passwords. If you come across an offending website, please submit it!
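To make the “hashed and salted” point concrete, here is an added example (my own illustration, not code from Troy’s post or from Tesco) of how a site stores and checks passwords so that it never holds the plain text, using PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the record format and the reset-token helper are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed parameters for this example: a per-user random salt and a work
# factor high enough to slow down offline guessing if the table ever leaks.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$iterations$salt$digest' (hex).

    The plain-text password is not stored anywhere; only the salted digest
    is kept, so a 'forgot password' flow cannot email the password back.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token() -> str:
    """What a recovery email should carry instead of the password:
    a short-lived, single-use random token (storage/expiry omitted here)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
    print(issue_reset_token())
```

Two users with the same password get different records because each has its own salt, which is what keeps a leaked table from being cracked in bulk with one precomputed list.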