An online security expert has been coughing up his Tesco Value Bran Flakes in horror at the security systems used by the shopping giant, with all signs pointing to its passwords being stored in plain text.
The discovery comes via Troy Hunt, who resurrected a decade-old Tesco shopping account to snoop around its systems. The requirement for a 10-character maximum password that doesn’t differentiate between upper and lower case is the key indicator of plain text password storage, an error multiplied many times by the way Tesco just emails passwords out to subscribers if they say they’ve forgotten them.
Troy also discovered that Tesco is using nine-year-old ASP.NET 1.1 as part of its server framework, with plenty of other outdated, basic security errors and misconfiguration warnings popping up when its code was probed.
If you don’t want someone else ordering themselves all the necessary ingredients to assemble a slap-up meal using your Tesco Online account, it might be a good idea to change your Tesco password. [Troy Hunt via TDF]
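The storage model the article is contrasting Tesco's against, as an added Python example (this is not Tesco's code and not from the article): each password is hashed with a per-user random salt using PBKDF2-HMAC-SHA256, so the stored value cannot be turned back into the password and there is nothing to paste into an email; the "forgot password" path therefore issues a single-use reset token instead. The in-memory dicts, the example addresses and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed example: a minimal user store. A real system would use database
# rows; dicts keep the example self-contained and runnable offline.
_users = {}
_reset_tokens = {}

# Assumed cost parameter; tune to your hardware. Higher is slower for an
# attacker who obtains the database, which is the whole point of hashing.
PBKDF2_ITERATIONS = 600_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # One-way: the digest cannot be reversed to recover the password, which is
    # exactly why a site using this scheme cannot "email you your password".
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(email: str, password: str) -> None:
    # No length cap and no case-folding: the full password, as typed, is hashed.
    salt = os.urandom(16)  # fresh random salt per user
    _users[email] = {"salt": salt, "digest": _hash_password(password, salt)}


def verify(email: str, password: str) -> bool:
    user = _users.get(email)
    if user is None:
        return False
    candidate = _hash_password(password, user["salt"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, user["digest"])


def request_reset(email: str) -> Optional[str]:
    # The "forgot password" path: a hashed store could not email the password
    # even if it wanted to, so it issues a random token for a reset link instead.
    if email not in _users:
        return None
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token, so a leaked table does not yield usable links.
    _reset_tokens[hashlib.sha256(token.encode()).digest()] = email
    return token  # this is what would go in the emailed link


def complete_reset(token: str, new_password: str) -> bool:
    key = hashlib.sha256(token.encode()).digest()
    email = _reset_tokens.pop(key, None)  # single use: the token is consumed here
    if email is None:
        return False
    register(email, new_password)  # new salt, new digest
    return True


def can_retrieve_password(email: str) -> bool:
    # The stored record holds only salt and digest; there is nothing to
    # "unencrypt" and send to the user.
    return "password" in _users.get(email, {})


if __name__ == "__main__":
    register("alice@example.test", "Correct Horse Battery Staple 2013")
    assert verify("alice@example.test", "Correct Horse Battery Staple 2013")
    assert not verify("alice@example.test", "correct horse battery staple 2013")  # case matters
    token = request_reset("alice@example.test")
    assert complete_reset(token, "new-password")
    assert not complete_reset(token, "another")  # token was single use
    assert verify("alice@example.test", "new-password")
    print("ok")
```

Two of the article's indicators show up directly in this code: a password longer than ten characters is accepted in full, and a password differing only in case is rejected, because nothing truncates or lower-cases the input before hashing.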

Pain text passwords? Better stock up on Tesco Value Aspirin!
(And, actually, the fact that they can email you your password at all is the biggest sign that it’s stored plain text – the whole point of storing passwords hashed and salted is that it should be as hard as possible, if not impossible, to take the value in the database and turn it back into the original password.)
They have said on Twitter that it is stored encrypted and only unencrypted when pasting it into the email. Either way it’s pretty poor. Only time I’ve ever seen passwords stored in reversible encryption is when you need to impersonate a user on another system.
Tesco developers should know better really.
Surely there’s some laws/regulations regarding the storage of passwords.
I don’t think any passwords should ever be “retrievable”, you don’t need to see your password after you’ve typed it in. No one does.
If you forget it just reset it. 9/10 times you’ll probably set it to the same thing with a slight variation.
Ever since I built my first site I’ve hashed and salted passwords. I can’t see why huge companies responsible for creating these sites should be so lazy.
It’s not laziness… it’s just bad coding practices. Lots of developers who just picked up a “Learn .Net in 24 Hours” book don’t know any better. One of the pitfalls of .Net is the ease of development has brought about a lot of developers who are not properly educated or trained in good coding practices. Trust me, I’ve worked in companies where developers allowed SQL injection, JavaScript injection, plain text passwords, plain text credit cards, etc… Makes me want to cry whenever I see that at a company.
Well, the whole part about differentiating between upper and lower is not necessarily true. They may have simply converted to uppercase or to lowercase in the code before they either save or read passwords. They may use some sort of encryption, but they definitely don’t hash it with a salt, which would make it impossible to retrieve the password. So it might not be plain text, but it definitely is not the most secure way to store the data.
And yes, as benjymous pointed out, it’s PLAIN text not PAIN text.
Pain Text Password Storage But One of Tesco Online’s Possible Security Holes
The article was not what I was expecting after this title.
Hold on, hold on, the passwords could be encrypted and then decrypted to send them out to users. They have actually said that in one of their tweets.
That is also a terrible thing to do btw and should never be done – but we shouldn’t assume that they are being stored in plain text.
They’re plain text, AND they’ve known about the problem for a couple of years… http://technology.thedigitalfix.com/content/id/94/tesco-have-known-about-their-password-security-issue-for-two-years.html
Amazing. An organisation the size of Tescos, with their resources and they can’t get their password storage right.