Plain Text Password Storage Is But One of Tesco Online's Possible Security Holes

By Gary Cutlack

An online security expert has been coughing up his Tesco Value Bran Flakes in horror at the security systems used by the shopping giant, with all signs pointing to its passwords being stored in plain text.

The discovery comes via Troy Hunt, who dusted off a decade-old Tesco shopping account to poke around its systems. Two things gave the game away: passwords are capped at a 10 character maximum, and the login doesn't differentiate between upper and lower case. A site that properly hashed its passwords would need neither, since a hash takes input of any length and treats "Password" and "password" as entirely different things. The clincher is that Tesco simply emails your existing password back to you if you say you've forgotten it, which is only possible if the password is sitting in its database in plain text (or, at best, in a reversibly encrypted form that is barely better).

Troy also discovered that Tesco is running its site on nine-year-old ASP.NET 1.1, with plenty of other outdated components, basic security errors and misconfiguration warnings popping up when he probed the site.

If you don't want someone else ordering themselves all the necessary ingredients to assemble a slap-up meal using your Tesco Online account, it might be a good idea to change your Tesco password, and to make sure it isn't one you also use anywhere else, given that Tesco is apparently holding it in plain text and happy to send it over email. [Troy Hunt via TDF]