Tesco has come under fire for emailing users passwords in plain text.
According to research by Troy Hunt, Tesco does not salt or hash its passwords; at best they are reversibly encrypted, and the chances are that they are stored in plain text.
He also claimed that passwords are not protected in email, that pages on the website are served over HTTPS but embed resources loaded over HTTP (mixed content), and that the HTTPS session was disrupted on the 'Safe Shopping Guarantee' page. The online shopping session itself is also not in HTTPS, meaning that cookies are being sent over HTTP.
He began by tweeting at Tesco Customer Care, telling them that if they are emailing passwords to customers, "they are well short of industry standards on a number of fronts". Tesco responded by saying that "Passwords are stored in a secure way. They're only copied into plain text when pasted automatically into a password reminder mail" and that "all customer passwords are stored securely and in line with industry standards across online retailers".
A letter from Ben Clark in 2010 gained a response from Tesco, which was posted on Pastebin. He pointed out that his original password was sent to him in plain text and suggested that Tesco was not storing the password in a hashed format.
He said: “This is a very basic level of security that would protect your customers should your database get compromised by preventing anyone from seeing your customers' passwords. It also prevents potentially malicious people within the organisation from being able to see the password.”
Tesco responded to Clark by saying that its IT support team had said that although the information is not encrypted, the level of security surrounding the password means that only staff in senior technical positions could access it.
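The point Hunt and Clark both make is that a "password reminder" email is only possible when the stored value is recoverable; with a salted hash there is nothing to send back, and the only workable flow is a reset link. The following is an added example (not Tesco's code, and not from Hunt's or Clark's write-ups) of the storage and reset design they describe: PBKDF2-HMAC-SHA256 with a per-user random salt, constant-time verification, and a single-use, expiring reset token of which only a hash is stored. The `AccountStore` class, the sample email addresses and the iteration count are constructed for illustration.

```python
"""Salted, hashed password storage with a reset flow instead of a reminder.

Added example, not Tesco's code: a minimal in-memory account store that never
keeps a password in recoverable form, so a "password reminder" mail is
impossible by construction and the only option is a reset link.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# PBKDF2 work factor (constructed value for this example): raise it as far as
# your login latency budget allows; current public guidance is well above this.
ITERATIONS = 300_000


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hashed once at import; used so a login attempt for an unknown email costs the
# same time as one for a real account (no user enumeration via timing).
_DUMMY_RECORD = hash_password("not-a-real-password")


class AccountStore:
    """Stand-in for a user database (constructed for this example)."""

    def __init__(self) -> None:
        self.users: dict = {}         # email -> password record (never the password)
        self.reset_tokens: dict = {}  # sha256(token) -> (email, expiry timestamp)

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        record = self.users.get(email)
        if record is None:
            verify_password(password, _DUMMY_RECORD)  # equalise timing, then refuse
            return False
        return verify_password(password, record)

    def request_reset(self, email: str, ttl_seconds: int = 900) -> Optional[str]:
        """The value the mail should carry: a one-time token, never the password."""
        if email not in self.users:
            return None  # the HTTP response shown to the user should not differ
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a database leak must not leak live reset links.
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[key] = (email, time.time() + ttl_seconds)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self.reset_tokens.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expiry = entry
        if time.time() > expiry:
            return False
        self.users[email] = hash_password(new_password)  # new salt, new digest
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.test", "correct horse battery staple")
    print("stored record:", store.users["alice@example.test"])
    token = store.request_reset("alice@example.test")
    print("reset link would carry:", token)
    print("reset applied:", store.complete_reset(token, "new passphrase"))
    print("login with new passphrase:", store.login("alice@example.test", "new passphrase"))
```

Two things in the stored record are worth noting against the article: because the salt is random per user, two customers with the same password get different records, so a leaked table cannot be cracked for all of them at once; and because the record is a one-way digest, no support mail, and no member of staff in a "senior technical position", can read the password back out of it.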