Tesco have known about their password security issue for TWO years!
It's been revealed that Tesco were informed of their password security issue TWO years ago but have yet to make any inroads in to dealing with the problem. A post on Pastebin includes an email response from 'Customer Service Manager', Stephen Wood, who claimed: "I've had a word with my support team and asked them if they're stored with ‘one way encryption’ or any encryption and they say that although the information is not encrypted the level of security surrounding the password means that only the senior technical positions could access the information."
So, there we have it - it's OK to store passwords in clear text if the surrounding security is strong... Only, the problem is we KNOW it isn't in the case of Tesco's website. Outdated web server and code, insecure elements on secure pages and ORIGINAL PASSWORDS being send in CLEAR TEXT which can be intercepted by any script kiddy with a packet sniffer.
So NOT encrypted at all and sent via unsecure emails - but don't worry, only 'senior techinical positions' can see your password! Sorry Tesco - not good enough - NO ONE should be able to see our passwords full stop. Passwords should be salted and hashed as a bare minimum; anything that can be reversed is not acceptable for password storage and for that reason we'll reiterate our earlier advice - change your Tesco password now if it matches any you use elsewhere. Either that, or contact Tesco and ask for your account to be permanently deleted from their system.
Last updated: 18/04/2018 08:04:48