Plain Text Passwords at Tesco

Update 31st July 2012: Welcome, new visitors from The Register, Information Age, etc. If you like this post, you may also like my related posts on security.

I am a PHP web dev with an interest in scripting, security (XSS, SQL injection etc) and WordPress. If you’d like to work with me, get in touch. In the mean time, don’t forget to follow me on twitter and like my blog on facebook.

– – –

I’ve become increasingly aware of passwords recently. Actually, that probably sounds like a stupid statement because everyone is aware of passwords. What I mean is, I’m becoming aware on just how useless they can be in the wrong hands.

A couple of weeks ago I wanted to order some new bedding, a fairly harmless task in itself. The cheapest route seemed to be ordering through Tesco. For those who don’t know, Tesco is a massive supermarket chain selling everything from frozen peas to the “deluxe brown leather padded bridle”. They also do various types of insurance, they’re a mobile phone provider, they’ve branched out into providing savings accounts.. basically they are trying to run the world little by little. They also sell cheap bedding, and so I hooked myself up online in their House & Home section.

After finding what I wanted, I tried to checkout but discovered I couldn’t for the life of me remember my password. I proceeded to the ‘Forgotten your password?’ page expecting to have to touch my nose with my left toe, scratch my eye with my elbow and remember 12 different facts about my life that I may or may not have made up when I originally created the account: because this is what any decent provider does as basic security measures. Usually this ends with me having to come up with a new password which I’ll no doubt forget again in a fortnight, but nonetheless is reassuring and theoretically secure.

Turns out, don’t do any of that. don’t even enforce a “please click this link to verify you want your password” policy which, while ultimately pointless if someone is in your e-mail account, shows some effort in terms of security. sent me my password in a plain text e-mail. My unprotected, visible password. This pisses me off because I know that the chances of Tesco having their own rainbow table hooked up to their user database is slim, and therefore they’re storing my password as plain text. That’s, a multi-billion pound company, storing passwords in a format visible to anyone who wants to break into their database. Might sound infeasible to you but shit happens all the time; oh look, didn’t the British government just accidentally lose the data of 25 million people?

For those not aware, most web-based services hash user passwords in their databases. This can be anything from the common MD5 hash (if you use WordPress, your admin password is md5-hashed in the database) to a salted hash (which, in its simplest use, is a random combination of characters applied to the password before it is hashed). Some use more complex hashing algorithms such as SHA-1. Either way, there is an extra level of protection to your password so if the worst happens and a hacker gets into a database, the passwords aren’t on plain view (except in’s case, they are).

Hashing is unfortunately not absolute. Dictionary words, for example, are extremely easy to “de-hash” and there are hundreds of pages out there dedicated to providing these services. They use what are known as rainbow tables (as briefly mentioned above). Even Google can accidentally facilitate the “de-hashing” of passwords, as in the case of Steven J. Murdoch and his hacker.

If you follow common sense and use numbers and special characters in your passwords, the chance of them being “de-hashed” is much lower. Still, I don’t hold out much hope for sites like keeping my plain text password safe and so in the mean time, I’ll be hashing my passwords myself. Of course, this only serves as a bloody big reminder to use a different password for every site you sign up to, however much of a pain in the ass it is.

Jem Turner +44(0)7521056376

17 comments so far

  1. Kim said:

    You would of thought that considering Tesco’s are such a huge company they’d take precautions to ensure the security of there consumers information… Evidently not. I always make sure my passwords have numbers and/or special characters in them anyway, so I *hope* I’m safe(r).

  2. Amber said:

    For a huge company Tesco are amazingly inefficient. I can honestly say that since my mother began working for them my respect has slowly declined. (Which is why I’m also applying for a job there…) I was reading an interesting article in The Independent today that referred to passwords and how, eventually, we could just need our thumb print.

  3. Katy said:

    most web-based services hash user passwords in their databases unfortunately I still think ‘most’ is wishful thinking…

  4. Grant said:

    Lol, Tesco! they had to skimp a bit on money for web designer, the are about receiving not giving! Every little help….them.

  5. Vasili said:

    I hash my passwords when I use cookies for logins. I would hash my passwords for files, but I don’t know how to unhash them xD Because I’m still bad at PHP X_x. And if someone would help me with the !important CSS thing. I used it, but it doesn’t work. My site works fine in Firefox, but in IE it’s 1px to the left. And not to be a pest Jem, but do you know when you can look at my code? The text to graphic one. So I can put it up on my site :]

  6. Dave said:

    Well they had to make a choice didn’t they? Risk losing a lot of business (coz if I forget my password and they don’t send me it I never go back to the site) or risk somebody getting into their (ultra secure?) database. They probably lose more money from the loss of business. Tens of millions of people shop from Tesco, if only a couple million of them shop online and a small percentage forget their passwords and security question answers they lose a lot of money. Gotta love corporations. Anyway, they may still encrypt the passwords and store the keys elsewhere.

  7. Jem said:

    @Dave: I don’t see why the options are *only* having plain text passwords OR losing lots of money. Even having hashed passwords that are then regenerated when you click ‘Forgot my password’ would be better than nothing at all. They could then send the new password before it’s hashed, and give a reminder for the person to change it on login. It wouldn’t stop the password being plain text in the email, but would decrease the risk for all those people who use the same password for multiple online accounts.

  8. Dee said:

    Might sound infeasible to you but shit happens all the time; oh look, didn’t the British government just accidentally lose the data of 25 million people? Actually, to be perfectly honest with you… it doesn’t. People -losing- physical data does (and this is more common in government than in the private sector, because bureaucrats usually have to physically tote data around more), but that’s a different kettle of fish to someone hacking passwords in a database, which in the wild is actually exceedingly rare. Storing passwords as hashes is really only a screen to protect your password against accidental looking by -administrators- of the system; and in an enterprise environment there theoretically should be other safeguards in place to prevent this. If someone wants to brute-force entry into a system the computational difference between cracking hashed and unhashed passwords in negligible. Someone can guess ‘5f4dcc3b5aa765d61d8327deb882cf99’ as easily as they can guess ‘password’. Salted hashes are harder (assuming people don’t know the salt), but again, they’re susceptible to brute-force. They -do- become more useful if someone manages to extract the raw data but — like I said — on an enterprise-level this isn’t as common as most people think it is. So Tesco is mitigating the risk of someone getting -inside- their system versus the inconvenience of users losing their passwords. The actual danger to the end user is probably negligible, IMO. I know this kinda flies in the face of conventional wisdom but, eh, I’ve been to conferences on this stuff, man! CONFERENCES! :P

  9. Jem said:

    someone hacking passwords in a database, which in the wild is actually exceedingly rare. Tell that to e-bay who’ve had their database compromised a gazillion times this year already. (That *might* be an exaggeration on my part..) I just don’t agree with this “it might not happen so lets not bother to protect against it crap”. It’s like having sex without a condom because hey, there’s a change you might not get pregnant. Except the consequences of unprotected sex? Waaaay worse. ;)

  10. Rachel said:

    Wow, I’m glad I’m not the only one who was a little upset by getting an email after I’d forgotten my password saying: “Your password is ######” Nothing as to a security question, click this link to go get your password or anything of that nature…And now I’m rather worried because the aforementioned site has bank info. :\

  11. Rilla said:

    My two main passwords are almost exactly the same as each other. I haven’t been hacked yet though. But for “important” sites like PayPal I do make slight variations. :P But I’ve also seen this online MD5/SHA1 decoder which works… Doesn’t that mean that encoding passwords is pretty much useless if someone has access to the password data anyway?

  12. Paddy said:

    You know, I think I’ve learnt more reading this than my whole 13 years of schooling? but: Oh, and it has other uses too. :D you gotta tell me because I’m not gonna figure it out by myself!

  13. SarahG said:

    To be fair they may have the stored password encrypted using their own formula or something like mcrypt. I think out of those I’ve ever requested my lost password from, about 50% have sent me the same password.

  14. Jem said:

    But I’ve also seen this online MD5/SHA1 decoder which works… That would likely be using a rainbow table as briefly covered in my entry. The longer (and more ‘random’) a password is, the less chance it has of being “de-hashed”. I’d recommend passwords of at least 8 characters, mixed numbers/letters and if allowed on the site special characters too. Of course, you could just take your favourite password and hash it, and then use the hash value as a password. You don’t need to remember anything but your original password and you end up with a 32 character string. If a site does use hashing it’ll end up double-hashed which reduces the chances of the original being found even more. @SarahG: Correct me if I’m wrong, but.. the problem with encryption is that you’ve got to store the key somewhere. If someone has broken into their server I’m sure they’re not going to have a problem finding the key, rendering the encryption useless.

  15. Dave said:

    @Jem: You’re right, they aren’t the only options. I’m just trying to look for some reasoning in what they have done. There has to be *some* kind of logic *somewhere*. Corporation logic is usually always money so that’s where I went. “I just don’t agree with this “it might not happen so lets not bother to protect against it crap”” – you’d me amazed at what the bigger companies do. That’s the EXACT thinking they have. They wont do it unless the law says they have to and unfortunately companies like Tesco have no governing body (not one that tells them they have to be secure anyway!). Dee actually made the point I was trying to make, only mine sounded nowhere near as intelligent. I may not comment here again, as I almost always make myself look stupid.

  16. Jem said:

    Aww Dave, you didn’t make yourself look stupid! You did bring about a point I hadn’t considered (the convenience of not having to fiddle with verification/etc). I disagree with Tesco’s methods, not the things you raised :)