UK retail giant Tesco is under fire for its long-standing practice of emailing customers’ passwords via email in plain text form.
The fact that Tesco is able to send plain text passwords suggests that the company itself can access the passwords in unencrypted form. This means that if a hacker gained access to Tesco’s systems, they could access customer passwords relatively easily.
When confronted about the matter by security blogger and author Troy Hunt, an official Tesco Twitter account responded that "passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder email."
As many Twitter users pointed out, this still falls short of security best practice, because if Tesco can access the unencrypted passwords, so too could a hacker.
"It does look as though Tesco is not following industry best practice," said Graham Cluley, senior security consultant at Sophos, this morning. "Any company that can email you your password is doing something wrong."
"It would be much better if they sent you a link where you could reset your password if you forget it," he added.
This security flaw alone does not make it any more likely that Tesco’s systems could be compromised (although Troy Hunt has published a blog post criticising many of Tesco’s online security practices). However, it does mean that the risk to customers would be greater if one occurred.
"Bearing in mind the recent incidents at LinkedIn and Yahoo!, every company should be taking a good long hard at password security," said Cluley. He added that customers should use different passwords for every site they use.
It seems that Tesco has been emailing customer passwords in plain text since at least 2007, when web developer and blogger ‘Jemjabella’ highlighted the issue.
Tesco has yet to respond to an invitation to comment.
See also: Ubisoft’s password security questioned following data breach