"Just a word of warning about Tesco’s online shopping.
I’d forgotten my password, so I clicked the ‘Reset my password’ link.
Tesco sent me an email; this email did not contain a link to reset my password.
It contained my password in CLEAR TEXT!
This would suggest to me that Tesco probably aren’t encrypting passwords at all.
If they ARE encrypting passwords, the passwords definitely aren’t hashed and salted...
After a quick delve around the site, I found their password policy:
The new password needs to be between 6 and 10 characters long
Oh good..... they don’t accept special characters in the password.
I’ve also noticed that I can log in successfully with caps lock on!
This is a bit worrying too. When you click on the ‘Why it’s safe to shop at Tesco.com’ link the following occurs:
http://imageshack.us/photo/my-images/856/tescoa.jpg/
Right Tesco, so you’re linking to unsecured page content. This is scary, because the cookie that validates your identity and session (that Tesco insist you must have to use the site) will then be passed in clear-text. This will allow anyone to observe the cookie as it passes across the internet, capture it and re-use it to impersonate you.
....
I’d suggest you change your password frequently, and don’t allow Tesco to store your credit card details."
Some parts I have omitted here, but he has mentioned that he attempted 20 fake passwords and it did not lock his account out, which prompted him to remove his account. He said he would not be using Tesco.com until this is sorted. On my part, I am no security expert, but this sounds SCARY!
I have emailed the above to customer service. No reply! I am not a Tesco.com user!
TapaJob.com - moishtech.blogspot.com
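As an added illustration of what the quoted post is complaining about (this is example code, not code from the post or from Tesco), here is the defensive shape of an account system in Python: salted, iterated password hashing so a reset mail can never contain the password, case-sensitive constant-time verification so caps lock does not log you in, a lockout counter for repeated bad guesses, and a reset flow that mails a single-use expiring token instead of the password. The iteration count, lockout threshold and token lifetime are assumed values, and the in-memory user store is constructed for the example.

```python
import hashlib, hmac, os, secrets, time

USERS = {}                  # constructed in-memory user store; a real site uses a database
ITERATIONS = 200_000        # PBKDF2 work factor (assumed value; tune to your hardware)
MAX_FAILURES = 5            # assumed lockout threshold for consecutive bad guesses
RESET_TOKEN_TTL = 15 * 60   # assumed lifetime of a reset token, in seconds

def _hash(password, salt):
    # Salted, iterated one-way hash: the stored value cannot be turned back into
    # the password, so a "forgot password" e-mail can never contain it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(email, password):
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash(password, salt), "failures": 0, "reset": None}

def login(email, password):
    user = USERS.get(email)
    if user is None or user["failures"] >= MAX_FAILURES:
        return False        # unknown account, or locked after repeated failures
    # Exact, case-sensitive, constant-time comparison: caps lock must not log you in.
    ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    user["failures"] = 0 if ok else user["failures"] + 1
    return ok

def request_reset(email, now=None):
    # The reset e-mail carries a random, single-use, expiring token; only its hash is stored.
    user = USERS.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    expires = (time.time() if now is None else now) + RESET_TOKEN_TTL
    user["reset"] = (hashlib.sha256(token.encode()).digest(), expires)
    return token

def complete_reset(email, token, new_password, now=None):
    user = USERS.get(email)
    if user is None or user["reset"] is None:
        return False
    digest, expires = user["reset"]
    presented = hashlib.sha256(token.encode()).digest()
    if (time.time() if now is None else now) > expires or not hmac.compare_digest(presented, digest):
        return False
    user["reset"] = None                    # single use
    user["salt"] = os.urandom(16)           # fresh salt alongside the new password
    user["hash"] = _hash(new_password, user["salt"])
    user["failures"] = 0                    # a verified reset clears the lock
    return True
```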