On 28 October 2010 12:30, Tesco.com Support <support@tesco.co.uk> wrote:
Dear Mr Clark
Thank you for contacting me and please accept my apologies for the delay in replying to you.
I've had a word with my support team and asked them if they're stored with ‘one way encryption’ or any encryption and they say that although the information is not encrypted the level of security surrounding the password means that only the senior technical positions could access the information.
I'm sorry that you've decided to terminate shopping with us due to this issue as to my knowledge we've never been hacked and they've tried. The main issue with regard to password theft is phishing, and there are a number of those emails going about at the moment.
If you’ve any further queries please don’t hesitate to contact me at support@tesco.co.uk quoting TES8404228X.
Kind Regards
Stephen Wood
Customer Service Manager
Tesco.com Support
----- Original Message -----
From: "Ben Clark" <bencoder@googlemail.com>
Date: 21 October 2010
Subject: Password security - why I'll no longer be using tesco online
Hello there,
This should probably be passed onto your web/IT team.
Today I used the forgot password link on your website and my original
password was sent in plain text via email. I am a professional web
developer who works and has worked on several high profile, security
conscious, e-commerce based websites. The fact that you sent me my
original password in plain text tells me that you are not storing the
password hashed (aka 1-way encrypted). This is a very basic level of
security that would protect your customers should your database get
compromised by preventing anyone from seeing your customers' passwords.
It also prevents potentially malicious people within the organisation
from being able to see the password.
Knowing that you don't use this minimal protection of your customer
details tells me that I cannot trust the tesco.com website any longer
and will therefore cease using it and will shop with a competitor in
future.
I should also mention that I was initially impressed when first
signing up some time ago that my welcome email gave my username and
did not include my password but said: "Your password is known only to
yourself". This gave me confidence that the tesco.com software
engineers understood web security, that my password was probably
stored hashed and that they knew not to send passwords through an
insecure, unencrypted medium such as email. Unfortunately I discovered
the opposite today.
Yours,
Ben Clark
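The distinction the exchange turns on, a site that can email you your original password versus one that has only a one-way hash, is easy to show in code. The following is an added example written for this page; it is not code from either correspondent or from Tesco. It assumes a Python web backend that stores a salted PBKDF2-HMAC-SHA256 record per user (the iteration count and the 15-minute reset-token lifetime are illustrative choices) and shows how a "forgot password" flow works when the password is unrecoverable: the server issues a random, single-use, time-limited reset token and keeps only that token's hash, so neither the password nor a usable reset link sits in the database.

```python
# Added example (not from the email thread): sign-up, login and
# "forgot password" for a site that stores only one-way password hashes.
# Standard library only; the UserStore is an in-memory stand-in for the
# accounts table, constructed for this example.
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000   # illustrative; tune upward for real deployments
RESET_TOKEN_TTL = 15 * 60     # seconds a reset link stays valid (assumed value)


def hash_password(password, salt=None):
    """Return a storable record: algorithm, iterations, salt and derived key.

    The original password cannot be recovered from this string; the server
    can only check whether a candidate matches it.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive the key with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


class UserStore:
    """In-memory accounts table: holds hashes only, never passwords."""

    def __init__(self):
        self.users = {}         # email -> password record (hash, salt, params)
        self.reset_tokens = {}  # sha256(token) -> (email, expiry timestamp)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        stored = self.users.get(email)
        return stored is not None and verify_password(password, stored)

    def request_reset(self, email, now=None):
        """'Forgot password' without a recoverable password.

        Issues a random single-use token and stores only its hash. The plain
        token is what the site would email to the user as part of a reset link.
        Returns None for unknown accounts; the caller should send the same
        neutral response either way so the flow does not reveal valid emails.
        """
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[key] = (email, now + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (single use), check expiry, store the new hash."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self.reset_tokens.pop(key, None)
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("ben@example.invalid", "correct horse battery")
    print("login ok:", store.login("ben@example.invalid", "correct horse battery"))
    print("stored record:", store.users["ben@example.invalid"])
    token = store.request_reset("ben@example.invalid")
    print("reset accepted:", store.complete_reset(token, "new passphrase"))
    print("old password still works:", store.login("ben@example.invalid", "correct horse battery"))
```

Two properties are worth noticing when running it. The stored record contains a random salt, so registering the same password twice yields different records, and the record never contains the password itself, which is exactly why a hashed-password site cannot email it back. And because only the SHA-256 of the reset token is stored, someone who reads the database cannot complete a reset with what they find there; they would need the plain token that went to the user's mailbox, and only within its lifetime.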