www.bbc.co.uk/news/technology-19316825
Tesco said its security was "robust".
"What should have happened is that there should be some form of cryptographic storage - not in plain text."
Mr Hunt pointed out that as Tesco was able to email users their password in plain text, this showed the data was not being stored cryptographically.
I am astounded that their system is so bad and that no one has sorted it out.
|
I know of several systems that email plain text password reminders. The passwords are encrypted when they are stored and the decrypted password is sent when requested to an authorised email address.
There are risks, but this has to be weighed against the cost of developing something more secure and against the potential losses.
|
Sorry, Zippy, the system you describe is inherently insecure. The correct approach is to allow the user to create a new password (after proper identity verification *cough* Apple *cough*), and to store it in such a way that it can never be converted back into the original plaintext. For example, with minimal computer power a password like "Fgpyyih804423" can be cracked in about 2 minutes if stored in the way Tesco describe.
Tesco cannot guarantee that their password database will remain secure - no one can - so the only solution is to ensure that whoever does get hold of the database can never convert the stored data back into the original passwords, since people inevitably reuse passwords across the internet.
There is little to no added cost to developing a system that works in the way described above, and Tesco damn well know it.
Further reading:
* Rainbow tables
* Hash functions
* Salting
Last edited by: Fursty Ferret on Tue 21 Aug 12 at 12:46
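An added example (not from this thread, and not Tesco's code) of the storage approach Fursty Ferret describes: the site keeps only a salted, slow hash that it can verify but never reverse, and a constructed lookup table shows why salting and a work factor matter. It uses only the Python standard library; the password list and the round count are illustrative assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2 (assumed value). Raise it over time as hardware gets faster.
PBKDF2_ROUNDS = 200_000


def store_hashed(password: str) -> dict:
    """The only record the site keeps: a fresh random salt plus a slow,
    salted hash. No function exists to turn this back into the password,
    so a plain-text "reminder" email is impossible by construction and the
    site can only offer a reset."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "hash": digest.hex()}


def verify_hashed(record: dict, attempt: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def unsalted_sha256(password: str) -> str:
    """The weak alternative: one fast, unsalted hash with no per-user input."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for a precomputed lookup table (the idea behind rainbow
# tables): hashes of common passwords computed once, reusable against any
# database that stores unsalted hashes.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}


def lookup_precomputed(stored_hex: str) -> Optional[str]:
    """Instant recovery if the stored value is an unsalted hash of a common
    password. Against a salted record the same table never matches, because
    the salt changed the hashed input; it would have to be rebuilt per user,
    and PBKDF2's work factor makes each rebuild slow."""
    return PRECOMPUTED.get(stored_hex)


if __name__ == "__main__":
    rec = store_hashed("letmein")
    print("login ok:", verify_hashed(rec, "letmein"))
    print("unsalted table hit:", lookup_precomputed(unsalted_sha256("letmein")))
    print("salted table hit:", lookup_precomputed(rec["hash"]))
    # Same password, different users: the records differ, so the database
    # itself does not reveal who shares a password.
    print("records differ:", store_hashed("letmein")["hash"] != rec["hash"])
```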
|
FF
Spot on. No excuses, Tesco!
Re password resetting. I like the approach that some are adopting :-
At the start of using the system, the user supplies maybe up to 20 pieces of information that only they, in normal circumstances, would know.
e.g. What was/is the name of the road your first school was in.
Name of first pet, second car you owned and its colour, etc.
When a user requests a password reset then a few of these questions are asked and correct answers verify a valid requestor.
Of course a temporary password is then supplied and, prior to restoring full access, a new user password is mandated.
Every little elps!!!
|
It is lunacy to store plain text passwords in a database!
Most commercial databases offer built-in functions to encrypt strings so that passwords can be stored safely.
Since most people use the same password everywhere, it can have a cascading effect if passwords (along with emails) are hacked.
|
>> I like the approach that some are adopting
>> At the start of using the system, the user supplies maybe up to 20 pieces of information that only they, in normal circumstances, would know.
I don't. Because I work in IT, I have logins for dozens of systems at work, plus many others across the internet and so get asked variations on this all the time. It's not so bad when they ask you something specific like "name of first pet", but my bank asks me daft stuff like "memorable date or address". This is made worse by only phoning them very infrequently. Without giving too much away:
e.g. Having lived at countless addresses in my youth, and unable to use my current long-term location, I get memorable address wrong just about every single time.
For memorable dates, I can never remember whose birthday I chose, as four members of my family have their birthdays within the space of 5 days; I get confused and get that wrong too.
So inevitably, I get locked out of my own bank account every time I try to call them...
And then there's the format of the questions. If I get asked a question like "what was your first car?" do I put in the make & model or just the model? Six months+ later when I get asked that question how do I remember?
I do agree that what Tesco is doing is rubbish. I moved my phone contract away from them because their IT was so poor. The service from their website was terrible. Fine on the phones though.
Last edited by: oilburner on Wed 22 Aug 12 at 10:00
|