Lousy Password Security on Tesco Website

Good post, not because it picks on Tesco but because it's filled with good advice on how not to do it wrong.

Posted on August 15, 2012 at 2:23 PM • 29 Comments


Carl 'SAI' MitchellAugust 15, 2012 2:53 PM

I must take exception with his dislike of the XKCD "Correct horse battery staple" comic. While the method proposed in the comic is bad (try to think of common but unrelated words randomly) the related method (use a random source and a wordlist, a la diceware) is good. Passwords (and passphrases) should be memorable, at least the ones used to get into one's password storage system.

The comic was bad not because of the style of passphrase advocated, but because the method to create such a passphrase is insecure.

Per ThorsheimAugust 15, 2012 3:17 PM

The truly sad part of the UK Tesco case (so far) is that they are refusing to admit any wrongdoing, still claim to be secure and nothing has apparently been done to fix it so far.

you may be interested in reading this paper when it is published:
"Kirsi Helkala, Nils Kalstad Svendsen, Per Thorsheim and Anders Wiehe. Cracking Associated Passwords", to be presented here: https://www.bth.se/com/nordsec2012.nsf/pages/publications

Focusing on users ability to memorize and recall advanced passwords, it also reveals some new insight into how users uses various associations to a service when generating their password. A not-so-scientifically blog post describing the use of colors in the Linkedin leak as an association element can be found here:

Martin PotterAugust 15, 2012 4:00 PM

My Firefox browser tells me that Tesco's sign-in page is not to be trusted either, even though it is https, because their security certificate is invalid.

scottAugust 15, 2012 4:02 PM

And a site call gradeguru does the same and even cites you as to why that's fine.


MishehuAugust 15, 2012 8:30 PM

Sad to say that to this day there are credit card companies - major ones - in the USA that have at least part of the security deficiencies that Troy outlines in this article. Basically any time a website restricts me to a subset of the types of characters that I can input into a password element, I have to immediately assume that the site is insecure - if they were hashing and maybe salting it, they wouldn't have to not let me use a punctuation mark. GE / Sam's Club Discover suffers this character-type limitation insecurity-by-design (please feel free to correct me if they have fixed this deficiency). And to think that they suffered a sizable data breach within the past 12 months that required that they re-issue a non-trivial number of customers new cards...

Jeff HAugust 16, 2012 3:27 AM

What annoys me the most is that, as a Tesco customer, they keep asking me how they might improve their website, and I keep pointing stuff like this out (as well as the fact that it is incredibly slow and badly designed from a UI perspective). I'm not sure why they keep asking as they clearly have no intention of fixing it.

StradAugust 16, 2012 4:02 AM

I believe that Tesco have done an update in the last couple of weeks - so anyone looked to see if it's better?

BruceKnowsAugust 16, 2012 5:32 AM

On April 12th Tesco announced 'Internet investment increasing rapidly across the Group' and their 'Clicks & Bricks' activity would be one of the 6 areas sharing £0.4Bn of capital investment to enhance customer experience! Let's hope this is an early part of the project.

TimDGAugust 16, 2012 7:34 AM

I'm taking evening classes at a local adult education center and wanted to order a student licence of the software we use in class. When they printed me a certificate of registration, I was stunned to see my credentials printed at the bottom, both username and password.

This is a document I'm supposed to send to some stranger to prove that I'm eligible for the student discount on my software package.

DaveAugust 16, 2012 8:22 AM

I'm a Tesco customer and the stupid 10-character password limit has pissed me off for ages. How can you implement a sensible password strategy when faced with such infuriating restrictions?

I'm hoping there'll be a lot of publicity about this and Tesco will be forced to pull their socks up.

A Nonny BunnyAugust 16, 2012 9:07 AM

The thing that bothers me is the insistence you should use upper and lower case in a password; sorry but that hardly adds any extra entropy. A 16 character password with upper- and lowercase is no better than an 18 character password in lower case. And I find that 2 extra characters are a lot easier to remember than where to use uppercase. (Unless you just do the first or last letter simply to satisfy a ridiculous password requirement.)

Dave (again)August 16, 2012 9:07 AM

Although, further to my above post, the prize for Comically Stunted Passwords must go to National Savings & Invesmtments (NS&I). They limit the password to just 8 characters.

curtmackAugust 16, 2012 11:33 AM

At one point, my bank required that passwords be exactly 6 characters, containing at least 2 lowercase letters, at least 2 uppercase letters, and at least 2 numbers. And yes, it does require EXACTLY 6 characters, I even tried a longer password, it said it was too long.

That's about 4 billion possible passwords.

tedAugust 16, 2012 11:56 AM

Virgin-Mobile is equally terrible. No password, just a pin. It is 6 numbers, no shorter or longer and no letters. And when you change the PIN they email it to you.

"Virgin Mobile USA uses standard industry practices to safeguard the confidentiality of your personally identifiable information. Virgin Mobile USA treats data as an asset that must be protected against loss and unauthorized access. We employ many different security techniques to protect such data from unauthorized access by users inside and outside the company."

mrfoxAugust 16, 2012 12:53 PM

my favorite is Charles Schwab. they allow [a-zA-Z0-9]{6,8}. their example of a good password is "will1am". not like my financial data is worth protecting...

to their credit, they do offer RSA tokens, but only if you call customer service and complain.

blarghAugust 16, 2012 2:38 PM

If you think Tesco is bad, you should see Ulster Bank policy.

You are required to come up with a password and a pin. To authenticate you are required to give 4 random characters from each.

You will be asked for these random characters to
- log into internet banking
- use your credit card online
- call your bank
- and on.

Guess which bank does not hash customer passwords and gives their staff access to view said passwords....

BruceAugust 16, 2012 2:56 PM

I wrote to tell Tesco that they shouldn't send plain-text password reminders to the email address that constitutes the account name about ten years ago. I have a vague recollection that they always sent an email with the password in whenever it was modified. Just to make sure... They said that they had passed on they message to their software team, but I guess they ignored the suggestion.

Random832August 16, 2012 3:36 PM

Both of my (US) online banks have case insensitive passwords - though they at least aren't limited to 10 characters.

Random832August 16, 2012 3:37 PM

I should add, though, that they do have fixed length limits - just a bit longer than 10 characters... so it's still suggestive of possibly being stored in plaintext.

justinAugust 17, 2012 3:26 AM

These are big companies. Their goal is not to maximize the security of customer accounts, but to maximize profits. I'd guess they want to minimize the costs of supporting customers who would be confused or intimidated by the idea that a lost password may never be "recovered" and that a password reset can only be accomplished by generating or coming up with a new password.

I'm coming more and more to the conclusion that convenience trumps security. Every time.

confusopolyAugust 17, 2012 5:34 AM

My bank uses 2-factor authentication for transactions (chipTAN), but the password to just log into the online banking account, which allows you to view information but not start any transactions is a maximum 5-character "PIN" limited to latin-1 alphanumeric (so äöüß are allowed at least).

If the PIN is entered incorrectly 3 times they lock the account and I have to ask them to physically mail me a new PIN. The user name is the account number.

So everyone who knows my account number can trivially lock me out of my online banking account for at least 2 days by sending the wrong PIN 3 times.

Another DaveAugust 17, 2012 8:36 AM

BT, the very people that own you Bruce, are just as bad.

When setting up my account for online billing I went through various iterations of a username. Each one being rejected in turn as not being unique. Eventually I figured that the only unique BT idetifier was my account number.

I entered that and it got accepted only to find that BT actually consider the account number to be sensitive information as they asterixed out not the username but the title containing the account number.

So my question to BT was, why did the system not reject my account number as a user name if it is considered sensitive information? I never did get a reply.

DaveAugust 20, 2012 8:16 AM

@ A Nonny Bunny

"The thing that bothers me is the insistence you should use upper and lower case in a password"

Absolutely. As you mentioned, password length is indeed more potent than throwing in some extra characters.

This is something else that really annoys me about National Savings & Investments (NS&I) - they make you jump through hoops in that your chosen password must have at least one upper case letter and one special character. But then they limit the password length to eight characters. I really wonder what planet these people are on...

... then again, NS&I is a government concern. So maybe they've done it just to stick two fingers up at Joe Public!

Jeff HAugust 20, 2012 12:43 PM

When I rang my bank to ask why their Internet Banking system had a maximum of 15 character passwords, I was told it was for performance reasons. Apparently if it got much longer, the website would likely crash.

Then I remembered the horror stories about just what terribly ancient hardware underpins the banking system...

James SutherlandAugust 20, 2012 4:32 PM

Having recently ordered a new phoneline from Virgin, I saw an odd annotation on the installation document - it looked as if I was down to be unlisted, which I didn't want. I phoned customer services, on their premium rate number, and was asked for a password. After a few minutes, the agent helpfully told me what the password was, then proceeded to confirm the entry on the form was just a mistake, I wasn't really unlisted anyway. Impressive.

(150 would have been free and reached the same team, in fact, but for some strange reason they only mentioned the number which made them money. Can't think why.)

Clive RobinsonAugust 21, 2012 2:28 AM

It would appear Tesco.com are quite a "naught" company that is flaunting UK law...

On the BBC Radio 4 news was an item about how the UK imagration authority had after tip offs performed a major raid on the Tesco.con order forfilment center and found a lot of immigrants on restricted visas working there. Many of whom tesco.com were activly encoraging to work well beyond their visa restriction terms.

It will be curious to. hear what Tesco's Corporate has to say on the matter... What's the betting it will be the old discredited "a few bad apples" excuse that these large mainly tax fiddling corporates trot out to try and maintain the facade of their faux public image?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..