Friday, 3 August 2012

Sharing passwords with Tesco

"Every little helps," says the Tesco motto. Well, it seems that the UK's largest supermarket needs a little help with securing online customers' passwords.

Tesco's online shopping site does not protect customer passwords as thoroughly as it should. This in turn puts customers at risk because they probably use the same password with Tesco and other online services.

It is not realistic to expect people to have a unique password for every online service that they use. Normal people are not interested in security and have neither the time nor the energy to maintain (let alone memorise) a long list of strong passwords.

There are all sorts of clever solutions to this problem, including software that generates passwords that are impossible to memorise and then handles those passwords for you, logging you in to the password-protected web sites. LastPass is just one example.

Realistically, though, the vast majority are going to use a handful of passwords for everything that they do. Quite likely some of these passwords will be on the list of common passwords published by ZDNet.

Another problem with managing passwords using applications is that increasingly people are accessing websites with multiple devices, such as smartphones. Windows and Mac applications and browser plugins don't transfer easily to all of the available mobile handsets.

If you have a small selection of passwords then I have some urgent advice for you.

  • Do you have a Tesco online shopping account?
  • Do you have any other online accounts for which you have used the same password as your Tesco account?
  • Are these accounts in any way connected to important personal information or services, such as your email account(s) and financial services?
If you answered 'yes' to all of the above questions then it would be wise to log into every one of those services, except the Tesco site, and change your password immediately.

It is completely understandable, if not advisable, that you might want to use the same password for all of these services. If you do, do not then change your Tesco password to match this new one.

The reason for this urgent advice is that Tesco does not handle passwords in a particularly secure way. This has been publicised by Troy Hunt, who highlighted some problems with Tesco's website on his own site a few days ago.

There is an interesting list of sites that send users' passwords over email in cleartext on the Plain Text Offenders website.
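A site can only email you your password if it kept it in a form it can read back. The sketch below is an added example (my own illustration, not Tesco's code and not anything from Troy Hunt's write-up) of the two ways a site can handle a login: the "plain text offender" pattern beside the pattern a site should use, where only a per-user salt and a slow hash are stored, so the best the "forgotten password" page can ever send you is a random one-time reset link. The common-password deny-list and the PBKDF2 iteration count are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed, deliberately tiny stand-in for a published list of common
# passwords; a real site would load the full list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "tesco1"}

# Assumed work factor; tune to what your hardware can afford per login.
PBKDF2_ITERATIONS = 200_000


# --- The weak pattern: the site keeps the password itself ------------------
def plaintext_register(store: dict, username: str, password: str) -> None:
    # Anyone (or any leak) that can read the database can read the password.
    store[username] = {"password": password}


def plaintext_forgotten_password(store: dict, username: str) -> Optional[str]:
    # This is what lands in your inbox on a "plain text offender" site.
    record = store.get(username)
    return None if record is None else record["password"]


# --- The hardened pattern: the site keeps only salt + slow hash ------------
def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(store: dict, username: str, password: str) -> bool:
    """Reject common passwords; store a per-user salt and a PBKDF2 hash only."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    salt = os.urandom(16)
    store[username] = {
        "salt": salt,
        "hash": _derive(password, salt, PBKDF2_ITERATIONS),
        "iterations": PBKDF2_ITERATIONS,
    }
    return True


def verify(store: dict, username: str, password: str) -> bool:
    """Check a login attempt without ever needing the original password."""
    record = store.get(username)
    if record is None:
        # Do the same work for an unknown user so timing does not reveal
        # which usernames exist.
        _derive(password, b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = _derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def forgotten_password(store: dict, username: str) -> Optional[str]:
    """The only thing a well-behaved site can email: a random single-use token.

    The site cannot send the password because it no longer has it."""
    if username not in store:
        return None
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token, so a database leak does not leak live tokens.
    store[username]["reset_token"] = hashlib.sha256(token.encode("utf-8")).digest()
    return token


def redeem_reset(store: dict, username: str, token: str, new_password: str) -> bool:
    """Consume the reset token and set a fresh password (subject to the deny-list)."""
    record = store.get(username)
    if record is None or "reset_token" not in record:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, record["reset_token"]):
        return False
    del record["reset_token"]  # single use, whether or not the new password is accepted
    return register(store, username, new_password)
```

The contrast is the whole point: `plaintext_forgotten_password` returns the password because the store contains it, while the hardened store contains nothing that `forgotten_password` could send back, so the customer only ever receives a token and a chance to choose a new password.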

---

If you are concerned about this type of problem you could create a short list of passwords, including some very strong ones as well as some very easy to remember ones. Use the strong ones for your most important services, possibly using a small variation for each. Use the less strong versions for less important services.

Is this ideal? Definitely not, but until online security moves away from simple username and password authentication regular users have little other choice.