Soldato
****Fresh random image thread (with rule addition)Every post MUST contain an image!****
- Thread starter Gilly
- Start date
- Status
Soldato
zomg post a picture before winged monkeys snatch you from the sky and drop you over a cliff
I believe you got the order wrong
Last edited:
Soldato
Soldato
Soldato
Permabanned
- Joined
- 5 Apr 2006
- Posts
- 7,699
what's the joke about tesco? as long as you keep your email password safe what's the issue?
Last edited:
Soldato
Good story, shame about the swearies. QUICK - EDIT!
Soldato
It's to do with how websites and organisations store passwords.
What you should use is known as a one-way salted hash. Basically you take the password and run it through a whole bunch of maths to get something entirely different to your password. The code is written such that you cannot run the algorithm backwards to get the original password.
When you want to authenticate someone logging in, you run their password attempt through the same algorithm and compare the hashes.
Doing it this way means that if/when your database is compromised and it's contents stolen you cannot gain the user's passwords and so you cannot impersonate the user by logging in normally. You also don't get a password to tie up to the user's email address and then go poking around other sites such as banking or facebook or whatever.
This is basic stuff for password security and has been around for years, it's also easy to tell when companies aren't doing it, for example if they are able to email you your original password back. Another good sign is if their system places arbitrary maximum length requirements on the password, e.g. "no more than 12 characters".
Tesco's tweet is basically admitting that they are using reversible encryption to store their passwords and thus putting all their customer's security at risk.
Soldato
Regardless of how safe you keep it... Tesco aren't keeping it safe at all. ridiculous for a big company with tens of thousands of customers.
Soldato
Soldato
It is also about sending the password in plaintext via a reminder email rather than sending a link that gets the user to do the recovery on the site itself.
Last edited:
Nonsense, that blog is one massive masturbatory hyperbole ridden scaremongering sack of rubbish - and then people like you come along and condense it into a sentence and misrepresent it even further.
So they store their passwords and they're just encrypted, big deal. It's a password for a supermarket it's not that important. If you're using the same password for anything else then it's not Tesco that are the weakest link, and if they do send you out a password reminder of your unencrypted password and by some chance someone can get access.. I can't see a way to easily monetise that given to spend any money with them you'd need the 3 digit security number, verified by visa or mastercard securecode.
There's far too much financial/password scaremongering goes on and irresponsible Hunts like Troy invariably have a vested interest in security hysteria.
Soldato
Last time I checked, Tesco also do:
and probably a lot more things that are exploitable with your Tesco.com password.
Soldato
Your tesco.com password doesn't work on any of those sites - they have separate logins and they are far more secure than a simple password.
Honestly these hysterical internet password stories from security salesmen are intentionally deceptive at best, and downright libellous at worst.
When people do crime on the internet the weakest point in the chain is always the customer, and it's always the customer that gives their login details out.
Honestly these hysterical internet password stories from security salesmen are intentionally deceptive at best, and downright libellous at worst.
When people do crime on the internet the weakest point in the chain is always the customer, and it's always the customer that gives their login details out.
Soldato
Last edited:
Soldato
kd
- Status