****Fresh random image thread (with rule addition): Every post MUST contain an image!****

Status
Not open for further replies.
OcUK Energy Drink

uPS7k.jpg
 
What's the joke about Tesco? As long as you keep your email password safe, what's the issue?

It's to do with how websites and organisations store passwords.

What you should use is known as a one-way salted hash. Basically you take the password and run it through a whole bunch of maths to get something entirely different to your password. The code is written such that you cannot run the algorithm backwards to get the original password.

When you want to authenticate someone logging in, you run their password attempt through the same algorithm and compare the hashes.

Doing it this way means that if/when your database is compromised and its contents stolen you cannot gain the users' passwords and so you cannot impersonate the user by logging in normally. You also don't get a password to tie up to the user's email address and then go poking around other sites such as banking or Facebook or whatever.

This is basic stuff for password security and has been around for years, it's also easy to tell when companies aren't doing it, for example if they are able to email you your original password back. Another good sign is if their system places arbitrary maximum length requirements on the password, e.g. "no more than 12 characters".

Tesco's tweet is basically admitting that they are using reversible encryption to store their passwords and thus putting all their customers' security at risk.

NFSSw.jpg
 
It is also about sending the password in plaintext via a reminder email rather than sending a link that gets the user to do the recovery on the site itself.

azuLy.jpg
 
Regardless of how safe you keep it... Tesco aren't keeping it safe at all. Ridiculous for a big company with tens of thousands of customers.

Nonsense, that blog is one massive masturbatory hyperbole ridden scaremongering sack of rubbish - and then people like you come along and condense it into a sentence and misrepresent it even further.

So they store their passwords and they're just encrypted, big deal. It's a password for a supermarket it's not that important. If you're using the same password for anything else then it's not Tesco that are the weakest link, and if they do send you out a password reminder of your unencrypted password and by some chance someone can get access.. I can't see a way to easily monetise that given to spend any money with them you'd need the 3 digit security number, verified by visa or mastercard securecode.

There's far too much financial/password scaremongering goes on and irresponsible Hunts like Troy invariably have a vested interest in security hysteria.

kilmer.jpg
 
So they store their passwords and they're just encrypted, big deal. It's a password for a supermarket it's not that important.

Last time I checked, Tesco also do:
Pexb6.gif

2ORHA.jpg

SGRys.jpg

JubFq.jpg


and probably a lot more things that are exploitable with your Tesco.com password.
 
Your tesco.com password doesn't work on any of those sites - they have separate logins and they are far more secure than a simple password.

Honestly these hysterical internet password stories from security salesmen are intentionally deceptive at best, and downright libellous at worst.

When people do crime on the internet the weakest point in the chain is always the customer, and it's always the customer that gives their login details out.

go_apple.jpg
 