Just When You Think You're Safe Online
Tesco.com got themselves in hot water this week on Twitter after claiming that sending users their passwords in plain text in reminder emails was done so securely.
It just goes to show you can't trust any company - no matter how "respectable" you feel they are - with your password.
At first I thought I didn't have a Tesco.com account (I boycotted them years ago) but I went there and tried to send a password reminder to the email address I would have used if I did have an account with them.
It turns out I do have a Tesco.com account!
Not only do I have an account but it's with the password I used to use with all sites I didn't care too much about. How embarrassing.
I now no longer use that Passw0rd (which I once used to think was relatively clever and strong - doh) and have now changed my Tesco password to something unique to them and completely random. So much so that it is un-remember-able without the help of 1Password.
It's been so long since I used that Tesco account that the home address they have for me is in Sunderland (I moved to Nottingham 8 years ago yesterday!) and any card details they have will be unusable. Nevertheless it's a stark reminder of how vulnerable you are online - even when you're all smug and think you're safe, like I do.
As Bilbo Baggins once said, "it's a dangerous business, going out your door." The same applies when you go online.
Any company who can "remind" people of their password in this manner must be storing it in a recoverable form: in plain text, or reversibly encrypted, which amounts to the same thing. They are not a company worthy of trust. There is never any call for doing so.
Always, ALWAYS, in any application you ever write, store passwords at worst hashed, at best salted and hashed with a one-way function. A site that stores only a salted hash can still verify a login, but it can never send the password back, and that is exactly the point.
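As an added example (not code from the original post), here is the salted, one-way storage the paragraph above asks for, using PBKDF2-HMAC-SHA256 from the Python standard library. The record format, iteration count and the `"Passw0rd"` sample input are constructed for illustration; the only operations the code offers are "store" and "verify", so a "reminder" e-mail is impossible by design.

```python
import hashlib
import hmac
import os

# Constructed policy values: a 16-byte random salt per user and a PBKDF2
# iteration count that should be tuned upward on real hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record "pbkdf2_sha256$iterations$salt_hex$hash_hex".

    A fresh random salt per user means two users with the same password get
    different records, and nothing in the record can be turned back into the
    password itself.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count and compare in
    constant time. This is the only check a login system needs."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or foreign record: never accept it
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, minimum_iterations=ITERATIONS):
    """True when a stored record was made with a weaker setting than the
    current policy; re-hash it at the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < minimum_iterations


if __name__ == "__main__":
    # Constructed demo: the same weak password stored for two users.
    a, b = hash_password("Passw0rd"), hash_password("Passw0rd")
    print("records differ:", a != b)
    print("login ok:", verify_password("Passw0rd", a), "wrong pw:", verify_password("passw0rd", a))
```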
I read the title and immediately thought you'd received something similar to an email I had accusing me (well, to whom it may concern) of trade-mark infringement based on part of my company name. Funny thing was, it was citing a different but similar company name in the infringement. I've taken no action as yet as the threat rang fairly hollow.
The online world is becoming increasingly crass and litigious in addition to less safe. Anyone with a computer and enough intelligence to find the on-switch can get themselves into a fair spot of trouble, or reach out and mindlessly harass those of us just trying to make an honest living. It's enough some days to put me off the net entirely.
How well are you 'boycotting' Tesco when in your last blog you stated your 'main' phone was a Tesco Mobile one? It's not easy, boycotting Tesco.
http://www.guardian.co.uk/uk/2011/may/24/tesco-reopens-stokes-croft
Damn. I knew somebody would pick up on that. My getout is that I boycott the Tesco grocery/supermarket division.
Tesco's mobile price plans are just too hard to argue with.
Totally agree with the password strength part but it is probably a good thing that you're using a strong password now. The fact that they can actually send you the original password means that it's a website you should never trust and a company you should steer clear of. Storing the actual password in an unhashed form is soooooo bad form it's embarrassing.
Shame on them!!
I've been using LastPass (http://lastpass.com) for a few years now. It is a completely secure way of keeping track of all my web passwords through a plugin to my browsers. (You don't have to use the plugin, for example, if you're travelling. You can log into their web site too.)
Anyway it's free, it's convenient and it's secure. Now I use a different random string of characters for every account on the Internet.
Steve Gibson did a complete analysis of LastPass in podcast episode #256. You can find the audio file and a complete transcript on this web page.
http://www.grc.com/securitynow.htm
It's also a useful podcast to listen to each week.
Stay safe out there. Rob:-]