
unencrypted password reminder

  • 21-05-2011 5:51pm
    #1
    Registered Users Posts: 41


    Hi All,

    I requested the password for my online account on tesco.ie, and they sent me my username and original password!!


    What if their website is compromised? Hackers will have access to my details and passwords too.

    I know no website is safe, at least not almost all, but many do some kind of encryption like MD5 etc., where passwords are hashed and cannot be reverted to the original password.

    Are these companies doing enough to protect the privacy of their customers in an event like 'sony ps'?

    Should I delete my account on the websites?

    regards


Comments

  • Closed Accounts Posts: 14 Sigtran


    In some EU countries it is illegal not to NOT have passwords available in an unencrypted form :) I think France, UK & Ireland are on that list :) not sure about any others tho. In any case, if they are saving it in an unencrypted form, then yes, if the site is compromised, your password/username/whatever else they have on that DB will be known to the attackers.


  • Registered Users Posts: 41 greenhouse1234


    Sigtran, thanks for the clarity.

    At most I'll delete my details from their website.
    I'll contact Tesco and see what they say about their "privacy policy".



    regards


  • Registered Users Posts: 295 ✭✭montreal2011


    Sigtran wrote: »
    In some EU countries it is illegal not to NOT have passwords available in an unencrypted form.

    In some EU countries it is illegal to have passwords available in an unencrypted form.

    Is this what you mean? If so, Tesco are not only lax but breaking the law. Good spot by greenhouse. I would expect that many companies are not taking proper care of data, such as any company that used the same developers as Tesco!


  • Closed Accounts Posts: 14 Sigtran


    @montreal2011 no, it's illegal to encrypt passwords and not have a decrypted version somewhere. In Ireland/UK there is a law that requires you to unveil your password, if asked (tho it doesn't say which way you should store it, it would be illogical to store both versions. P.S. I only store encrypted passwords and that is breaking the law). I wouldn't be able to point at the act itself, as I don't remember exactly where it can be found, but it is there. In France it's illegal to even encrypt most of the traffic (*banking applications etc. are still encrypted). In the US, if they pass Obama's wiretap bill, every Internet application, web site DB etc. will have to be decryptable (e.g. law enforcement either has to have a decryption key, or it has to be a weak cypher, or your company is going to be bum banged).


  • Registered Users Posts: 1,456 ✭✭✭FSL


    Hi All,

    I requested password for my online account on tesco.ie. and they sent me my username and original password!!


    You asked for your password. If they had sent you it in encrypted form it would have been of no use to you at all.


  • Closed Accounts Posts: 14 Sigtran


    @bedlam thanks for giving clear reference :) I was close enough :P read these back in the day, so some things have changed, but not drastically.

    @FSL there is usually a reset password form made :P


  • Registered Users Posts: 1,456 ✭✭✭FSL


    Sigtran wrote: »
    @FSL there is usually a reset password form made :P

    To use a reset password form you need to know your existing password, otherwise anyone could reset your password.


  • Closed Accounts Posts: 14 Sigtran


    @FSL nah, all you need is to set it up so it will send you a reset link to the registered e-mail, or ask for an answer to the secret question, or both. 100% tested and works just fine in 99% of cases (of course there are people who don't know their e-mail address/passwords either, but come on!). What you are talking about is mostly used for changing password, not forgotten password forms.

