Tesco has announced that although passwords are held internally in an encrypted form, they are sent out in plain text to account holders who have lost or forgotten their passwords. This fact has been known since 2007, when it was first disclosed, but to date Tesco has not acted to create a better and more secure platform for retrieving passwords.

Those who manage IT security know that this poses a couple of potential problems, one more severe than the other. First, it is possible, although unlikely considering the function of these passwords, that the unencrypted e-mails are intercepted by cyber criminals and used against the account holder. The larger danger highlighted by sending passwords unencrypted is that if Tesco can decode the passwords held in the account before sending them, then hackers can as well. As far as IT support for Tesco is concerned, sending plain text credentials is neither a sin of which Tesco alone is guilty nor that damaging to the account holder. The problem for Tesco lies in the fact that its internal infrastructure is highly outdated. They are running, for example, a seven-year-old and twice-superseded version of Microsoft's web server software.
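The alternative to a store that can decode passwords is one that cannot: keep only a salted one-way hash and, for a forgotten password, e-mail a short-lived single-use reset token instead of the password. The sketch below is an added example, not Tesco's code; the `Account` class, the function names, the PBKDF2 round count and the 15-minute expiry are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest). The password cannot be recovered from either."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class Account:
    """Hypothetical account record: no field holds a decodable password."""

    def __init__(self, password: str):
        self.salt, self.digest = hash_password(password)
        self.reset_hash = None   # hash of the outstanding reset token, if any
        self.reset_expiry = 0.0

    def start_reset(self, now=None, ttl=900.0) -> str:
        """Create the token to e-mail; only its hash is kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.reset_hash = hashlib.sha256(token.encode()).digest()
        self.reset_expiry = now + ttl
        return token

    def finish_reset(self, token: str, new_password: str, now=None) -> bool:
        """Accept a new password only for a valid, unexpired, unused token."""
        now = time.time() if now is None else now
        if self.reset_hash is None or now > self.reset_expiry:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, self.reset_hash):
            return False
        self.salt, self.digest = hash_password(new_password)
        self.reset_hash = None  # single use: the token is dead after success
        return True
```

An intercepted reset e-mail in this design exposes a token that expires and works once, not the password itself, and a copy of the account table yields nothing that can be decoded back into passwords.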