MSE News: Tesco Clubcard holders: Consider changing password after breach

"Tesco Clubcard users should consider changing passwords, after 2,000 login details have been published by fraudsters..."
Read the full story:
Tesco Clubcard holders: Consider changing password after breach

This discussion has been closed.
Replies
Why on earth do they limit passwords to 10 characters, letters and numbers only?!
Thanks for the heads up.
You didn't read the article, did you?
Because that was good security when the web site was developed. To try to change it now would involve 10 million people all trying to change their passwords at the same time and that would kill the system.
Anyway, if you read the article you will see that it probably would not help anyway.
would've . . . could've . . . should've . . .
A.A.A.S. (Associate of the Acronym Abolition Society)
There's definitely no 'a' in 'definitely'.
(Text removed by MSE Forum Team)
I've just been reading one long post from someone who got hacked twice. I'll call him a "he" to make things easier.
First he claims to be an "IT Security professional" and claims Tesco 10 digit passwords are to blame as they are not strong enough.
He got his voucher stolen, so he changed his password and got them stolen again.
He then goes on to blame Tesco security for it. He also tells the Tesco person on the phone that he knows you can only use 10 digits in the password because it tells you that on the page.
He then goes on to explain that he entered a 16 digit password, and the Tesco system ignored the last 6 digits and just used the first 10 as his password. His account got hacked, so he changed his password, but he explains that he has a 10 digit "core password" and just changes the last 6 digits. So, in effect, he used the same 10 digit password again, and got hacked again. Well of course he did, he had the exact same password again!
He blames Tesco security for not being strong enough. Well I'm sorry, security is only as strong as the numpty using it.
An "IT Security professional" who has a 16 digit password where the first 10 digits are a "core" password and only the last 6 digits change. Who then enters the 16 digit password into a 10 digit password box, knowing it can only take 10 digits. Then tries to change the password, after it has been hacked, by entering the same "core" 10 digits plus different last 6 digits.
How did he not know he was entering exactly the same password?
He was actually on the phone to Tesco complaining that you can only have a 10 digit password, and actually tells the person that it says that in the instructions, when he entered a 16 digit password. He must have known the password he was entering was 16 digit, because he says he has a "core" 10 digit password which he adds another 6 digits to, to make it a new password.
I'm told the password is wrong.
So I arrange myself an email to change the password. The first attempt is rejected as I'm not allowed to use the same as a previous password. So I settle on a new one.
I can't log in.
I'm told the password is wrong.
So I arrange myself an email to change the password. The first attempt is rejected as I'm not allowed to use the same as a previous password. So I settle on a new one.
I can't log in.
I'm told the password is wrong.
So I arrange myself an email to change the password. The first attempt is rejected as I'm not allowed to use the same as a previous password. So I settle on a new one.
I can't log in.
I'm told the password is wrong.
So I arrange myself an email to change the password. The first attempt is rejected as I'm not allowed to use the same as a previous password. So I settle on a new one.
I can't log in.
I'm told the password is wrong.
So I arrange myself an email to change the password. The first attempt is rejected as I'm not allowed to use the same as a previous password. So I settle on a new one.
I can't log in.
I'm told the password is wrong.
Surely it's a paradox that on each of several trips around this loop a brand new password is accepted and then rejected only a couple of minutes later.
I've emailed them about this, asking them to strike out all old passwords and enable a fully free choice to start again.
No reply.
However, each time the system tells me in red writing that I have to use 6-10 characters and only numbers and letters.
Exactly what I am doing.
So for now I'm stuck with my existing password. Fortunately I don't use it with any other account elsewhere.
Best Comp win:X-Box 360!!
And thank you to all posters! You're wonderful!