Analysis of reported Tesco account and password data

Joe Bursell 14 Feb 2014

Following the finding of supposed Tesco customer account data on Pastebin we thought we’d do some analysis of our own, and share it.

The surprise is the complete lack of strength or complexity we found in so many of the passwords. Of course, the supposedly compromised data is likely to have been obtained by cracking hashes, so complex passwords are under-represented in the list of 2000 or so passwords: cracking only recovers the ones it can reach.

It’s also possible that the passwords were taken from another source and replayed against Tesco, but it’s hard to be sure which is more likely.

Either way, what we found gives us an insight into user password behaviour. Here are some headlines to give you an idea:

  • Less than 40% had seven characters or fewer, which seems pretty bad, until you see the next stat.
  • 73% had between eight characters and one character; that’s right, where people aren’t forced into a minimum character limit some will choose to use JUST ONE CHARACTER.
  • 48% used all lowercase letters (alpha).
  • 39% used lowercase letters and mixed it up with some numbers (alphanumeric).
  • Nearly 90% of all those passwords did not contain a capital letter.
  • Less than 0.5% had used a special character such as £ # & $ % etc.

So, in one sample of one retailer’s customers, we found one measure of a “truth” about just how weak some people’s passwords are. Weak is probably too good a word for it; I think you get my drift.
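The headline figures above come from bucketing each password by length and by the character classes it uses. The script below is an added example, not code from the original post, that performs the same classification over a small constructed sample list (not the Pastebin data), so a defender can run the same audit over their own cracked-password findings:

```python
from collections import Counter

# Constructed sample for illustration only; it is not the reported Tesco data.
SAMPLE = [
    "password", "a", "tesco123", "Jen1985", "qwerty", "letmein", "1234567",
    "Summer2013", "ilovemydog", "p@ssw0rd", "football", "7", "abc123",
    "Liverpool1", "charlie", "monkey", "123456", "hello", "Password1", "zz",
]


def classify(pw: str) -> str:
    """Bucket a password by the character classes it contains.

    Buckets mirror the post: 'alpha' (all lowercase letters), 'alpha numeric'
    (lowercase plus digits), 'numeric', 'mixed case' (has a capital), and
    'special' (any non-alphanumeric character, checked first).
    """
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    if any(not c.isalnum() for c in pw):
        return "special"
    if has_lower and not has_upper and not has_digit:
        return "alpha"
    if has_lower and has_digit and not has_upper:
        return "alpha numeric"
    if has_digit and not has_lower and not has_upper:
        return "numeric"
    return "mixed case"


def headline_stats(passwords):
    """Return the post's headline percentages for a list of plaintext passwords."""
    n = len(passwords)

    def pct(count):
        return round(100.0 * count / n, 1)

    buckets = Counter(classify(p) for p in passwords)
    return {
        "short_7_or_less": pct(sum(len(p) <= 7 for p in passwords)),
        "alpha": pct(buckets["alpha"]),
        "alpha_numeric": pct(buckets["alpha numeric"]),
        "no_capital": pct(sum(not any(c.isupper() for c in p) for p in passwords)),
        "special": pct(buckets["special"]),
        "min_length": min(len(p) for p in passwords),  # flags the one-character cases
        "length_histogram": dict(sorted(Counter(len(p) for p in passwords).items())),
    }


if __name__ == "__main__":
    for key, value in headline_stats(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it one password per line from a cracked-hash audit of your own user base and the output gives you the same length and character-class breakdown the post reports, which is the evidence you need to justify a minimum length and complexity policy.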

To try to prevent this kind of nonsense, here are some tips for creating a decent password:

Think of a phrase that you can remember, e.g.
mynameismichaelcaine

Capitalise some letters:
MynameisMichaelCaine

Then add an unusual character:
$$MynameisMichaelCaine$$

And there you have a password with around 25 × 10^104 combinations, yet you can still remember it.

Be careful though – password cracking tools such as Hashcat can be used to create huge wordlists, simply scraping every single word written on a source like Wikipedia. Using intelligent rules, words can be concatenated and padded with other characters, which provides a route to cracking even long, word-based passwords like the one above.

That said, length and complexity will always make a password harder to crack, as evidenced in the Tesco data.