Journal chill's Journal: TSP Epic Password Fail 2
TSP stands for Thrift Savings Plan. This is the 401(k)-equivalent that gov't employees can utilize. It is popular.
In April of 2012, the Federal Bureau of Investigation (FBI) informed the FRTIB (FEDERAL RETIREMENT THRIFT INVESTMENT BOARD) and Serco that in July of last year, a computer belonging to Serco, a third party service provider used in support of the TSP, was subjected to an unauthorized access incident. This incident resulted in the unauthorized access to the personal information of 123,201 TSP participants and payees. When the TSP learned of the cyber attack, we took immediate steps to investigate and notify our participants and other affected individuals.
The TSP notified their customers on June 1 of 2012 of the hack that occurred on July of 2011, but they only learned about sometime in April of 2012.
So off I go to change my password and what to my wondering eyes should appear? The following constraints:
1. Contain exactly 8 characters
2. Contain both letters and numbers
3. Not match any of your last four passwords
4. Not contain special characters.
And for "security tips" they have:
1. Create words or phrases by combining letters and numbers (golf4fun)
2. Substitute letters for numbers (5 for S or 3 for E)
Screencap of password page: https://plus.google.com/photos/108320036461391153047/albums/5752480492680965105
TSP announcement: https://www.tsp.gov/whatsnew/plan/planNews.shtml#pii
I'm on a password changing kick, using 12-20 character snippets from GRC's Perfect Passwords. Needless to say, TSP choked -- and so did I.
It sounds to me like it is tied directly to an old mainframe account, but there is no excuse for this level of sloppiness.
I thought you all would find it entertaining -- or frightening if this is where you have a chunk of your retirement funds set up.
frightening (Score:1)
I don't get why some intermediary system couldn't be propped up in front of the old one, supporting and demanding more secure passwords, and then map them to the old insecure ones, log the user in on their behalf, and then redirect to the home page or whatever.
And that the "database" of user info is stored across files, that a subset of it can be copied outside the system and taken home on a laptop or whatever had happened, makes me cringe in the thought of this enterprise system being an MS Office solution
Re: (Score:2)
I sent a fairly nasty feedback note thru their web-based form saying exactly that. The database is most likely MS-SQL, Oracle or Sybase ASE and not something as simple as Access. All three are popular in gov't.
The "Employee Express" site, where you can control where your paycheck gets deposited, etc. just recently changed so it didn't use your SSN for a login ID.