Slashdot: News for Nerds



TSP Epic Password Fail

chill (34294) writes | more than 2 years ago


TSP stands for Thrift Savings Plan. This is the 401(k)-equivalent that gov't employees can utilize. It is popular.

In April of 2012, the Federal Bureau of Investigation (FBI) informed the FRTIB (FEDERAL RETIREMENT THRIFT INVESTMENT BOARD) and Serco that in July of last year, a computer belonging to Serco, a third party service provider used in support of the TSP, was subjected to an unauthorized access incident. This incident resulted in the unauthorized access to the personal information of 123,201 TSP participants and payees. When the TSP learned of the cyber attack, we took immediate steps to investigate and notify our participants and other affected individuals.

The TSP notified their customers on June 1 of 2012 of the hack that occurred in July of 2011, but they only learned about it sometime in April of 2012.

So off I go to change my password and what to my wondering eyes should appear? The following constraints:

1. Contain exactly 8 characters
2. Contain both letters and numbers
3. Not match any of your last four passwords
4. Not contain special characters.

And for "security tips" they have:

1. Create words or phrases by combining letters and numbers (golf4fun)
2. Substitute letters for numbers (5 for S or 3 for E)

Screencap of password page:

TSP announcement:

I'm on a password changing kick, using 12-20 character snippets from GRC's Perfect Passwords. Needless to say, TSP choked -- and so did I.

It sounds to me like it is tied directly to an old mainframe account, but there is no excuse for this level of sloppiness.

I thought you all would find it entertaining -- or frightening if this is where you have a chunk of your retirement funds set up.
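An added example, not from the journal post or from TSP: a checker for the four quoted rules and a count of the password space those rules allow (inclusion-exclusion over 8-character alphanumerics), set beside a 12-character password drawn from the 94 printable ASCII characters, which is an assumption about what GRC's generator produces.

```python
import math
import string

LETTERS = string.ascii_letters   # 52 characters
DIGITS = string.digits           # 10 characters
ALNUM = LETTERS + DIGITS         # 62 characters allowed by rule 4


def tsp_policy_violations(pw: str, previous=()) -> list:
    """Return the list of quoted TSP rules that `pw` breaks (empty = accepted).

    `previous` is the user's password history, oldest first (hypothetical input).
    """
    problems = []
    if len(pw) != 8:                                        # rule 1
        problems.append("must contain exactly 8 characters")
    has_letter = any(c in LETTERS for c in pw)
    has_digit = any(c in DIGITS for c in pw)
    if not (has_letter and has_digit):                      # rule 2
        problems.append("must contain both letters and numbers")
    if pw in tuple(previous)[-4:]:                          # rule 3
        problems.append("must not match any of your last four passwords")
    if any(c not in ALNUM for c in pw):                     # rule 4
        problems.append("must not contain special characters")
    return problems


def tsp_keyspace() -> int:
    """Passwords that satisfy rules 1, 2 and 4: every 8-character alphanumeric
    string, minus the letters-only strings and the digits-only strings."""
    return 62 ** 8 - 52 ** 8 - 10 ** 8


def printable_keyspace(length: int) -> int:
    """Passwords of `length` characters over the 94 printable ASCII characters
    (assumed alphabet for the 12-20 character GRC snippets in the post)."""
    return 94 ** length


def keyspace_bits(size: int) -> float:
    """Size of a keyspace expressed in bits (log2), the usual way to compare policies."""
    return math.log2(size)


if __name__ == "__main__":
    print("golf4fun ->", tsp_policy_violations("golf4fun") or "accepted")
    print("TSP policy: %.1f bits" % keyspace_bits(tsp_keyspace()))
    print("12-char printable ASCII: %.1f bits" % keyspace_bits(printable_keyspace(12)))
```

Rule 3 is the only one that depends on state; the other three shrink the space a guesser has to cover to roughly 47 bits, against roughly 79 bits for the shortest GRC snippet the post mentions.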



frightening (1)

Bill Dog (726542) | about 2 years ago | (#40278383)

I don't get why some intermediary system couldn't be propped up in front of the old one, supporting and demanding more secure passwords, and then map them to the old insecure ones, log the user in on their behalf, and then redirect to the home page or whatever.

And that the "database" of user info is stored across files, that a subset of it can be copied outside the system and taken home on a laptop or whatever had happened, makes me cringe at the thought of this enterprise system being an MS Office solution or something similarly hokey.

Re:frightening (1)

chill (34294) | about 2 years ago | (#40278651)

I sent a fairly nasty feedback note through their web-based form saying exactly that. The database is most likely MS-SQL, Oracle or Sybase ASE and not something as simple as Access. All three are popular in gov't.

The "Employee Express" site, where you can control where your paycheck gets deposited, etc. just recently changed so it didn't use your SSN for a login ID.
