The website of the Thrift Savings Plan, the retirement program for 4.6 million federal employees and retirees, gives identity thieves clues about how to crack users' passwords, some security analysts say. As it happens, TSP plans to change its password policy this coming weekend to eliminate those clues, a spokeswoman told Nextgov when asked about it this week.
Security has been a sensitive issue for TSP administrators after hackers in 2011 penetrated a contractor’s computer exposing the Social Security numbers of 125,000 plan participants.
The problem with the TSP website, one expert said, is that crooks can use details about creating logins to compose a convincing phishing email:
"The fact that they publish that it's an eight digit password length for changing your online contribution is unbelievable," NSS Labs Chief Technology Officer John Pirc says.
Worse yet, they aren't following U.S. Government Configuration Baseline guidelines, which recommend that agencies use passwords longer than eight characters, ideally at least 12, he says. Based on recent tests, figuring out an eight-character password takes about 24 hours, Pirc says.
TSP should rethink the use of eight-character passwords and change the language on its website, which "provides cyber criminals with more information useful for crafting a believable email link for individuals to click on," he says.
When asked about Pirc's critique, TSP spokeswoman Kim Weaver said in an email, "Your question is particularly timely. On Saturday, May 10, we will be changing the password requirements for our participants to access their account data. The new password will be 10 to 32 characters long; upper case/lower case alphanumeric with special characters."
She also pointed out that TSP is following NIST IT security guidelines for agencies, which she said state that password complexity requirements are an "organizationally defined requirement."
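To make the policy change concrete, here is an added example (not TSP's code, and not from the article) that checks a candidate password against the rules Weaver quoted and compares the brute-force keyspace of the old eight-character minimum with the new one. Treating all four character classes (upper case, lower case, digit, special) as required is an assumption about how "upper case/lower case alphanumeric with special characters" is enforced; the 94-symbol printable-ASCII alphabet is likewise an assumption.

```python
import math
import string

# Assumed policy values, taken from the article's quoted description of the
# new TSP rules; the old minimum is the eight-character length Pirc criticised.
OLD_MIN_LENGTH = 8
NEW_MIN_LENGTH = 10
NEW_MAX_LENGTH = 32
PRINTABLE_ALPHABET_SIZE = 94  # printable ASCII minus space (assumption)


def policy_violations(password: str) -> list[str]:
    """Return a list of reasons the password fails the new policy (empty = OK).

    Assumption: all four character classes are required, not just allowed.
    """
    problems = []
    if len(password) < NEW_MIN_LENGTH:
        problems.append(f"shorter than {NEW_MIN_LENGTH} characters")
    if len(password) > NEW_MAX_LENGTH:
        problems.append(f"longer than {NEW_MAX_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def meets_policy(password: str) -> bool:
    """True when the password satisfies every rule in policy_violations()."""
    return not policy_violations(password)


def keyspace_bits(length: int, alphabet_size: int = PRINTABLE_ALPHABET_SIZE) -> float:
    """Entropy in bits of a uniformly random password of the given length.

    This is the attacker's worst case; real user-chosen passwords have far
    less entropy, which is why length floors alone are not sufficient.
    """
    return length * math.log2(alphabet_size)


def keyspace_growth(old_length: int = OLD_MIN_LENGTH,
                    new_length: int = NEW_MIN_LENGTH) -> float:
    """How many times larger the minimum-length keyspace becomes."""
    return 2 ** (keyspace_bits(new_length) - keyspace_bits(old_length))


if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    for candidate in ["Tsp-Saver-2014!", "Short1!", "passwordpassword"]:
        print(candidate, "->", policy_violations(candidate) or "OK")
    for n in (OLD_MIN_LENGTH, NEW_MIN_LENGTH, 12):
        print(f"{n}-char minimum: ~{keyspace_bits(n):.1f} bits")
    print(f"keyspace grows by ~{keyspace_growth():.0f}x going from 8 to 10 chars")
```

The keyspace figures show why the minimum length matters more than any single complexity rule: each extra character from a 94-symbol alphabet multiplies the search space by 94, so raising the floor from 8 to 10 characters increases it by roughly four orders of magnitude even before the complexity requirements are applied.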
You've been warned. Fix your passwords this weekend.