Feds: You Need to Fix Your TSP Passwords This Weekend
Aliya Sternstein
08 May 2014

The website of the Thrift Savings Plan, the retirement program for 4.6 million federal employees and retirees, gives identity thieves clues about how to crack users' passwords, some security analysts say. As it happens, TSP plans to change its password policy this coming weekend to eliminate those clues, a spokeswoman told Nextgov when asked about it this week.

TSP ANNOUNCEMENT: Coming soon: Stronger passwords (May 8, 2014)

Within the next few days, the TSP will implement its new stronger password policy. All Web passwords will have to be at least 10 characters in length. Once we have implemented the new policy, you will be instructed to change your password to one of your choice using our new requirements the next time you log into My Account.

Please remember that the TSP does not email you to change your password. TSP.GOV is the only legitimate web address for reaching the TSP online. Email links indicating that you need to reset your password may send you to fraudulent websites, and these websites may steal your login credentials when you enter them. Visit the TSP Security Center for more information. If you ever suspect your account credentials have been compromised, please call the ThriftLine at 877-968-3778 immediately so that we may take immediate actions to protect your account.

More TSP-related news is available at https://www.tsp.gov/whatsnew/plan/planNews.shtml

Security has been a sensitive issue for TSP administrators since hackers in 2011 penetrated a contractor's computer, exposing the Social Security numbers of 125,000 plan participants.

The problem with the TSP website, one expert said, is that crooks can use details about creating logins to compose a convincing phishing email: "The fact that they publish that it's an eight digit password length for changing your online contribution is unbelievable," NSS Labs Chief Technology Officer John Pirc says.
Worse yet, they aren't following U.S. Government Configuration Baseline <http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcb> guidelines, which recommend that agencies use passwords longer than eight characters, ideally at least 12 characters, he says. Based on recent tests, figuring out an eight-character password takes about 24 hours, Pirc says. TSP should rethink the use of eight-character passwords and change the language on its website, which "provides cyber criminals with more information useful for crafting a believable email link for individuals to click on," he says.

When asked about Pirc's critique, TSP spokeswoman Kim Weaver said in an email, "Your question is particularly timely. On Saturday, May 10, we will be changing the password requirements for our participants to access their account data. The new password will be 10 to 32 characters long; upper case/lower case alphanumeric with special characters." She also pointed out that TSP is following NIST IT security guidelines <http://dx.doi.org/10.6028/NIST.SP.800-53r4> for agencies, which she said state that password complexity requirements are an "organizationally defined requirement."

You've been warned. (You should) Fix your passwords this weekend.
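As an added illustration, not code from the article, TSP or NSS Labs, here are the old 8-character policy and the new 10-to-32-character policy quoted above written as a checker, plus a helper that scales the roughly 24-hour figure Pirc cites to the longer minimum length. The 94-character alphabet and the rule that every character class must appear are assumptions; the article gives neither.

```python
import string

# Constructed summaries of the two TSP web password policies the article
# describes. Lengths come from the article; requiring one character from every
# class is an assumption about "upper case/lower case alphanumeric with special
# characters".
OLD_POLICY = {"min_len": 8, "max_len": 8, "classes_required": 0}
NEW_POLICY = {"min_len": 10, "max_len": 32, "classes_required": 4}

CHAR_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def check_password(pw, policy):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(pw) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters")
    if len(pw) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']} characters")
    present = {name for name, chars in CHAR_CLASSES.items()
               if any(c in chars for c in pw)}
    if len(present) < policy["classes_required"]:
        missing = sorted(set(CHAR_CLASSES) - present)
        problems.append("missing character classes: " + ", ".join(missing))
    return problems

def keyspace_ratio(new_len, old_len, alphabet_size):
    """Growth of the exhaustive search when the minimum length rises: each
    extra character multiplies the key space by the alphabet size."""
    return alphabet_size ** (new_len - old_len)

def scaled_search_hours(base_hours, old_len, new_len, alphabet_size):
    """Scale an observed search time (the article cites about 24 hours for
    8 characters) to a longer length at the same guess rate. The alphabet
    size is an assumption; the article does not state one."""
    return base_hours * keyspace_ratio(new_len, old_len, alphabet_size)

if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["Abcd1234", "Abcdefghij", "Tsp!Secure2014"]:
        print(pw, check_password(pw, OLD_POLICY), check_password(pw, NEW_POLICY))
    # 94 printable ASCII characters assumed; the 24-hour figure is the article's.
    print(round(scaled_search_hours(24, 8, 10, 94) / 24 / 365, 1), "years")
```

Under those assumptions the two extra characters multiply the exhaustive search by 94 squared, which turns Pirc's 24 hours into roughly 24 years at the same guess rate.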
NOTE: The Kaspersky Labs Password Check website at http://password.social-kaspersky.com/en is a good resource for checking the strength of passwords built from various upper/lowercase, number and special character combinations.

----------

SOURCES:
Nextgov website at http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/05/feds-you-need-fix-your-tsp-passwords/83965/?oref=govexec_today_nl
TSP website at https://www.tsp.gov/whatsnew/plan/planNews.shtml#password

NOTICE: Links to archived copies of this and other mailing list messages, subscribe/unsubscribe instructions and other useful information for active duty, retirees and veterans, and their families, are available on the LINKS FOR MIL\RET\VETS website at www.hostmtb.org

If you prefer not to receive future RETVET-INFO mailing list messages, click here <mailto:retvet-info-request@xxxxxxxxxxxxx?subject=Unsubscribe> to unsubscribe. If unsuccessful, please contact Mailing List Mgr <mailto:milton.bell126@xxxxxxxxx?subject=RETVET-INFO%20Unsubscribe>.