[MILRETVET-INFO] You Need to Fix Your TSP Passwords This Weekend

  • From: RETVET-INFO@xxxxxxxxxxxxx
  • To: <RetVet-Info@xxxxxxxxxxxxx>
  • Date: Thu, 8 May 2014 12:10:17 -0500

Feds: You Need to Fix Your TSP Passwords This Weekend 

Aliya Sternstein

08 May 2014

 

The website of the Thrift Savings Plan, the retirement program for 4.6 million
federal employees and retirees, gives identity thieves clues about how to crack
users' passwords, some security analysts say. As it happens, TSP plans to change
its password policy this coming weekend to eliminate those clues, a spokeswoman
told Nextgov when asked about it this week.

 

TSP ANNOUNCEMENT: Coming soon: Stronger passwords (May 8, 2014)

Within the next few days, the TSP will implement its new stronger password
policy. All Web passwords will have to be at least 10 characters in length. Once
we have implemented the new policy, you will be instructed to change your
password to one of your choice using our new requirements the next time you log
into My Account. Please remember that the TSP does not email you to change your
password.

 

TSP.GOV is the only legitimate web address for reaching the TSP online. Email
links indicating that you need to reset your password may send you to fraudulent
websites, and these websites may steal your login credentials when you enter
them. Visit the TSP Security Center for more information. If you ever suspect
your account credentials have been compromised, please call the ThriftLine at
877-968-3778 immediately so that we may take immediate actions to protect your
account.

 

More TSP-related news is available at
https://www.tsp.gov/whatsnew/plan/planNews.shtml 

 

Security has been a sensitive issue for TSP administrators after hackers in 2011
penetrated a contractor's computer exposing the Social Security numbers of
125,000 plan participants.

 

The problem with the TSP website, one expert said, is that crooks can use
details about creating logins to compose a convincing phishing email: 

"The fact that they publish that it's an eight digit password length for
changing your online contribution is unbelievable," NSS Labs Chief Technology
Officer John Pirc says.

 

Worse yet, they aren't following U.S. Government Configuration Baseline
<http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcb> guidelines that recommend
agencies use passwords longer than eight characters, ideally at least 12
characters, he says. Based on recent tests, figuring out an eight-character
password takes about 24 hours, Pirc says.

TSP should rethink the use of eight-character passwords and change the language
on its website, which "provides cyber criminals with more information useful for
crafting a believable email link for individuals to click on," he says. 

 

When asked about Pirc's critique, TSP spokeswoman Kim Weaver said in an email,
"Your question is particularly timely. On Saturday, May 10, we will be changing
the password requirements for our participants to access their account data. The
new password will be 10 to 32 characters long; upper case/lower case
alphanumeric with special characters."

 

She also pointed out that TSP is following NIST IT security guidelines
<http://dx.doi.org/10.6028/NIST.SP.800-53r4>  for agencies, which she said state
that password complexity requirements are an "organizationally defined
requirement."
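To make the policy change concrete, here is an added example (not code from the article, TSP or Nextgov) that checks a candidate password against the announced 10-to-32-character rule and scales Pirc's "eight characters in about 24 hours" figure to longer lengths. It assumes that "upper case/lower case alphanumeric with special characters" means one character from each class is required, and that the 24-hour figure came from an exhaustive search over the 95 printable ASCII characters at a constant guess rate; neither detail is stated on the page.

```python
import string

# Assumed reading of the announced TSP policy: 10-32 characters, with at least
# one uppercase letter, one lowercase letter, one digit and one special
# character. The announcement itself only lists the character classes.
MIN_LEN, MAX_LEN = 10, 32
SPECIALS = set(string.punctuation)


def check_tsp_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN}, got {len(password)}")
    if not any(c.isupper() for c in password):
        problems.append("missing uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("missing lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("missing digit")
    if not any(c in SPECIALS for c in password):
        problems.append("missing special character")
    return problems


def keyspace(length: int, alphabet_size: int = 95) -> int:
    """Candidates an exhaustive search must try over printable ASCII."""
    return alphabet_size ** length


def scaled_crack_hours(length: int, ref_length: int = 8,
                       ref_hours: float = 24.0) -> float:
    """Scale the article's reference figure (8 characters in ~24 hours) to
    another length, assuming the same guess rate and a full keyspace search.
    That assumption is ours; the article gives no test conditions."""
    return ref_hours * keyspace(length) / keyspace(ref_length)


if __name__ == "__main__":
    # Constructed sample inputs: the old-style minimum and a policy-compliant one.
    for candidate in ("password", "Tsp-Retire2014"):
        print(candidate, check_tsp_policy(candidate) or "OK")
    for n in (8, 10, 12):
        print(f"{n} chars: {keyspace(n):.3e} candidates, "
              f"~{scaled_crack_hours(n):.1f} hours at the 8-char rate")
```

Each extra printable-ASCII character multiplies the search space by 95, which is why the jump from 8 to 10 characters turns a one-day search into roughly 9,000 days under the same assumptions.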

 

You've been warned. (You should) Fix your passwords this weekend.  

 

 

NOTE: The Kaspersky Lab Password Check website at
http://password.social-kaspersky.com/en is a good resource to use to check the
strength of passwords when using various upper/lowercase, number and character
combinations.

 

----------

SOURCES: Nextgov website at
http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/05/feds-you-need-fix-your-tsp-passwords/83965/?oref=govexec_today_nl
and TSP website at
https://www.tsp.gov/whatsnew/plan/planNews.shtml#password

 

 

 

NOTICE: Links to archived copies of this and other mailing list messages,
subscribe/unsubscribe instructions and other useful information for active duty,
retirees and veterans, and their families, are available on the LINKS FOR
MIL\RET\VETS website at www.hostmtb.org
