
Shocking Poor Security at the Social Security Administration - watchdogtimer
https://plus.google.com/108802066605702131048/posts/hrkjwaCUZgD?sfc=true
======
patio11
They also have more than 60 million lines of COBOL in production.

Cite:
[http://oig.ssa.gov/sites/default/files/audit/full/pdf/A-14-1...](http://oig.ssa.gov/sites/default/files/audit/full/pdf/A-14-11-11132_0.pdf)

~~~
rootme
At this point 5 inch diskettes are more secure.

------
GICodeWarrior
What login rate-limiting, account lock-out, and password expiry policies do
they have though?

Based on the password requirements, they have something like 2.6 trillion
possible passwords. If your account is locked out after 3 failed login
attempts, if they limit to one attempt per second, or if they have a forced
password change every month, etc. there are a number of ways to tighten this
up.

Their password policy is anachronistic, and this /could/ be a symptom of other
issues. However, by itself, it seems more like a usability issue than a
security issue.

In fact, they could be attempting to discourage password reuse with other
sites. That would be a security bonus if it worked (I doubt it works).

~~~
forgotpwtomain
> If your account is locked out after 3 failed login attempts, if they limit
> to one attempt per second,

The point of effective passwords isn't that someone is going to guess it on
login - it's that if the database gets dumped all the passwords aren't
recoverable from the hashes.

~~~
GICodeWarrior
The security of passwords at rest depends on how they are stored. Further, if
an SSA database is dumped, passwords won't be the data exposure people are
upset about.
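The two positions argued above (online guessing is bounded by lockout and rate limits; offline recovery from a dump is bounded by how the hashes are stored) can be put into numbers. The following Python is an added example written for this thread, not code from any of the commenters or from the SSA: it assumes an 8-character, case-insensitive alphanumeric policy (36 symbols, 36^8 is about 2.8 trillion, the same order as the 2.6 trillion figure quoted above), the one-guess-per-second and 3-strike lockout limits mentioned in the comment, and a constructed offline rate of 10^10 guesses per second against a fast unsalted hash. The PBKDF2 timing is measured locally, so the slow-KDF figure depends on the machine it runs on.

```python
"""Password-space and attack-time estimates (added example, not from the thread).

Labelled assumptions: 8 chars, 36-symbol alphabet, one online guess per second,
lockout after 3 failures, a constructed 1e10 guesses/s against a fast hash, and
an attacker with 1000 cores running the same PBKDF2 the server would use.
"""
import hashlib
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords under a fixed-length, fixed-alphabet policy."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password at a given guess rate."""
    return space / guesses_per_second


def lockout_success_probability(space: int, attempts_before_lockout: int) -> float:
    """Chance that one lockout window of random guesses hits a single account."""
    return attempts_before_lockout / space


def measure_kdf_seconds(iterations: int) -> float:
    """Wall-clock cost of one PBKDF2-HMAC-SHA256 derivation (constructed input)."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"example-password", salt, iterations, 32)
    return time.perf_counter() - t0


def attack_summary(length: int = 8, alphabet_size: int = 36, online_rate: float = 1.0,
                   lockout_attempts: int = 3, fast_hash_rate: float = 1e10,
                   kdf_iterations: int = 600_000, kdf_parallelism: int = 1000) -> dict:
    """Compare the online picture (rate limit, lockout) with the offline one
    (fast hash vs. slow KDF) for the same password policy."""
    space = keyspace(length, alphabet_size)
    kdf_seconds = measure_kdf_seconds(kdf_iterations)
    kdf_rate = kdf_parallelism / kdf_seconds   # derivations/s across the attacker's cores
    return {
        "keyspace": space,
        "online_years": seconds_to_exhaust(space, online_rate) / SECONDS_PER_YEAR,
        "lockout_hit_probability": lockout_success_probability(space, lockout_attempts),
        "offline_fast_hash_seconds": seconds_to_exhaust(space, fast_hash_rate),
        "offline_kdf_years": seconds_to_exhaust(space, kdf_rate) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for key, value in attack_summary().items():
        if isinstance(value, float):
            print(f"{key:>28}: {value:,.6g}")
        else:
            print(f"{key:>28}: {value:,}")
```

The online numbers are what the lockout argument rests on: at one guess per second the full space takes tens of thousands of years, and three guesses per lockout window hit a given account with probability around 10^-12. The offline numbers are what the "depends on how they are stored" reply rests on: the same space falls to a fast hash in minutes, while a slow, salted KDF pushes it back by however many iterations the server is willing to spend per login.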

~~~
forgotpwtomain
> The security of passwords at rest depends on how they are stored.

Insecure passwords are insecure at rest no matter how they are stored.

------
RichardHeart
This sounds like someone tazering a guard at the SSA. *shockingly

If you're mad about 8-char mandatory case-insensitive password rules maybe
leaking data, you'll probably be super mad when they just lose the whole db on
their end to hacks. Perhaps they should code a 2FA option through one of the
many useful APIs, as so many other companies have.

------
tomschlick
This is why the government desperately needs to keep 18F/US Digital Service so
they can keep modernizing these sites.

~~~
noobermin
You misunderstand. The current party in power _wants_ this dysfunction so they
can justify further cuts. See the withholding of funds from Obamacare and
forcing the post office to save for healthcare decades before those who would
use it could require it.

~~~
tomschlick
Oh I know. I'm sure there are shady back-room deals lined with kickbacks from
shitty contractors who will overcharge the government (tax payers) for systems
that don't do what they need to and will have to be redeveloped every 5 years.

~~~
GFK_of_xmaspast
That's essentially all for-profit contractors.

------
tomohawk
What else would you expect? They can't go out of business. They are so sacred
that they appear immune to any sort of political reform. There's no chance of
anyone getting fired for keeping things as they are. To change things would
paradoxically be more risky.

------
loopbacker
Some banks do this too. They store the password in the clear then at login ask
for the Nth character of your password (rather than the whole password).

That obviously means that the whole password is rarely sent over the network.
It also means that they can use the same validation system over the phone for
telephone banking.

The system is, however, far from ideal, of course.
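The "Nth character" scheme described above is a useful case study in why a login design can force weak storage. The following Python is an added example written for this thread, not code from the commenter or from any bank: it models a server that asks for three positions of the password and compares three constructed back-ends, the plaintext store the comment describes, a per-position store that salts and runs PBKDF2 over each character separately, and an ordinary whole-password KDF. The alphabet (36 case-insensitive alphanumerics), the sample password and the iteration count are all assumptions chosen so the example runs quickly.

```python
"""Partial-password challenges and what they force on storage (added example,
not from the thread). Constructed model; see the lead-in for assumptions."""
import hashlib
import os
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits   # 36 case-insensitive symbols
ITERATIONS = 5_000   # small so the example runs quickly; a deployment would use far more


def _kdf(text: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, the same slow hash for both hashed stores below."""
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, ITERATIONS, 32)


class PlaintextStore:
    """The design the comment describes: the whole password sits in the clear."""

    def __init__(self, password: str):
        self.password = password.lower()

    def verify(self, answers: dict) -> bool:
        """answers maps 0-based position -> the character the user typed."""
        return all(self.password[i] == c.lower() for i, c in answers.items())


class PerPositionStore:
    """Tempting 'fix': hash every character on its own salt so no plaintext is kept."""

    def __init__(self, password: str):
        self.entries = []
        for ch in password.lower():
            salt = os.urandom(16)
            self.entries.append((salt, _kdf(ch, salt)))

    def verify(self, answers: dict) -> bool:
        return all(
            secrets.compare_digest(_kdf(c.lower(), self.entries[i][0]), self.entries[i][1])
            for i, c in answers.items()
        )


class FullPasswordStore:
    """Ordinary design: one salted KDF over the whole password; only a full answer can be checked."""

    def __init__(self, password: str):
        self.length = len(password)
        self.salt = os.urandom(16)
        self.digest = _kdf(password.lower(), self.salt)

    def verify(self, password: str) -> bool:
        return secrets.compare_digest(_kdf(password.lower(), self.salt), self.digest)


def challenge(length: int, positions: int = 3) -> list:
    """Pick the positions a login will ask for (what the bank prompt does)."""
    return sorted(secrets.SystemRandom().sample(range(length), positions))


def recover_position(store: PerPositionStore, index: int):
    """Worst-case offline cost of one hashed position: each stored digest protects
    a single symbol, so at most len(ALPHABET) KDF calls are ever needed."""
    salt, digest = store.entries[index]
    for attempts, ch in enumerate(ALPHABET, start=1):
        if secrets.compare_digest(_kdf(ch, salt), digest):
            return ch, attempts
    return None, len(ALPHABET)


def worst_case_kdf_calls(store) -> int:
    """Upper bound on KDF evaluations to recover the password from a dumped store."""
    if isinstance(store, PlaintextStore):
        return 0                                   # nothing to recover, it is already readable
    if isinstance(store, PerPositionStore):
        return len(ALPHABET) * len(store.entries)  # linear in password length
    return len(ALPHABET) ** store.length           # exponential in password length


if __name__ == "__main__":
    pw = "h7k2m9qz"                                # constructed sample password
    answers = {i: pw[i] for i in challenge(len(pw))}
    for store in (PlaintextStore(pw), PerPositionStore(pw), FullPasswordStore(pw)):
        ok = store.verify(pw) if isinstance(store, FullPasswordStore) else store.verify(answers)
        print(f"{type(store).__name__:18} login ok={ok}  "
              f"worst-case KDF calls to recover: {worst_case_kdf_calls(store):,}")
```

The point the numbers make: hashing each character separately looks like it removes the plaintext, but the dump still yields the whole password after at most 36 KDF calls per position (288 for eight characters), versus 36^8 for a single KDF over the full password. Any scheme that must verify individual characters is bounded the same way, which is why the practical mitigation is not a cleverer hash but a different factor for the phone channel (a separate PIN or one-time code) and a full-password KDF for the web login.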

------
coldcode
Bad security no longer shocks me at all.

