TSP Changes Login Procedure

by Ryan Guina

I must have missed the announcement because I just noticed that the Thrift Savings Plan has changed the login procedure on their website this month. This comes only a few days after myPay increased their security features by installing a virtual keyboard for PIN input. The TSP now requires an 8-digit password instead of the previous 4-digit PIN. To change your PIN to a password, go to the website, input your account number and PIN as normal, and you will be prompted to change your PIN to a password.

The TSP made the change to increase security. According to the TSP website:

“We now require you to log into the Account Access section of this Web site with a longer, more complex Web password – a unique combination of letters and numbers that you can choose yourself or have the TSP’s computer generate for you.”

I think it’s great that the TSP is taking measures to increase security, but the new password rules really aren’t that much better than the old PIN. The rules require the password contain exactly 8 digits, at least 1 number and 1 letter, and NO special characters. The last requirement goes against every recommendation I’ve heard for a “strong” password.
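To put numbers on the comparison, here is an added example (not from the original post or from the TSP) that counts the search space of each scheme with inclusion-exclusion and checks a password against the rule as stated above. The post does not say whether TSP passwords are case-sensitive, so both cases are computed; the 32-symbol special-character set is Python's `string.punctuation`, an assumption made for the example.

```python
import math
import string
from itertools import product

DIGITS = len(string.digits)            # 10
LOWER = len(string.ascii_lowercase)    # 26, if letters are case-insensitive (assumption)
MIXED = len(string.ascii_letters)      # 52, if letters are case-sensitive (assumption)
SPECIALS = len(string.punctuation)     # 32 ASCII symbols (assumed special-character set)


def keyspace(length, letters, digits=DIGITS, specials=0):
    """Count strings of `length` containing at least one letter and one digit.

    Inclusion-exclusion: all strings, minus those with no letter, minus those
    with no digit, plus those with neither (specials only), counted twice above.
    """
    total = letters + digits + specials
    return (total ** length - (digits + specials) ** length
            - (letters + specials) ** length + specials ** length)


def brute_count(length, letters, digits, specials=""):
    """Enumerate a tiny alphabet to cross-check keyspace()."""
    alphabet = letters + digits + specials
    return sum(1 for s in product(alphabet, repeat=length)
               if any(c in letters for c in s) and any(c in digits for c in s))


def meets_policy(pw):
    """Rule as the post states it: exactly 8, letters and numbers only, one of each."""
    return (len(pw) == 8 and pw.isascii() and pw.isalnum()
            and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw))


def compare():
    """Return {scheme: bits of search space} for the schemes discussed."""
    schemes = {
        "4-digit PIN": 10 ** 4,
        "8 chars, case-insensitive": keyspace(8, LOWER),
        "8 chars, case-sensitive": keyspace(8, MIXED),
        "8 chars, case-sensitive + specials": keyspace(8, MIXED, specials=SPECIALS),
    }
    return {name: round(math.log2(n), 1) for name, n in schemes.items()}


if __name__ == "__main__":
    for name, b in compare().items():
        print(f"{name:36s} {b:5.1f} bits")
```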

What’s even better (sarcastic) is that you still need to remember your PIN if you want to access your account through the ThriftLine, the telephone access center. Your password will not work for the phone system.

In my opinion, the TSP did not do as much as they could have done to increase security or ease of use. In my opinion, the virtual keyboard at myPay is far more secure than the 8-digit password at TSP. The myPay system is also better for the user because the PIN did not change. Now TSP users have to remember their password for computer access and their PIN for telephone access. Thanks TSP, for adding one more password to the list of 20+ that we have to remember for all of our other accounts.

Published or updated February 27, 2011.
1 Jay

I agree about the “security” of the new passwords. For some reason I’ve been extremely keen on noticing sites that promote weak passwords recently: American Express (can’t even update the password using a Mac w/ Safari or FF), E*trade (6 to 32 characters with at least 1 number–no special characters!), Bank of America Military Bank IIRC, off the top of my head.

Most of the sites that I catch seem to be financial sites or professional (credit card company, banks, places that deal with money). When will they learn? You can pick a more secure password on most forums that are floating around. Closed source mentality vs. open source mentality maybe? I recall building a closed source custom web application for internal use and was steered away from allowing special characters. Now, I’d probably put up a bigger fight for it.

My other favorite is sites that force you to put in a specific format for phone or credit card numbers (no dashes, put dashes, etc.) Regular expressions make it easy to check on the programming side for correctly entered numbers and can standardize the format for insertion into the database. Rant for another day I guess…
