They also have more than 60 million lines of COBOL in production.

Cite: http://oig.ssa.gov/sites/default/files/audit/full/pdf/A-14-11-11132_0.pdf
What login rate-limiting, account lock-out, and password expiry policies do they have, though?

Based on the password requirements, they have something like 2.6 trillion possible passwords. If your account is locked out after 3 failed login attempts, if they limit to one attempt per second, if they have a forced password change every month, etc., there are a number of ways to tighten this up.

Their password policy is anachronistic, and this /could/ be a symptom of other issues. However, by itself, it seems more like a usability issue than a security issue.

In fact, they could be attempting to discourage password reuse with other sites. That would be a security bonus if it worked (I doubt it works).
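The arithmetic behind the comment above, worked through in code. This is an added example, not anything from the SSA or from the commenter; the 36-symbol alphabet (lower-case letters plus digits, 8 characters, case-insensitive) is an assumption that gives roughly 2.8 trillion passwords, in the same ballpark as the 2.6 trillion quoted. `LoginThrottle` is a hypothetical per-account lockout, written only to show how a "3 failures, then lock" rule caps the online guessing rate; it is not a description of any real system.

```python
import string
import time

# Assumed policy (not taken from the page): 8 chars, case-insensitive letters and digits.
ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
PASSWORD_LENGTH = 8
KEYSPACE = len(ALPHABET) ** PASSWORD_LENGTH         # 36**8 = 2,821,109,907,456

SECONDS_PER_YEAR = 365 * 24 * 3600


def expected_guesses(keyspace=KEYSPACE):
    """An attacker guessing without repeats expects to need half the keyspace."""
    return keyspace / 2


def years_to_brute_force(attempts_per_second, keyspace=KEYSPACE):
    """Expected online brute-force time at a sustained guess rate."""
    return expected_guesses(keyspace) / attempts_per_second / SECONDS_PER_YEAR


def max_rate_under_lockout(max_failures, lockout_seconds):
    """Best sustained guess rate (per account) when N failures trigger a lockout.

    Each lockout window allows at most max_failures wrong guesses, then nothing
    until it expires, so the long-run rate is max_failures / lockout_seconds.
    """
    return max_failures / lockout_seconds


class LoginThrottle:
    """Hypothetical per-account failed-attempt counter with temporary lockout.

    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, max_failures=3, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # account -> consecutive failed attempts
        self._locked_until = {}   # account -> clock value at which lock expires

    def is_locked(self, account):
        return self.clock() < self._locked_until.get(account, 0.0)

    def attempt(self, account, supplied, correct):
        """Returns 'locked', 'ok' or 'denied'.

        A locked account rejects even the correct password, which is the point:
        the attacker cannot tell a hit from a miss while the lock holds.
        """
        if self.is_locked(account):
            return "locked"
        if supplied == correct:
            self._failures.pop(account, None)
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            self._failures.pop(account, None)
        return "denied"


if __name__ == "__main__":
    print(f"keyspace: {KEYSPACE:,}")
    print(f"at 1 guess/s:    {years_to_brute_force(1):,.0f} years")
    print(f"at 1000 guess/s: {years_to_brute_force(1000):,.1f} years")
    rate = max_rate_under_lockout(3, 900)
    print(f"3 failures per 15 min lockout: {years_to_brute_force(rate):,.0f} years")
```

With the assumed keyspace, one guess per second already pushes an online attack past 40,000 years of expected work; a 3-failures-per-15-minutes lockout cuts the attacker's rate by another factor of 300. The point the comment makes holds: an 8-character case-insensitive password is weak against an offline attack on a leaked database, but whether it is weak online depends on the throttling in front of it.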
This sounds like someone tasering a guard at the SSA. *shockingly

If you're mad about 8-char mandatory case-insensitive password rules maybe leaking data, you'll probably be super mad when they just lose the whole DB on their end to hacks. Perhaps they should code a 2FA option through one of the many useful APIs, as so many other companies have.
What else would you expect? They can't go out of business. They are so sacred that they appear immune to any sort of political reform. There's no chance of anyone getting fired for keeping things as they are. To change things would paradoxically be more risky.
Some banks do this too. They store the password in the clear, then at login ask for the Nth character of your password (rather than the whole password).

That obviously means that the whole password is rarely sent over the network. It also means that they can use the same validation system over the phone for telephone banking.

The system is, however, far from ideal, of course.
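The "Nth character" scheme the comment describes, as an added example that is not any bank's code and not part of the original post. The server keeps the cleartext password (as the comment says such banks do), picks a few positions per login, and checks only those characters; `characters_revealed` counts how many positions an observer of several logins has seen answered, which is one concrete reason the scheme is "far from ideal". The challenge size of three positions and the `hmac.compare_digest` comparison are my choices, not something the page states.

```python
import hmac
import secrets


class PartialPasswordVerifier:
    """Hypothetical server side of a partial-password login."""

    def __init__(self, stored_password, positions_per_challenge=3, rng=None):
        # Stored in the clear: the server must know individual characters,
        # so a salted hash of the whole password cannot be used here.
        self.stored_password = stored_password
        self.k = positions_per_challenge
        self.rng = rng or secrets.SystemRandom()

    def challenge(self):
        """Pick k distinct 1-based positions for this login attempt."""
        return sorted(self.rng.sample(range(1, len(self.stored_password) + 1), self.k))

    def verify(self, positions, answers):
        """Check the supplied characters against the requested positions."""
        n = len(self.stored_password)
        if len(positions) != len(answers) or len(set(positions)) != len(positions):
            return False
        if any(not (1 <= p <= n) for p in positions):
            return False
        expected = "".join(self.stored_password[p - 1] for p in positions)
        supplied = "".join(str(a) for a in answers)
        # Constant-time comparison so timing does not leak which character mismatched.
        return hmac.compare_digest(expected.encode(), supplied.encode())


def respond(password, positions):
    """Client side: the user types only the requested characters."""
    return [password[p - 1] for p in positions]


def characters_revealed(observed_challenges):
    """Distinct positions an eavesdropper has seen answered across logins."""
    seen = set()
    for positions in observed_challenges:
        seen.update(positions)
    return len(seen)


if __name__ == "__main__":
    # Constructed sample password for the demo; not a real credential.
    pw = "correcthorse"
    server = PartialPasswordVerifier(pw)
    pos = server.challenge()
    print("server asks for positions:", pos)
    print("login ok:", server.verify(pos, respond(pw, pos)))
    # After a handful of observed logins most of the password is known.
    observed = [server.challenge() for _ in range(5)]
    print(f"{characters_revealed(observed)} of {len(pw)} characters exposed after 5 logins")
```

Each login sends only the requested characters, so no single capture yields the whole password; but every capture yields those characters in the clear, and the server-side store is cleartext by construction, which is the trade-off the comment is pointing at.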