by GICodeWarrior 3443 days ago
What login rate-limiting, account lock-out, and password expiry policies do they have though?

Based on the password requirements, they have something like 2.6 trillion possible passwords. If your account is locked out after 3 failed login attempts, if they limit to one attempt per second, or if they have a forced password change every month, etc. there are a number of ways to tighten this up.

Their password policy is anachronistic, and this /could/ be a symptom of other issues. However by itself, it seems more like a usability issue than a security issue.

In fact, they could be attempting to discourage password reuse with other sites. That would be a security bonus if it worked (I doubt it works).


> If your account is locked out after 3 failed login attempts, if they limit to one attempt per second,

The point of effective passwords isn't that someone is going to guess it on login - it's that if the database gets dumped all the passwords aren't recoverable from the hashes.

The security of passwords at rest depends on how they are stored. Further, if an SSA database is dumped, passwords won't be the data exposure people are upset about.

> The security of passwords at rest depends on how they are stored.

Insecure passwords are insecure at rest no matter how they are stored.
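Putting the thread's two arguments side by side, as an added Python sketch that is not code from any commenter: the 2.6 trillion password space and the 3-failure / one-attempt-per-second policies come from the first comment; the lockout window, the offline hash rate and the PBKDF2 parameters are constructed assumptions for illustration. The block models how long an online guesser needs under a lockout policy, and how the same keyspace fares against a dumped hash table, which is the point the replies make.

```python
"""Added illustration for this thread (not code from any commenter): the
2.6 trillion password space from the first comment, measured against (a) the
online lockout / rate-limit policies that comment lists and (b) the offline
hash-dump scenario the replies raise. Hash rates, window length and KDF
parameters below are constructed assumptions, not figures from the thread."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Optional

KEYSPACE = 2.6e12          # possible passwords, as quoted in the first comment
SECONDS_PER_YEAR = 365 * 24 * 3600


def online_exhaustion_years(attempts_per_second: float) -> float:
    """Years to try the whole keyspace through the login form at a given rate."""
    return KEYSPACE / attempts_per_second / SECONDS_PER_YEAR


def offline_exhaustion_seconds(hashes_per_second: float) -> float:
    """Seconds to try the whole keyspace against one dumped hash."""
    return KEYSPACE / hashes_per_second


@dataclass
class LoginGuard:
    """Per-account lockout: deny once `max_failures` failures fall inside
    `window_seconds`. The 3-failure figure is from the comment; the 15-minute
    window is an assumed value."""
    max_failures: int = 3
    window_seconds: float = 900.0
    failures: dict = field(default_factory=dict)

    def allowed(self, account: str, now: float) -> bool:
        recent = [t for t in self.failures.get(account, []) if now - t < self.window_seconds]
        self.failures[account] = recent          # forget failures outside the window
        return len(recent) < self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self.failures.setdefault(account, []).append(now)

    def effective_rate(self) -> float:
        """Guesses per second an attacker gets against one account under this policy."""
        return self.max_failures / self.window_seconds


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000):
    """Store passwords with a salted, iterated KDF so a dump costs work per guess."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


if __name__ == "__main__":
    guard = LoginGuard()
    print(f"1 attempt/s, no lockout:   {online_exhaustion_years(1):,.0f} years")
    print(f"3 failures per 15 min:     {online_exhaustion_years(guard.effective_rate()):,.0f} years")
    # Offline: an unsalted fast hash at an assumed 1e10 guesses/s, versus one
    # PBKDF2 guess timed on this machine.
    print(f"fast hash @1e10/s offline: {offline_exhaustion_seconds(1e10):,.0f} seconds")
    salt, it, dig = hash_password("hunter2")       # constructed sample password
    t0 = time.perf_counter()
    verify_password("hunter2", salt, it, dig)
    per_guess = time.perf_counter() - t0
    core_years = offline_exhaustion_seconds(1 / per_guess) / SECONDS_PER_YEAR
    print(f"PBKDF2 @ {1 / per_guess:,.0f}/s per core:  {core_years:,.0f} core-years")
```

The online numbers show why the first comment treats lockout and throttling as the controls that matter at the login form: three failures per assumed 15-minute window cuts the guess rate by roughly 300x compared with one attempt per second. The offline numbers show the reply's point: once the hashes are dumped, only the storage scheme stands between the keyspace and the attacker, and a slow, salted KDF buys time per guess where a fast unsalted hash buys none.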

From the screenshot, it looks like they enforce password changes every 90 days.