Back in January I blogged about a shortcoming of HIPAA. HIPAA legislation is, in part, supposed to help protect our privacy when dealing with health care providers. Unfortunately there is a hole in the legislation that you can fly a Boeing 747 through. Many of us have to log on to a web site to use our health insurance benefits. And yes, I am grateful to have those benefits. It is a blessing many people do not have. HIPAA does not require that the password policies of health insurance providers allow users to choose reasonably good passwords.
I mentioned the specific example of VSP (www.vsp.com), my vision insurance provider. The password policy prohibited me from using a space or any special characters in my password. This alone does not prevent me from making a good password; it simply requires that I make the password much longer in order to achieve the same password strength. In short, it is not a good policy from a security point of view.
Shortly after the post, I received a comment from Kyle Kelt, the IT Director for VSP, that the deficiency would be fixed. I am very happy to report that the deficiency has been fixed. I can now use spaces and special characters. In fact, users are now required to change their passwords when they visit the site. The wording is strange: they say you have to change it because it does not comply with their security policy, yet the passwords users had chosen were not allowed to comply with the newer security policy! My former password actually was more secure than the minimum required to meet their new policy; it just didn't have the required combination of character sets. What it lacked in complexity it more than compensated for in length! My new password is even stronger though. Kudos to Kyle and VSP for a meaningful improvement in password policy.
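To put numbers on the length-versus-complexity point, here is a small added example (my illustration, not code from VSP or the original post) that estimates password strength as bits of entropy from the character set actually used, and contrasts that with a character-class policy of the kind described above. The two sample passwords, the class sizes and the policy thresholds (8 characters, 3 classes) are constructed assumptions; the entropy figure is an upper bound that assumes each character was chosen at random, so dictionary words score lower in practice.

```python
import math
import string

# Character classes a policy typically distinguishes. Sizes are the usual
# assumptions: 26 lower, 26 upper, 10 digits, 32 printable symbols, 1 space.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
    "space": {" "},
}


def classes_used(password: str) -> list:
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]


def charset_size(password: str) -> int:
    """Size of the union of classes that covers every character in the password."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy: length * log2(charset), assuming random choice per position."""
    n = charset_size(password)
    return 0.0 if n == 0 else len(password) * math.log2(n)


def length_needed(target_bits: float, charset: int) -> int:
    """Minimum length that reaches target_bits when only `charset` symbols are allowed."""
    return math.ceil(target_bits / math.log2(charset))


def meets_class_policy(password: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """A complexity policy like the one in the post: minimum length plus N character classes.
    Note that it says nothing about how much entropy the password actually carries."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes


def compare(old: str, new: str) -> dict:
    """Side-by-side view of a long low-complexity password and a short complex one."""
    return {
        "old_bits": round(entropy_bits(old), 1),
        "old_passes_policy": meets_class_policy(old),
        "new_bits": round(entropy_bits(new), 1),
        "new_passes_policy": meets_class_policy(new),
        # Length a lowercase+digit password (36 symbols) needs to match the complex one.
        "lowercase_digit_len_to_match_new": length_needed(entropy_bits(new), 36),
    }


if __name__ == "__main__":
    # Constructed samples: a 28-character password allowed under the old
    # no-special-characters rule, and an 8-character password that satisfies
    # a 3-class complexity rule.
    LONG_SIMPLE = "visionplanrenewedinmarch2011"
    SHORT_COMPLEX = "Vsp2011!"
    for key, value in compare(LONG_SIMPLE, SHORT_COMPLEX).items():
        print(f"{key}: {value}")
```

Run as a script, it shows that the long lowercase-and-digit password fails the three-class policy while carrying roughly 145 bits against about 52 for the short complex one, and that only 11 lowercase-and-digit characters are needed to match the complex password. That is exactly why a policy that counts character classes but caps or ignores length measures the wrong thing.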
Now, if VSP, and so many other websites, would drop the silly pre-defined challenge questions for forgotten passwords and let users choose their own challenge questions, it would greatly enhance the security around passwords. Unfortunately, the practice of using useless challenge questions is an industry-wide problem, with the web sites doing it correctly being few and far between.
Director of Technical Education
Author ESET Research, ESET