Many people in the US associate HIPAA with the rules required to protect medical data. It actually is a lot more than that, but the HIPAA laws do require some minimal standards for medical providers.

I recently came across an example of where HIPAA is ineffective. The medical providers are required to protect your data, but they are not required to allow you to protect your data!

I have vision insurance through a company called VSP ( To set up an account I needed to create a user name and password. So, I created a great password and was promptly told I could not use is because it contained “special characters”. That isn’t a smart approach to security, but I know I can overcome these restrictions by using a long password. I decided to use the password “VSP Security really sucks”. The password was rejected, not because their security does not suck, but because I can’t have spaces in the password. “vspsecurityisstupid” was a perfectly acceptable password, but I had to change it because I just posted it on a blog ?

Sometimes you really have to take security into your own hands. If you can’t use special characters then is becomes very important to use a very long password.

Next time I’ll write about a popular social networking site with stupid password requirements.

There is a reason that some sites don’t allow special characters. It requires more security work. The special characters can be security vulnerability for people who do not know how to use databases securely. More on that another time.

Randy Abrams
Director of Technical Education