“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
– Randall Munroe
“Humans are actually the biggest problem,” says Craig Savolainen, Head of Engineering at Planswell. “Sure, there’s the occasional hacker with a supercomputer hiding in a bunker somewhere, but a more common problem is the millions of people out there with weak passwords, or passwords written on a Post-It note that could fall into the wrong hands.”
One study said the most popular password of 2016 was “123456.” Second place was, “123456789.” Some of us think we’re being clever by replacing certain letters with numbers or symbols, such as, “Pas5w*rd,” but Craig isn’t buying it.
“First of all, it’s not really that easy to remember. Do you replace the first ‘s’ or the second ‘s’ with a ‘5?’ And secondly, it’s only eight characters long with some common character substitutions that a computer would be able to guess within a few hours or days.”
So how do you make a password that’s so easy to remember that it doesn’t need to be written down, but still so hard to guess that nobody will crack it? Craig’s advice is surprisingly simple:
“There are 473,000 words in the English language. You can create a great password by linking any four of them together with a dash or a dot between them. Something like, ‘lamp-carpet-earphones-zeppelin’ is easy to remember — you can even make a little story in your head to help — but ridiculously hard to guess. There are 473,000-to-the-fourth-power possible word combinations, and that could take a computer centuries to guess.”
OK, so let’s say you have a really amazing password for all your online accounts, including Planswell. What are we doing to keep you secure? There are several measures in place, but Craig highlights three of the big ones:
Craig adds that Planswell takes all of these steps by choice, not by decree. “There aren’t a ton of regulations that tell us what to do. We have chosen to set the bar this high because protecting our clients is essential to the success of our business. We also have a partnership with Lyrical Security, whose job is to constantly test us to make sure our guard stays up.”
“Yes, we keep a scorecard on Planswell,” confirms Alex Hosking, Director of Managed Cloud Operations at Lyrical, a Toronto-based cybersecurity company.
“Part of what we do is run a monthly vulnerability test where we look for any new viruses or other threats that could affect the system. The Wannacry virus recently hit 90 countries, including the UK’s National Health System, but Planswell was protected. We also run quarterly penetration tests, where a team of hackers and scanners take a calculated approach to trying to break into the system. So far, no luck.”
Alex adds that “A lot of what others consider ‘security measures,’ we consider foundational. The National Institute of Standards and Technology is a non-regulatory agency of the US Department of Commerce and a global thought leader on how to make the Internet more secure. We point to them to make sure Planswell follows the highest standards.”
Security concerns will probably always be a fact of life, but the layers of protection at Planswell should be enough to put anyone at ease.
“My first choice would be to eject all the bad guys from planet Earth,” Craig says wistfully. “But until that day, the answer is to have better passwords and a well-designed system like ours.”