“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
– Randall Munroe
“Humans are actually the biggest problem,” says Craig Savolainen, Head of Engineering at Planswell. “Sure, there’s the occasional hacker with a supercomputer hiding in a bunker somewhere, but a more common problem is the millions of people out there with weak passwords, or passwords written on a Post-It note that could fall into the wrong hands.”
One study said the most popular password of 2016 was “123456.” Second place was, “123456789.” Some of us think we’re being clever by replacing certain letters with numbers or symbols, such as, “Pas5w*rd,” but Craig isn’t buying it.
“First of all, it’s not really that easy to remember. Do you replace the first ‘s’ or the second ‘s’ with a ‘5?’ And secondly, it’s only eight characters long with some common character substitutions that a computer would be able to guess within a few hours or days.”
So how do you make a password that’s so easy to remember that it doesn’t need to be written down, but still so hard to guess that nobody will crack it? Craig’s advice is surprisingly simple:
“There are 473,000 words in the English language. You can create a great password by linking any four of them together with a dash or a dot between them. Something like, ‘lamp-carpet-earphones-zeppelin’ is easy to remember — you can even make a little story in your head to help — but ridiculously hard to guess. There are 473,000-to-the-fourth-power possible word combinations, and that could take a computer centuries to guess.”
OK, so let’s say you have a really amazing password for all your online accounts, including Planswell. What are we doing to keep you secure? There are several measures in place, but Craig highlights three of the big ones:
- Control access. Currently, Craig is the only person in the world with unlimited access to Planswell client data. Other select employees can access the data they need to do their jobs, but nothing more. And everyone’s activity is logged so we can see who has accessed which data, and when.
- Encrypt data. When you make a financial plan, all of the data coming and going from our web server is protected by an RSA2048-bit encryption key. This is bank-level encryption, with one important difference: banks sometimes lower their encryption standards to accommodate users with older browsers, and we do not.
- Separate network. Let’s say someone did do the “hacker thing” and gained access to the web servers at Planswell. They would still have to penetrate another layer of security to get from the web server to the separate, private network where the data is actually stored. This is difficult to the point of being extremely unlikely.
Craig adds that Planswell takes all of these steps by choice, not by decree. “There aren’t a ton of regulations that tell us what to do. We have chosen to set the bar this high because protecting our clients is essential to the success of our business. We also have a partnership with Lyrical Security, whose job is to constantly test us to make sure our guard stays up.”
“Yes, we keep a scorecard on Planswell,” confirms Alex Hosking, Director of Managed Cloud Operations at Lyrical, a Toronto-based cybersecurity company.
“Part of what we do is run a monthly vulnerability test where we look for any new viruses or other threats that could affect the system. The Wannacry virus recently hit 90 countries, including the UK’s National Health System, but Planswell was protected. We also run quarterly penetration tests, where a team of hackers and scanners take a calculated approach to trying to break into the system. So far, no luck.”
Alex adds that “A lot of what others consider ‘security measures,’ we consider foundational. The National Institute of Standards and Technology is a non-regulatory agency of the US Department of Commerce and a global thought leader on how to make the Internet more secure. We point to them to make sure Planswell follows the highest standards.”
Security concerns will probably always be a fact of life, but the layers of protection at Planswell should be enough to put anyone at ease.
“My first choice would be to eject all the bad guys from planet Earth,” Craig says wistfully. “But until that day, the answer is to have better passwords and a well-designed system like ours.”