Back in August 2018, I saw a presentation by bestselling author Chris Mathers at the Cybersecurity Summit in Toronto. Chris speaks from his real-world experience posing undercover as a gangster, money launderer and drug trafficker for the RCMP, DEA and US Customs—roles that taught him a lot about human character, organizational culture and the ways weaknesses in security can be exploited. Chris covered several subjects in his talk, but one shareable takeaway was his formula for creating a strong but memorable password. Here it is.

STEP 1: Think of a favourite phrase.

This could be your favourite line from a movie, a quotable quote from a book or words of wisdom from your mom. It needs to be at least eight words long (the longer, the better). I asked a colleague for his favourite movie line and he immediately shot back, “We are going to need a bigger boat.” (Cue those two infamous musical notes that tell us the shark is approaching: Du-nuh. Duh-nuh.) Write the phrase somewhere you can find it easily.

STEP 2: Write down the first letter of each of the words in the phrase.

For the Jaws quote, it would be wagtnabb.

STEP 3: Change one of the letters to uppercase.

Most passwords need to have a mix of uppercase and lowercase letters. If you're like me, it's easiest to remember that the first letter is capitalized. Now the password becomes Wagtnabb

STEP 4: Turn one or more of the letters into a special character

e.g. $, @ or &. It helps if there is a visual similarity between the letter and the special character, to help with recall. For the Jaws quote, we could turn the ‘A’s into @ symbols. The password so far: W@gtn@bb. (We could also have just turned the first A into an @, but we might forget which A we converted, so better to do both.)

STEP 5: Turn one or more of the remaining letters into a number.

Most passwords need at least one number. Again, it helps for recall if there is a good reason to substitute that particular number for that particular letter, for example they look similar. One of the common substitutions is '8' for 'b' or 'B', but there are many more common substitutions.

Final password: W@gtn@88

Ta-da! A password that’s easy to remember (for you) and very difficult to crack (for hackers).

Why does a strong password matter? Someone committing a brute force attack on your account will first try obvious passwords based on real words, which are published in databases. If none of these work, they’ll use an automated system to run through different alpha-numerical combinations. If you have a one-letter password (‘P’ for example), it’ll be a cinch to break in. As you increase the number of characters, however, it gets exponentially more difficult to get the right combination. It’s not impossible, but chances are the hacker will move on to the next person—the one whose password is “password”—rather than spend any more time on your difficult password.

A strong password isn’t a one-shot deal. You should change your password every 60 to 90 days just in case there’s been a breach—which is even more reason to have a simple and easy-to-recall system for creating one.

Share this post with your team to make sure everyone is using strong passwords to log in to your organization’s systems and to any accounts where they use their work email as their username.