December 2001

Password Tips and Tricks - What Works and What Doesn't
 

The Computing Infrastructure Support Department, which administers the central servers providing email, calendar and other services, is getting tougher with passwords and has been notifying employees whose passwords are too easy to crack and therefore present a cybersecurity risk. In fact, the CIS checkers are using the same software often used by hackers to try to decode passwords.

In trying to make their passwords more secure, some employees have tried making a tricky change or two. These include:

  • Substituting characters that look the same - such as a $ for an S or an @ for an a.
  • Using words from a non-English dictionary.
  • Putting multiple words together.
  • Adding numbers before or after the password.
  • Changing case, from upper to lower case or vice versa.

Though well-intentioned, these changes don't fool hackers or their password-cracking software. What to do then? Follow the guidelines in the Lab's Regulations and Procedures Manual - the RPM.

Here are the rules as per the RPM:

  • Passwords must contain at least eight non-blank characters;
  • Passwords may not contain the user ID;
  • Passwords may not include the user's own or (to the best of his or her knowledge) a close friend's or relative's name, employee number, Social Security number, birthdate, telephone number, or any information about him or her that the user believes could be readily learned or guessed;
  • Passwords may not (to the best of the user's knowledge) include common words from an English dictionary or a dictionary of another language with which the user has familiarity;
  • Passwords may not (to the best of the user's knowledge) contain commonly used proper names, including the name of any fictional character or place;
  • Passwords may not contain any simple pattern of letters or numbers such as "qwertyxx" or "xyz123xx."
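
The tricks listed earlier fail because a checker can undo each of them before looking the password up. The sketch below is an added example, not CIS's software or text from the RPM; the word list, the look-alike table beyond $ and @, and the three-character pattern threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample word list; a real check would load full dictionaries
# (English and other languages) plus lists of proper names.
WORDS = {"secret", "dragon", "monkey", "blue", "haus", "gandalf"}
# The article names $ for S and @ for a; the other entries are assumptions.
LOOKALIKES = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "!": "i"})
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "abcdefghijklmnopqrstuvwxyz", "0123456789")
DIGITS = "0123456789"


def splits_into_words(s):
    """True if s is one dictionary word or several put together."""
    if s in WORDS:
        return True
    return any(s[:i] in WORDS and splits_into_words(s[i:]) for i in range(1, len(s)))


def has_simple_pattern(s, run=3):
    """True if s contains `run` adjacent keys from a keyboard row or sequence.

    Deliberately strict: a run of 3 catches both "qwertyxx" and "xyz123xx".
    """
    return any(row[i:i + run] in s for row in ROWS for i in range(len(row) - run + 1))


def check_password(password, user_id):
    """Return the reasons a password is rejected; an empty list means it passed."""
    problems = []
    lowered = password.lower()  # undoes any change of case
    if len(re.sub(r"\s", "", password)) < 8:
        problems.append("fewer than eight non-blank characters")
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    if has_simple_pattern(lowered):
        problems.append("simple pattern")
    # Undo look-alike characters, with and without numbers added before/after.
    candidates = {lowered.translate(LOOKALIKES),
                  lowered.strip(DIGITS).translate(LOOKALIKES)}
    if any(c and splits_into_words(c) for c in candidates):
        problems.append("dictionary word(s) after undoing common tricks")
    return problems
```
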
