On 8 November 2011 02:53, Stan Hoeppner <s...@hardwarefreak.com> wrote:
> On 11/8/2011 1:13 AM, Geert Mak wrote:
>
>> We had a user account hacked (weak password) and our SMTP server was used
>> for sending spam. We discovered it after our mail server IP began to show up
>> in RBLs. We improved the passwords, however the question is how best to
>> watch the server in case a similar thing happens again.
>
> 1. Create and enforce a minimum password complexity policy, preferably
> on your web based account creation page, something like:
>
> http://www.webresourcesdepot.com/10-password-strength-meter-scripts-for-a-better-registration-interface/
For password strength, I'm not sure the conventional wisdom of numbers and punctuation is relevant any more. They help when the attacker is known to you, but password length is a much better indicator of entropy resistance.

http://xkcd.com/936/

Simon
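The two suggestions above (Stan's minimum-complexity policy and Simon's point that length dominates the entropy estimate) can be compared in a few lines. The following is an added example, not code from this thread or from the linked strength-meter scripts; the function names, the thresholds (12 characters, 60 bits) and the sample passwords are my own choices, the samples following the pattern of the linked comic. It estimates brute-force entropy as length times log2 of the alphabet the password draws from, then applies a length-first policy:

```python
import math
import string
from typing import Tuple

# Character classes used to estimate the alphabet an attacker has to search.
# Any character outside these classes widens the alphabet by one.
_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
    " ",
)


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = 0
    for cls in _CLASSES:
        if any(ch in cls for ch in password):
            size += len(cls)
    extra = {ch for ch in password if not any(ch in cls for cls in _CLASSES)}
    return size + len(extra)


def estimated_entropy_bits(password: str) -> float:
    """Brute-force entropy estimate: len(password) * log2(alphabet_size).

    This assumes every position is chosen independently and uniformly, so it
    is an upper bound: dictionary words or repeated characters are weaker
    than the number suggests. It is still enough to show that adding
    characters grows the estimate faster than adding character classes.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def check_policy(password: str, min_length: int = 12,
                 min_bits: float = 60.0) -> Tuple[bool, str]:
    """Length-first policy: reject short passwords outright, then require a
    minimum estimated entropy. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"too short: {len(password)} < {min_length}"
    bits = estimated_entropy_bits(password)
    if bits < min_bits:
        return False, f"too predictable: {bits:.1f} bits < {min_bits}"
    return True, f"ok: {bits:.1f} bits"


if __name__ == "__main__":
    # Constructed samples: a short "complex" password versus a long
    # lowercase passphrase, plus a long but repetitive string.
    for pw in ("Tr0ub4dor&3", "correct horse battery staple", "aaaaaaaaaaaa"):
        accepted, reason = check_policy(pw)
        print(f"{pw!r:32} alphabet={alphabet_size(pw):3d} "
              f"bits={estimated_entropy_bits(pw):6.1f} -> {reason}")
```

On the samples, the 11-character mixed-class password scores about 72 bits but fails the length rule, while the 28-character lowercase passphrase scores about 133 bits and passes; "aaaaaaaaaaaa" passes the length rule but fails the entropy floor, which is why the policy needs both checks rather than either alone.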