No, I'm not trying to hack it; I'm trying to beef it up as much as possible. I had enough of a nightmare integrating the user accounts and courses with our data warehouse that the last thing I need now is for some person to decide to get crash-happy and try to bring the system down or get into other people's accounts. Our server manager does a good enough job at locking down the box with restricted IPs to anything other than the web port and I think a couple others, but I was looking into any potentials with exploiting the (IMHO) lousy programming behind the scenes to get into things or bug out the system.

In regard to passwords, that depends on the administrator's settings after the initial login. We make it a minimum of 8 characters and then it's kind of in their hands on how "smart" to make the password. Thanks for the link by the way, I'm looking into some resources off that now.