Comment: Re:It is possible where others fear to tread... (Score 1) 277

by selil (#34649344) Attached to: Passwords Are the Weakest Link In Online Security
Not sure about that. DOD Instruction 8500.2 (2003) says 8, but the construction requirements are exactly the same as we did it. There are differences based on the information found on the system. The Windows Server 2000/3 wouldn't even allow more than 14 characters if I remember right.

Comment: It is possible where others fear to tread... (Score 1) 277

by selil (#34642186) Attached to: Passwords Are the Weakest Link In Online Security
My students using 300 nodes of a computing cluster were able to crack 57K DOD spec passwords (7 characters, upper, lower, symbol, number) in a few hours (Windows 2003 enterprise server). The goal was to crack 450K passwords in 24 hours but we had to call off the last run due to finals. Nothing about this project was hard. Using F/OSS and a lot of computing cycles cracking them was a piece of cake. Simple two-factor authentication is horrible. Especially when you give up the userid as an email address, or use a standardized naming scheme. Yes this would have required basically physical access to the server. Still as a test with enough horsepower and some tuning you can break even tough passwords quickly. We were basically trying to up the ante on a previous example where a person did 400K passwords in a few months using commodity hardware.

Comment: Some thoughts (Score 1) 227

by selil (#34149544) Attached to: Evaluating Or Testing Utility SCADA Security?
There are a variety of good posts here (among the chaff). The post by @bigjeff5 and the anonymous coward post amendment. For standards and an understanding of the risk metrics Sandia labs has a great set of documents for SCADA security http://www.sandia.gov/ccss/ , never mind all the FUD. You'll have to decide on whether you want a best in class, good enough, or what you can afford and wherever the three vectors meet at a solution. Technically there is no reason for SCADA to be a risk. Experience though tells us there are plenty of reasons to push the SCADA operational component into the risk category. Not being able to afford to keep the utility operational engineers employed because the technical SCADA solution cost three times your budget is the risk I usually see. What you'll need is an experienced person to act as a trusted third party and there are a lot of them out there in the real world. Be wary of people who talk about security, technical issues, operating systems, and other elements in black and white terms. They rarely have the real world experience to understand real world issues in implementation. Since you appear to be talking about water and in the United States (pardon if not) you are likely highly regulated. You will also need to balance the new requirements and regulations for implementing SCADA devices too.

Comment: How we got here (Score 2, Interesting) 368

by selil (#34106596) Attached to: Why 'Cyber Crime' Should Just Be Called 'Crime'
In the 1970s a court case in California during an evidence hearing had an interesting discussion. The evidence of an intellectual property case was bounced as the evidence was all digital in nature. How can you have a theft when you still possess the original? Several avenues were considered and the result was the first computer laws detailing crimes that happened on computers versus normal property thefts. Much abridged version, but this is basically a United States issue that isn't necessarily found in other countries as their property rights are considered differently. Though, the United States has managed to export many of the concerns along with the Internet. Much of this is detailed by Thomas Whiteside in a book called "Computer Capers" circa 1978,

Comment: Tell /.'rs no tech is dangerous (Score 3, Insightful) 319

by selil (#33101662) Attached to: Should Professors Be Required To Teach With Tech?
As a technology professor I'm going to say it. Tech in the classroom can be as debilitating as boring lectures. PowerPoint can be a crutch. Poor teaching can't be fixed by cool tech. I've got a million dollar lab full of tech, but if I put my students to sleep who cares?

I use AdobeConnect, instant messenger, a blog, CITRIX, a variety of open source tools, and a bunch more but I am a technology professor. I don't use powerpoints with bullets (presentation zen?) and I hate snore fest lectures more than my students.

Telling professors to use tech is like telling a mechanic to use a crescent wrench. What is the context of the learning environment and what are the learning outcomes? I tailor my educational strategy to the educational outcomes. Critical thinking skills don't need flashy graphics if linear processes are the desired result.

Heck. I'd be happy if my students simply read the textbook, and additional reading. When I assign a reading on the web half the time I get complaints that I didn't print it and pass it out in class. Some of my students say 100 pages of reading a week is too much homework. These are the same students bragging before class that they spend 50-60 hours a week playing the latest MMORPG.

Comment: Consider the arguments a little closer (Score 3, Insightful) 246

by selil (#30763722) Attached to: Challenge To US Government Over Seized Laptops
I think it is funny that people say "you don't have those rights at border crossings", and yet that isn't even the government contention. The government believes that laptops and other electronic devices are open containers that can be examined at will after they've been seen. In other words if this stands as a principle and you're walking down the street and they can see your iPod they (meaning police) can seize and examine the iPod. This is a principle of incremental legislation and enforcement. Case studies of similar expansions are found in seat belt laws, and punishment for driving under the influence. As to people saying you don't have the rights accorded to the Constitution when crossing borders they are completely wrong. Administrations have held that point of view. They have also held that your rights (and responsibilities) apply wherever you are found. So, you have those rights, but can be charged for crimes from the United States even when where you are the incident is not illegal (e.g. child porn, gambling, etc.).
Microsoft

Google book settlement raises hackles

Submitted by maximus1
maximus1 writes "Microsoft, Amazon.com and Yahoo plan to join a consortium to fight a proposed settlement Google has made with authors and publishers over its Google Book Search service. The coalition, which is being formed by the Internet Archive and tentatively called the Open Book Alliance, will be announced in the next couple of weeks, according to a report published in The New York Times. It plans to oppose the agreement in briefs to the court and tell the U.S. Department of Justice that the deal is anticompetitive. The settlement could help authors monetize digital work and readers to access millions of out-of-print books. But critics have argued that the settlement could have widespread implications and limit competition in the digital book space."
Internet Explorer

USDA bans browsers other than IE 3

Submitted by Dave
Dave writes "'An Agriculture Department agency has begun enforcing a policy banning the use of Web browsers other than Microsoft's Internet Explorer, to the surprise of employees who rely on other browsers, such as Mozilla's Firefox, to help in developing Web sites for public use.'

It seems the core issue is one of central management. Are there solutions to assist sysops with management of "alternate browser" settings for large networks? If not, it would appear such a solution would be timely."
Education

Geeky method best for teaching kids to read 6

Submitted by jbrazile
jbrazile writes "Maybe just in time for the new school year... after struggling for a year trying to get my now 7-year-old's (English) reading skills up-to-speed — including several of the most popular educational software titles, I'm surprised that the geeky, underdog method that worked so well in the end has never been mentioned on Slashdot and seems so unknown. Chapter 7 of Super Crunchers devotes itself to the behavioral psychology and data-mining based method developed in the 60s by its now 70-something inventor. What is not well-known is that much better than a book, which doesn't help you much in learning the teaching techniques, software that directs the method is also available. By software standards, it is ancient, but the almost obsessive-compulsive attention to deconstruction of material to be taught and adherence to consistency rules in execution (answering with a metronome!) which leads to such amazing results can only be truly appreciated by a slashdotter. Not to mention that it covers writing/spelling as well as reading. A recent interview with the creator is available, as well as a short film on the method's recent implementation in an entire (elementary to high-school) system in the American mid-west."
