PC/Security Utilities
Security Glossary
I just received an excellent, basic computer/security glossary from the SANS Ouch! Mailing List. Ouch! is a security awareness newsletter, perfect for those who aren't geeks, but want to stay safe online. The edition reprinted below has its permanent online home in the Ouch! Archives as Issue #1 for 2007.
***********************************************************************
OUCH!
SANS Institute Security Newsletter for Computer Users
Volume 4, Number 1 January 2007
***********************************************************************
Special Holiday Edition: OUCH Glossary
In This Issue
1. The Internet and the World Wide Web
2. Getting Connected
3. Your Computer
4. Malware
5. Bad Guys
***********************************************************************
- ubahmapk's blog
Good Thing I Use KeePass
Sometime back, [I mentioned a great little program for Windows called KeePass](http://www.allensonthe.net/2005/09/30/too-many-passwords/). If you don't use it now, you would if you had to follow [these rules](http://support.microsoft.com/default.aspx?scid=kb;en;276304)!
>Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords.
>Please type a different password. Type a password that meets these requirements in both text boxes.
(via [SecGuru](http://www.secguru.com/node/622))
Good Computer Security With Super Glue
The first rule of security is:
>If the bad guys get physical access to your box, you're finished.
So, when the [Sumitomo Mitsui Banking Corporation](http://en.wikipedia.org/wiki/Sumitomo_Mitsui_Banking_Corporation "Wikipedia article on SMBC"), one of the largest banks in the world, narrowly avoided the [biggest bank heist in history](http://www.cioupdate.com/trends/article.php/3600126 "CIO Update.com"), they decided they needed better physical security.
Recovering From Malware
[Microsoft Official: Malware Recovery Not Always Possible](http://www.foxnews.com/story/0,2933,190544,00.html "Foxnews.com")
> In a rare discussion on the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.
How Long of a Password Do I Need Before It's a Good One?
A table of [Password Recovery Speeds](http://www.lockdown.co.uk/?pg=combi&s=articles)
Keep in mind, the reported speeds are using the "dumb" approach to breaking passwords: [Brute force](http://en.wikipedia.org/wiki/Brute_force_attack "Brute Force password cracking").
A good password cracker will use a [Dictionary Attack](http://en.wikipedia.org/wiki/Dictionary_attack "Wikipedia's definition of a Dictionary Attack"), which would yield *considerably* faster times, especially with fast hardware.
So, what _is_ a good password?
Too Many Passwords?
This short story came across my Bloglines account today: Password overload plagues US.biz.
It seems that it's becoming harder and harder to remember all the passwords we have. And it's even harder if they were good passwords to begin with!
Enter KeePass, the Open Source password manager for Windows.
Windows Security Checklist
In the past month or so, I've learned a great deal about password security, which has reminded me to go back and _finally_ post this security gem I found last February.
I have many friends and relatives who come to me when they have a computer problem. And, many times, their problems stem from virii (yes, I know it's really viruses) or spyware or something of the sort.
Well, this **[checklist](/checklist.html)** should go a looong way to help reduce the number of problems to begin with.
I found this checklist and _stole_ it (practically verbatim) from [A Home User's Security Checklist for Windows](http://www.securityfocus.com/columnists/220) over at [SecurityFocus.com](http://www.securityfocus.com).
**Please print this out!!** Then fill it out and copy it and file one away in a very safe place and post the other one beside your computer (preferably without any password information -- see below).
A note on writing passwords down: for the most part, I agree with the author when he says...
> A couple of notes about the checklist. Yes, I know that I provided space for folks to enter their passwords below. I thought long and hard about that, and it seems to me that the problem of lost or forgotten passwords, especially if it's a home computer with a limited user base, outweighs the problem of someone's wife or husband seeing a password. If it really bothers you, then don't fill those blanks in, or have someone fill in two copies of the checklist: one with passwords that is filed away in a safe place, and one without passwords that is posted on the wall next to the computer. Be flexible - you know the situations of your friends and family better than I do.
I _really_ don't like the idea of writing down passwords. At all. **Especially at work.** However, if you're at home, and you create good passwords [1] then **if** you write your passwords down, **please keep whatever you wrote your passwords down on in a really safe place.** Like locked up somewhere. I know it sounds like I'm being paranoid, but... it really is important.
BTW, if you have questions about any of the items on the checklist (that the links don't explain well), feel free to call me. That is, if you know my number. :-) Otherwise, ask whoever your PC geek friend is for help. I'm sure when s/he sees what you're doing, they'll be more than happy to walk you through it.
(P.S. A great resource for learning how to not run Windows as an admin user is [Aaron Margosis' Weblog](http://blogs.msdn.com/aaron_margosis/). I've followed his instructions and am successfully running as a 'mortal' user on my laptop at work. Maybe in the future I'll jot down some more thoughts on how that all works, like how much harder it is for spyware to infect your PC if you aren't admin....did that get your attention?)
[1] A good password generator for [Firefox](http://www.mozilla.org/products/firefox) is [Secure Password Generator](http://mozmonkey.com/securepassword/) and for IE you can use [this bookmarklet](http://angel.net/~nic/passwdlet.html) (also works in Firefox -- you **are** planning on moving to [Firefox](http://www.getfirefox.com), right? :-) )
WinSCP
[WinSCP (SourceForge)](http://winscp.sourceforge.net/eng/)
From the site:
> WinSCP is an open source SFTP (SSH File Transfer Protocol) and SCP (Secure CoPy) client for Windows using SSH (Secure SHell). Its main function is safe copying of files between a local and a [remote computer](http://winscp.sourceforge.net/eng/about.php#remotehost). Beyond this basic function, WinSCP manages some [other actions with files](http://winscp.sourceforge.net/eng/about.php#fileoperations).

Has to be _the_ best tool for securely transferring files from a Linux box to your Winblows machine.
Security Tango
[Security Tango](http://www.securitytango.com/)
Prevx
[Prevx Home Edition](http://www.prevx.com/prevxhome)
Free (and good) "Host intrusion prevention for the Enterprise and Home"