Traditional authentication schemes see users needing to create, and remember, separate login details for each service or system they use. With the average organisation using over 1000 distinct cloud services, the burdening of users to remember countless different passwords raises the security risk through password re-use, or the increasing use of less complex passwords as users become fatigued with their overwhelming number of credentials. Further, these credentials are most often stored in an abstracted, remote datastore that is unique to each application or service; there must be an implicit trust that the service is correctly and securely storing these passwords, and that any compromise is disclosed quickly enough to act.
Injection vulnerabilities are the most common result of mixing user input with system control. An injection vulnerability can have catastrophic results for a system, potentially leading to a full database dump, and laying the groundwork for a remote shell. In layman's terms, this means an attacker controls the entire system and has access to all data.
In Part 2, the importance of a well-maintained and well-structured hardware and software inventory and the benefits of vulnerability management was explained. The next step in the process of getting on top of security basics is gaining control of the environment. This step should be easier and more efficient if the earlier steps of creating a comprehensive inventory were completed.
Passwords are obviously required to keep your online accounts and data safe, but how strong is your password? The idea of a strong password can be hard to quantify and most places require your passwords to meet some requirements. It's common to see "Your password must contain characters from three of the following categories" to be able to set your password. These requirements are in place to raise the entropy of a password and make it much harder for an attacker to guess your password.
Multi-factor, or two-factor, authentication (MFA, 2FA) has seen increasing adoption and public awareness. What is it? What benefits does it provide? Is it really worth all that hassle? And how can I justify the time spent implementing and maintaining a MFA solution?