OWASP Broken Authentication
Broken Authentication sits under A07 Identification and Authentication Failures in the OWASP Top 10. Authentication is the process of proving who you are. When an application implements this process poorly, attackers bypass it and take over accounts without ever knowing the real password.
The Hotel Key Card Analogy
A hotel gives every guest a key card programmed for one room. Broken authentication is like a hotel that gives every guest the master key by accident, never checks if the card expired, and accepts handwritten cardboard cards as valid. Anyone who knows the system can walk into any room.
Common Authentication Weaknesses
Weak Password Policies
Applications that allow passwords like 123456 or password invite attacks. Attackers run lists of the most common passwords against login forms at high speed.
No Brute-Force Protection
A login form with no limit on attempts lets an attacker try millions of passwords automatically.
Attack tool tries:
admin / password --> fail
admin / 123456 --> fail
admin / letmein --> fail
admin / admin123 --> SUCCESS
1 million attempts take only seconds with automation.
Insecure Password Reset
Password reset flows that rely on security questions ("What is your mother's maiden name?") are weak. Answers to these questions often appear in social media profiles or can be guessed.
Credential Stuffing
Billions of username and password pairs from past data breaches are publicly available. Attackers feed these lists into login forms hoping users reused the same credentials on multiple sites.
Breach database contains:
alice@email.com : SunnyDay99
Attacker tests the same pair on:
Banking site --> SUCCESS (Alice reused her password)
Shopping site --> SUCCESS
Email provider --> fail
Weak Session Tokens
After login, the server gives the user a session token — a unique identifier that proves they are logged in. If the token is predictable (e.g., a simple counter: 1001, 1002, 1003), an attacker guesses other users' tokens and hijacks their sessions.
No Session Expiry
A session token that never expires stays valid forever. If someone leaves a computer without logging out, anyone who finds the browser can access their account weeks later.
Session Token in URL
Putting session tokens in the URL is dangerous because URLs appear in browser history, server logs, and are included in the Referer header when clicking external links — all places where attackers can find them.
Attack Flow: Account Takeover via Credential Stuffing
Step 1: Attacker downloads leaked database (available on dark web)
Contains: 500,000 email + password combos
Step 2: Attacker runs automated tool against target login page
Tests all 500,000 combos at high speed
Step 3: 3,200 pairs succeed (users reused passwords)
Step 4: Attacker logs into those 3,200 accounts
Extracts payment data, personal info, sends spam
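The attack flow above has a recognisable shape in login logs: one source address, many different usernames, mostly failures, and the occasional success. The following detector is an added example written for this page, not code from OWASP or any product. It assumes a constructed log line layout (timestamp, ip=, user=, result=) and a constructed sample log; the five-minute window and the threshold of five distinct usernames per source are assumptions to be tuned to a real site's traffic. Any success from a flagged source is reported as a probably compromised account, which is the list a responder would want first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line layout (constructed for this example, not a real product's format).
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
WINDOW = timedelta(minutes=5)
DISTINCT_USER_THRESHOLD = 5   # assumption: tune to the site's normal per-IP login diversity


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_PATTERN.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "ip": m["ip"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_credential_stuffing(lines):
    """Flag source IPs that attempt many distinct usernames within WINDOW.

    A user mistyping a password is one source and one username; credential
    stuffing is one source and many usernames. Successes from a flagged
    source are reported as probably compromised accounts.
    """
    events = [e for e in (parse_line(ln) for ln in lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        flagged = False
        for i in range(len(evs)):
            while evs[i]["ts"] - evs[start]["ts"] > WINDOW:   # slide the window forward
                start += 1
            if len({e["user"] for e in evs[start:i + 1]}) >= DISTINCT_USER_THRESHOLD:
                flagged = True
                break
        if flagged:
            findings[ip] = {
                "distinct_users": len({e["user"] for e in evs}),
                "failures": sum(e["result"] == "fail" for e in evs),
                "compromised": sorted({e["user"] for e in evs if e["result"] == "ok"}),
            }
    return findings


# Constructed sample: one spraying source, one user mistyping a password, one normal login.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:05Z ip=203.0.113.5 user=bob result=fail
2024-05-01T10:00:10Z ip=203.0.113.5 user=carol result=fail
2024-05-01T10:00:15Z ip=203.0.113.5 user=dave result=ok
2024-05-01T10:00:20Z ip=203.0.113.5 user=erin result=fail
2024-05-01T10:00:25Z ip=203.0.113.5 user=frank result=fail
2024-05-01T10:00:30Z ip=203.0.113.5 user=grace result=fail
2024-05-01T10:00:35Z ip=203.0.113.5 user=heidi result=ok
2024-05-01T10:01:00Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:20Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:40Z ip=198.51.100.7 user=alice result=ok
2024-05-01T10:02:00Z ip=192.0.2.9 user=bob result=ok
"""

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the sample, only 203.0.113.5 is flagged; 198.51.100.7 fails twice on the same account and then succeeds, which is ordinary user behaviour. Distributed stuffing that rotates through many source addresses will not trip a per-IP rule, so in practice this runs beside a per-account rule and the rate limiting described later on this page.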
How to Prevent Broken Authentication
1. Enforce Strong Password Requirements
Require a minimum length of 12 characters. Check passwords against a list of known-compromised passwords at registration and allow passphrases.
2. Implement Multi-Factor Authentication (MFA)
Even if a password is stolen, MFA requires a second proof — a code from an authenticator app or SMS. Stolen credentials alone no longer grant access.
Without MFA: Stolen password --> Full account access
With MFA: Stolen password + missing phone code --> Access denied
3. Add Rate Limiting and Account Lockout
Lock an account after 5–10 failed login attempts. Add CAPTCHA after repeated failures. This stops automated brute-force and credential stuffing attacks.
4. Use Secure Session Management
Generate session tokens with a cryptographically secure random number generator. Store tokens in cookies with HttpOnly and Secure flags. Never put tokens in URLs.
5. Invalidate Sessions Properly
Destroy session tokens on logout. Expire idle sessions after a reasonable time (15–30 minutes for sensitive applications). Issue a new session token after login.
6. Secure the Password Reset Flow
Send a time-limited, single-use reset link to the registered email. Do not use security questions. Do not reveal whether an email exists in the system.
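Steps 1, 3, 4, 5 and 6 above, together with the earlier points about predictable tokens and sessions that never expire, fit into one small authentication service. The code below is an added example written for this page, not code from OWASP or any framework. It is an in-memory model: the breach list is a constructed five-entry set standing in for a real compromised-password corpus, the 15-minute lockout and 15-minute reset-link lifetime are assumptions (the page gives 5-10 failed attempts and 15-30 minute idle expiry, which are used as written), and the reset token is returned to the caller instead of being emailed so the flow can be exercised. MFA (step 2) is not modelled.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, deliberately tiny breach list; a real service checks a full compromised-password corpus.
BREACHED_PASSWORDS = {"123456", "password", "letmein", "admin123", "SunnyDay99"}
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5          # page: lock after 5-10 failures
LOCKOUT_SECONDS = 15 * 60        # assumption: timed unlock rather than a permanent lock
SESSION_IDLE_SECONDS = 30 * 60   # page: 15-30 minutes for sensitive applications
RESET_TOKEN_SECONDS = 15 * 60    # assumption: lifetime of a reset link
PBKDF2_ROUNDS = 100_000

def password_policy_errors(password):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append("too short")
    if password in BREACHED_PASSWORDS:
        errors.append("known compromised")
    return errors

def hash_password(password, salt=None):
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be exercised in a test
        self.users = {}             # username -> (salt, pbkdf2 digest)
        self.failures = {}          # username -> (failed_count, locked_until)
        self.sessions = {}          # session token -> (username, last_seen)
        self.reset_tokens = {}      # sha256(reset token) -> (username, expires_at)

    def register(self, username, password):
        errors = password_policy_errors(password)
        if not errors:
            self.users[username] = hash_password(password)
        return errors

    def _verify(self, username, password):
        record = self.users.get(username)
        if record is None:
            hash_password(password)   # same cost for unknown users: no username oracle via timing
            return False
        salt, digest = record
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def login(self, username, password):
        """Return a fresh random session token, or None on a wrong password or an active lockout."""
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0))
        if now < locked_until:
            return None
        if not self._verify(username, password):
            count += 1
            if count >= MAX_FAILED_ATTEMPTS:
                locked_until = now + LOCKOUT_SECONDS
            self.failures[username] = (count, locked_until)
            return None
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)   # CSPRNG output, never a counter or a timestamp
        self.sessions[token] = (username, now)
        return token

    def user_for_session(self, token):
        entry = self.sessions.pop(token, None)    # removed; re-inserted only if still valid
        if entry is None:
            return None
        username, last_seen = entry
        now = self.clock()
        if now - last_seen > SESSION_IDLE_SECONDS:
            return None                           # idle too long: stays destroyed
        self.sessions[token] = (username, now)
        return username

    def logout(self, token):
        self.sessions.pop(token, None)   # destroy server-side; clearing the cookie alone is not enough

    def request_reset(self, username):
        """Behave identically whether or not the account exists, so nothing leaks about registered emails."""
        token = secrets.token_urlsafe(32)
        if username in self.users:
            key = hashlib.sha256(token.encode()).hexdigest()
            self.reset_tokens[key] = (username, self.clock() + RESET_TOKEN_SECONDS)
        return token   # would be sent to the registered email; returned here so the flow can be tested

    def complete_reset(self, token, new_password):
        if password_policy_errors(new_password):
            return False                           # token not consumed: the user may retry
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # popped on first use: single-use
        if entry is None:
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.users[username] = hash_password(new_password)
        self.sessions = {t: s for t, s in self.sessions.items() if s[0] != username}   # kill old sessions
        return True
```

Two design points are worth noting. The lockout is timed rather than permanent, because a permanent lock turns the login form into a tool for locking other people out of their accounts; the page's CAPTCHA suggestion and per-source rate limiting belong in front of this check. The reset token is stored only as a hash, so a leaked copy of the token store does not let anyone complete a reset, and it is removed on first use rather than marked used.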
Quick Prevention Checklist
[✓] Enforce strong passwords and check against breach lists
[✓] Enable MFA for all users, especially admins
[✓] Rate-limit login attempts
[✓] Use cryptographically random session tokens
[✓] Set session expiry and invalidate on logout
[✓] Use time-limited, single-use password reset links
Key Takeaway
Authentication failures let attackers in without a valid password. MFA, rate limiting, and proper session management are the most effective countermeasures. Implement all three — relying on passwords alone is not sufficient security.
