100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Security

Broken Authentication Risks

Understand how authentication mechanisms fail in practice — from credential stuffing to weak session handling — and how OWASP frames these risks.

Auth & SessionIntermediate9 min readJul 10, 2026
Analogies

What Is Broken Authentication?

Broken authentication refers to a class of vulnerabilities where the mechanisms that verify a user's identity — login forms, password reset flows, session tokens — can be bypassed or subverted. OWASP has historically listed this among its Top 10 risks (as 'Identification and Authentication Failures' in the 2021 revision), because a single flaw here can unravel every other control in an application, since most authorization checks assume the user has already been correctly identified.

🏏

Cricket analogy: It's like a stadium letting anyone through the players' gate without checking accreditation badges — once inside, MS Dhoni's dressing room is just as reachable as the stands, because the first checkpoint failed.

Common Attack Patterns

Credential stuffing is the most prevalent real-world attack: attackers take breached username/password pairs from one site (often sourced from dumps on criminal forums) and replay them against another, exploiting the fact that most users reuse passwords. Because the requests look like normal logins, rate limiting and CAPTCHA are the primary defenses — without them, automated tools like Sentry MBA or OpenBullet can test thousands of credential pairs per minute against a login endpoint.

🏏

Cricket analogy: It's like a scalper trying the same stolen ticket barcode at every gate of Eden Gardens during an IPL final, hoping one turnstile scanner hasn't synced with the central database yet.

Beyond credential stuffing, weak authentication implementations often fail on brute-force protection, allowing unlimited login attempts against a single account; on predictable or missing account lockout, which itself can become a denial-of-service vector if misused; and on insecure 'remember me' or password-reset tokens that are guessable, non-expiring, or leaked via the Referer header. OWASP's ASVS (Application Security Verification Standard) V2 catalogs these controls in detail, including requirements like enforcing a minimum entropy on passwords and invalidating reset tokens after a single use.

🏏

Cricket analogy: It's like a bowler being allowed unlimited no-ball reviews with no umpire ever calling time — without a cap, the batting side (attacker) can keep testing forever until something works.

javascript
// Express.js: basic rate limiting + lockout to mitigate credential stuffing
const rateLimit = require('express-rate-limit');

const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5,                   // 5 attempts per IP per window
  standardHeaders: true,
  legacyHeaders: false,
  message: 'Too many login attempts, please try again later.'
});

app.post('/login', loginLimiter, async (req, res) => {
  const { email, password } = req.body;
  const user = await User.findOne({ email });

  if (!user || user.lockedUntil > Date.now()) {
    return res.status(401).json({ error: 'Invalid credentials' });
  }

  const valid = await bcrypt.compare(password, user.passwordHash);
  if (!valid) {
    user.failedAttempts += 1;
    if (user.failedAttempts >= 5) {
      user.lockedUntil = Date.now() + 15 * 60 * 1000;
    }
    await user.save();
    return res.status(401).json({ error: 'Invalid credentials' });
  }

  user.failedAttempts = 0;
  await user.save();
  // issue session/JWT here
  res.json({ token: issueToken(user) });
});

Never reveal whether the username or the password was wrong in error messages (avoid 'Invalid password' vs 'User not found'). This user-enumeration leak lets attackers build a valid-account list before ever attempting a credential-stuffing run.

Defense-in-Depth Controls

Effective mitigation layers multiple controls rather than relying on one: multi-factor authentication (covered separately) prevents stolen credentials alone from granting access; device fingerprinting and IP reputation scoring flag anomalous logins for step-up verification; and passwordless or FIDO2/WebAuthn-based flows remove the reusable-secret problem entirely by binding authentication to a hardware-backed key pair. OWASP's Credential Stuffing Prevention Cheat Sheet also recommends checking submitted passwords against known-breach corpora such as the Have I Been Pwned Pwned Passwords API before accepting them at signup.

🏏

Cricket analogy: It's like a franchise using DRS, on-field umpires, and a match referee together rather than trusting a single umpire's call — layered checks catch what one alone would miss.

OWASP's ASVS Level 2 requires that authentication failure responses take a similar amount of time regardless of whether the username exists, to prevent timing-based user enumeration — a subtle but real broken-authentication vector.

  • Broken authentication covers any flaw that lets an attacker impersonate a legitimate user, including weak login, session, and reset flows.
  • Credential stuffing exploits password reuse across sites using breached credential lists, not brute-force guessing.
  • Missing rate limiting and account lockout let automated tools test thousands of credential pairs quickly.
  • Error messages that distinguish 'wrong password' from 'unknown user' enable user enumeration attacks.
  • Insecure password-reset tokens (predictable, non-expiring, or leaked via Referer headers) are a common bypass path.
  • Defense-in-depth — MFA, device fingerprinting, breach-password checks, and WebAuthn — reduces reliance on passwords alone.
  • OWASP ASVS V2 and the Credential Stuffing Prevention Cheat Sheet are the primary reference standards for these controls.

Practice what you learned

Was this page helpful?

Topics covered

#Security#WebSecurityOWASPStudyNotes#CyberSecurity#BrokenAuthenticationRisks#Broken#Authentication#Risks#Common#StudyNotes#SkillVeris