Vol. 1 · Ed. 2026
CyberGlossary
Entry № 144

Broken Authentication

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Broken Authentication?

Broken Authentication: A category of vulnerabilities where flaws in authentication or session management let attackers impersonate legitimate users or take over accounts.


Broken authentication covers any failure that lets an attacker bypass or subvert how an application verifies identity or maintains a verified session afterwards. Examples include accepting weak passwords, missing brute-force protection, predictable or non-expiring session tokens, session IDs that are not rotated after login, insecure password reset flows, lack of MFA, JWT signature flaws (such as accepting an unsigned token or a token whose signature was never verified), and storage of credentials in plaintext. It is repeatedly featured in the OWASP Top 10 (A2:2017 Broken Authentication, renamed A07:2021 Identification and Authentication Failures) and is the foundation for credential stuffing and account takeover. Defences include enforcing strong, unique passwords, MFA, rate limiting and lockout, secure password storage (a salted, deliberately slow hash such as Argon2id or bcrypt), short-lived session tokens that are generated from a cryptographically secure random source and rotated on login, and audited reset and recovery flows.

Examples

  1. An app that issues session IDs in the URL and never rotates them after login. The ID leaks through browser history, proxy logs and Referer headers, and because it is not rotated an attacker who plants an ID before the victim signs in (session fixation) ends up holding an authenticated session.

  2. Password reset that uses a 4-digit numeric token sent over email. There are only 10,000 possible values, so without strict attempt limiting and a short expiry the token can be guessed outright.
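The controls listed in the definition and the two failures in the examples above (an unrotated session ID and a 4-digit reset token), shown together in one runnable Python example. This is an added illustration, not code from the glossary or from any product it describes: the AuthStore class, its constants and the in-memory user, session and token tables are all constructed here, and the stdlib scrypt KDF stands in for the Argon2/bcrypt libraries the entry recommends so that the example runs offline.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not the glossary's own code): an in-memory authentication
# store applying the controls the entry lists. Users, sessions, tokens and
# the clock are all constructed here so the example runs offline.

SESSION_TTL = 15 * 60      # short-lived sessions: 15 minutes
RESET_TTL = 10 * 60        # password-reset tokens live 10 minutes
MAX_FAILURES = 5           # failed logins before a temporary lockout
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LEN = 12


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is the memory-hard KDF available in the stdlib; in production use
    # Argon2id or bcrypt from a maintained library, as the entry recommends.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


class AuthStore:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be exercised
        self.users = {}               # username -> salt, hash, failures, locked_until
        self.sessions = {}            # session id -> user, expires
        self.reset_tokens = {}        # sha256(token) -> user, expires

    def register(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("password too short")
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                "failures": 0, "locked_until": 0.0}

    def _issue_session(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 random bits: not predictable
        self.sessions[sid] = {"user": username, "expires": self.clock() + SESSION_TTL}
        return sid

    def login(self, username: str, password: str, presented_session=None):
        """Return a fresh session id on success, None on failure or lockout."""
        user = self.users.get(username)
        now = self.clock()
        if user is None or now < user["locked_until"]:
            return None                   # unknown user or still locked out
        candidate = hash_password(password, user["salt"])
        if not hmac.compare_digest(candidate, user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["locked_until"] = now + LOCKOUT_SECONDS
            return None
        user["failures"] = 0
        # Rotate on login: whatever id the client held before authenticating is
        # discarded, so a pre-planted (fixated) id never becomes authenticated.
        self.sessions.pop(presented_session, None)
        return self._issue_session(username)

    def session_user(self, sid: str):
        """Resolve a session id to a username, dropping expired sessions."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            del self.sessions[sid]
            return None
        return entry["user"]

    def create_reset_token(self, username: str) -> str:
        """Return the token to send out of band; only its hash is stored."""
        token = secrets.token_urlsafe(32)    # ~1e77 values, not 10,000 like a 4-digit code
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[digest] = {"user": username, "expires": self.clock() + RESET_TTL}
        return token

    def consume_reset_token(self, token: str, new_password: str) -> bool:
        """Single use: the token is removed whether or not it was still valid."""
        if len(new_password) < MIN_PASSWORD_LEN:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)
        if entry is None or self.clock() >= entry["expires"]:
            return False
        user = self.users[entry["user"]]
        user["salt"] = secrets.token_bytes(16)
        user["hash"] = hash_password(new_password, user["salt"])
        user["failures"], user["locked_until"] = 0, 0.0
        # A credential change invalidates every existing session for the account.
        for sid in [s for s, e in self.sessions.items() if e["user"] == entry["user"]]:
            del self.sessions[sid]
        return True
```

The two behaviours worth checking against the examples above are that a session ID a client presents before authenticating is never the one it holds afterwards, and that a reset token is long, random, hashed at rest, time-limited and consumed on first use. Lockout is deliberately per account here; a production deployment would also rate limit per source address to slow credential stuffing across many accounts.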

Frequently asked questions

What is Broken Authentication?

A category of vulnerabilities where flaws in authentication or session management let attackers impersonate legitimate users or take over accounts. It belongs to the Vulnerabilities category of cybersecurity.

What does Broken Authentication mean?

A category of vulnerabilities where flaws in authentication or session management let attackers impersonate legitimate users or take over accounts.

How do you defend against Broken Authentication?

Defences for Broken Authentication combine technical controls (enforcing strong, unique passwords; MFA; rate limiting and lockout; salted, slow password hashing with Argon2 or bcrypt; short-lived signed session tokens that are rotated on login) with operational practices such as auditing password reset and account recovery flows, as detailed in the full definition above.

What are other names for Broken Authentication?

Common alternative names include: Identification and authentication failures, Authentication bypass.
