Broken Authentication
detect, understand, remediate
Broken authentication encompasses weaknesses in login mechanisms (weak brute-force protection, predictable tokens, insecure password recovery) that allow attackers to compromise user accounts.
No credit card required. Free plan available forever.
What is broken authentication?
Broken authentication refers to weaknesses in login mechanisms, session management, and password recovery flows that allow attackers to compromise user accounts. When authentication controls are improperly implemented, attackers can exploit them through brute-force attacks, credential stuffing, session hijacking, and token manipulation to gain unauthorised access.
Authentication is the front door to every application. A single flaw (such as the absence of account lockout, predictable session tokens, or an insecure "forgot password" flow) can give an attacker full control of any user account, including administrator accounts. The consequences range from data theft and privilege escalation to complete application takeover.
Despite widespread awareness, broken authentication remains one of the most exploited vulnerability classes. Credential stuffing attacks leverage billions of breached username/password pairs, and automated tools make it trivial to test thousands of combinations per minute against applications that lack adequate protections.
How it works
Identify auth endpoint
Attacker locates the login page, password reset flow, session management endpoints, or API authentication routes.
Test for weak controls
Probes for missing account lockout, predictable session tokens, weak password requirements, or insecure cookie flags.
Exploit weakness
Launches brute-force or credential stuffing attacks, steals session tokens via XSS or network interception, or abuses password reset logic.
Gain account access
Successfully authenticates as the victim, accessing their data, permissions, and potentially escalating to administrative privileges.
Common causes
No rate limiting on login
Login endpoints that accept unlimited attempts allow attackers to brute-force credentials or run large-scale credential stuffing campaigns.
Weak session tokens
Session identifiers that are short, predictable, or generated with insufficient randomness can be guessed or forged by attackers.
Insecure password recovery
Password reset flows that use guessable tokens, send passwords in plaintext, or lack proper identity verification before allowing resets.
Missing MFA and session invalidation
Absence of multi-factor authentication leaves accounts vulnerable to credential theft, while sessions not invalidated on logout or password change allow persistent access.
How to detect it
Automated detection
- SecPortal's authenticated scanner evaluates session management, JWT implementation, and cookie security flags (Secure, HttpOnly, SameSite)
- Checks for brute-force protections including account lockout policies and rate limiting on authentication endpoints
- Detects weak session token entropy, insecure transmission of credentials, and missing multi-factor authentication enforcement
Manual testing
- Test brute-force protection by submitting repeated failed logins for one account and confirming that responses are throttled (progressive delay, temporary lock, or a CAPTCHA challenge); then repeat while rotating usernames and source addresses, since credential stuffing spreads attempts across many accounts. Note whether a hard lock on a known username lets an attacker deny service to that user.
- Analyse session token randomness by collecting a large sample of tokens (log in repeatedly, or script it) and checking for fixed prefixes, counters, timestamps, or positions that barely change; a token should carry at least 128 bits of unpredictable data.
- Verify the session lifecycle: confirm the server rejects a captured token after logout and after a password change, and that both idle and absolute timeouts are enforced server-side rather than only by cookie expiry.
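As an added example (not from the original page and not part of SecPortal's scanner), the following Python script applies the token-randomness check above to a sample of tokens: it measures the mean Shannon entropy per character position and looks for counter-like sequences. The two samples, a hex counter and secrets.token_hex output, are constructed inline, and the 3.0 bits-per-position threshold is an assumption.

```python
# Added example, not the page's own code: assess a sample of session tokens for
# low entropy or sequential structure. Thresholds and samples are assumptions.
import math
import secrets
from collections import Counter


def positional_entropy(tokens):
    """Mean Shannon entropy (bits) of the character at each position across the sample.
    Random hex gives close to 4 bits per position; fixed prefixes, counters and
    timestamps leave most positions constant and pull the mean down."""
    length = min(len(t) for t in tokens)
    n = len(tokens)
    total = 0.0
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total / length


def looks_sequential(tokens, max_step=2**32):
    """True when the tokens decode as hex integers and every consecutive pair lies
    within max_step of each other, i.e. the token is effectively a counter."""
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    return all(0 < abs(b - a) <= max_step for a, b in zip(values, values[1:]))


def assess_tokens(tokens, min_bits_per_position=3.0):
    """Summarise the sample; 'weak' is True when either check fails."""
    entropy = positional_entropy(tokens)
    sequential = looks_sequential(tokens)
    return {
        "positional_entropy": round(entropy, 2),
        "sequential": sequential,
        "weak": entropy < min_bits_per_position or sequential,
    }


# Constructed samples: a counter dressed up as a 128-bit hex session id (weak)
# next to tokens drawn from the OS CSPRNG (what the fix section recommends).
WEAK_TOKENS = [f"{0x5F3A1C00 + i:032x}" for i in range(200)]
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(200)]
```

To use it against a real application, replace the constructed samples with tokens captured from repeated logins; with only a few dozen tokens the entropy estimate is noisy, so collect at least a couple of hundred before drawing conclusions.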
How to fix it
Implement rate limiting and account lockout
Rate-limit login attempts per account and per source address, and apply progressive delays (for example, doubling the wait after each failure past a threshold) rather than an indefinite lock, since a hard lock on a known username hands an attacker a denial-of-service tool. Add a CAPTCHA or similar challenge once the threshold is crossed, and reject passwords that appear in breach corpora to blunt credential stuffing.
Use strong random session identifiers
Generate session tokens with a cryptographically secure random number generator (the operating system CSPRNG), with at least 128 bits of entropy, and never derive them from user IDs, timestamps, or other predictable values. Keep session state server-side, keyed by the token, and set the Secure, HttpOnly and SameSite flags on the cookie that carries it.
Enforce multi-factor authentication
Require MFA for all users, especially privileged accounts. Support TOTP, hardware tokens, or push-based verification as a second factor, preferring phishing-resistant methods (FIDO2/WebAuthn security keys) over SMS codes and bare push approvals, which are vulnerable to real-time phishing and approval fatigue.
Secure password recovery flows
Use time-limited, single-use tokens for password resets, generated from a CSPRNG and stored only as a hash so that a database leak cannot be turned into account takeover. Respond identically whether or not the submitted account exists, require the user to prove control of a verified channel before the password changes, never send passwords in plaintext via email, and revoke all existing sessions once the reset completes.
Invalidate sessions properly
Destroy server-side session data on logout and password change. Implement idle and absolute session timeouts to limit exposure.
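The remediation steps above as one piece of working code. This is an added example written for this page, not SecPortal's or any framework's implementation: an in-memory AuthService with salted PBKDF2 password hashing, per-account progressive delays, 256-bit CSPRNG session identifiers with idle and absolute timeouts enforced on the server, and hashed, single-use, time-limited reset tokens that also revoke the account's sessions. MFA enrolment is the one fix not shown, since it needs a second channel. The class and method names, the limits, and the injectable now parameter (a clock passed in so behaviour is reproducible) are assumptions.

```python
# Added example, not the page's own code: an in-memory authentication service
# applying the fixes above. Limits, names and the "now" clock are assumptions.
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5             # failures before progressive delays begin
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # seconds after creation, regardless of activity
RESET_TTL = 15 * 60          # lifetime of a password-reset token
PBKDF2_ROUNDS = 100_000      # kept low for the demo; OWASP suggests 600,000 for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthService:
    def __init__(self):
        self.users = {}     # username -> (salt, digest)
        self.failures = {}  # username -> (failure count, blocked-until timestamp)
        self.sessions = {}  # session id -> {"user", "created", "last_seen"}
        self.resets = {}    # sha256(reset token) -> (username, expiry timestamp)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, now=None):
        """Returns (session_id, status); status is "ok", "invalid_credentials" or "retry_later"."""
        now = time.time() if now is None else now
        count, blocked_until = self.failures.get(username, (0, 0.0))
        if now < blocked_until:
            return None, "retry_later"   # progressive delay still in force
        record = self.users.get(username)
        salt, digest = record if record else (b"\0" * 16, b"\0" * 32)
        computed = hash_password(password, salt)[1]   # always hash: no timing oracle on usernames
        if record is None or not hmac.compare_digest(computed, digest):
            count += 1
            delay = min(2 ** (count - MAX_FAILURES), 3600) if count >= MAX_FAILURES else 0
            self.failures[username] = (count, now + delay)
            return None, "invalid_credentials"
        self.failures.pop(username, None)
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user": username, "created": now, "last_seen": now}
        return sid, "ok"

    def resolve(self, sid, now=None):
        """Username for a live session (refreshing its idle timer), else None."""
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)   # destroy server-side state, not just the cookie

    def _revoke_user_sessions(self, username):
        for sid in [k for k, v in self.sessions.items() if v["user"] == username]:
            del self.sessions[sid]

    def request_reset(self, username, now=None):
        """Token to deliver out of band, or None for unknown users. The HTTP layer must
        answer identically in both cases so the endpoint does not enumerate accounts."""
        now = time.time() if now is None else now
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()   # store only the hash
        self.resets[key] = (username, now + RESET_TTL)
        return token

    def reset_password(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.resets.pop(key, None)   # single use: consumed whether valid or expired
        if entry is None or now > entry[1]:
            return False
        username, _ = entry
        self.users[username] = hash_password(new_password)
        self._revoke_user_sessions(username)   # a password change ends every existing session
        self.failures.pop(username, None)
        return True
```

The delay is keyed per account here; a production deployment also needs a per-source and global limiter, since credential stuffing rotates usernames, and should persist the failure and reset state in a shared store so the limits survive restarts and hold across instances.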
Compliance impact
Test authentication security automatically
SecPortal checks session management, JWT handling, cookie flags, and brute-force protections. Start scanning for free.