What Is Broken Authentication?
Broken authentication refers to a class of vulnerabilities where the mechanisms that verify a user's identity — login forms, password reset flows, session tokens — can be bypassed or subverted. OWASP has historically listed this among its Top 10 risks (as 'Identification and Authentication Failures' in the 2021 revision), because a single flaw here can unravel every other control in an application, since most authorization checks assume the user has already been correctly identified.
Cricket analogy: It's like a stadium letting anyone through the players' gate without checking accreditation badges — once inside, MS Dhoni's dressing room is just as reachable as the stands, because the first checkpoint failed.
Common Attack Patterns
Credential stuffing is the most prevalent real-world attack: attackers take breached username/password pairs from one site (often sourced from dumps on criminal forums) and replay them against another, exploiting the fact that most users reuse passwords. Because the requests look like normal logins, rate limiting and CAPTCHA are the primary defenses — without them, automated tools like Sentry MBA or OpenBullet can test thousands of credential pairs per minute against a login endpoint.
Cricket analogy: It's like a scalper trying the same stolen ticket barcode at every gate of Eden Gardens during an IPL final, hoping one turnstile scanner hasn't synced with the central database yet.
Beyond credential stuffing, weak authentication implementations often fail on brute-force protection, allowing unlimited login attempts against a single account; on predictable or missing account lockout, which itself can become a denial-of-service vector if misused; and on insecure 'remember me' or password-reset tokens that are guessable, non-expiring, or leaked via the Referer header. OWASP's ASVS (Application Security Verification Standard) V2 catalogs these controls in detail, including requirements like enforcing a minimum entropy on passwords and invalidating reset tokens after a single use.
Cricket analogy: It's like a bowler being allowed unlimited no-ball reviews with no umpire ever calling time — without a cap, the batting side (attacker) can keep testing forever until something works.
// Express.js: basic rate limiting + lockout to mitigate credential stuffing
const rateLimit = require('express-rate-limit');
const loginLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5, // 5 attempts per IP per window
standardHeaders: true,
legacyHeaders: false,
message: 'Too many login attempts, please try again later.'
});
app.post('/login', loginLimiter, async (req, res) => {
const { email, password } = req.body;
const user = await User.findOne({ email });
if (!user || user.lockedUntil > Date.now()) {
return res.status(401).json({ error: 'Invalid credentials' });
}
const valid = await bcrypt.compare(password, user.passwordHash);
if (!valid) {
user.failedAttempts += 1;
if (user.failedAttempts >= 5) {
user.lockedUntil = Date.now() + 15 * 60 * 1000;
}
await user.save();
return res.status(401).json({ error: 'Invalid credentials' });
}
user.failedAttempts = 0;
await user.save();
// issue session/JWT here
res.json({ token: issueToken(user) });
});Never reveal whether the username or the password was wrong in error messages (avoid 'Invalid password' vs 'User not found'). This user-enumeration leak lets attackers build a valid-account list before ever attempting a credential-stuffing run.
Defense-in-Depth Controls
Effective mitigation layers multiple controls rather than relying on one: multi-factor authentication (covered separately) prevents stolen credentials alone from granting access; device fingerprinting and IP reputation scoring flag anomalous logins for step-up verification; and passwordless or FIDO2/WebAuthn-based flows remove the reusable-secret problem entirely by binding authentication to a hardware-backed key pair. OWASP's Credential Stuffing Prevention Cheat Sheet also recommends checking submitted passwords against known-breach corpora such as the Have I Been Pwned Pwned Passwords API before accepting them at signup.
Cricket analogy: It's like a franchise using DRS, on-field umpires, and a match referee together rather than trusting a single umpire's call — layered checks catch what one alone would miss.
OWASP's ASVS Level 2 requires that authentication failure responses take a similar amount of time regardless of whether the username exists, to prevent timing-based user enumeration — a subtle but real broken-authentication vector.
- Broken authentication covers any flaw that lets an attacker impersonate a legitimate user, including weak login, session, and reset flows.
- Credential stuffing exploits password reuse across sites using breached credential lists, not brute-force guessing.
- Missing rate limiting and account lockout let automated tools test thousands of credential pairs quickly.
- Error messages that distinguish 'wrong password' from 'unknown user' enable user enumeration attacks.
- Insecure password-reset tokens (predictable, non-expiring, or leaked via Referer headers) are a common bypass path.
- Defense-in-depth — MFA, device fingerprinting, breach-password checks, and WebAuthn — reduces reliance on passwords alone.
- OWASP ASVS V2 and the Credential Stuffing Prevention Cheat Sheet are the primary reference standards for these controls.
Practice what you learned
1. What is the primary mechanism exploited by credential stuffing attacks?
2. Why is it risky for a login form to return 'Invalid password' versus 'User not found'?
3. Which OWASP document specifically catalogs authentication control requirements like password entropy and reset token invalidation?
4. What is a key advantage of WebAuthn/FIDO2 over traditional password authentication?
Was this page helpful?
You May Also Like
Secure Password Storage
Learn why passwords must never be stored in plaintext or reversible form, and how modern hashing algorithms like bcrypt and Argon2 protect credentials at rest.
Session Management Security
Explore how web sessions are created, maintained, and terminated securely, and the common pitfalls — like session fixation and token leakage — that break them.
Multi-Factor Authentication
Understand the categories of authentication factors, how TOTP and WebAuthn work under the hood, and why MFA dramatically reduces account-takeover risk.