What is Broken Authentication?
Broken authentication describes flaws in authentication and session management that allow attackers to compromise passwords, keys, or session tokens — and temporarily or permanently assume other users' identities.
- 1. Definition
- 2. Common Broken Authentication Patterns
- 3. Impact
- 4. Prevention
- 5. Broken Authentication and Autonomous Code Governance
Definition
Broken authentication is a vulnerability class covering flaws in authentication mechanisms and session management that allow attackers to compromise user credentials, session tokens, or authentication keys — and thereby assume users' identities. It appears as "Identification and Authentication Failures" (A07) in the OWASP Top 10 2021.
Authentication is the first line of defense in any application. When it fails, every subsequent access control and authorization check is undermined — an attacker with a compromised session has full access to everything the victim user can access.
Common Broken Authentication Patterns
Weak or default credentials
Applications that allow weak passwords, use default credentials after deployment, or fail to require credential rotation for privileged accounts are vulnerable to brute force, dictionary attacks, and credential stuffing.
Missing brute-force protection
No rate limiting, account lockout, or CAPTCHA on login endpoints allows automated attacks to test thousands or millions of credential combinations.
Credential stuffing
Attackers use lists of known compromised credentials (from breach databases) to authenticate against other services. Users who reuse passwords across sites are compromised when one site is breached.
Insecure session management
- Session tokens that are predictable or insufficiently random
- Sessions that do not expire after logout or inactivity
- Session fixation — continuing to use a session ID that the client set before authentication instead of issuing a fresh one on login
- Session tokens transmitted in URLs (exposed in logs, referrer headers)
Insecure "remember me" and password reset
Weaknesses here include reset tokens sent by email with no expiry, reset tokens that are predictable, and reset flows that do not invalidate existing sessions after the password has been changed.
Missing or bypassable MFA
Multi-factor authentication that is not required for privileged operations, or MFA implementations weakened by race conditions, weak backup codes, or flows that allow the second factor to be bypassed.
Impact
Broken authentication leads to account takeover — the attacker gains complete access to the victim's account, including all data, transactions, and actions available to that user. For privileged accounts, this often means full application compromise.
Prevention
Use a proven authentication framework
Do not implement authentication from scratch. Use established identity providers, authentication libraries, or managed identity services. Auth0, Okta, Cognito, and similar services handle credential security, session management, MFA, and breach detection correctly.
Enforce strong password policies
Require a minimum length of 12 or more characters, impose no maximum length, and check candidate passwords against known-breached password lists (the HaveIBeenPwned API). Do not require frequent mandatory rotations — they produce weak, predictable passwords.
Require MFA for sensitive operations
Multi-factor authentication is the single most effective control against credential-based attacks. Require it for login and step-up authentication for sensitive operations.
Secure session management
Use cryptographically random session tokens of sufficient length. Expire sessions after inactivity and on logout. Invalidate all sessions on password change. Never put session tokens in URLs.
Rate limit authentication endpoints
Apply exponential backoff, account lockout after N failures, and IP-based rate limiting to login, password reset, and MFA endpoints.
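The throttle below is an added example (not code from the page or the product) of how these three measures combine in one decision made before the password is ever checked: a per-IP request budget per window, exponential backoff on a per-account basis, and a hard lockout once the failure count reaches N. The thresholds (N = 5, a 1 s base backoff capped at 15 minutes, 20 attempts per minute per IP) and the class name are assumptions chosen for the example.

```javascript
// Added example: login throttle with per-IP rate limiting, per-account exponential
// backoff and lockout after N failures. All thresholds are illustrative assumptions.
const MAX_FAILURES_BEFORE_LOCK = 5;        // the "N failures" from the text, set to 5 here
const BASE_BACKOFF_MS = 1000;              // 1 s after the first failure, doubling each time
const MAX_BACKOFF_MS = 15 * 60 * 1000;     // backoff and lockout are capped at 15 minutes
const IP_WINDOW_MS = 60 * 1000;
const IP_MAX_ATTEMPTS_PER_WINDOW = 20;

class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock for deterministic tests
    this.accounts = new Map(); // username -> { failures, unlockAt }
    this.ips = new Map();      // ip -> { windowStart, count }
  }

  // Decide whether this attempt may proceed to password verification.
  // Returns { allowed: true } or { allowed: false, reason, retryAfterMs }.
  check(username, ip) {
    const t = this.now();

    // Fixed-window counter per source IP; reset when the window has elapsed.
    const ipState = this.ips.get(ip) || { windowStart: t, count: 0 };
    if (t - ipState.windowStart >= IP_WINDOW_MS) {
      ipState.windowStart = t;
      ipState.count = 0;
    }
    ipState.count++;
    this.ips.set(ip, ipState);
    if (ipState.count > IP_MAX_ATTEMPTS_PER_WINDOW) {
      return { allowed: false, reason: 'ip_rate_limited', retryAfterMs: ipState.windowStart + IP_WINDOW_MS - t };
    }

    // Per-account backoff / lockout, independent of which IP the attempt comes from.
    const acct = this.accounts.get(username);
    if (acct && acct.unlockAt > t) {
      return { allowed: false, reason: 'account_locked', retryAfterMs: acct.unlockAt - t };
    }
    return { allowed: true };
  }

  // Record a failed password check: double the wait each time, lock hard at N failures.
  recordFailure(username) {
    const t = this.now();
    const acct = this.accounts.get(username) || { failures: 0, unlockAt: 0 };
    acct.failures++;
    const backoff = Math.min(BASE_BACKOFF_MS * 2 ** (acct.failures - 1), MAX_BACKOFF_MS);
    acct.unlockAt = t + backoff;
    if (acct.failures >= MAX_FAILURES_BEFORE_LOCK) acct.unlockAt = t + MAX_BACKOFF_MS;
    this.accounts.set(username, acct);
    return acct;
  }

  // A successful login clears the account's failure history.
  recordSuccess(username) {
    this.accounts.delete(username);
  }
}
```

Per-account lockout is itself a denial-of-service lever against legitimate users, which is why the lockout here is time-bounded rather than permanent and why the IP budget is kept separate; the same `check` call should guard password-reset and MFA submission endpoints, not only the password form.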
Broken Authentication and Autonomous Code Governance
Hydra detects broken authentication patterns in application code: weak session token generation (Math.random() instead of cryptographically secure random), missing rate limiting on authentication routes, session tokens in URL parameters, missing session invalidation on logout, and insecure password hashing (MD5, SHA1 without salt). Fixes replace weak patterns with correct implementations — cryptographically secure random generation, bcrypt/argon2 password hashing, proper session invalidation flows.
Frequently Asked Questions
What is the difference between authentication and authorization?
Authentication answers "who are you?" — verifying identity through credentials, tokens, or certificates. Authorization answers "what are you allowed to do?" — checking permissions after identity is established. Broken authentication allows attackers to become authenticated as someone else. Broken access control allows authenticated users to do things they should not be able to.
Is JWT authentication secure?
JWTs are a data format, not a security guarantee. JWT authentication security depends on implementation: using a strong signing algorithm (RS256 or ES256, not HS256 with a weak key, never "none"), validating the signature before trusting claims, validating the exp and iss claims, and protecting the signing key. Weak implementations of JWTs are a common source of broken authentication.
How does credential stuffing work and how do you stop it?
Credential stuffing uses automated tools to test known-breached username/password pairs against a target service. Attackers purchase or download breach databases and run them against other services, exploiting password reuse. Defenses: MFA (most effective), rate limiting, detection of login patterns from credential stuffing bots, and checking submitted passwords against known-breached lists.
Stop flagging. Start fixing.
Hyrax reviews your pull requests, remediates issues autonomously, and closes the ticket.