In simple terms, broken authentication refers to vulnerabilities or weaknesses in an online platform or application that allow hackers to bypass login security and obtain all the privileges of the compromised user. Authentication is what ensures that only a verified user can access the information and privileges of a web application, and it is said to be ‘broken’ when an attacker can bypass the process and impersonate the user on the application. These weaknesses can broadly be classified into two categories: poor session management and poor credential management.

Session management weaknesses can only be understood by first understanding how online authentication and browsing usually work. Whether on a social media website or an online betting portal, each interaction the user makes with the site is recorded and becomes part of a web session that the web application can track. The application also issues the user a session ID for each visit, which allows the application to associate requests with that user and respond to them.

The OWASP broken authentication recommendations state clearly that a session ID issued to a user who has logged in with valid credentials is temporarily equivalent to, and as strong as, the user’s login credentials, and can be used just as easily to impersonate the user on the application. Such session IDs must therefore be carefully managed, as any weakness or loophole is likely to be exploited by hackers.

Credentials of valid users may also be stolen or hijacked to gain access to the application, so credential management is equally important to cybersecurity. A web application must ensure that very common or easy passwords such as ‘password1’ or ‘pass123’ are not allowed. Allowing trivial passwords made of predictable words with no special characters is a weakness in credential management, and if the web application cannot protect users from hackers trying to force their way in with stolen or compromised passwords, that too is a form of broken authentication.

In this article let us look at:

1) Broken Authentication Examples

To help understand what broken authentication is, here are several examples of how hackers exploit such weaknesses to gain access to user information and privileges on a web application.

  1. Session Hijacking: As explained in the introduction, valid session IDs may be stolen or hijacked to impersonate users. If a user forgets to log off from a public computer, anyone can continue that session using the session ID already created for the original user. If the application keeps the same session ID before and after authentication, it is open to session fixation attacks, which are another type of broken authentication attack.
  2. Session ID in the URL: Another example of broken authentication is when the session ID appears in the website URL; anyone who can observe that URL on a wired or wireless network can use it to impersonate the user.
  3. Credential Stuffing: Hackers sometimes obtain a database of users’ unencrypted passwords and then try those credentials against the application to determine which are still valid and functional. This is called credential stuffing, and a secure web application must have controls that guard against such attempts.
  4. Password Spraying: Password spraying is the use of the most common weak passwords known to hackers in an attempt to gain access to accounts. It usually succeeds when users have extremely common passwords such as ‘password’ or ‘123456’. Minimum password requirements were introduced mainly to defeat such attacks.
  5. Phishing Attacks: Hackers may send users links to a website that resembles the original web application in an attempt to get users to divulge their login credentials. With proper diligence and by verifying which web application you are on, phishing attacks can be prevented.
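The session hijacking and session fixation weaknesses above, together with the controls that close them (a fresh session ID on login, an idle timeout, and server-side invalidation on logout), as an added Python example that is not code from the original article; the in-memory store, the 300-second timeout and the user names are assumptions for illustration:

```python
import secrets
import time

IDLE_TIMEOUT = 300  # seconds of inactivity before a session ends (assumed value)

class SessionStore:
    """Minimal in-memory session store; rotate_on_login=False reproduces the fixation weakness."""

    def __init__(self, rotate_on_login=True, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self.rotate = rotate_on_login
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable clock so the timeout can be exercised
        self.sessions = {}          # session_id -> {"user": str or None, "last_seen": float}

    def new_session(self):
        # Pre-authentication (anonymous) session, as issued on the first visit.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login(self, sid, user):
        if sid not in self.sessions:
            raise KeyError("unknown session")
        if self.rotate:
            # Hardened: drop the pre-login ID and issue a fresh one, so an ID planted or
            # observed before authentication is worthless afterwards.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def current_user(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last_seen"] > self.idle_timeout:
            del self.sessions[sid]   # idle timeout: the session ends and cannot be resumed
            return None
        s["last_seen"] = self.clock()
        return s["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)  # invalidate server-side, not merely clear the cookie

def fixation_check(store):
    """True if the ID issued before login still grants access after login (the weakness)."""
    pre = store.new_session()
    post = store.login(pre, "alice")
    return pre == post or store.current_user(pre) is not None
```

`fixation_check` is the test a reviewer would run against a session layer: with rotation disabled it reports the weakness, with rotation enabled it does not.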

2) How to Prevent Broken Authentication

Several OWASP recommendations on broken authentication can help organizations understand how to prevent it; some of them are as follows.

  • Regulate session length: The web application must end web sessions after a period of inactivity that depends on the user’s requirements. A secure banking portal, for example, must log the user out after a few minutes, because the risk from a hijacked session ID is very high in such circumstances.
  • Improve session management: The web application must issue a new session ID after every successful authentication, and IDs must be invalidated as soon as a session ends to prevent misuse.
  • Keep session IDs out of URLs: Web URLs must be secure and must not include the session ID in any form.
  • Multi-factor Authentication (MFA): The first of the OWASP top 10 broken authentication tips is to implement multi-factor authentication. MFA requires an additional credential beyond the password to verify the user’s identity, for example a One-Time Password (OTP) emailed or texted to the user.
  • Disallow weak passwords: Users must be required to set passwords of reasonable length that contain letters, numbers and special characters, and passwords that do not meet the required complexity and length must be automatically rejected.
  • Breached password protection: Employ a breached password protection mechanism that locks the accounts of users whose passwords are known to have been compromised until they verify their identity and change the password. This also ensures that the organization is notified when passwords are stolen.
  • Strict credential recovery process: Credential recovery must not be too easy and must involve multiple verification checks so that recovery options cannot be misused by attackers.
  • Secure password storage: Passwords must be encrypted, hashed, and salted, which slows down brute-force attacks and other attempts to exploit a stolen password database.
  • Employ brute-force protection: A simple way to prevent brute-force and credential stuffing attacks is to set a maximum number of login attempts from a specific IP address. Any user exceeding that limit must be blocked from making further attempts.
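The credential-management controls in the list above (rejecting weak and breached passwords, salted hashing with a slow function, and a per-IP attempt limit) as an added Python example, not the article’s own code; the breached-password deny list is a constructed sample, and the 12-character minimum, iteration count and attempt limit are assumed values:

```python
import hashlib
import hmac
import os
import re

# Constructed sample deny list; a real deployment would check against a breach corpus.
BREACHED_PASSWORDS = {"password", "123456", "password1", "pass123", "qwerty"}
PBKDF2_ITERATIONS = 100_000   # assumed work factor

def password_problems(pw):
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)
            and re.search(r"[^A-Za-z0-9]", pw)):
        problems.append("needs letters, digits and a special character")
    if pw.lower() in BREACHED_PASSWORDS:
        problems.append("appears in the breached-password list")
    return problems

def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(pw, stored):
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison

class LoginGuard:
    """Counts failed logins per source IP and refuses further attempts past the limit."""
    def __init__(self, users, limit=5):   # limit is an assumed value
        self.users = users      # username -> stored password hash
        self.limit = limit
        self.failures = {}      # source ip -> consecutive failed attempts

    def attempt(self, ip, username, pw):
        if self.failures.get(ip, 0) >= self.limit:
            return "locked"     # refuse before checking credentials at all
        stored = self.users.get(username)
        if stored is not None and verify_password(pw, stored):
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        return "denied"
```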

In addition to the above steps, users must be adequately trained and educated on the risks of broken authentication through phishing attacks or weak passwords. Organizations must employ strong cybersecurity measures in line with constantly evolving global standards and must avoid broken authentication by all means possible.


In today’s day and age, cybersecurity is a foremost concern, and protection against broken authentication attacks forms a large part of it.
