
Authentication Failures OWASP FAQ & Answers

7 expert Authentication Failures OWASP answers researched from official documentation. Every answer cites authoritative sources you can verify.


A

Previously named 'Broken Authentication', this category was renamed to include identity failures. It covers weaknesses that allow attackers to compromise passwords, keys, or session tokens, or to exploit implementation flaws in order to assume other users' identities. It is category A07:2021 of the OWASP Top 10. Common vulnerabilities: credential stuffing, brute force, default or weak credentials, weak password recovery, plaintext or weakly hashed password storage, missing or weak MFA, and session-handling flaws. Related compliance requirements: NIST 800-63B, PCI-DSS 8.2, SOC 2 CC6.1.

99% confidence
A

Credential stuffing: automated attacks that replay breached username/password lists (Have I Been Pwned holds 12+ billion credentials). Because users reuse passwords, credentials leaked from one site can be used to log in to accounts on other sites. Prevention: rate limiting (5 attempts per 15 min), CAPTCHA after repeated failures, and breached-password detection (checking a candidate password against the HaveIBeenPwned API to see whether it appears in a known breach). The source breaches are common in production: LinkedIn 2012 (6.5M passwords, unsalted SHA1), Yahoo 2013 (3B accounts, MD5 hashing).

99% confidence
A

Never store passwords in plaintext or with weak hashing: this means passwords kept in the database without hashing, or hashed with fast, broken algorithms (MD5, SHA1). Prevention: Argon2id (19 MiB memory, 2 iterations), scrypt, or bcrypt (work factor 12+); never reversible encryption. Argon2id is the recommended choice (winner of the Password Hashing Competition). Weak example: unsalted MD5 or SHA1 hashing (as in the LinkedIn 2012 breach). Strong example: Argon2id with a per-user salt plus a server-side pepper. Real-world breaches: LinkedIn (unsalted SHA1), Yahoo (MD5 hashing), Dropbox 2012 (68M passwords leaked).

99% confidence
A

Password requirements (2025 NIST 800-63B compliance): minimum 12 characters (NIST 800-63B recommends 8+, but 12+ is recommended for production), checking against breach databases, NO forced periodic rotation (it leads users to choose weaker passwords), allowing paste (so password managers work), and accepting Unicode characters. Strong password policy: minimum 12 characters, complexity (uppercase, lowercase, numbers, symbols), and breach detection via the HaveIBeenPwned API. Avoid: forced periodic rotation and security questions with guessable answers.

99% confidence
A

MFA enforcement: mandatory for admin accounts and recommended for all users; WebAuthn is preferred (phishing-resistant), with TOTP as the fallback. MFA types: TOTP (Google Authenticator, Authy), WebAuthn/FIDO2 (hardware keys), SMS (least secure, but better than none), and backup codes. It prevents account takeover: even if the password is compromised, the attacker cannot access the account without the second factor. Missing or weak MFA is a top vulnerability in A07:2021.

99% confidence
A

Session vulnerabilities: session ID carried in the URL (?sessionid=abc, which leaks into logs and Referer headers), session fixation (the attacker sets the victim's session ID before login), and no session invalidation after logout. Prevention: keep the session ID in an HttpOnly cookie, regenerate the session ID after login or any privilege change, enforce an absolute timeout (24 hours) and an idle timeout (30 min), and store sessions securely on the server side (Redis, database). Session IDs must be cryptographically random (128+ bits), stored server-side, regenerated after authentication, and invalidated server-side on logout. Testing tools: Burp Suite Intruder, OWASP ZAP.

99% confidence
A

Rate limiting prevents brute-force attacks: at most 5 login attempts per 15 minutes per account, at most 20 attempts per hour per IP, with exponential backoff (the delay grows with each failure). Account lockout after repeated failures stops automated password guessing. Monitoring: alert on multiple failed logins, impossible-travel detection (logins from two countries within 1 hour), and new-device notifications. Framework implementations: Passport.js (Node.js), Django authentication (Python), Spring Security (Java), ASP.NET Core Identity.

99% confidence
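As an added example (not part of the original FAQ or of any framework listed above), the per-account and per-IP limits and the exponential backoff described in the answer, written as a small Python sliding-window throttle; the class name, the decision to count only failed attempts, and the injectable clock are choices made here.

```python
import time
from collections import defaultdict, deque

ACCOUNT_LIMIT, ACCOUNT_WINDOW = 5, 15 * 60    # 5 failures per 15 min per account
IP_LIMIT, IP_WINDOW = 20, 60 * 60              # 20 failures per hour per source IP
BASE_DELAY, MAX_DELAY = 1.0, 300.0             # backoff: 1s, 2s, 4s, ... capped at 5 min


class LoginThrottle:
    """Sliding-window counters of failed logins, keyed by account and by IP.

    Only failures are counted, so a user who logs in normally is never
    throttled. `now` is injectable so the behaviour can be tested without
    sleeping (a choice for this example; it defaults to a real clock).
    """

    def __init__(self, now=time.monotonic):
        self.now = now
        self.account_fail = defaultdict(deque)   # account -> failure timestamps
        self.ip_fail = defaultdict(deque)        # ip -> failure timestamps
        self.consecutive = defaultdict(int)      # account -> failures since last success

    def _prune(self, stamps, window):
        """Drop timestamps that have fallen out of the window."""
        cutoff = self.now() - window
        while stamps and stamps[0] <= cutoff:
            stamps.popleft()

    def check(self, account, ip):
        """Call before verifying the password. Returns (allowed, reason, delay)."""
        acct = self.account_fail[account]
        self._prune(acct, ACCOUNT_WINDOW)
        if len(acct) >= ACCOUNT_LIMIT:
            return False, "account locked: 5 failures within 15 minutes", 0.0
        src = self.ip_fail[ip]
        self._prune(src, IP_WINDOW)
        if len(src) >= IP_LIMIT:
            return False, "ip blocked: 20 failures within 1 hour", 0.0
        n = self.consecutive[account]
        delay = min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY) if n else 0.0
        return True, "ok", delay   # caller waits `delay` seconds before checking the password

    def record(self, account, ip, success):
        """Call after the password check with its outcome."""
        if success:
            self.consecutive[account] = 0
            return
        stamp = self.now()
        self.account_fail[account].append(stamp)
        self.ip_fail[ip].append(stamp)
        self.consecutive[account] += 1
```

The backoff delay is tracked per account and survives the 15-minute window expiring, so a guessing campaign that waits out the lockout still pays the accumulated delay until a genuine success resets it.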