Broken Authentication: How to Prevent It, Examples and More


In simple terms, broken authentication refers to weaknesses in an online platform or application that let an attacker bypass the login process and gain all the privileges of the user being impersonated. Authentication is what ensures that only a verified user can reach the information and privileges the application grants that user; it is ‘broken’ when an attacker sidesteps the process and acts as that user. Such weaknesses fall broadly into two categories: poor session management and poor credential management.

Session management weaknesses are easier to understand once you know how web authentication usually works. HTTP itself is stateless, so whether on a social media site or an online betting portal, the application ties a user’s requests together into a session that it can track. On the first visit the application issues the browser a session ID (normally in a cookie), and the browser sends it back with every subsequent request; that ID is what lets the application recognise the user and respond to requests in context.

The OWASP guidance on broken authentication states that a session ID issued to a logged-in user is temporarily equivalent to the user’s login credentials: anyone who obtains it can impersonate the user for as long as the session lasts, without ever knowing the password. Session IDs must therefore be generated, transmitted and stored with the same care as passwords, and any weakness in how they are handled is likely to be exploited.

Credentials of valid users may also be stolen or guessed and then used to access the application, so credential management is just as important. A web application must refuse very common or easily guessed passwords such as ‘password1’ or ‘pass123’; allowing them is a credential management weakness in its own right. If the application cannot protect users whose passwords have been stolen or guessed, that too is a form of broken authentication.

In this article we look at:

1) Broken Authentication Examples

To help answer the question “what is broken authentication?”, several broken authentication attack examples are listed below.

  1. Session Hijacking: As explained above, a valid session ID can be taken over to impersonate the user. If a user forgets to log off from a public computer, the next person at that machine can simply continue the session with the same session ID. A related weakness is session fixation: if the application keeps the same session ID before and after authentication, an attacker who can plant a known ID in the victim’s browser (for example through a crafted link) waits for the victim to log in and then uses that ID as an authenticated session.
  2. Session ID in the URL: Here the session ID appears in the page URL itself. URLs are recorded in browser history, proxy and server logs, and leak through the Referer header when the user follows a link to another site, so anyone who sees the URL, on a wired or wireless network or in a log, can reuse the ID and impersonate the user.
  3. Credential Stuffing: Attackers take username and password pairs leaked from a breach of one site and replay them, usually in automated bulk, against the login forms of other sites, relying on users reusing the same password across services. This is called credential stuffing, and a secure web application must have controls that detect and block such attempts.
  4. Password Spraying: Password spraying is the attempt of a small number of very common passwords, such as ‘password’ or ‘123456’, against a large number of accounts; because each account sees only one or two failures, the attack stays under per-account lockout thresholds. Minimum password requirements and breached-password checks exist largely to defeat such attacks.
  5. Phishing Attacks: Attackers phish by sending users links to a site that mimics the real application in order to get them to enter their login credentials. Phishing is far less effective when users verify the domain they are signing in to and when the application requires a second factor, but it is not easily eliminated.
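Password spraying and brute force leave different shapes in an authentication log: a spray is one source failing against many accounts, while a targeted brute force is one account failing many times, often from many sources. The following is an added example, not code from the original article or from OWASP; the log lines and the line format (`<timestamp> OK|FAIL user=<name> ip=<addr>`) are constructed for the example, and the thresholds are illustrative. It does not attempt to spot credential stuffing, which looks like many accounts each failing once from many IPs and needs a global failure-rate baseline.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not from any real system).
# Format assumed for this example: "<timestamp> <OK|FAIL> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice ip=203.0.113.7
2024-03-01T09:00:02 FAIL user=bob ip=203.0.113.7
2024-03-01T09:00:03 FAIL user=carol ip=203.0.113.7
2024-03-01T09:00:04 FAIL user=dave ip=203.0.113.7
2024-03-01T09:00:05 FAIL user=erin ip=203.0.113.7
2024-03-01T09:00:06 OK user=erin ip=203.0.113.7
2024-03-01T09:01:00 FAIL user=frank ip=198.51.100.2
2024-03-01T09:01:01 FAIL user=frank ip=198.51.100.2
2024-03-01T09:01:02 FAIL user=frank ip=198.51.100.3
2024-03-01T09:01:03 FAIL user=frank ip=198.51.100.4
2024-03-01T09:01:04 FAIL user=frank ip=198.51.100.5
2024-03-01T09:01:05 FAIL user=frank ip=198.51.100.6
2024-03-01T09:02:00 OK user=grace ip=192.0.2.10
2024-03-01T09:02:30 FAIL user=grace ip=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events, spray_users=5, bruteforce_fails=5):
    """Return alerts as (kind, subject, count) tuples.

    spray_users:      distinct accounts one IP must fail against to count as a spray
    bruteforce_fails: failures one account must accumulate to count as brute force
    Both thresholds are illustrative; tune them to the real traffic baseline.
    """
    fails_by_ip = defaultdict(set)     # ip   -> distinct users that failed from it
    fails_by_user = defaultdict(list)  # user -> ips of each failure
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].add(e["user"])
            fails_by_user[e["user"]].append(e["ip"])

    alerts = []
    for ip, users in fails_by_ip.items():
        if len(users) >= spray_users:
            alerts.append(("password_spraying", ip, len(users)))
    for user, ips in fails_by_user.items():
        if len(ips) >= bruteforce_fails:
            # Spread over several IPs means a single per-IP limit would not stop it
            kind = "distributed_bruteforce" if len(set(ips)) > 1 else "bruteforce"
            alerts.append((kind, user, len(ips)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Note that erin’s eventual success does not clear the spray alert: the source still failed against five distinct accounts, which is the signal, and a success after a spray is exactly the case worth a closer look.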

2) How to Prevent Broken Authentication

The OWASP recommendations on broken authentication include the following measures that help organisations prevent it.

  1. Regulate session length: The web application must end sessions after a period of inactivity suited to the sensitivity of the application. A banking portal, for example, should log the user out automatically after a few idle minutes, which limits the window in which a hijacked session ID remains useful.
  2. Improve session management: The web application must issue a new session ID after every successful authentication, and must invalidate a session ID on the server as soon as the session ends (logout or timeout) so that it cannot be reused. Session IDs must be carried in cookies with the Secure and HttpOnly attributes, and web URLs must never include the session ID in any form.
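The session hijacking and fixation examples above and the two session management recommendations here describe one mechanism, so the following added example (written for this article, not code from the original page or from OWASP) implements it in Python: an in-memory session store that issues random IDs, enforces an idle timeout and an absolute lifetime, replaces the pre-login ID on successful authentication, invalidates on logout, and sends the ID in a cookie with protective attributes. The store class, the timeout values and the `fixation_is_blocked` scenario are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumed value)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity (assumed value)


@dataclass
class Session:
    user: Optional[str]   # None until the user authenticates
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by an unguessable session ID."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG; never derived from user data, counters or time
        return secrets.token_urlsafe(32)

    def create(self, now=None):
        """Anonymous (pre-login) session, e.g. for a shopping basket."""
        now = time.time() if now is None else now
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def get(self, sid, now=None):
        """Return the live session for sid, or None if unknown or expired.
        Expired entries are dropped, so an old ID can never be revived."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            self._sessions.pop(sid, None)
            return None
        s.last_seen = now
        return s

    def login(self, presented_sid, user, now=None):
        """Bind the user to a brand-new session ID and destroy the one presented
        before login. Issuing a fresh ID here is the defence against fixation:
        an ID an attacker planted earlier is worthless after the victim logs in."""
        now = time.time() if now is None else now
        self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def logout(self, sid):
        # Invalidate server-side; clearing the cookie in the browser alone is not enough
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value for the ID. HttpOnly keeps page scripts away from it,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sending."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def fixation_is_blocked():
    """Constructed scenario: the attacker obtains a pre-login ID and gets the
    victim to use it; returns True if the planted ID is useless after login."""
    store = SessionStore()
    planted = store.create(now=1000.0)
    victim_sid = store.login(planted, "victim", now=1001.0)
    return store.get(planted, now=1002.0) is None and victim_sid != planted


if __name__ == "__main__":
    print("fixation blocked:", fixation_is_blocked())
    print(session_cookie(SessionStore().create()))
```

Because the ID is only ever sent in the cookie header, it never lands in a URL, browser history or a Referer header; the `now` parameters exist only so the timeouts can be exercised deterministically.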

  • Multi-factor Authentication (MFA): The first recommendation under the OWASP Top 10 broken authentication entry is to implement multi-factor authentication, because it defeats a stolen or guessed password on its own. MFA requires an additional credential to verify the user’s identity, for example a one-time password (OTP) sent by email or SMS, or generated by an authenticator app or hardware token; the latter two are preferable, since messaged codes can be intercepted or phished.
  • Disallow weak passwords: Users must be required to set passwords of a minimum length, and passwords that fall short must be rejected automatically. Many policies also require a mix of letters, numbers and special characters; a check against known-breached passwords is a stronger filter than composition rules alone, which users tend to satisfy with predictable patterns.
  • Breached password protection: Check passwords, at registration, at change and at login, against corpora of passwords known to have been exposed in breaches, and lock or force a reset on accounts whose password is found there until the user sets a new one. This catches reused passwords before an attacker can stuff them, and it gives the organisation notice that a credential has been exposed.
  • Strict credential recovery process: Password recovery must be as strong as login itself, with multiple verification checks, so that attackers cannot use the “forgot password” path to take over an account they could not log in to.
  • Secure password storage: Passwords must never be stored in plaintext or with reversible encryption. Store a salted hash produced by a deliberately slow password-hashing function such as bcrypt, scrypt or Argon2, which makes brute-forcing a stolen password database vastly more expensive.
  • Employ brute-force protection: Applications should cap login attempts from a single IP address to blunt brute-force and spraying attacks, and block further attempts once the limit is exceeded. Since credential stuffing is usually spread across many IP addresses, the limit should also apply per account, with progressively longer lockouts, and an unusual global failure rate should raise an alert.
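The “disallow weak passwords”, “breached password protection” and “secure password storage” items above fit together in one registration path, so here is an added example of all three in Python; it is not code from the original article or from OWASP. The breach corpus is a constructed set of SHA-1 digests standing in for a real one (the lookup mimics the prefix-range style of the Pwned Passwords API without any network call), the 12-character minimum and the scrypt parameters are assumed values, and the `scrypt$<salt>$<key>` storage format is invented for the example.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12                                # assumed policy value
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # work factor; raise N as hardware improves

# Constructed stand-in for a breached-password corpus: SHA-1 of each password,
# upper-case hex, the form in which Pwned Passwords publishes them. A real
# deployment would query the range API with the first five hex characters and
# compare the returned suffixes locally, so the full hash never leaves the app.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1", "pass123", "123456", "Password123!", "qwerty")
}


def is_breached(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Emulate the k-anonymity range lookup: everything sharing the prefix comes back
    candidates = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


def check_policy(password):
    """Return the list of reasons a password is rejected (empty means accepted).
    Length and breach status carry the weight; composition rules are not enforced
    here because 'Password123!' would satisfy them and is still breached."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        reasons.append("appears in a known breach corpus")
    return reasons


def hash_password(password, salt=None):
    """Salted scrypt; returns the bytes to store. The plaintext is never stored."""
    salt = os.urandom(16) if salt is None else salt   # fresh random salt per password
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return b"scrypt$" + salt.hex().encode() + b"$" + key.hex().encode()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = stored.split(b"$")
    if algo != b"scrypt":
        return False
    salt = bytes.fromhex(salt_hex.decode())
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(key.hex().encode(), key_hex)


def register(password):
    """Policy check, then hash; returns (stored_hash_or_None, reasons)."""
    reasons = check_policy(password)
    if reasons:
        return None, reasons
    return hash_password(password), []


if __name__ == "__main__":
    for candidate in ("pass123", "Password123!", "correct horse battery staple"):
        stored, why = register(candidate)
        print(candidate, "->", "accepted" if stored else why)
```

Two registrations of the same password produce different stored values because of the per-password salt, which is what stops an attacker who steals the table from cracking every user with one precomputed dictionary.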
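The brute-force protection item above says to limit attempts per IP address and, because stuffing is distributed, per account as well. The following added example (written for this article, not code from the original page or from OWASP) shows a throttle in Python that keeps a sliding window of failures per source IP and per target account and applies a doubling lockout to the account; the window, limits and lockout base are assumed values, and the two `simulate_*` scenarios are constructed to show a spray caught by the IP bucket and a distributed run caught by the account bucket.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Failure counters keyed on source IP and on target account. Either bucket
    tripping blocks the attempt: a spray (one IP, many accounts) hits the IP
    limit, a distributed run against one account hits the account lockout."""

    def __init__(self, window=300, ip_limit=20, account_limit=5, base_lockout=60):
        self.window = window                  # seconds of history that count (assumed)
        self.ip_limit = ip_limit              # failures per IP inside the window
        self.account_limit = account_limit    # failures per account before lockout
        self.base_lockout = base_lockout      # first lockout length; doubles each time
        self._ip_fails = defaultdict(deque)
        self._acct_fails = defaultdict(deque)
        self._lockout_until = {}
        self._lockout_count = defaultdict(int)

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def lockout_until(self, account):
        return self._lockout_until.get(account)

    def check(self, ip, account, now=None):
        """Call before verifying the password. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        until = self._lockout_until.get(account)
        if until is not None and now < until:
            return False, "account locked"
        self._prune(self._ip_fails[ip], now)
        if len(self._ip_fails[ip]) >= self.ip_limit:
            return False, "ip rate limit"
        return True, ""

    def record_failure(self, ip, account, now=None):
        now = time.time() if now is None else now
        self._ip_fails[ip].append(now)
        acct = self._acct_fails[account]
        acct.append(now)
        self._prune(acct, now)
        if len(acct) >= self.account_limit:
            n = self._lockout_count[account]
            self._lockout_count[account] = n + 1
            # 60s, then 120s, then 240s ... so a persistent attacker gets slower and slower
            self._lockout_until[account] = now + self.base_lockout * (2 ** n)
            acct.clear()   # next lockout needs another full set of failures

    def record_success(self, ip, account):
        # A real login resets the account state; the IP history is kept on purpose
        self._acct_fails.pop(account, None)
        self._lockout_until.pop(account, None)
        self._lockout_count.pop(account, None)


def simulate_stuffing():
    """Constructed: six different IPs each try one password against 'alice'.
    Returns the allowed/blocked outcome of each attempt in order."""
    t = LoginThrottle()
    outcomes = []
    for i in range(6):
        ip = f"198.51.100.{i + 1}"
        allowed, _ = t.check(ip, "alice", now=float(i))
        outcomes.append(allowed)
        if allowed:
            t.record_failure(ip, "alice", now=float(i))
    return outcomes


def simulate_spray():
    """Constructed: one IP tries one password against 25 accounts.
    Returns how many attempts the IP limit blocked."""
    t = LoginThrottle()
    blocked = 0
    for i in range(25):
        allowed, _ = t.check("203.0.113.7", f"user{i}", now=float(i))
        if allowed:
            t.record_failure("203.0.113.7", f"user{i}", now=float(i))
        else:
            blocked += 1
    return blocked


if __name__ == "__main__":
    print("stuffing outcomes:", simulate_stuffing())
    print("spray attempts blocked:", simulate_spray())
```

The per-account lockout is what an attacker with a large proxy pool cannot evade, but it is also what lets an attacker deliberately lock out a victim, so production systems usually pair it with a CAPTCHA or a step-up challenge rather than a hard block, and always alert on the global failure rate.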

In addition to the above steps, it is also necessary to ensure that users are adequately trained and educated about the risks of broken authentication through phishing attacks or weak passwords. Organisations must employ strong cybersecurity measures in line with constantly evolving global standards and must prevent broken authentication by all means possible.


In today’s day and age, cybersecurity is a chief concern, and protection against broken authentication attacks forms a large part of it. If you are looking for an extensive course that thoroughly covers cybercrime, Jigsaw Academy’s Master Certificate in Cyber Security (Red Team) is the course for you. This online, live session-based course runs for 600 hours and is powered by HackerU, Israel’s premier cyber security training provider.
