RagTags for ResCommunes

the machines have taken over

OWASP Top 10 A07:2021 – Identification and Authentication Failures

This category was called “Broken Authentication” (A2) in the 2017 list. It now covers all failures in how users are identified (who they claim to be) and authenticated (how that claim is proven).

Common problems:

- Weak or guessable passwords.
- No rate limiting on login attempts (brute-force and credential-stuffing risk).
- Exposed session tokens or poor session handling.
- Insecure password reset mechanisms.
- Not verifying user identity before sensitive actions.

These flaws can lead to unauthorized access, account takeover, and stolen sessions.

Best practices include:

- Enforcing strong password policies and multi-factor authentication (MFA).
- Limiting login attempts and monitoring login patterns.
- Proper session management: short-lived, randomly generated tokens; cookies with the HttpOnly, Secure and SameSite flags; server-side invalidation on logout.
- Avoiding password hints and insecure reset flows.
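The practices above, and the corresponding problems in the earlier list, are easier to see in code. The following is an added example, not code from the original page: a minimal in-memory login service that stores salted, slow password hashes (PBKDF2-HMAC-SHA256), compares them in constant time, counts consecutive failures and locks the account for a cooling-off period, issues random short-lived session tokens, invalidates them on logout, and emits the cookie attributes that keep the token away from scripts and plain-HTTP requests. The class and function names, the tunable values and the in-memory stores are all assumptions made for this example; a real deployment would persist accounts and sessions and would add MFA, which is not shown here.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Tunables (assumed values for this example; set them per deployment).
PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5       # consecutive failures before a temporary lockout
LOCKOUT_SECONDS = 300
SESSION_TTL_SECONDS = 900     # short-lived: 15 minutes of validity
_DUMMY_SALT = secrets.token_bytes(16)  # used to equalise timing for unknown usernames


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, deliberately slow hash. Returns (salt, digest) so the salt is stored alongside."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so a mismatch does not leak where the digests diverge."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed logins
    locked_until: float = 0.0  # clock value until which logins are refused


@dataclass
class Session:
    username: str
    expires_at: float


class AuthService:
    """In-memory stand-in for a real user store and session store (assumed design)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock  # injectable so lockout and expiry can be tested without sleeping
        self.accounts: dict = {}
        self.sessions: dict = {}
        self.events: list = []  # (time, event, username): the raw material for login monitoring

    def _log(self, event: str, username: str) -> None:
        self.events.append((self.clock(), event, username))

    def register(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username: str, password: str) -> Optional[str]:
        """Returns a session token on success, None on any failure (one generic outcome)."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, _DUMMY_SALT)  # same cost as a real check: no username oracle
            self._log("login_failed", username)
            return None
        if acct.locked_until > now:
            self._log("login_locked", username)
            return None
        if not verify_password(password, acct.salt, acct.digest):
            acct.failures += 1
            self._log("login_failed", username)
            if acct.failures >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
                self._log("lockout", username)
            return None
        acct.failures = 0
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable id
        self.sessions[token] = Session(username, now + SESSION_TTL_SECONDS)
        self._log("login_ok", username)
        return token

    def current_user(self, token: str) -> Optional[str]:
        """Resolves a token to a user, discarding it once its lifetime has passed."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if sess.expires_at <= self.clock():
            del self.sessions[token]
            return None
        return sess.username

    def logout(self, token: str) -> None:
        """Server-side invalidation: clearing the cookie in the browser alone is not enough."""
        self.sessions.pop(token, None)

    def set_cookie_header(self, token: str) -> str:
        """Cookie attributes that keep the token off JavaScript and off plain-HTTP requests."""
        return (f"session={token}; Path=/; Max-Age={SESSION_TTL_SECONDS}; "
                "HttpOnly; Secure; SameSite=Strict")
```

Two caveats worth keeping in mind. Per-account lockout is itself a lever an attacker can pull to lock legitimate users out, so in practice it is paired with per-source throttling or exponential backoff rather than used alone. And the `events` list is only useful if something reads it: the "monitoring login patterns" item means alerting on bursts of failures across many accounts (credential stuffing), not just recording them.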

If authentication fails, nothing else matters - the wrong person can become the right user.