TL;DR
Broken authentication is OWASP Top 10 #7. Common issues include weak passwords, credential stuffing, session fixation, and insecure password recovery. These prompts help you audit your auth system and fix the vulnerabilities attackers exploit most.
Authentication Audit
Perform a comprehensive authentication security audit.
Check these areas:
Password Security:
- Passwords hashed with bcrypt/argon2
- Minimum password length (8+ chars)
- Password not in common passwords list
- No password hints stored
Session Security:
- Session IDs are random (128+ bits entropy)
- Session regenerated on login
- Secure cookie flags set
- Session timeout implemented
Login Security:
- Rate limiting on login attempts
- Account lockout after failures
- No user enumeration
- Constant-time comparison
Additional:
- 2FA option available
- Secure password reset flow
- Logout invalidates session server-side
- Auth events are logged
Report findings with severity and fix recommendations.
Password Policy Enforcement
Implement strong password policy enforcement.
Current problem: Allowing weak passwords like "password123"
New requirements:
- Minimum 8 characters
- Not in top 10,000 common passwords list
- Not same as email or username
- No more than 3 repeated characters
- Show password strength meter
Implementation:
- Check on registration AND password change
- Download and use common passwords list
- Client-side feedback (UX) + server-side enforcement (security)
- Don't require arbitrary complexity rules (upper+lower+number+symbol)
Modern guidance (NIST):
- Length over complexity
- Check against breach databases (HaveIBeenPwned API)
- Allow paste into password fields
- Don't force periodic password rotation
Broken auth = full compromise: If attackers can log in as any user, they have access to everything that user can do. Authentication vulnerabilities are often the fastest path to a breach.
Credential Stuffing Protection
Add protection against credential stuffing attacks.
Credential stuffing: Attackers try username/password combinations from leaked databases.
Defenses:
- Rate limiting per IP and per username
- CAPTCHA after suspicious activity
- Device fingerprinting
- Login anomaly detection
- Breach password checking
Implementation:
- Track failed logins per username (not just IP)
- After 3 failures: add CAPTCHA
- After 10 failures: temporary lockout
- Detect new device/location and require verification
- Check password against HaveIBeenPwned on registration
Alerts:
- Unusual login volume
- Logins from new countries
- Multiple accounts from same IP
- Sequential username attempts
Session Fixation Fix
Fix session fixation vulnerability in my application.
Session fixation: Attacker sets victim's session ID before login, then hijacks after victim authenticates.
Attack flow:
- Attacker gets session ID from your app
- Attacker tricks victim into using that session ID
- Victim logs in, session becomes authenticated
- Attacker uses known session ID to access victim's account
Fix:
- Generate new session ID on every authentication
- Don't accept session IDs from URL parameters
- Don't accept session IDs from POST data
- Only accept session ID from cookie
Implementation: // After successful login session.regenerate((err) => { // Old session ID is now invalid // New session ID issued in cookie session.userId = user.id })
Also: Regenerate on privilege escalation (user -> admin)
Pro tip: Use established auth libraries or services. Clerk, Auth0, NextAuth.js, and Supabase Auth have teams dedicated to security. Rolling your own auth is where most auth bugs come from.
How do I test for broken authentication?
Try: logging in with SQL injection in username, using old session after logout, accessing protected pages without auth, and brute forcing with no lockout. Tools like Burp Suite can help automate testing.
Should I build my own auth or use a service?
For most apps, use a service or library. Auth has too many edge cases to get right. Build your own only if you have specific requirements that services can't meet AND have security expertise.