What is broken authentication and how do you prevent it?

Answer

Broken authentication (OWASP Top 10 2021 entry A07, renamed "Identification and Authentication Failures"; it was A2 "Broken Authentication" in the 2017 list) covers flaws in login and session handling that let an attacker take over accounts by compromising passwords, keys, or session tokens, or by bypassing the login altogether.

Common issues: weak or default passwords; credential stuffing (replaying username/password pairs from earlier breaches, of which billions are circulating); brute force against a login with no rate limiting; session fixation (the attacker plants a session ID before the victim logs in and the application keeps using it after login); session tokens carried in URLs, where they leak through logs, Referer headers and browser history; sessions that are never expired or not invalidated server-side on logout; long-lived "remember me" tokens that are guessable or not bound to the account.

Prevention:
(1) Offer or require MFA, so a stolen password alone is not enough.
(2) Rate limit login attempts per account and per source with progressive delays, and lock the account after repeated failures. Keep locks time-limited: a permanent lockout lets an attacker deny service to legitimate users by deliberately failing their logins.
(3) Reject passwords that appear in known-breach lists (for example the Have I Been Pwned Pwned Passwords API, which is queried by the first five hex characters of the SHA-1 so the password itself never leaves your server), and store passwords with a slow, salted hash such as Argon2, bcrypt or PBKDF2.
(4) Use secure session management: issue a fresh random session ID on every login and discard the pre-login one, expire sessions after inactivity, and invalidate them server-side on logout rather than only clearing the cookie.
(5) Never put session tokens in URLs; carry them in cookies or headers only.
(6) Serve everything over HTTPS so tokens cannot be sniffed in transit.
(7) Set the HttpOnly, Secure and SameSite attributes on session cookies.
(8) Return the same generic error for an unknown username and a wrong password so the login form cannot be used to enumerate accounts.
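The following is an added example, not code from the original answer, showing how points (2), (3), (4), (7) and (8) fit together in a minimal login module: a fresh session ID on login (fixation defence), progressive delay and a time-limited lockout, server-side logout, the cookie attributes, and a Have I Been Pwned style k-anonymity check. The stores are in-memory dictionaries and the HIBP range response is a constructed stand-in for `GET https://api.pwnedpasswords.com/range/<prefix>`; both are assumptions for the sake of a self-contained example, and a real deployment would use a shared database or Redis and an HTTPS call.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores (assumption: production keeps these in a database
# or Redis so lockout and session state survive restarts and are shared across nodes).
USERS = {}      # username -> (salt, pbkdf2 digest)
SESSIONS = {}   # session id -> {"user": ..., "expires": ...}
FAILED = {}     # username -> {"count": n, "not_before": unix timestamp}

MAX_FAILURES = 5        # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 900   # time-limited lock (15 min), not a permanent one
SESSION_TTL = 1800      # 30 minutes of inactivity
PBKDF2_ROUNDS = 100_000  # kept low so the example runs quickly; use OWASP's current figure in production


def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))


def _verify_password(username, password):
    # Unknown users get a dummy salt/digest so the check costs the same time either way.
    salt, digest = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest) and username in USERS


def _record_failure(username, now):
    state = FAILED.setdefault(username, {"count": 0, "not_before": 0})
    state["count"] += 1
    if state["count"] >= MAX_FAILURES:
        state["not_before"] = now + LOCKOUT_SECONDS
    else:
        state["not_before"] = now + 2 ** state["count"]   # progressive delay: 2, 4, 8, 16 s


def login(username, password, presented_session=None, now=None):
    """Return (session_id, error). The pre-login session ID is never reused (fixation defence)."""
    now = time.time() if now is None else now
    state = FAILED.get(username)
    if state and now < state["not_before"]:
        return None, f"too many attempts, retry in {int(state['not_before'] - now)}s"
    if not _verify_password(username, password):
        _record_failure(username, now)
        return None, "invalid credentials"   # same message for unknown user and wrong password
    FAILED.pop(username, None)
    if presented_session:
        SESSIONS.pop(presented_session, None)   # discard whatever ID the client arrived with
    sid = secrets.token_urlsafe(32)             # 256 bits from the CSPRNG
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_TTL}
    return sid, None


def current_user(sid, now=None):
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if not sess or now >= sess["expires"]:
        SESSIONS.pop(sid, None)
        return None
    sess["expires"] = now + SESSION_TTL   # sliding inactivity timeout
    return sess["user"]


def logout(sid):
    SESSIONS.pop(sid, None)   # invalidate server-side, not just clear the cookie


def session_cookie(sid):
    # Never in a URL: cookie only, unreadable by script, HTTPS only, not sent cross-site.
    return f"session={sid}; Path=/; Max-Age={SESSION_TTL}; HttpOnly; Secure; SameSite=Lax"


# Constructed stand-in for the HIBP range endpoint (assumption): each line is
# "<35 hex chars of SHA-1 suffix>:<count>" for every hash sharing the 5-char prefix.
FAKE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
             "0000ABCDEF0123456789ABCDEF012345678:2\n",
}


def password_is_breached(password, fetch_range=lambda prefix: FAKE_RANGE.get(prefix, "")):
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the server."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        found, _, _count = line.partition(":")
        if found == suffix:
            return True
    return False
```

To wire this into a real service, replace `fetch_range` with an HTTPS GET to the Pwned Passwords range endpoint, back the three dictionaries with shared storage, and apply the same throttle keyed by source address as well as by username so a credential-stuffing run spread across many accounts is still slowed down.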