Identification and Authentication Failures(N/A)
Vulnerabilities that allow attackers to impersonate other users or gain access to their accounts.
What are Authentication Failures?
In one sentence: when the login system is weak, a hacker can pretend to be you and get into your account!
Imagine you have a secure building. The guard should check who enters. If the guard is asleep, or doesn't check ID cards, anyone can get in! Authentication is the same: you must make sure the user really is who they say they are.
Types of Authentication Failures:
1. Weak Passwords: You allow a user to set the password 123456. A hacker guesses it easily!
2. No Brute Force Protection: The user can try passwords an unlimited number of times. A hacker tries all combinations with tools!
3. Wrong Session Management: The Session ID doesn't change after login. A hacker steals your Session ID and gets into your account!
4. Credential Stuffing: They try passwords stolen from one site on your site. Many people use the same password everywhere!
5. No 2FA: The password alone is enough. If the password leaks, the account is lost!
6. Weak Password Recovery: The reset link has a long expiry, or is sent in the URL, or the security question is weak.
Real Example:
Imagine your site logs users in like this:
- The user enters a password
- If it is correct, the site gives a Session ID
- Session ID doesn't change after login
- No Rate Limiting
A hacker can:
- Brute force the password (because you have no Rate Limiting)
- Steal the Session ID (because it doesn't change)
- Get into the user's account
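As an added example (not code from the original page), here is a minimal Python login function that closes the two gaps in the flow above: it locks the account after repeated failures (Rate Limiting) and issues a fresh Session ID on every successful login, invalidating the old one. The user store, salt, limits and credentials are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5        # lock the account after this many bad passwords
LOCKOUT_SECONDS = 300   # how long the lockout lasts

# Constructed sample user store (not a real database). Passwords are kept
# as salted PBKDF2 hashes, never in plain text.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_salt = b"constructed-demo-salt"
USERS = {"alice": {"salt": _salt, "hash": _hash("correct horse battery", _salt)}}

failures = {}   # username -> (failure count, time of last failure)
sessions = {}   # session id -> username


def login(username, password, old_session_id=None, now=None):
    """Return (ok, session_id).
    Rate limiting: after MAX_FAILURES bad passwords the account is locked
    for LOCKOUT_SECONDS and the password is not even checked.
    Session rotation: a successful login always gets a brand-new ID, so an
    ID the attacker knew (or planted) before login is useless afterwards."""
    now = time.time() if now is None else now
    count, last = failures.get(username, (0, 0.0))
    if count >= MAX_FAILURES:
        if now - last < LOCKOUT_SECONDS:
            return False, None          # still locked out
        count = 0                       # lockout expired, start counting again
    user = USERS.get(username)
    # Hash against a dummy for unknown users so the response time does not
    # reveal whether the username exists.
    salt = user["salt"] if user else _salt
    expected = user["hash"] if user else _hash("", _salt)
    if user is None or not hmac.compare_digest(_hash(password, salt), expected):
        failures[username] = (count + 1, now)
        return False, None
    failures.pop(username, None)        # good login clears the failure counter
    sessions.pop(old_session_id, None)  # the pre-login session is invalidated
    new_id = secrets.token_urlsafe(32)  # rotate: never keep the old ID
    sessions[new_id] = username
    return True, new_id
```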
Why is it important for security?
Because it's number 7 in the OWASP Top 10 2021! If authentication is weak, a hacker can get into other users' accounts, steal their data, or do bad things in their name.