>myctrl.tools
Preferences
Under active development Content is continuously updated and improved

A07Authentication Failures

>Control Description

Authentication Failures maintains its position at #7 with a slight name change to more accurately reflect the 36 CWEs in this category. Despite benefits from standardized frameworks, this category has kept its #7 rank from 2021. Notable CWEs included are *CWE-259 Use of Hard-coded Password*, *CWE-297: Improper Validation of Certificate with Host Mismatch*, *CWE-287: Improper Authentication*, *CWE-384: Session Fixation*, and *CWE-798 Use of Hard-coded Credentials*. When an attacker is able to trick a system into recognizing an invalid or incorrect user as legitimate, this vulnerability is present. There may be authentication weaknesses if the application: * Permits automated attacks such as credential stuffing, where the attacker has a breached list of valid usernames and passwords. More recently this type of attack has been expanded to include hybrid password attacks credential stuffing (also known as password spray attacks), where the attacker uses variations or increments of spilled credentials to gain access, for instance trying Password1!, Password2!, Password3! and so on. * Permits brute force or other automated, scripted attacks that are not quickly blocked. * Permits default, weak, or well-known passwords, such as "Password1" or "admin" username with an "admin" password. * Allows users to create new accounts with already known-breached credentials. * Allows use of weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers," which cannot be made safe. * Uses plain text, encrypted, or weakly hashed passwords data stores (see[ A04:2025-Cryptographic Failures](https://owasp.org/Top10/2025/A04_2025-Cryptographic_Failures/)). * Has missing or ineffective multi-factor authentication. * Allows use of weak or ineffective fallbacks if multi-factor authentication is not available. * Exposes session identifier in the URL, a hidden field, or another insecure location that is accessible to the client. * Reuses the same session identifier after successful login. * Does not correctly invalidate user sessions or authentication tokens (mainly single sign-on (SSO) tokens) during logout or a period of inactivity. * Does not correctly assert the scope and intended audience of the provided credentials.

>Prevention & Mitigation Strategies

  1. 1.Where possible, implement and enforce use of multi-factor authentication to prevent automated credential stuffing, brute force, and stolen credential reuse attacks.
  2. 2.Where possible, encourage and enable the use of password managers, to help users make better choices.
  3. 3.Do not ship or deploy with any default credentials, particularly for admin users.
  4. 4.Implement weak password checks, such as testing new or changed passwords against the top 10,000 worst passwords list.
  5. 5.During new account creation and password changes validate against lists of known breached credentials (eg: using [haveibeenpwned.com](https://haveibeenpwned.com)).
  6. 6.Align password length, complexity, and rotation policies with [National Institute of Standards and Technology (NIST) 800-63b's guidelines in section 5.1.1](https://pages.nist.gov/800-63-3/sp800-63b.html#:~:text=5.1.1%20Memorized%20Secrets) for Memorized Secrets or other modern, evidence-based password policies.
  7. 7.Do not force human beings to rotate passwords unless you suspect breach. If you suspect breach, force password resets immediately.
  8. 8.Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes (“Invalid username or password.”).
  9. 9.Limit or increasingly delay failed login attempts but be careful not to create a denial of service scenario. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected or suspected.
  10. 10.Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session identifiers should not be in the URL, be securely stored in a secure cookie, and invalidated after logout, idle, and absolute timeouts.
  11. 11.Ideally, use a premade, well-trusted system to handle authentication, identity, and session management. Transfer this risk whenever possible by buying and utilizing a hardened and well tested system.
  12. 12.Verify the intended use of provided credentials, e.g. for JWTs validate `aud`, `iss` claims and scopes

>Attack Scenarios

#1Hybrid credential stuffing and password spray

Credential stuffing, the use of lists of known username and password combinations, is now a very common attack. More recently attackers have been found to ‘increment’ or otherwise adjust passwords, based on common human behavior. For instance, changing ‘Winter2025’ to ‘Winter2026’, or ‘ILoveMyDog6’ to ‘ILoveMyDog7’ or ‘ILoveMyDog5’. This adjusting of password attempts is called a hybrid credential stuffing attack or a password spray attack, and they can be even more effective than the traditional version. If an application does not implement defences against automated threats (brute force, scripts, or bots) or credential stuffing, the application can be used as a password oracle to determine if the credentials are valid and gain unauthorized access.

#2Passwords as sole factor without MFA

Most successful authentication attacks occur due to the continued use of passwords as the sole authentication factor. Once considered best practices, password rotation and complexity requirements encourage users to both reuse passwords and use weak passwords. Organizations are recommended to stop these practices per NIST 800-63 and to enforce use of multi-factor authentication on all important systems.

#3Improper session timeout and SSO logout

Application session timeouts aren't implemented correctly. A user uses a public computer to access an application and instead of selecting "logout," the user simply closes the browser tab and walks away. Another Example for this is, if a Single Sign on (SSO) session can not be closed by a Single Logout (SLO). That is, a single login logs you into, for example, your mail reader, your document system, and your chat system. But logging out happens only to the current system. If an attacker uses the same browser after the victim thinks they have successfully logged out, but with the user still authenticated to some of the applications, then can access the victim's account. The same issue can happen in offices and enterprises when a sensitive application has not been properly exited and a colleague has (temporary) access to the unlocked computer.

>Related CWEs

CWE-346
CWE-1391
CWE-304
CWE-297
CWE-299
CWE-306
CWE-308
CWE-293
CWE-303
CWE-940
CWE-1390
CWE-1393
CWE-350
CWE-300
CWE-295
CWE-307
CWE-258
CWE-287
CWE-613
CWE-290
CWE-384
CWE-640
CWE-309
CWE-1392
CWE-941
CWE-289
CWE-298
CWE-291
CWE-302
CWE-620
CWE-798
CWE-288
CWE-294
CWE-305
CWE-521
CWE-259

>References

Ask AI

Configure your API key to use AI features.