LOGBOOK

HELP

Quiz Entry - updated: 2026.06.25

What does OWASP A2 (Broken Authentication) cover, and what are the standard counter-measures?

"Broken Auth" = the login subsystem is weak (bad passwords, no rate limiting, missing 2FA, insecure recovery). Counter: password policy, MFA, rate-limiting, secure storage, identical security in registration and recovery flows.

What "Broken Authentication" looks like in practice:

  • Login isn't sufficiently protected against brute-force attacks (no rate limit, no account lockout).
  • Weak passwords are accepted ("password123" goes through).
  • 2FA is missing or implemented incorrectly.
  • Insecure password recovery / reset (e.g. password reset via "security questions" with public answers).
  • Passwords stored in plaintext or with weak hashes (unsalted MD5, SHA-1).

Counter-measures:

  • Password policy that blocks short or common passwords (against haveibeenpwned, dictionary, etc.).
  • All entry points (registration, credential recovery, OAuth flows) meet the same security bar as the main login.
  • Multi-factor authentication where the asset value justifies it.
  • Rate limiting / login delay — limit failed attempts per IP/account, slow brute-force to uselessness.
  • Secure credential storage — salted slow hash (bcrypt/Argon2/scrypt), never plaintext.

Tip: Cross-reference the OWASP Authentication Cheat Sheet, the Forgot Password Cheat Sheet, and the Password Storage Cheat Sheet — they're the practical implementation guides.

From Quiz: ISF / Access Control | Updated: Jun 25, 2026