Quiz Entry - updated: 2026.06.25
What does OWASP A2 (Broken Authentication) cover, and what are the standard counter-measures?
"Broken Auth" = the login subsystem is weak (bad passwords, no rate limiting, missing 2FA, insecure recovery). Counter: password policy, MFA, rate-limiting, secure storage, identical security in registration and recovery flows.
What "Broken Authentication" looks like in practice:
- Login isn't sufficiently protected against brute-force attacks (no rate limit, no account lockout).
- Weak passwords are accepted ("password123" goes through).
- 2FA is missing or implemented incorrectly.
- Insecure password recovery / reset (e.g. password reset via "security questions" with public answers).
- Passwords stored in plaintext or with weak hashes (unsalted MD5, SHA-1).
Counter-measures:
- Password policy that blocks short or common passwords (against haveibeenpwned, dictionary, etc.).
- All entry points (registration, credential recovery, OAuth flows) meet the same security bar as the main login.
- Multi-factor authentication where the asset value justifies it.
- Rate limiting / login delay — limit failed attempts per IP/account, slow brute-force to uselessness.
- Secure credential storage — salted slow hash (bcrypt/Argon2/scrypt), never plaintext.
Tip: Cross-reference the OWASP Authentication Cheat Sheet, the Forgot Password Cheat Sheet, and the Password Storage Cheat Sheet — they're the practical implementation guides.