Broken Authentication

When verifying "who you are" goes horribly wrong.

The idea

Authentication is the process of verifying identity (usually via username/password). "Broken Authentication" is an umbrella term for a broad class of vulnerabilities where the login process, session management, or password recovery flow is flawed, allowing an attacker to impersonate legitimate users.

Step 1: The application issues predictable session IDs.

How it works (Session Hijacking)

If you use predictable session IDs (like `SESSION_ID=1045`), an attacker can simply change their cookie to `1046` and take over the next user's account. Session IDs must be long, cryptographically random, and rotate frequently.

# VULNERABLE: Predictable Session IDs
last_session_id = 0  # counter shared by every login; the next ID is always last + 1

def generate_session(user_id):
    # DANGER: Attackers can easily guess the next session ID!
    global last_session_id
    last_session_id += 1
    return last_session_id

# SECURE: Cryptographically Secure Randomness
import secrets

def generate_session(user_id):
    # Generates a massive, unguessable string like:
    # 'a4f5c9e2b1d0...' (32 random bytes = 256 bits of entropy, far too much to brute force)
    return secrets.token_hex(32)

Watch out for

Worked example

A developer implements a "Forgot Password" feature. The user enters their email, and the server generates a 6-digit PIN and emails it to them. However, the server does not rate-limit the PIN verification endpoint. An attacker requests a password reset for `admin@company.com`, then writes a script to guess all 1,000,000 possible 6-digit PINs (000000 to 999999). It takes the script 5 minutes to guess the correct PIN and take over the admin account.
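As an added example (not code from the original page), here is how the PIN verification endpoint in the worked example could be hardened in Python: each reset request gets a fixed attempt budget, the PIN expires and is single use, and the comparison is constant-time. The budget of 5 attempts, the 10-minute lifetime and the in-memory store are assumptions for the demonstration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: guesses allowed per reset request
PIN_TTL_SECONDS = 600   # assumed policy: a PIN is valid for 10 minutes

# Constructed in-memory store keyed by email; a real service would use a
# database or cache shared across app instances.
reset_requests = {}


def issue_reset_pin(email, now=None):
    """Create a 6-digit PIN from a CSPRNG and record when it was issued."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(1_000_000):06d}"
    reset_requests[email] = {"pin": pin, "issued": now, "attempts": 0}
    return pin  # the real service would email this instead of returning it


def verify_reset_pin(email, candidate, now=None):
    """Return (ok, reason). Every call consumes one attempt, expired PINs
    are discarded, and a locked request is never compared again."""
    now = time.time() if now is None else now
    entry = reset_requests.get(email)
    if entry is None:
        return False, "no_request"
    if now - entry["issued"] > PIN_TTL_SECONDS:
        del reset_requests[email]
        return False, "expired"
    if entry["attempts"] >= MAX_ATTEMPTS:
        return False, "locked"            # budget already spent: refuse outright
    entry["attempts"] += 1
    # compare_digest keeps the comparison time independent of where digits differ
    if hmac.compare_digest(entry["pin"], str(candidate)):
        del reset_requests[email]         # single use: a PIN cannot be replayed
        return True, "ok"
    if entry["attempts"] >= MAX_ATTEMPTS:
        return False, "locked"            # this wrong guess spent the last attempt
    return False, "wrong"


if __name__ == "__main__":
    pin = issue_reset_pin("user@example.com")
    print(verify_reset_pin("user@example.com", pin))  # (True, 'ok')
```

With this budget the 1,000,000-guess script from the worked example is stopped after its fifth request, and the attacker must trigger a fresh reset (which notifies the account owner) to get another five.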

Check yourself

Why should you use `bcrypt` instead of `SHA-256` for hashing passwords in your database?

Incorrect. Both are cryptographic hash functions and neither can be reversed (decrypted).
Correct! Speed is the enemy of password hashing. `bcrypt` allows you to tune the "work factor" to keep it slow even as hardware gets faster.