# Attacking password-based authentication

## What is it?

Password-based authentication generally allows users to register an account and set a password, or sometimes an account is assigned to them by an administrator. Password-based authentication tends to be susceptible to brute-force attacks, account lockout attacks and credential stuffing attacks.

**A simple example**

* A vulnerable web application allows users to sign up and set a password.
* After 10 failed login attempts, an account is locked.
* If an attacker tries 9 common passwords against many user accounts, no single account reaches the lockout threshold, and they will gain access to any account whose owner chose one of those weak or common passwords.
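The spray in the example above (nine guesses per account, spread over many accounts) never trips a per-account lockout counter, but it does stand out when failures are counted per source across distinct accounts. As an added detection example that is not part of the original page: Python over constructed failed-login log lines, comparing what the per-account counter sees with a per-source distinct-account count; the log format, the attacker address and the alert threshold of five accounts are assumptions.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 10   # per-account lockout from the example above
SPRAY_MIN_ACCOUNTS = 5   # assumed alert threshold: distinct accounts hit from one source

USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
ATTACKER = "203.0.113.7"   # constructed attacker address (documentation range)

# Constructed sample log: the attacker tries 9 passwords against each user,
# staying one short of the lockout, plus one legitimate user who mistypes twice.
SAMPLE_LOG = [
    "2024-01-01T10:00:%02d FAIL user=%s src=%s" % (i, user, ATTACKER)
    for user in USERS for i in range(9)
] + [
    "2024-01-01T10:05:00 FAIL user=grace src=198.51.100.2",
    "2024-01-01T10:05:30 FAIL user=grace src=198.51.100.2",
]

def parse_failure(line):
    """Return (user, src) for a '<ts> FAIL user=<u> src=<ip>' line, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "FAIL":
        return None
    user = parts[2].split("=", 1)[1]
    src = parts[3].split("=", 1)[1]
    return user, src

def per_account_failures(lines):
    """Failures per account: exactly what a per-account lockout counter sees."""
    counts = defaultdict(int)
    for user, _src in filter(None, map(parse_failure, lines)):
        counts[user] += 1
    return dict(counts)

def locked_accounts(lines, threshold=LOCKOUT_THRESHOLD):
    """Accounts the lockout rule would lock (none for a 9-guess-per-account spray)."""
    return sorted(u for u, n in per_account_failures(lines).items() if n >= threshold)

def spraying_sources(lines, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Sources whose failures span many distinct accounts: the spray signal."""
    targets = defaultdict(set)
    for user, src in filter(None, map(parse_failure, lines)):
        targets[src].add(user)
    return {src: sorted(us) for src, us in targets.items() if len(us) >= min_accounts}
```

A legitimate user retrying their own password a few times from one address never reaches the distinct-account threshold, so the second counter adds a signal the lockout rule alone cannot give.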

Broken authentication can often lead to:

* Account takeover
* Sensitive data exposure

**Other learning resources:**

* PortSwigger: <https://portswigger.net/web-security/authentication>

**Writeups:**

*Have a good writeup & want to share it here? Drop me a message on LinkedIn.*

## Checklist

* [ ] Can we enumerate user accounts?
  * [ ] Registration page
  * [ ] Login page
  * [ ] Password reset page
* [ ] Is there any brute-force protection?
  * [ ] Check for account lockouts
  * [ ] Check for rate limiting
  * [ ] Check for CAPTCHA
  * [ ] Check for MFA
* [ ] What is the password policy?
  * [ ] Check the strength requirements
  * [ ] Is the password stored securely? (E.g. if we reset, will it send us the cleartext password)
  * [ ] Is the password reset token sufficiently unique?
* [ ] Are credentials predictable?
  * [ ] Check for default credentials
  * [ ] Check for username conventions (E.g. firstname.lastname)
* [ ] Is autocomplete enabled on password fields?
* [ ] Check the password reset functionality
  * [ ] Knowledge-based questions
  * [ ] Token leakage via the Referer header
  * [ ] Token predictability
* [ ] Is authentication happening client-side?
* [ ] Are there any backups or leaked files with creds?
* [ ] Is there remember me or auto login functionality?
  * [ ] Are the tokens for this predictable?
  * [ ] How long does the token remain valid?
* [ ] Are tokens or credentials passed via the URL?
* [ ] Are there CSRF tokens?

