# Attacking password-based authentication

## What is it?

Password-based authentication generally allows users to register an account and set a password, or sometimes an account will be assigned to them by an administrator. Password-based authentication tends to be susceptible to brute-force attacks, account lockouts and credential stuffing attacks.

**A simple example**

* A vulnerable web application allows users to sign up and set a password.
* After 10 failed login attempts, an account is locked.
* If an attacker tries 9 common passwords against many user accounts (staying below the lockout threshold on each one), they will gain access to any accounts whose owners chose weak or common passwords.
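The lockout-evading pattern in the example above is what a defender has to catch on the server side. The following is an added illustration, not code from the original page: it parses constructed log lines (the line format, the 10-minute window and the five-account threshold are assumptions made for this example) and shows that a per-account failure counter never fires, while a per-source rule that counts distinct accounts does.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). One source
# address tries three common passwords against five accounts, never exceeding
# nine failures on any single account; a legitimate user from another address
# mistypes once and then logs in.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:00:05Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:00:06Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:07Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:08Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:09Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:00:10Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:00:11Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:12Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:13Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:14Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:00:15Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:01:00Z src=198.51.100.3 user=frank result=FAIL
2024-05-01T09:01:05Z src=198.51.100.3 user=frank result=OK
"""

# Assumed log format: "<ISO timestamp> src=<ip> user=<name> result=<FAIL|OK>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]})
    return events


def locked_accounts(events, threshold=10):
    """Per-account lockout as in the example above: lock after `threshold` failures."""
    failures = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return sorted(user for user, n in failures.items() if n >= threshold)


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail against at least `min_users` distinct accounts within `window`.

    Returns {source: distinct_accounts_hit} for every source that trips the rule.
    """
    failures_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures_by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in failures_by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # every failure from this source inside the window that starts at `first`
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                alerts[src] = len(users)
                break
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("locked by per-account threshold:", locked_accounts(events))  # []
    print("sources flagged for spraying:", detect_spray(events))        # {'203.0.113.7': 5}
```

The per-account counter stays at 3 for every user, so the lockout the application relies on never triggers; the per-source rule keys on what the attack cannot avoid, namely touching many accounts from one place. In production the same rule is usually also run per source network and per user agent, since a distributed spray spreads attempts over many addresses.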

Broken authentication can often lead to:

* Account takeover
* Sensitive data exposure

**Other learning resources:**

* PortSwigger: <https://portswigger.net/web-security/authentication>

**Writeups:**

*Have a good writeup & want to share it here? Drop me a message on LinkedIn.*

## Checklist

* [ ] Can we enumerate user accounts?
  * [ ] Registration page
  * [ ] Login page
  * [ ] Password reset page
* [ ] Is there any brute-force protection?
  * [ ] Check for account lockouts
  * [ ] Check for rate limiting
  * [ ] Check for CAPTCHA
  * [ ] Check for MFA
* [ ] What is the password policy?
  * [ ] Check the strength requirements
  * [ ] Is the password stored securely? (E.g. if we reset, will it send us the cleartext password)
  * [ ] Is the password reset token sufficiently unique?
* [ ] Are credentials predictable?
  * [ ] Check for default credentials
  * [ ] Check for username conventions (E.g. firstname.lastname)
* [ ] Is autocomplete enabled on password fields?
* [ ] Check the password reset functionality
  * [ ] Knowledge-based questions
  * [ ] Token leakage via the Referer header
  * [ ] Token predictability
* [ ] Is authentication happening client-side?
* [ ] Are there any backups or leaked files with creds?
* [ ] Is there remember me or auto login functionality?
  * [ ] Are the tokens for this predictable?
  * [ ] How long does the token remain valid?
* [ ] Are tokens or credentials passed via the URL?
* [ ] Are there CSRF tokens?
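For the reset-token items in the checklist (is the token sufficiently unique, is it predictable, how long does it remain valid), the following added example, which is not code from the original page, shows what a server-side implementation that passes those checks looks like: the token comes from the OS CSPRNG, only its hash is stored, it expires after an assumed 15-minute lifetime and it can be redeemed exactly once. The `ResetTokenStore` class and its injectable clock are constructions for this example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity period for this example


class ResetTokenStore:
    """In-memory stand-in for the table a real application keeps reset tokens in.

    Stored: sha256(token) -> (username, expiry time). The raw token is never
    stored, so a leaked database does not hand out usable reset links.
    """

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so that expiry can be tested
        self._tokens = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user):
        """Create a fresh token for `user` and return it (this is what gets sent to the user)."""
        # 32 bytes from the OS CSPRNG: 256 bits of entropy, so tokens are neither
        # sequential nor derivable from the username, the email or the time.
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user, token):
        """Return True exactly once for a valid, unexpired token issued to `user`."""
        # pop() makes the token single-use whatever the outcome of the checks
        # below. Looking up by digest is fine here: the digest of a 256-bit
        # random token is itself unpredictable, so there is nothing to guess.
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return False
        issued_to, expires_at = entry
        if issued_to != user:
            return False
        if self._now() > expires_at:
            return False
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("alice")
    print(store.redeem("alice", token))  # True
    print(store.redeem("alice", token))  # False: already used
```

The reset page that consumes the token should also send `Referrer-Policy: no-referrer` and avoid loading third-party resources, which is the server-side answer to the Referer leakage item above.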
