Attacking password-based authentication

What is it?

Password-based authentication generally allows to register an account and set a password, or sometimes an account will be assigned to them by an administrator. Password-based authentication tends to be suseptible to brute-force attacks, account lockouts and credential stuffing attacks.

A simple example

  • A vulnerable web application allows users to sign up and set a password.

  • After 10 failed login attempts, an account is locked.

  • If an attacker uses 9 common passwords against many user accounts, they will gain access to ones that chose weak or common passwords.

Broken authentication can often lead to:

  • Account takeover

  • Sensitive data exposure

Other learning resources:


Have a good writeup & want to share it here? Drop me a message on LinkedIn.


Last updated