OWASP Top 10 explained - 07 Identification and Authentication Failures

Ranking no.7 on the OWASP’s Top 10, identification and authentication failures cover insecure practices in user authentication. If you aren’t properly verifying identities, attackers can slip in using stolen or guessed credentials. But what exactly falls under this category, how do attackers abuse it, and how can you prevent it?

01 – What are identification and authentication failures?

In a nutshell, these are flaws that let attackers impersonate other users or otherwise bypass the login process: the application fails to correctly identify or authenticate the people using it.

Common examples include accepting weak or default passwords, lacking multi-factor authentication, improper session management, or other failures that make it easy for unauthorised users to gain access.

Some of the most common weaknesses are:

  • Weak credentials – Allowing trivial or default passwords (like “password” or “123456”) and not enforcing password complexity or uniqueness.
  • No brute-force defence – Unlimited login attempts with no lockout or throttling, allowing attackers to guess passwords freely.
  • No multi-factor authentication – Relying only on passwords (often reused or stolen) with no second verification factor.
  • Insecure session management – Session IDs that are predictable, not invalidated on logout, or not protected with secure attributes (HttpOnly, Secure).

Any lapse in properly verifying identity can quickly lead to unauthorised access and major breaches.

02 – How is it exploited?

Attackers often don’t need sophisticated tricks for this one – they simply use automated tools to try common passwords or lists of stolen credentials on sites without protections. They also exploit weak session handling; for example, if session cookies are not secured, attackers might hijack an active session.

A prime example you might remember is the 2014 “Celebgate” incident, where attackers brute-forced the passwords of celebrity Apple iCloud accounts. Apple’s system at the time lacked effective rate limiting, so the attackers were able to systematically guess passwords and gain access to private data.

More generally, credential stuffing attacks (using username/password pairs leaked from other sites) frequently succeed against systems that haven’t implemented multi-factor authentication or login attempt throttling.

03 – How do you prevent authentication failures?

Preventing identification and authentication failures requires strong controls throughout the login and session process:

  • Enforce strong passwords – Require a minimum length and complexity, and block common or previously breached passwords.
  • Implement multi-factor authentication (MFA) – A one-time code, authenticator app, or other second factor stops attackers who have only stolen a password.
  • Throttle or lock out on failures – After a few failed login attempts, temporarily lock the account or use exponential backoff. Use CAPTCHAs or similar techniques to thwart brute-force bots.
  • Securely store credentials – Hash passwords with a strong algorithm (bcrypt, Argon2, PBKDF2) and use salts. Never store or transmit plaintext passwords.
  • Harden session management – Use secure, HttpOnly cookies for session IDs. Invalidate sessions on logout and implement short session timeouts or re-authentication for sensitive actions.
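To make the password-policy, throttling and credential-storage controls above concrete, here is an added Python example (not code from the original post or from Logical Peak) that combines a common-password blocklist, salted PBKDF2 hashing with constant-time comparison, and per-account exponential backoff in one login routine. The blocklist contents, the backoff constants and the dummy-record trick for unknown usernames are illustrative assumptions, not settings the post prescribes.

```python
import hashlib, hmac, os, secrets, time

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed blocklist; real systems check a breached-password corpus
PBKDF2_ITERATIONS = 600_000  # OWASP's current PBKDF2-HMAC-SHA256 guidance

def validate_new_password(pw):
    return len(pw) >= 12 and pw.lower() not in COMMON_PASSWORDS

def hash_password(pw, salt=None):
    """Return (salt, digest), generating a fresh random 16-byte salt by default."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)

def verify_password(pw, salt, digest):
    """Recompute the hash and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)

class LoginThrottle:
    """Per-account lockout: FREE_ATTEMPTS failures are free, then each further
    failure doubles the wait (capped at MAX_DELAY seconds). Constants are assumed."""
    FREE_ATTEMPTS, BASE_DELAY, MAX_DELAY = 3, 1.0, 900.0

    def __init__(self, clock=time.monotonic):
        self.clock = clock   # injectable so the backoff can be tested without sleeping
        self.state = {}      # username -> (failure_count, locked_until)

    def seconds_locked(self, user):
        return max(0.0, self.state.get(user, (0, 0.0))[1] - self.clock())

    def record(self, user, success):
        if success:
            self.state.pop(user, None)  # a good login resets the counter
            return
        count = self.state.get(user, (0, 0.0))[0] + 1
        extra = count - self.FREE_ATTEMPTS
        delay = min(self.MAX_DELAY, self.BASE_DELAY * 2 ** (extra - 1)) if extra > 0 else 0.0
        self.state[user] = (count, self.clock() + delay)

# Random dummy record checked for unknown usernames so response time does not reveal which accounts exist.
DUMMY_RECORD = hash_password(secrets.token_hex(16))

def login(users, throttle, user, pw):
    """users: {username: (salt, digest)}. Returns 'locked', 'ok' or 'invalid'."""
    if throttle.seconds_locked(user) > 0:
        return "locked"
    record = users.get(user)
    salt, digest = record if record else DUMMY_RECORD
    ok = verify_password(pw, salt, digest) and record is not None
    throttle.record(user, ok)
    return "ok" if ok else "invalid"
```

Note that a locked account still returns "locked" for the correct password, so the lockout itself can be abused to deny a user service; pairing it with CAPTCHAs or IP-based limits, as the post suggests, softens that trade-off.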

It sounds obvious, but don’t leave your front door unlocked! By embedding strong authentication practices and controls, you dramatically reduce the risk of unauthorised access.

Posted 19 Mar 25


Logical Peak Ltd. ©