Broken Authentication in Web Apps — What It Is and How to Test for It
Broken authentication isn't just weak passwords. It's non-expiring reset links, sessions that survive logout, MFA that can be bypassed, and remember-me tokens that last forever. Here's exactly what I test in every authentication implementation — and what I keep finding.
