Insecure password reset
About A07:2021 — Identification & Auth Failures
Authentication is hard to get right and easy to get subtly wrong. Common failures: storing passwords with weak hashes, not invalidating sessions on logout, allowing unlimited login attempts, accepting JWTs without verifying the signature. AI tools sometimes invent auth code that looks correct but skips the verification step.
Impact: When auth breaks, every user account is potentially compromised. Brute force on login becomes credential stuffing at scale. Session fixation lets one user steal another's session. JWTs accepted without signature verification let anyone forge any identity.
How to fix it: Use a battle-tested auth provider (Clerk, Auth0, NextAuth, AWS Cognito) instead of building from scratch. If you must build it: bcrypt or argon2 for passwords, account lockout after N failed attempts, MFA support, signed and expiring session tokens, full JWT signature verification.
Common patterns in this category:
- JWT decoded without verifying the signature
- No account lockout after repeated failed logins
- Passwords hashed with MD5 or SHA-1 instead of bcrypt/argon2
- Session IDs that don't rotate on login or privilege change
- Password reset tokens that don't expire or aren't single-use
Compliance coverage
Findings from this rule map to the following framework controls:
See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.
Scan your code for VC125 and 157 other rules
Free, no signup. Drag and drop a zip or run npx xploitscan scan .