→ Invalid email ≠ invalid password: distinct error messages (or response times) for an unknown email vs. a wrong password reveal whether an account exists (username enumeration); the response must be identical in both cases
→ Look at the forgot-password flow for the same enumeration leak and for weak reset tokens (predictable, reusable, non-expiring)
<aside> 📗 Look for session fixation (is the pre-login session ID kept after login?) and test token reuse after logout, expiry, etc.
</aside>
Permits brute force or other automated attacks.
Permits default, weak, or well-known passwords, such as “Password1” or “admin/admin”.
Uses weak or ineffective credential recovery and forgot-password processes, such as “knowledge-based answers”, which cannot be made safe.
Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure).
Has missing or ineffective multi-factor authentication.
Exposes Session IDs in the URL (e.g., URL rewriting).
Does not rotate Session IDs after successful login.
Does not properly invalidate Session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a period of inactivity.
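Added example (not from the original note or from OWASP): a minimal in-memory login and session store, in Python, that puts the two checks above side by side: the enumeration leak from distinct login errors (vulnerable vs. hardened login) and session-ID handling (rotation at login against fixation, invalidation on logout and after inactivity). The user record, salt and idle timeout are constructed for the demo.

```python
# Added example: constructed user store and session store, not from any project.
import hashlib
import hmac
import secrets
import time

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is deliberately slow; the hardened login does this work on every
    # path so the response time does not depend on whether the email exists.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"                       # constructed, per-user in real code
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
_DUMMY = _hash("dummy", _SALT)                    # stand-in hash for unknown accounts
GENERIC_ERROR = "Invalid email or password"

# --- Vulnerable: the message tells the attacker which half was wrong,
#     and an unknown email returns early (no hash work -> faster reply).
def login_vulnerable(email: str, password: str):
    rec = USERS.get(email)
    if rec is None:
        return False, "Unknown email"
    salt, stored = rec
    if _hash(password, salt) != stored:
        return False, "Wrong password"
    return True, "ok"

# --- Hardened: one message for both failures, hash work done even for an
#     unknown email, constant-time comparison of the digests.
def login_hardened(email: str, password: str):
    salt, stored = USERS.get(email, (_SALT, _DUMMY))
    match = hmac.compare_digest(_hash(password, salt), stored)
    # Second condition: guessing the dummy password must not log anyone in.
    if not match or email not in USERS:
        return False, GENERIC_ERROR
    return True, "ok"

IDLE_TIMEOUT = 15 * 60  # seconds; constructed value for the demo

class SessionStore:
    """Server-side sessions keyed by a random ID (never carried in the URL)."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}   # sid -> {"user": email or None, "last": timestamp}
        self._clock = clock   # injectable so the idle timeout can be tested

    def new_session(self, user=None) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last": self._clock()}
        return sid

    def rotate(self, old_sid: str, user: str) -> str:
        # Fresh ID at login: a pre-login ID planted by an attacker (session
        # fixation) is dropped instead of being promoted to an authenticated one.
        self._sessions.pop(old_sid, None)
        return self.new_session(user)

    def invalidate(self, sid: str) -> None:
        # Logout removes the server-side record; the old cookie is now useless.
        self._sessions.pop(sid, None)

    def user_for(self, sid: str):
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)       # expired by inactivity
            return None
        s["last"] = now
        return s["user"]

def login_flow(store: SessionStore, pre_login_sid: str, email: str, password: str):
    """Authenticate and, on success, replace the anonymous session ID."""
    ok, msg = login_hardened(email, password)
    if not ok:
        return pre_login_sid, msg
    return store.rotate(pre_login_sid, email), msg
```

When testing a target, the check that matches this code is simple: compare the full response (status, body, headers, timing) for a known-good and a known-bad email with the same wrong password, and compare the session cookie value before and after a successful login and again after logout.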