August 2018
594 pages
A flaw in authentication and/or session management can compromise the security of a software system. Attackers can find a flaw in authentication or session management manually and then use automated tools to exploit it.
Some of the topics we have explored in this chapter, such as hashing passwords with a salt, using multi-factor authentication, and being secure by default by not deploying with default credentials, can help secure your system from authentication-related attacks.
Password policies should be put in place to enforce minimum password length and complexity requirements, as well as to ensure passwords are rotated periodically.
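The salted hashing, default-credential and password-policy points above can be combined in one enrolment path. The following is an added example, not code from the book; the policy thresholds, the default-password list and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed policy values for illustration; the text does not specify any.
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3
# Constructed sample of well-known default passwords to refuse at enrolment.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "root"}
# Assumed PBKDF2 work factor; tune it to the hardware that runs the login path.
ITERATIONS = 600_000


def policy_violations(password):
    """Return the list of policy rules that the candidate password breaks."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default credential")
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < MIN_CHAR_CLASSES:
        problems.append("not complex enough")
    return problems


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def hash_password(password):
    """Enforce the policy, then hash with a fresh random per-user salt."""
    problems = policy_violations(password)
    if problems:
        raise ValueError(", ".join(problems))
    salt = os.urandom(16)
    return salt, _derive(password, salt)  # store both; never the plaintext


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(_derive(password, salt), digest)
```

Because each call to `hash_password` draws a new salt, two users with the same password get different stored digests, which defeats precomputed lookup tables.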
Applications should always provide a logout feature and session timeouts should ...