This flaw occurs when an attacker obtains a user's identity, credentials (both username and password), or web session. This can happen when a system:
- Allows automated attacks, where the attacker can guess valid usernames and passwords
- Permits brute force or other automated attacks
- Allows default, weak, or well-known passwords, such as Password123
- Uses weak or ineffective credential recovery and forgot-password methods
- Uses plain text, encrypted, or weakly hashed passwords
- Exposes session IDs in the URL
- Does not manage the session properly after a successful login
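
The sketch below is an added example, not code from the original page. It shows an in-memory login handler that counters several of the weaknesses listed above: it rejects well-known passwords, stores salted scrypt hashes, throttles repeated failures, and issues a fresh session ID on login. The `Auth` class, the `COMMON` denylist, and the `MAX_FAILS` and `LOCK_SECONDS` policy values are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

COMMON = {"password123", "password", "123456", "qwerty"}  # constructed sample denylist
MAX_FAILS, LOCK_SECONDS = 5, 300                            # assumed policy values

class Auth:
    def __init__(self, clock=time.monotonic):
        self.users, self.fails, self.sessions, self.clock = {}, {}, {}, clock

    @staticmethod
    def _hash(password, salt):
        # Salted, memory-hard hash instead of plain text or a fast digest
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def register(self, user, password):
        # Refuse short and well-known passwords such as Password123
        if len(password) < 8 or password.lower() in COMMON:
            raise ValueError("weak or well-known password")
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    def login(self, user, password, old_sid=None):
        count, locked_until = self.fails.get(user, (0, 0.0))
        if self.clock() < locked_until:
            return None                      # throttled: blunts automated guessing
        # Unknown users still go through one hash so timing does not reveal them
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        ok = hmac.compare_digest(self._hash(password, salt), stored)
        if not ok:
            count += 1
            until = self.clock() + LOCK_SECONDS if count >= MAX_FAILS else 0.0
            self.fails[user] = (0 if until else count, until)
            return None
        self.fails.pop(user, None)
        self.sessions.pop(old_sid, None)     # invalidate the pre-login session ID
        sid = secrets.token_urlsafe(32)      # fresh ID, meant for a cookie, not the URL
        self.sessions[sid] = user
        return sid
```
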