Broken authentication is an ongoing issue, identified in the OWASP Top 10 2013 and 2017 (A2 in both). While broken authentication can span multiple topics, this presentation focuses mainly on attacking single factor authentication using usernames and passwords, however other authentication/authorization flaws will be touched on. Methods and techniques will be discussed to perform reconnaissance/scanning, username enumeration, account lockout bypass, various password attacks, and more.