Broken authentication happens when application functions related to authentication and session management are implemented poorly. This allows attackers to compromise passwords or session tokens.

Most broken authentication attacks occur due to the continued use of passwords as the sole factor for authentication. Password rotation and complexity requirements are viewed as encouraging users to use and reuse weak passwords.

Attackers need to gain access to only a few accounts, or just one admin account, to compromise the whole system. Depending on the domain of the application, this may allow social security fraud or identity theft, and disclose legally protected, highly sensitive information.