- Dictionary attack
- leaked credentials
- attacker gains access, then commits identity theft, money/card fraud, or data fraud.
- Confirm users' identity and manage sessions properly
- implement multi-factor authentication.
- no default credentials (or other standard/shared credentials)
- Implement checks against weak passwords:
- length, complexity, and password-history checks
- limit failed logins
- log every activity regardless of success or failure
- Use a SERVER-SIDE SESSION IDENTIFIER (the server generates and manages it, not the client).
Probably implement a breached-password check using https://haveibeenpwned.com/
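As an added example (not part of these notes), here is a Python check that combines the weak-password rules above with a breached-password lookup in the style of the Pwned Passwords range API from haveibeenpwned.com. The range response is constructed inline so it runs offline; the 12-character minimum and the 3-of-4 character-class rule are assumed thresholds.

```python
import hashlib
import re
import secrets

# Constructed stand-in for a Pwned Passwords range response
# (GET https://api.pwnedpasswords.com/range/<first 5 hex digits of SHA-1>): each line
# is the remaining 35 hex digits of a leaked hash plus a breach count; only the
# 5-digit prefix ever leaves the client (k-anonymity), never the password.
LEAKED = hashlib.sha1(b"Password123!").hexdigest().upper()
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    LEAKED[5:] + ":2412",
])

def hibp_split(password: str) -> tuple:
    """SHA-1 the password: (5-char prefix to send, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_response: str) -> int:
    """Match the local suffix against the returned range; 0 means not found."""
    _, suffix = hibp_split(password)
    for line in range_response.splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0

def history_entry(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 so stored old hashes cannot be reversed (production: reuse the credential-store KDF)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def password_problems(password: str, history: list, range_response: str) -> list:
    """Policy from the notes: length, complexity, history and breach checks.
    The 12-character minimum and 3-of-4 class rule are assumed thresholds."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    # history is a list of (salt, digest) pairs produced by history_entry()
    if any(history_entry(password, salt)[1] == digest for salt, digest in history):
        problems.append("reused from password history")
    if breach_count(password, range_response) > 0:
        problems.append("found in a known breach")
    return problems
```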