Most break-ins do not start with a clever exploit. They start with someone typing a password that was easy to guess, or one that was stolen from a completely different website months earlier and quietly recycled. The login page is usually the plainest part of any web application, and that is exactly why criminals like it so much more than the flashier parts of your site.
The Password Problem Nobody Wants to Own
Ask any IT manager and they will tell you staff reuse passwords across dozens of accounts without a second thought. They know it, they have raised it in meetings more than once, and yet the underlying authentication system rarely gets rebuilt to compensate for that habit. A single reused password, leaked in an unrelated breach years ago, can still open the door to your customer database today because nothing forces a second check before access is granted. Training staff to choose better passwords helps only marginally, because the weakness sits in the system’s tolerance for guessing, not purely in human behaviour.
This is where thorough web application pen testing earns its keep, because a tester will actively try the things a real attacker tries: credential stuffing against your login form, weak lockout rules, and password reset flows that leak whether an account exists at all. Those findings rarely show up in a routine automated vulnerability scan, precisely because nothing on the page is technically broken.

Credential Stuffing Does Not Need Skill, Just Patience
Attackers buy lists of billions of leaked username and password pairs for a few pounds on criminal forums and fire them at login pages automatically, betting that a percentage will still work somewhere across the internet. No lockout after repeated failures, no CAPTCHA, no anomaly detection, and the tool just keeps going until it finds a live account worth taking over. It is unglamorous, entirely automated, and depressingly effective against sites that never tightened their login controls in the first place. The attacker does not need to know anything about your specific business; the same script runs against thousands of unrelated targets overnight, and yours simply becomes one more line in the results file.
William Fieldhouse has watched this play out enough times to have a clear view on where the fix actually sits.
“I have tested login pages that would happily accept ten thousand password guesses in an afternoon without so much as a warning email to the user whose account was targeted. Multi-factor authentication is the single change that stops that entire attack dead, yet it is still treated as optional on far too many customer portals I review.”
— William Fieldhouse, Director of Aardwolf Security Ltd
That gap between ‘optional’ and ‘essential’ is where most breaches of this kind actually live and fester unnoticed. Adding MFA does not require ripping out your existing system; it can sit alongside current logins and immediately shrink the value of every stolen password an attacker is holding, because a password alone stops being enough to get in once a second factor is required.
Fix the Front Door Before Anything Else
Authentication is unglamorous, which is precisely why it gets neglected while budget flows toward newer, shinier security controls that look better in a board presentation. But it remains the first thing any attacker probes, automated or otherwise, and the cheapest weakness to leave unpatched for another quarter. Small changes such as enforced MFA, sensible lockout thresholds, and generic error messages on failed logins close off most of this risk without a costly rebuild. If you want a clear, independent view of how your login defences would actually hold up under attack, request a penetration testing quote and find out before someone else does the testing for you instead.
