The Open Web Application Security Project $($OWASP$)$ Top Ten is a list of web application security threats that is composed by a member$-$driven OWASP committee of application development experts and published approximately every $24$ months. The $2013$ OWASP Top Ten list includes $$broken authentication and session management.$$ Which of the following is not a practice$/$vulnerability that can lead to broken authentication and infringe on session management?

Session identification exposed in URLs

Unprotected stored credentials

Lack of session time$-$out

Failure to follow Health Insurance portability and accountability act guidance