by dandarie 1836 days ago
Yes, he can steal the cookies and new passwords, but still won't have access to user accounts and/or passwords for more than an hour.

So, after Edward is discovered, all sessions are remotely logged off and all accounts created during that hour are blocked, asked to confirm their email, phone or even identity, or deleted.

So, after one hour, Edward is left with nothing more than braggable rights. And personal data of billions, but not their passwords.
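The containment steps this comment describes (log every session off remotely, quarantine accounts created during the exposure window, and treat passwords that changed during it as compromised) can be written down as a small session store. The following is an added illustration, not code from the thread or from any real platform; the account names, the one-hour window and the `SessionStore` API are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Constructed reference time for the sample timeline below.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Account:
    username: str
    created_at: datetime
    password_changed_at: datetime
    must_reverify: bool = False        # created in the window: confirm email/phone first
    must_reset_password: bool = False  # password changed in the window: attacker saw it


@dataclass
class Session:
    token: str
    username: str
    issued_at: datetime


class SessionStore:
    """Hypothetical store holding accounts, live sessions and a global revocation cutoff."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}
        self.sessions_revoked_at: datetime | None = None

    def register(self, username: str, now: datetime) -> None:
        self.accounts[username] = Account(username, now, now)

    def change_password(self, username: str, now: datetime) -> None:
        self.accounts[username].password_changed_at = now

    def login(self, username: str, now: datetime) -> str:
        acct = self.accounts[username]
        if acct.must_reverify or acct.must_reset_password:
            raise PermissionError(f"{username} must re-verify before logging in")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, now)
        return token

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        # Cutoff check covers replicas that have not yet dropped the old entries.
        if self.sessions_revoked_at is not None and s.issued_at <= self.sessions_revoked_at:
            return False
        acct = self.accounts[s.username]
        return not (acct.must_reverify or acct.must_reset_password)

    def contain_breach(self, window_start: datetime, discovered_at: datetime) -> dict[str, int]:
        """Apply the comment's steps once the intrusion window is known."""
        # 1. Every session is logged off: stolen cookies stop working immediately.
        self.sessions_revoked_at = discovered_at
        self.sessions.clear()
        quarantined = resets = 0
        for a in self.accounts.values():
            # 2. Accounts created in the window may be attacker-made: block until verified.
            if window_start <= a.created_at <= discovered_at:
                a.must_reverify = True
                quarantined += 1
            # 3. Passwords set in the window were visible to the attacker: force a reset.
            elif window_start <= a.password_changed_at <= discovered_at:
                a.must_reset_password = True
                resets += 1
        return {"accounts_quarantined": quarantined, "password_resets": resets}


def demo() -> dict[str, object]:
    """Constructed timeline: a one-hour exposure window starting at T0."""
    store = SessionStore()
    store.register("alice", T0 - timedelta(days=30))
    store.register("bob", T0 - timedelta(days=30))
    alice_tok = store.login("alice", T0 - timedelta(hours=2))      # pre-breach session
    store.register("mallory", T0 + timedelta(minutes=10))          # created during window
    store.change_password("bob", T0 + timedelta(minutes=20))       # new password stolen
    bob_tok = store.login("bob", T0 + timedelta(minutes=25))
    summary = store.contain_breach(T0, T0 + timedelta(hours=1))
    new_alice_tok = store.login("alice", T0 + timedelta(hours=1, minutes=5))
    try:
        store.login("mallory", T0 + timedelta(hours=1, minutes=5))
        mallory_blocked = False
    except PermissionError:
        mallory_blocked = True
    return {
        "old_alice_session_valid": store.is_valid(alice_tok),
        "bob_session_valid": store.is_valid(bob_tok),
        "new_alice_session_valid": store.is_valid(new_alice_tok),
        "mallory_blocked": mallory_blocked,
        "summary": summary,
    }
```

Note the asymmetry the thread goes on to discuss: everything here is enforceable by the platform, but a password that the user also used elsewhere is outside the store's reach entirely.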

1 comment

Interesting. But this point seems a bit different than the one tialaramex was making.

tialaramex's criticism of passwords was that Edward can use the stolen ones eternally. But if your actions are followed, with Facebook resetting all those users' passwords and forcing them to reconfirm via email or phone, then tialaramex's criticism doesn't really apply anymore. The criticism only applies to users who reused their passwords on other sites, because Edward can still attack those other sites.

> The criticism only applies to users who reused their passwords on other sites, because Edward can still attack those other sites.

Of course, but that's a weakness that concerns the user, not the platform.

It is not a flaw of Facebook's security model.