by dustinmoris
1397 days ago
A hijacked session is bad, but nowadays not nearly as bad as a leaked password:

- Sessions can be linked to a user's location and/or browser fingerprint
- Sessions are short(er) lived
- Sessions can easily get invalidated (e.g. device-wide logout)
- Almost all critical actions are behind additional security (e.g. can't change password without 2FA, or change billing information without confirming password and/or 2FA in order to apply changes, etc.)
- Sessions are not shared across properties, whereas many users share their password across multiple internet sites/properties
Does this still really happen??
I gave up that malpractice years ago.
Unfortunately, it's very hard to gauge this in our company, but I would hope users take their security training to heart.