by graemep
288 days ago
I agree. However, you use them less often, so it's far harder for someone to time it right. If you use a username instead of an email address, attackers have to guess that too. One quite serious problem I see quite often is using email plus password for login, and notifying on failed login that the email is not in the system, letting attackers validate which emails are logins.

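The failed-login leak described in the comment above, shown next to a uniform-response version. This is an added example, not part of the thread; the user store, function names and messages are hypothetical, and PBKDF2 stands in for whatever password hash a real system uses.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: email -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credentials checked when the email is unknown, so both failure
# paths perform the same hashing work and timing does not reveal
# whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password-never-matches", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid email or password."

def login_enumerable(email: str, password: str) -> str:
    """The pattern the comment warns about: distinct failure messages."""
    if email not in USERS:
        return "No account exists for that email."
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Wrong password."
    return "OK"

def login_uniform(email: str, password: str) -> str:
    """Same message and same hashing cost whether or not the email exists."""
    known = email in USERS
    salt, stored = USERS[email] if known else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    # 'known' is required as well, so the dummy password never logs anyone in.
    return "OK" if (known and matches) else GENERIC_FAILURE

if __name__ == "__main__":
    for fn in (login_enumerable, login_uniform):
        print(fn.__name__)
        print("  unknown email :", fn("nobody@example.com", "guess"))
        print("  wrong password:", fn("alice@example.com", "guess"))
```
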
And this is exactly the kind of phishing attack that is most effective, as this particular incident shows. So I'd say it's actually a worse phishing vector than magic links.