We see it all the time. We log in to a web site but after not doing anything on the site for a while — sometimes as little as 10 minutes — the site reports “your session has timed out, please log in again.”
And you get the login screen, which offers, along with the ability to log in, a link marked “Forget your password?” that lets you reset (OK) or recover (very bad) your password via your E-mail account.
The same E-mail account you are almost surely logged into in another tab or another window on your desktop. The same e-mail account that lets you go a very long time idle before needing authentication again — perhaps even forever.
So if you’ve left your desktop and some villain has come to your computer and wants to get into that site that oh-so-wisely logged you out, all they need to do is click to recover the password, go into the E-mail to learn it, delete that E-mail and log in again.
Well, that’s if you don’t, as many people do, have your browser remember passwords, in which case they can log in again without any trouble at all.
It’s a little better if the site does only password reset rather than password recovery. In that case, they have to change your password, and you will at least detect they did that, because you can’t log in any more and have to do a password reset. That is if you don’t just think, “Damn, I must have forgotten that password. Oh well, I will reset it now.”
In other words, a lot of user inconvenience for no security, except among the most paranoid who also have their E-mail auth time out just as quickly, which is nobody. Those who have their whole computer lock with the screen saver are a bit better off, since everything is locked out, as long as they also use whole-disk encryption to stop an attacker from reading stuff off the disk.
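The two properties the post asks for from a site's "forgot password" flow are that it be a reset rather than a recovery (the old password is never disclosed) and that the legitimate user notice when it has been used. The following is an added example, not code from any real site or from the author: an in-memory account store (constructed names and values) whose reset link is a short-lived, single-use token, whose passwords are stored only as salted hashes so there is nothing to "recover", and which revokes every live session and records a notification when a reset completes.

```python
import hashlib, hmac, os, secrets, time

TOKEN_TTL = 15 * 60  # constructed policy: reset links expire after 15 minutes

def hash_password(pw, salt=None):
    # Salted PBKDF2: the site never holds the cleartext, so "recovery" is impossible by design.
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def verify_password(pw, stored):
    return hmac.compare_digest(hash_password(pw, stored[:16]), stored)

class Accounts:
    def __init__(self):
        self.users = {}          # email -> {"pw": salted hash, "sessions": set of ids}
        self.reset_tokens = {}   # sha256(token) -> (email, expiry time)
        self.notifications = []  # what the real user would see in their inbox or app

    def register(self, email, pw):
        self.users[email] = {"pw": hash_password(pw), "sessions": set()}

    def login(self, email, pw):
        u = self.users.get(email)
        if not u or not verify_password(pw, u["pw"]):
            return None
        sid = secrets.token_urlsafe(32)
        u["sessions"].add(sid)
        return sid

    def session_valid(self, email, sid):
        return sid in self.users.get(email, {}).get("sessions", set())

    def request_reset(self, email, now=None):
        # Only a token goes out by e-mail, never the password; unknown addresses get no token.
        if email not in self.users:
            return None
        tok = secrets.token_urlsafe(32)
        expiry = (now or time.time()) + TOKEN_TTL
        self.reset_tokens[hashlib.sha256(tok.encode()).hexdigest()] = (email, expiry)
        return tok

    def complete_reset(self, tok, new_pw, now=None):
        entry = self.reset_tokens.pop(hashlib.sha256(tok.encode()).hexdigest(), None)  # single use
        if not entry or (now or time.time()) > entry[1]:
            return False
        email, _ = entry
        u = self.users[email]
        u["pw"] = hash_password(new_pw)
        u["sessions"].clear()  # whoever held the old sessions is logged out everywhere
        self.notifications.append((email, "password changed via reset link"))
        return True
```

Revoking sessions and notifying the address are what turn a silent takeover into the detectable "I can't log in any more" event the post describes.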