Well-designed sites will revoke existing auth tokens on password change, but some won't, and on those, you're screwed.
Your passwords only get sent to CloudFlare when you log in, but the tokens get sent *on every single request*.
That doesn't necessarily revoke the login token on other browsers/devices, or even the current one.
@pimskeks you can't you blame Trump for this?
Well his answer to infosec seems to be "don't use computers, computers bad" so it isn't going to get any better...
No, I'm talking about cookies and other tokens that don't change. TOTP/HOTP tokens are single use.
So should I worry about sites that use authenticators or that I have a text sent to me for extra security?
Log out and log back in to those sites. If they have an option to "log out all active sessions", use it.