The damage of an intercepted cookie is limited to the site you're logged into - if I intercepted your Hacker News cookie, I can't use it to log into your bank account.

The damage of an intercepted password is much bigger. It's a fact that most people reuse passwords. You can't say the issue doesn't exist just because you shouldn't do it.

There're also services that are a lot more careful than that. e.g. Facebook Connect's API uses HTTPS for (at least) the login so you can't intercept the passwords, and then it uses an HMAC-like authentication so that even if an attacker can intercept any non-encrypted messages, they can't change it or impersonate you.

My point is I fail to see how this is an unusual or new situation. You can probably accuse millions of sites of sending passwords in the clear on login.

Besides: say I steal your HN (or whatever) cookie and hit logout from your account. Your auth cookie is now no longer valid, you get a login prompt. You assume it's some kind of glitch and re-login with your password, which I intercept. Is that much better?

Thing is.. very few people go into random restaurants and login (and I mean, login, in which you type in your password) to sites like Hacker News or Slashdot every day. The chance of you opening a public AP in a crowded place and getting back a Hacker News password is slim to none - I'm not saying it's safe though.

Foursquare passwords, on the other hand, is something you can very easily intercept in the open - due to the way it's used, and that it sends your passwords out every time you open it without you typing anything - that's already unusual. There're surely a lot more poorly secured sites and mobile apps, but something like Foursquare's authentication scheme is a big problem for its users.

It's not new. It's an old vulnerability. And no large application would survive an audit without this geting flagged.

sessions are a one-time token. passwords are an all time token. biometrics are a forever token.