People who say things like "just don't get hacked or it's your own fault" are missing the point here. The security token is supposed to be an extra layer of security that the user can set up to prevent outside sources from accessing your account, so that even if someone were to obtain your user name and password, they would not be able to easily access your account. If a hacker can easily grab an unencrypted session ID that never expires and use that and only that to access your account indefinitely, it bypasses the token and makes it essentially worthless. Yes, users should take precautions not to get hacked, but SE should also take the necessary steps to ensure that the security options they're giving to the users are working properly.