this post was submitted on 10 Apr 2026

My company has an external auth provider for the whole organization, and MFA is required (push notification to a phone app). This all works well and I agree with it, BUT they have configured the credentials to expire in 20 minutes. In practice this means everyone in the company is typing their password and fiddling with their phone dozens of times per day to work with any application except for email (somehow it gets away with caching the credentials).

Timeouts for credentials are good, but does this aggressively low setting actually provide increased security?

[–] sylver_dragon@lemmy.world 0 points 2 days ago (1 children)

Is the expiration every 20 minutes, no matter what, or is it after 20 minutes of inactivity? The two have different answers. The former sounds like a misconfiguration, and you may want to reach out to your IT team and ask them about it; sometimes mistakes are made, and it could just be you having a strange problem. The latter is pretty common and does serve a purpose. Inactivity timers deal with the issue of people logging in and then walking away from their system. This is common enough that solutions like inactivity timers are used. There are cases where this is a problem and they need to be disabled, but those will usually be policy exceptions and will need to be requested and documented.

If you're getting logged out of your system every 20 minutes, that really sounds like a bug and not a security feature. Get in touch with your IT and/or security team about it.

[–] lnklnx@piefed.social 0 points 2 days ago* (last edited 2 days ago) (1 children)

I checked. It's deliberate. And it is not inactivity, it is 20 minutes, full stop.

[–] sylver_dragon@lemmy.world 1 points 2 days ago

That does seem like bad design. If it's causing you and your team an inordinate amount of time to constantly re-login, you may want to go up your management chain and try to quantify it. E.g., in an 8-hour day, you would expect to re-login around 24 times. If that takes an average of 2 minutes per login, that's 48 minutes per day. Across 260 days (assuming a standard work year), that's 12,480 minutes per year, or 208 hours. Multiply that by the rate it costs to keep you employed. This includes both your pay and all the costs of employment; the common rule of thumb is to multiply your hourly rate by 2. So, if you're paid ~$50/hr, then it costs ~$100/hr to keep you employed. So, 208 hours of your time is costing the company ~$20,800/yr of lost productivity. That's a significant amount of lost productivity, and that is only accounting for 2 minutes per login and not the lost time as you deal with mental context switching. It's not a cheap cost and is not increasing security by all that much.
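As an added example (not part of the thread, and not modelled on any real auth provider), the following replay makes the absolute-vs-idle distinction from the comments concrete and reproduces the cost estimate above: the two daily activity timelines are constructed, and the 2-minute login time, 260 work days, $50/hr pay and 2x overhead multiplier are the figures sylver_dragon uses.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SessionPolicy:
    # Both limits are optional so one replay can model an absolute-only policy
    # (the OP's "20 minutes, full stop") or an idle-timeout policy.
    absolute_lifetime_min: Optional[int] = None  # re-auth this long after login, regardless of activity
    idle_timeout_min: Optional[int] = None       # re-auth after this long with no activity

def count_logins(policy: SessionPolicy, activity: list) -> int:
    """Replay activity timestamps (minutes since start of day, ascending)
    and count every authentication the policy forces, first login included."""
    logins = 0
    session_start = None
    last_seen = None
    for t in activity:
        if session_start is None:
            expired = True  # nothing cached yet: the initial login
        else:
            hit_absolute = (policy.absolute_lifetime_min is not None
                            and t - session_start >= policy.absolute_lifetime_min)
            hit_idle = (policy.idle_timeout_min is not None
                        and t - last_seen >= policy.idle_timeout_min)
            expired = hit_absolute or hit_idle
        if expired:
            logins += 1
            session_start = t
        last_seen = t
    return logins

def annual_cost_usd(logins_per_day, minutes_per_login=2, work_days=260,
                    hourly_pay=50, overhead_multiplier=2):
    """sylver_dragon's back-of-envelope estimate: minutes lost per year,
    converted to hours and priced at pay times an overhead multiplier."""
    wasted_hours = logins_per_day * minutes_per_login * work_days / 60
    return wasted_hours * hourly_pay * overhead_multiplier

# Constructed timelines: an 8-hour day with activity every minute, and the
# same day with a 45-minute gap (lunch) starting at minute 240.
BUSY_DAY = list(range(0, 480))
DAY_WITH_BREAK = list(range(0, 240)) + list(range(285, 480))

ABSOLUTE_20 = SessionPolicy(absolute_lifetime_min=20)                    # the OP's configuration
IDLE_20 = SessionPolicy(idle_timeout_min=20, absolute_lifetime_min=480)  # idle timer plus a work-day cap

if __name__ == "__main__":
    for day_name, day in (("busy day", BUSY_DAY), ("day with break", DAY_WITH_BREAK)):
        for pol_name, pol in (("absolute 20 min", ABSOLUTE_20), ("idle 20 min", IDLE_20)):
            n = count_logins(pol, day)
            print(f"{day_name:15s} {pol_name:16s} logins={n:2d} est. cost=${annual_cost_usd(n):,.0f}/yr")
```

With continuous activity the absolute policy forces 24 logins a day (the ~$20,800/yr figure), while the idle policy forces one; only the gap in the second timeline makes the idle policy prompt again.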