Cybersecurity

9810 readers

42 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

Do extremely short credential lifetimes actually help security? (piefed.social)

submitted 1 day ago by lnklnx@piefed.social to c/cybersecurity@sh.itjust.works

10 comments fedilink hide all child comments

My company has an external auth provider for the whole organization, and MFA is required (push notification to a phone app). This all works well and I agree with it, BUT they have configured the credentials to expire in 20 minutes. In practice this means everyone in the company is typing their password and fiddling with their phone dozens of times per day to work with any application except for email (somehow it gets away with caching the credentials).

Timeouts for credentials are good, but does this aggressively low setting actually provide increased security?

you are viewing a single comment's thread
view the rest of the comments

[–] sylver_dragon@lemmy.world 1 points 1 day ago

That does seem like bad design. If it's causing you and your team an inordinate amount of time to constantly re-login, you may want to go up your management chain and try to quantify it. e.g. in an 8 hour day, you would expect to re-login around 24 times in the day. If that takes an average of 2 minutes per login that 48 minutes per day. Across 260 days (assuming a standard work year), that's 12,480 minutes per year or 208 hours. Multiply that by the rate it costs to keep you employed. This includes both your pay and all the costs of employment, the common rule of thumb is to multiply your hourly rate by 2. So, if you're paid ~$50/hr then it costs ~$100/hr to keep you employed. So, 208 hours of your time is costing the company ~$20,800/yr of lost productivity. That's a significant amount of lost productivity and that is only accounting for 2 minutes per login and not the lost time as you deal with mental context switching. It's not a cheap cost and is not increasing security by all that much.