this post was submitted on 18 Aug 2023
13 points (100.0% liked)
Security
Tbh, for typical consumers I think 2-4 hours is fine.
Chances are, if the user cares, they will reuse a session in that timeframe. Otherwise, they log in again.
Any good password manager will clear the clipboard after 10s or so!
Anything that is critical should use a physical key. Is it YubiKey that does this? (I'm sure it's becoming a web standard).
If the YubiKey needs more? Add a biometrics reader on it. Or a password decrypt.
Have multiple identities or are worried about privacy? Have a key that can provide multiple identities, along with the infra to support this.
Even if we make passwords absolutely tied to a physical sack of meat.... There is still social engineering that can use the user to bypass all that!