If you make users sign in too much, they will just make their passwords short and easy to remember, even 24hrs is too much and people bitch about it all the time, especially since we have password managers enforced, meaning every time they need to Auth they need to Auth into their system, Auth into their password manager, copy the password, auth into their phone, look at the 2FA code and type that in.
Doing this every day just to open email is understandably fucking enraging even to me as a security “”“engineer”“”/analyst/${bullshitblueteamemailreaderjob}
Press it harder and they will use simple passwords that will inevitably be passed through to something external (e.g. cockpit which even I can bruteforce) or reused somewhere at some point, and then someone just has to get lucky once and run whatever run0 sudo su <reverse shell bs here> to bypass all protections.
If you make users sign in too much, they will just make their passwords short and easy to remember, even 24hrs is too much and people bitch about it all the time, especially since we have password managers enforced, meaning every time they need to Auth they need to Auth into their system, Auth into their password manager, copy the password, auth into their phone, look at the 2FA code and type that in.
Doing this every day just to open email is understandably fucking enraging even to me as a security “”“engineer”“”/analyst/${bullshitblueteamemailreaderjob}
Press it harder and they will use simple passwords that will inevitably be passed through to something external (e.g. cockpit which even I can bruteforce) or reused somewhere at some point, and then someone just has to get lucky once and run whatever
run0 sudo su <reverse shell bs here>
to bypass all protections.I agree with you. If i had to add my password everytime I’d just add my personal account to sudo group.
Good security works with people, not against them.
SELinux has left the chat.