Brutkey

sarah tonin :wlfBlep:
@SRAZKVT@tech.lgbt

how long should i make it so that the session gets invalidated? for idle, owasp recommends 2-5 minutes for high value systems, 15-30 minutes for low value systems, and for absolute, 4-8 hours after the session is created

but that will log you out all the fucking time won't it? won't that be annoying? how much time do most modern platforms take before logging you out? do they even invalidate your session at all and instead spit on owasp's recommendations?

alis 🇳🇱🇳🇱
@alice@transgirl.cafe

@SRAZKVT@tech.lgbt it's a comfort/security balance

like if u have a session last for a day which is like super high value and stuff it's obviously gonna be exploited and stuff

i mean imagine like idk running ur ssh session w nopassword sudo for a day that sounds sketchy af right cuz u would usually want to have it like run for a minute to get the commands executed and stuff and not any longer than that


alis 🇳🇱🇳🇱
@alice@transgirl.cafe

@SRAZKVT@tech.lgbt i have created a nice way to make it balance pretty good in the latest system i designed

so u have like this 2 step system

1 is device authorization like yk when u authorize new device u have to use ur passkey and mfa and shit

2 is session authorization like when u have the per-device key u just plug in the passkey and type in password and u have access for like 10 minutes or something
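The two-step design above separates a long-lived device authorization (expensive ceremony: passkey plus MFA) from short-lived sessions (cheaper ceremony on an already-known device). Here is an added example of that split, written for this thread and not taken from the poster's system: the 10 minute session lifetime comes from the post, while the 30 day device lifetime, the `passkey_ok`/`mfa_ok`/`password_ok` booleans standing in for the real verification steps, and the `revoke_device` behaviour are my assumptions. The clock is passed in so it runs offline.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

DEVICE_TTL = 30 * 24 * 3600   # assumed: a device authorization lasts 30 days
SESSION_TTL = 10 * 60         # 10 minutes, as described in the post


@dataclass
class Device:
    user: str
    authorized_at: float


@dataclass
class Session:
    user: str
    device_id: str
    expires_at: float


class TwoStepAuth:
    def __init__(self):
        self.devices: dict[str, Device] = {}
        self.sessions: dict[str, Session] = {}

    def authorize_device(self, user: str, now: float, passkey_ok: bool, mfa_ok: bool) -> Optional[str]:
        """Step 1: the strong ceremony (passkey + MFA) mints a long-lived device key.
        The booleans stand in for real verification of each factor."""
        if not (passkey_ok and mfa_ok):
            return None
        device_id = secrets.token_urlsafe(16)
        self.devices[device_id] = Device(user, now)
        return device_id

    def start_session(self, device_id: str, user: str, now: float,
                      passkey_ok: bool, password_ok: bool) -> Optional[str]:
        """Step 2: on a known device, passkey + password mints a short session."""
        dev = self.devices.get(device_id)
        if dev is None or dev.user != user:
            return None  # unknown device, or someone else's: back to step 1
        if now - dev.authorized_at >= DEVICE_TTL:
            del self.devices[device_id]  # device key itself has aged out
            return None
        if not (passkey_ok and password_ok):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, device_id, now + SESSION_TTL)
        return sid

    def check(self, sid: str, now: float) -> Optional[str]:
        """Per-request check: the session must be unexpired AND its device still
        authorized, so revoking a device instantly invalidates its sessions."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now >= s.expires_at or s.device_id not in self.devices:
            del self.sessions[sid]
            return None
        return s.user

    def revoke_device(self, device_id: str) -> int:
        """Lost or stolen device: drop the device key and every session bound to it.
        Returns the number of sessions killed."""
        self.devices.pop(device_id, None)
        doomed = [sid for sid, s in self.sessions.items() if s.device_id == device_id]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)
```

The point of binding each session to its device id is that the short session is what a stolen cookie buys an attacker (ten minutes), while the device key never leaves the device and can be revoked from the account page to shut everything down at once.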