  • hcf@sh.itjust.works to 196@lemmy.blahaj.zone · an iconic rule-o

    The weakest link in any system is the user, not the security policy (or lack thereof).

    I’ve seen this particular policy aggravate users to the point where they would rather export sensitive company data onto their own personal machines rather than deal with having to reauth once per hour into some Entra ID SSO-backed web app.

    Or even users who generate service account credentials that they share around with their team such that nobody uses their own account to log in anymore.

    When your policy teeters towards aggravating users, many of them will just find clever ways to circumvent it, which is a losing situation for everyone.



  • hcf@sh.itjust.works to 196@lemmy.blahaj.zone · an iconic rule-o

    If this is a login for a work/school account, it’s because someone in your IT department thinks that applying a short “max session length” policy is “extra secure”.

    Basically no different than shitty password rules or some places that make you change your password every 90 days.