To work around this I usually drag and drop text pasted into the URL field or somewhere, on my Mac at least.
Can I just say though that disabling paste, apparently in the name of security, is the dumbest shit I have ever encountered, right in front of ultra short timeouts everywhere.
If only I could meet the people who make these decisions in person...
> right in front of ultra short timeouts everywhere
> If only I could meet the people who make these decisions in person...
For what it's worth, I was once forced to implement a half hour auto-logout on a website that could hardly be considered as containing sensitive data because an external pentest firm flagged the lack of a short timeout as an issue. The only way we could show clients a passing pentest was to comply with all of the findings. We all knew it was stupid but management gave us no choice but to implement it.
Sometimes they will just be excessive because nobody applies any kind of critical thinking and/or because they favour looking like they find a lot over any kind of precision. I once had a site where they insisted on disabling ping responses for the website, citing it as a serious security concern. Because surely nobody would otherwise know that the very public website was there.
I replied with listing a number of websites of security focused organisations whose websites responded to ping, including assorted security services, military, and the pentesting company's own website.
(I didn't object to them querying what actually responded to the ICMP requests - none of them made it past the firewall, which is what replied and revealed nothing of our internal infra - I objected to them ignoring that answer and still insisting it revealed things it demonstrably didn't, and that lack of understanding was consistent through their report)
Yes, but with the problem that the pentester had been hired by our client and our client was a multibillion budget quasi-governmental organisation (transit authority) that was not inclined to listen because that'd involve mid-level managers sticking their necks out when they didn't need to and didn't know who was right.
So we did the British thing and went for a lot of passive-aggressive "oh, but how come it's ok for the CIA and your own website?" etc. to force them on the defensive and demonstrate that a lot of what they did was basically ticking pointless boxes.
We did manage to carve out some willingness in the client organisation to ignore bits and pieces as we clearly increased our credibility relative to the pen testers, but it was a massive pain.
Hah.. you just reminded me of something I implemented at my old company. We had a similarly short timeout, so I put in a 'heartbeat' that would refresh the timeout if you move your mouse or do anything.
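As an added example (not code posted by anyone in this thread), here is an activity-based idle timer of the kind that comment describes, with one property a reviewer would want: an absolute session ceiling, so that mouse movement can extend the idle window but never the session itself. All names (`createSessionTimer`, `attach`) and the durations are made up, and the clock is injectable so the logic runs without a browser; the server must still enforce both limits on its side, since client-side timers are advisory only.

```javascript
// Added example, not from the original thread. Durations are assumptions.
const IDLE_MS = 30 * 60 * 1000;          // 30 minutes of inactivity
const ABSOLUTE_MS = 8 * 60 * 60 * 1000;  // 8 hours regardless of activity
const HEARTBEAT_MS = 60 * 1000;          // at most one server heartbeat per minute

function createSessionTimer({ idleMs = IDLE_MS, absoluteMs = ABSOLUTE_MS,
                              heartbeatMs = HEARTBEAT_MS, now = Date.now } = {}) {
  const startedAt = now();
  let lastActivity = startedAt;
  let lastHeartbeat = startedAt;
  let heartbeatsSent = 0;

  return {
    // Called from input listeners. Resets the idle clock unless the absolute
    // ceiling has been reached; returns true when a heartbeat should be sent
    // to the server (rate-limited by heartbeatMs so constant motion does not flood it).
    recordActivity() {
      const t = now();
      if (t - startedAt >= absoluteMs) return false; // ceiling reached: no extension
      lastActivity = t;
      if (t - lastHeartbeat >= heartbeatMs) {
        lastHeartbeat = t;
        heartbeatsSent += 1;
        return true;
      }
      return false;
    },
    // Why the session should end now: 'absolute', 'idle', or null if still valid.
    expiryReason() {
      const t = now();
      if (t - startedAt >= absoluteMs) return 'absolute';
      if (t - lastActivity >= idleMs) return 'idle';
      return null;
    },
    heartbeatCount() { return heartbeatsSent; },
  };
}

// Browser wiring; does nothing outside a DOM (e.g. under Node).
function attach(timer, sendHeartbeat, logout) {
  if (typeof window === 'undefined') return;
  for (const ev of ['mousemove', 'keydown', 'click', 'scroll']) {
    window.addEventListener(ev, () => { if (timer.recordActivity()) sendHeartbeat(); },
                            { passive: true });
  }
  setInterval(() => {
    const reason = timer.expiryReason();
    if (reason) logout(reason);
  }, 15 * 1000);
}
```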
That might work if your company hired the pen testers, it's a lot less likely to work if they were hired by a client. In the latter case, the overhead of all the required explanation and smoothing of ruffled feathers for the client likely costs a lot more than implementing the stupid timeout in the first place.
Pen testers are often very resistant to pushback. They get it a lot, and usually on things that are real concerns.
- My password manager had a saved login for it, I didn’t remember it, but it worked
- Then the site asked me for an authenticator app code. I checked my authenticator apps and there was nothing there for login.gov.
- There's a 'login another way' button, so I click that, and the other way is to use the authenticator app!
- I click 'what if I can't get my code?'
- It says I must DELETE my account.
- I click to delete my account and it sends me an email.
- The email says to wait 24 hours for another account deletion email.
- 24 hours later I get an email that allows me to delete my account.
What was in the account? I have no idea, but it seems that it must be sensitive for some uses of the login. But if it’s sensitive and important why am I able to delete the account, the most destructive thing? Why is an email enough for me to delete it but not enough for me to get an auth code?
I would guess that the 24 hour delay is to allow the real owner of the account a chance to cancel the delete if someone tries to mess with their account.
It's been too long and I don't clearly remember, but I think I had to use login.gov to establish an account for mumble. There was an option to print out a onetime pad (for 2FA); I chose it just for kicks. Haven't used it but I have it on file "against the day" I lose my normal second factor.
While an attacker being able to use just a password (and no 2fa) to delete someone else’s account is pretty bad, stealing information from their account may well be worse. There is a lot of personal information that I have that I'd rather see destroyed than fall into the wrong hands.
Mstsc doesn't allow it because the login screen for windows doesn't have copy-paste. It's not that it has been disabled, it's that it was never programmed to have something in the clipboard before logging in. Still, they probably could load the thing first easily, but it's Microsoft we're talking about.