The ones that puzzle me even more are the intranet websites that log you off after x minutes whereas they work with single sign-on, i.e. no password entered, so I'm not sure what security benefit that achieves. But they make you lose whatever you were doing in the process.
What continues to grimly amuse me is that many of these websites that also have a mobile app will basically keep you signed in forever on the mobile app. It's just the website, where most people would prefer to do their heavy lifting work on, that has the anti-usability nonsense that makes you install plugins like auto-refresh-every-10-minutes.
The problem with the security industry is that there's no way for non-experts to reliably assess "I'm an expert, trust me!" from a practitioner.
I'm not really sure what the best fix is; there are many possible ones. I've seen total clowns pushing decades-old nonsense be taken seriously by competent businesses simply because they thought "hiring an expert" was enough, like they're a plumber or something.
It is no different than doctors or mechanics or lawyers. Reputation is your best guide. In security-land, there are some certifications that are fairly rigorous; some of those can serve as a distant second.
Doctors and lawyers are professions that are regulated by licensure, of which unauthorized practice comes with actual real and not made up legal consequences. Where is the similar licensure that tech security professionals are regulated by?
You may have missed the point being made. You find a good security professional the same way you find a good lawyer or doctor. Ask around for a reference for a good one. Then check their credentials (e.g., what certifications they have).
I believe there was an article on HN recently about a startup that used a "lawyer" that wasn't because they didn't check their credentials after getting a great reference. Just because there are consequences doesn't mean it doesn't happen.
I feel quite certain that I haven't, I just think the point is poorly made and I've spoken specifically to why I think that to be the case. You can get all the recommendations and referrals you want for an infosec professional; nothing stops that person from holding themselves out to be such a professional, quality of work or competency performing it notwithstanding.
You can absolutely suck as a pentester, but still legally hold yourself out to be one and advertise yourself as one to anyone who will hire you.
You can NOT do the same, holding yourself out as an attorney or a doctor, without very real risk of legal action if you are in fact not licensed to do either. There are bar associations and medical boards governing various aspects of their work and how their work is conducted; they perform ethics and competency investigations on license holders, and can take away their license to continue working in such capacity if said investigations deem fit. No such governing board or ethical board exists for infosec professionals.
That is a pretty important difference that shouldn't be ignored just to make a petty point about how easy it is to ask for a referral.
Just because there are consequences doesn't mean it doesn't happen.
Which is only supplemental to all of this. My entire point is that it happens, and the prudent do the diligence to make sure it doesn't.
> You can get all the recommendations and referrals you want for an infosec professional; nothing stops that person from holding themselves out
Here is where you missed the point.
You are correct that we do not license, say, pen testers the same way we license doctors. You are incorrect in thinking that this matters.
The point is that in both cases, reputation is the best general-purpose measure of who you want. That's all.
My mentioning certs may have steered you wrong, and that was a bit of a distraction. My point there was that certs tell us something, usually not much, but are still better indicators than their self-advertising.
Let's dispense with the "right or wrong" aspect of this, because I don't think it's helpful towards moving the needle on this, and instead evaluate this as a matter of complementary perspectives.
Does reputation matter? Yes. This I will openly concede. Do I think credentials are meaningless? No.
Where we disagree is "thinking that this matters". I still think it absolutely does, and think the analogy is a poor one. You clearly think it doesn't; that's fine, but I don't think it makes either one of us less or more wrong. Perhaps that's all there is at play here: a difference of opinion in how an organization prosecutes the search for a qualified expert in security, medicine or law. And I think it's revealingly disingenuous to frame such organizational decision making and risk tolerances when seeking professional services with rigid and inflexible absolutes of "right way" or "wrong way", or whether or not method A matters whereas method B doesn't.
After 15 minutes, or 15 minutes of inactivity? The latter is defensible at least, in e.g. a public area where there is a risk of people leaving their desktops without locking them. I mean that's another policy issue that can be addressed (a policy that locks a system after x amount of inactivity), but as an app developer you can't know much about the system things are running on.
Sounds like what an extension could do. Store in localStorage the last hour of forms. I especially hate clicking submit to get an error and an empty form again.
Ugh, a form that takes 15 minutes or more to fill out, without any feedback or other interaction, is itself a UX problem. It should at least be auto-saving.
More likely it will have a “submit” button that runs a script that blocks submission when you missed a field. And wipes out a couple of other fields (usually passwords) so that you have to re-enter those after hitting that “submit” button again.
But should all sites really be optimized for the user at a public library computer? At the expense of convenience for the large majority of users that are on a personal or work computer? Doesn’t make much sense to me.
Also, the computer itself solves this problem for you in many cases: a guest profile typically deletes all browser session info when you log out.
I hate _all_ sites that do this and I actively avoid them. There are many very good reasons why I might not be able to complete a form without interruption. It's not for them to second-guess me.
And it's not just extremely annoying, it's also completely unnecessary. Just put a "trust this browser" checkbox on the sign-in page and adjust the session timeout accordingly.
We're actively harming the user experience (and driving paying customers away) because of some "expert" advice.
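The thread contrasts a fixed timeout with an inactivity timeout and suggests a "trust this browser" checkbox that adjusts the session timeout. As an added example that is not from any commenter, the policy below (all values constructed) keeps a short idle window for untrusted browsers, a longer idle window for opted-in ones, and a separate absolute lifetime that no amount of activity or trust extends.

```javascript
// Session-timeout policy: idle timeout vs absolute lifetime, with a
// "trust this browser" flag that lengthens only the idle window.
// All values are constructed for illustration, not any real site's settings.
const MINUTE = 60 * 1000;

const POLICY = {
  idleUntrusted: 15 * MINUTE,         // short idle window on shared/public machines
  idleTrusted: 12 * 60 * MINUTE,      // longer idle window when the user opted in
  absoluteLifetime: 24 * 60 * MINUTE, // hard cap, regardless of activity or trust
};

// Returns one of: "active", "idle-expired", "absolute-expired".
// The absolute cap is checked first so a trusted, active browser still
// has to re-authenticate once the session is old enough.
function sessionState(session, now, policy = POLICY) {
  const idleLimit = session.trustedBrowser ? policy.idleTrusted : policy.idleUntrusted;
  if (now - session.createdAt >= policy.absoluteLifetime) return "absolute-expired";
  if (now - session.lastActivityAt >= idleLimit) return "idle-expired";
  return "active";
}

// Sliding expiry: each authenticated request refreshes lastActivityAt but
// never createdAt. Returns null when the session is already expired, so an
// expired session cannot be revived by a late request.
function touch(session, now, policy = POLICY) {
  if (sessionState(session, now, policy) !== "active") return null;
  return { ...session, lastActivityAt: now };
}

// Constructed walk-through (not real data)
const t0 = Date.UTC(2024, 0, 1, 9, 0, 0);
const untrusted = { createdAt: t0, lastActivityAt: t0, trustedBrowser: false };
const trusted = { createdAt: t0, lastActivityAt: t0, trustedBrowser: true };

console.log(sessionState(untrusted, t0 + 20 * MINUTE));     // idle-expired
console.log(sessionState(trusted, t0 + 20 * MINUTE));       // active
console.log(sessionState(trusted, t0 + 25 * 60 * MINUTE));  // absolute-expired
```

A form autosave (as another commenter suggests) complements this: the idle window decides when re-authentication is required, while saved draft state decides whether the user's work survives it.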