We really are a strange bunch in infosec.
For humans:
- No simple logins
- Strong password rules
- Mandatory 2FA
- Location constraints
- Complex character requirements
For apps:
- Fixed-length, predictable tokens
- Long-lived, never expiring
- No 2FA
- No location checks
- Nothing else
- Let's store them in environment variables
Then we proudly say, "Human is the weakest link."
Maybe it is not just the human. Maybe our love for forever tokens could use a little threat modeling too.
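As an added example that is not part of the original post, here is the "For apps" pattern above written out beside a hardened alternative in Python. The predictable token (`weak_issue_token`) is exactly what the list describes; `TokenStore`, its TTL, its hash-at-rest design and the source-network check are my assumptions about what a threat-modelled app token would look like, not anything the post or any project prescribes.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Optional


# --- What the "For apps" list describes: fixed length, predictable, never expires.
def weak_issue_token(app_id: int) -> str:
    """Derived from a sequential id, so one leaked token reveals the whole keyspace."""
    return f"svc-{app_id:08d}"


# --- Hypothetical hardened issuer (assumed design, not from the post): random token,
#     only a digest kept at rest, a hard expiry, and a source-network check for the app.
@dataclass
class _Record:
    expires_at: float
    allowed: list  # ipaddress networks the app may call from


class TokenStore:
    def __init__(self, ttl_seconds: int, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be exercised offline
        self._records: dict = {}  # sha256(token) -> _Record

    @staticmethod
    def _digest(token: str) -> bytes:
        # Only this digest is stored; a dumped store does not yield usable tokens.
        return hashlib.sha256(token.encode()).digest()

    def issue(self, allowed_networks: list) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, 43 chars
        nets = [ipaddress.ip_network(n) for n in allowed_networks]
        self._records[self._digest(token)] = _Record(self.now() + self.ttl, nets)
        return token  # shown to the app exactly once, never persisted in clear

    def _lookup(self, token: str):
        wanted = self._digest(token)
        for stored, rec in self._records.items():
            if hmac.compare_digest(stored, wanted):  # constant-time comparison
                return stored, rec
        return None, None

    def verify(self, token: str, source_ip: str) -> str:
        """Return 'ok' or the reason the token was rejected."""
        key, rec = self._lookup(token)
        if rec is None:
            return "unknown"
        if self.now() >= rec.expires_at:
            del self._records[key]  # expired tokens are purged, not kept forever
            return "expired"
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in rec.allowed):
            return "bad_source"  # the "location check" humans get but apps usually don't
        return "ok"

    def rotate(self, old_token: str, allowed_networks: list) -> Optional[str]:
        """Issue a replacement and revoke the old token; None if the old one was not valid."""
        key, rec = self._lookup(old_token)
        if rec is None or self.now() >= rec.expires_at:
            return None
        del self._records[key]
        return self.issue(allowed_networks)

    def revoke(self, token: str) -> bool:
        key, _ = self._lookup(token)
        if key is None:
            return False
        del self._records[key]
        return True


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=3600)
    t = store.issue(["10.0.0.0/8"])
    print("weak:", weak_issue_token(1), "(next one is obvious)")
    print("hardened:", store.verify(t, "10.1.2.3"), "/", store.verify(t, "203.0.113.5"))
```

The point of the contrast is not the CSPRNG alone: the store never holds a usable token, every token carries an expiry that is enforced on use, and the verifier can refuse a valid token presented from the wrong network, which is the same set of controls the "For humans" list already takes for granted.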