this post was submitted on 12 Dec 2025
574 points (99.3% liked)
196
5029 readers
2108 users here now
Community Rules
You must post before you leave
Be nice. Assume others have good intent (within reason).
Block or ignore posts, comments, and users that irritate you in some way rather than engaging. Report if they are actually breaking community rules.
Use content warnings and/or mark as NSFW when appropriate. Most posts with content warnings likely need to be marked NSFW.
Most 196 posts are memes, shitposts, cute images, or even just recent things that happened, etc. There is no real theme, but try to avoid posts that are very inflammatory, offensive, very low quality, or very "off topic".
Bigotry is not allowed, this includes (but is not limited to): Homophobia, Transphobia, Racism, Sexism, Abelism, Classism, or discrimination based on things like Ethnicity, Nationality, Language, or Religion.
Avoid shilling for corporations, posting advertisements, or promoting exploitation of workers.
Proselytization, support, or defense of authoritarianism is not welcome. This includes but is not limited to: imperialism, nationalism, genocide denial, ethnic or racial supremacy, fascism, Nazism, Marxism-Leninism, Maoism, etc.
Avoid AI generated content.
Avoid misinformation.
Avoid incomprehensible posts.
No threats or personal attacks.
No spam.
Moderator Guidelines
Moderator Guidelines
- Don’t be mean to users. Be gentle or neutral.
- Most moderator actions which have a modlog message should include your username.
- When in doubt about whether or not a user is problematic, send them a DM.
- Don’t waste time debating/arguing with problematic users.
- Assume the best, but don’t tolerate sealioning/just asking questions/concern trolling.
- Ask another mod to take over cases you struggle with, if you get tired, or when things get personal.
- Ask the other mods for advice when things get complicated.
- Share everything you do in the mod matrix, both so several mods aren't unknowingly handling the same issues, but also so you can receive feedback on what you intend to do.
- Don't rush mod actions. If a case doesn't need to be handled right away, consider taking a short break before getting to it. This is to say, cool down and make room for feedback.
- Don’t perform too much moderation in the comments, except if you want a verdict to be public or to ask people to dial a convo down/stop. Single comment warnings are okay.
- Send users concise DMs about verdicts about them, such as bans etc, except in cases where it is clear we don’t want them at all, such as obvious transphobes. No need to notify someone they haven’t been banned of course.
- Explain to a user why their behavior is problematic and how it is distressing others rather than engage with whatever they are saying. Ask them to avoid this in the future and send them packing if they do not comply.
- First warn users, then temp ban them, then finally perma ban them when they break the rules or act inappropriately. Skip steps if necessary.
- Use neutral statements like “this statement can be considered transphobic” rather than “you are being transphobic”.
- No large decisions or actions without community input (polls or meta posts f.ex.).
- Large internal decisions (such as ousting a mod) might require a vote, needing more than 50% of the votes to pass. Also consider asking the community for feedback.
- Remember you are a voluntary moderator. You don’t get paid. Take a break when you need one. Perhaps ask another moderator to step in if necessary.
founded 11 months ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
If this is a login for a work/school account, it's because someone in your IT department thinks that applying a short "max session length" policy is "extra secure".
Basically no different than shitty password rules or some places that make you change your password every 90 days.
If your session gets hijacked, max session lengths ensure the attacker doesn't retain access once the session expires. It's more likely someone in your company was phished and the attacker retained access to their Outlook for a few days or weeks before anyone noticed.
The weakest link in any system is the user, not the security policy (or lack thereof).
I've seen this particular policy aggravate users to the point where they would rather export sensitive company data onto their own personal machines rather than deal with having to reauth once per hour into some Entra ID SSO-backed web app.
Or even users who generate service account credentials that they share around with their team such that nobody uses their own account to login anymore
When your policy teeters towards aggravating users, many of them will just find clever ways to circumvent it, which is a losing situation for everyone.
Once per hour is just stupid, but once per shift is reasonable in my opinion.
If your users can't be bothered to auth once a day, they probably shouldn't be working with anything remotely sensitive.
Correct. No policy is an adequate substitute for security training or phishing awareness training. That doesn't mean to allow abuse cases though
Intune can be (and usually is) used to enforce logins only from enrolled devices. Personal devices can be enrolled, then Conditional Access policies can be applied to silo app data from company data, preventing this abuse case
No way. One per day, at most. No one should have to re-auth every hour, except maybe Global Admin accounts, which shouldn't be used for day-to-day tasks anyway.
To do this in Entra, you need the Application Administrator role assigned, which is a Privileged Role, so it should be controlled by PAM to prevent/detect this abuse case.
Not for long. And usually not without leaving an audit trail that indicates violating acceptable use policies, security policies, or access control standards, which then becomes an HR issue, not an IT issue
Yeah but it should be 24 hours at least
I'm sympathetic, but I'm of the mind that it should just be the duration of the workday. Certainly not an hour like some places.
Half that at best. Unless you have people regularly working 12-14 hour shifts, 24 hours is excessive (and will annoy your employees more because that 24 hour clock will slowly migrate later in the day throughout the week - the expiration is never exactly on your limit in my experience).