Make login sessions for the app LOTS longer


jafoca

Hey guys - here I am on the forums posting this instead of doing tank maintenance I need to get done because I am really tired of this happening. I log into Hydros pretty much only when I am doing maintenance to shut down my sump - and lo and behold, I am logged out of the app.

I am not sure if you are doing this intentionally (for fake security benefit - I work full time in security and have done application security testing work...) or if it is a byproduct of the app not handling auto-upgrades well, but logging in AGAIN is about the last thing I want to do right before I need to do a water change.

If this is being done out of some misguided attempt at security, please note that most 'normal' apps on phones do not require re-auth on a monthly basis. Look across types, too - social networks, other home IoT like Kasa, Amazon shopping... the only one I can think of on my phone that requires frequent login is my bank, which rightly so.

If you were really keen on boosting the security of Hydros, consider implementing MFA instead. Funnily enough, this forum has it when the actual app controlling stuff does not.
 
This is odd. The app will occasionally make me log back in when I first start it, but it takes several days between logins to do that. It has never logged me out once I am in the app unless I lose internet for some reason.
 
@Danny and I both upgrade much more frequently than average users and can both say we don't experience login issues post-upgrade. So there is no reason to believe error handling post-upgrade is forcing a logout.

It's difficult to please everybody. Some would argue timeouts should be much shorter. Others would prefer longer. I don't have a strong preference other than to discourage infinite. What would you prefer? Quantify your ask. I personally don't see re-authenticating once a month as a significant inconvenience.

Would certainly agree with you on the two-factor authentication suggestion. It most certainly should be implemented. It is unlikely, but not unheard of, that an aquarium controller could be used to compromise a network. The aquarium controller hack to transfer sensitive high roller information out of a Las Vegas casino network is legendary among security professionals.
 
Some would argue timeouts should be much shorter.
Why would any end-user want the timeout to be shorter?

For me, the once a month login (or whatever it is) isn't that big of a deal. But I just don't see why it has any value.

If Gmail, Amazon, and my bank allow me to stay logged in, seems like Hydros should be ok with it.
Just may require the ability to remotely kill a logged-in session from another device.
 
Ran into this again today, so back here again to follow up.

If two factor were implemented, I would say infinite timeout on sessions unless there is some kind of security event like a change in password, brute force detection for the account, etc.

Once a month seems too frequent because that ends up being every other water change for me, and because I do care about security, that means first two-factor login to my password manager on my phone, then finding my super-secure Hydros password, then logging into the Hydros app which certainly adds a few minutes to my maintenance routine for what I would say is very little security value.

Quarterly re-auth seems like it could give enough of a "we do something!" feeling while being way less inconvenient.
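
The policy proposed in this thread (sessions with no timer that end only on a password change, brute-force detection, or a remote kill from another device), sketched as an added example that is not part of any post and not Hydros code. The class and method names are hypothetical, and the failed-login threshold is an assumed value.

```python
import secrets

MAX_FAILED_LOGINS = 5  # assumed brute-force threshold, not from the thread


class SessionStore:
    """Sessions never expire on a timer; only security events end them."""

    def __init__(self):
        self.sessions = {}    # token -> (user, device, password_version)
        self.pw_version = {}  # user -> counter bumped on each password change
        self.failed = {}      # user -> consecutive failed login attempts

    def login(self, user, device):
        token = secrets.token_urlsafe(32)  # unguessable bearer token
        self.sessions[token] = (user, device, self.pw_version.get(user, 0))
        self.failed[user] = 0
        return token

    def validate(self, token):
        """Return the user for a live session, else None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, _device, version = entry
        if version != self.pw_version.get(user, 0):
            del self.sessions[token]  # issued under an old password
            return None
        return user

    def change_password(self, user):
        # Security event: every session issued before the change dies.
        self.pw_version[user] = self.pw_version.get(user, 0) + 1

    def record_failed_login(self, user):
        # Security event: repeated failures end all sessions for the account.
        # Trade-off: anyone who can submit bad passwords can trigger this.
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= MAX_FAILED_LOGINS:
            self.revoke(user)

    def devices(self, user):
        """Devices with a live session, for a 'where am I logged in' screen."""
        return sorted(d for t, (u, d, _v) in list(self.sessions.items())
                      if u == user and self.validate(t))

    def revoke(self, user, device=None):
        """Remote kill: end one device's session, or all if device is None."""
        for token, (u, d, _v) in list(self.sessions.items()):
            if u == user and device in (None, d):
                del self.sessions[token]
```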
 
That is odd; all of my bank apps I have to enter my password each time I use them. So once a month is not that big a deal to me. You can be logged in on more than one device at a time; the only issue is when you change things on one it will cause a stale configuration on the others.
 
Another annoyed user by this issue here. And an aquarium controller is not a bank. Bank logins are the only exception, for an (obvious) reason. Everything else lets you stay connected nearly indefinitely. In this day and age we don't remember passwords in our head (except for that obvious case!) or write them down on a piece of paper. They are securely stored. If Hydros logs me out of my controller when I'm on vacation, for example, they cause me huge trouble and risk for the well-being of my creatures.
 