Less is more security (sometimes)
We have an application that uses a login token which expires. This is for an admin panel. The login token expires after a number of hours, after which you have to log in again. Initially this expiration time was set to 8 hours. I lobbied for this to be changed to 12 hours, not just because it is more convenient, but also because I think it might increase security, or at least it’s not clear it reduces security. ...