UI parameters
Below is a table with parameters available for modification through the Passwork web interface, indicating possible values and comments:
| Parameter Name | Value | Comment |
|---|---|---|
| System Settings | | |
| Additional protection and signing of cookie files | Enable | PHP session cookies are signed using entropy and data from the HTTP request header, including the user's IP. This strengthens protection against session identifier brute force and against cookie transfer (theft) between browsers. Note that each user automatically loses the session when their IP address changes. |
| Connection requests | Enable | Users are connected to vaults only after their connection request has been confirmed. |
| Limit of failed login attempts within the set period | 3–5 | Maximum number of failed login attempts allowed within a certain period before lockout is triggered. |
| Period for counting failed login attempts (in seconds) | 300–600 | Time window in seconds during which failed login attempts are tracked. A smaller window may miss slow brute-force attempts; 600 seconds (10 minutes) is recommended. |
| Account lock duration (in seconds) | 300–900 | Duration of account lock in seconds after exceeding the failed attempts limit. 15 minutes is sufficient to prevent most automated attacks. |
| Self-service password recovery | Disabled | Only the Owner or a user with a Role in Passwork can reset the user's authorization password. |
| Role Settings | | |
| Mandatory two-factor authentication | Enable | All users assigned to this role must set up 2FA before logging into Passwork. |
| Maximum session inactivity timeout (in minutes) | 15–30 | Defines the maximum lifetime of an inactive session. A low value is recommended in high-security environments to minimize the window for session hijacking. |
| Mandatory PIN code in the extension | Enable | Requires creating and entering a PIN code for authorization in the browser extension. Enabling this feature provides an additional security layer, especially on shared devices. |
| Access token lifetime (in minutes) | 60–240 | Validity period of the access token. 1–4 hours is recommended to limit the potential damage from token compromise. |
| Refresh token lifetime (in minutes) | 1440–10080 | Validity period of the refresh token. For enhanced security, limit the refresh token lifetime to 1–7 days. |
| Account: — Use of mobile application; — Use of browser extension; — Create and revoke API tokens via the web interface. | | Allows disabling API usage. Client applications (mobile apps, browser extensions) use the API. If the API is disabled, users can only log in through the web version. |
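The "Additional protection and signing of cookie files" row describes a session cookie whose signature covers request-context data such as the client IP. The following is an added illustration of that mechanism written for this guide; it is not Passwork's PHP implementation. It assumes an HMAC-SHA256 tag over the session id, client IP and User-Agent header (the exact header fields and key handling in Passwork are not stated on this page), and it shows the caveat from the table: a cookie presented from a different IP is rejected, so the user loses the session when their address changes.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a real deployment keeps one persistent server secret.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id, client_ip, user_agent, key):
    # JSON-encode the list so field boundaries are unambiguous (a '|' inside the
    # User-Agent could otherwise make two different contexts yield one message).
    message = json.dumps([session_id, client_ip, user_agent],
                         separators=(",", ":")).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_cookie(session_id, client_ip, user_agent, key=SERVER_KEY):
    """Return a cookie value that binds the session id to the request context."""
    return f"{session_id}.{_mac(session_id, client_ip, user_agent, key)}"


def resolve_session(cookie, client_ip, user_agent, key=SERVER_KEY):
    """Return the session id if the cookie's tag matches this request's context, else None."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # malformed cookie: no tag present
    expected = _mac(session_id, client_ip, user_agent, key)
    # Constant-time comparison so a forger cannot learn how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return session_id


if __name__ == "__main__":
    sid = secrets.token_hex(16)
    cookie = issue_cookie(sid, "203.0.113.10", "ExampleBrowser/1.0")
    # Same browser, same network: the session resolves.
    print(resolve_session(cookie, "203.0.113.10", "ExampleBrowser/1.0") == sid)
    # Same cookie presented from another IP (theft, or a legitimate address change): rejected.
    print(resolve_session(cookie, "198.51.100.7", "ExampleBrowser/1.0"))
```

Because the IP is part of the signed message, the second call returns None. That is the trade-off the table notes: the binding defeats cookie reuse from another network, and it also signs out users whose address changes (mobile roaming, VPN reconnects), which is worth communicating before enabling the setting.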
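The three lockout rows (failed-attempt limit, counting period, lock duration) together define one policy, and the comment on the counting period warns that a short window can miss slow guessing. The following is an added simulation of that policy, written for this guide and not taken from Passwork; it assumes a sliding-window counter with the upper values from the table (5 attempts, 600 seconds, 900 seconds) and an injectable clock so the behaviour can be checked deterministically.

```python
import time
from collections import defaultdict, deque

# Values taken from the upper end of the table's recommended ranges.
MAX_FAILED_ATTEMPTS = 5
FAILED_ATTEMPTS_WINDOW = 600   # seconds
LOCK_DURATION = 900            # seconds


class LoginThrottle:
    """Sliding-window failed-login counter with a temporary account lock.

    Hypothetical implementation for illustration; not Passwork's code.
    """

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 window=FAILED_ATTEMPTS_WINDOW, lock_duration=LOCK_DURATION):
        self.max_attempts = max_attempts
        self.window = window
        self.lock_duration = lock_duration
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> time at which the lock expires

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        return now < self.locked_until.get(user, 0)

    def check_login(self, user, password_ok, now=None):
        """Return 'locked', 'ok' or 'failed' for one login attempt.

        `now` is injectable so the policy can be simulated without waiting.
        """
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            # Locked accounts are refused before the password is checked,
            # so guesses made during the lock reveal nothing.
            return "locked"
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        recent = self.failures[user]
        # Forget failures that have fallen out of the counting window.
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self.locked_until[user] = now + self.lock_duration
            recent.clear()
            return "locked"
        return "failed"


def simulate(throttle, user, attempt_times):
    """Feed wrong-password attempts at the given (constructed) timestamps."""
    return [throttle.check_login(user, False, now=t) for t in attempt_times]


if __name__ == "__main__":
    throttle = LoginThrottle()
    # Rapid guessing: five failures within two minutes locks on the fifth attempt.
    print(simulate(throttle, "alice", [0, 30, 60, 90, 120]))
    # Slow guessing: one failure every 200 s never reaches five inside a 600 s
    # window, which is why the table recommends the longer counting period.
    print(simulate(throttle, "bob", [0, 200, 400, 600, 800]))
```

The second simulation is the point of the table's caveat: with a 600-second window at most three of the slow attempts are ever counted together, so lengthening the window (or lowering the attempt limit) is the knob that catches patient guessing, at the cost of more lockouts for legitimate users who mistype.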