UI parameters
Below is a table of the parameters that can be changed through the Passwork web interface, with their possible values and comments:
| Parameter Name | Value | Comment |
|---|---|---|
| System Settings | | |
| Additional protection and signing of cookie files | Enable | PHP session cookies are signed using entropy and data from the HTTP request header, including the user's IP address. This strengthens protection against session identifier brute force and against cookie transfer (theft) between browsers. A user's session is automatically invalidated when their IP address changes. |
| Connection requests | Enable | Users are connected to vaults only after their connection request has been confirmed. |
| Limit of failed login attempts within the set period | at least 3 (default 7) | Maximum number of failed login attempts allowed within a certain period before lockout is triggered. |
| Period for counting failed login attempts (in seconds) | at least 60 (default 180) | Time window in seconds during which failed login attempts are tracked. A smaller value may miss slow brute force attempts; for enhanced security, 300–600 seconds is recommended. |
| Account lock duration (in seconds) | at least 60 (default 60) | Duration of account lock in seconds after exceeding the failed attempts limit. 300–900 seconds (5–15 minutes) is recommended for enhanced security. |
| Self-service password recovery | Disabled | Only the Owner or a user with a Role in Passwork can reset the user's authorization password. |
| Role Settings | | |
| Mandatory two-factor authentication | Enable | All users assigned to this role must set up 2FA before logging into Passwork. |
| Maximum session inactivity timeout (in minutes) | 0–999999 (default 60) | Defines the maximum lifetime of an inactive session. 15–30 minutes is recommended in high-security environments to minimize session hijacking risk. |
| Mandatory PIN code in the extension | Enable | Requires creating and entering a PIN code for authorization in the browser extension. Enabling this feature provides an additional security layer, especially on shared devices. |
| Access token lifetime (in minutes) | 30–1,000,000 (default 10,000) | Duration of the access token validity. 60–240 minutes (1–4 hours) is recommended to limit potential damage from token compromise. |
| Refresh token lifetime (in minutes) | at least access token lifetime + 600 min (default 129,600) | Duration of the refresh token validity. 1440–10080 minutes (1–7 days) is recommended for enhanced security. |
| Account: use of mobile application; use of browser extension; create and revoke API tokens via the web interface | | Allows disabling API usage. Client applications (mobile apps, browser extensions) use the API. If the API is disabled, the user will only be able to log into the web version. |
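As an added example (not Passwork's own code or configuration), the function below audits a set of these settings against the minimums, maximums, recommended ranges and the refresh/access token rule from the table. The setting names and the two sample configurations are constructed for this example and are not Passwork identifiers.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    minimum: int                                 # smallest value the UI accepts
    maximum: int | None = None                   # largest value the UI accepts, if bounded
    recommended: tuple[int, int] | None = None   # hardening range from the table

# Numeric parameters: bounds and recommended ranges taken from the table.
# Key names are constructed for this example, not Passwork identifiers.
RULES = {
    "failed_login_limit": Rule(3),
    "failed_login_period_s": Rule(60, recommended=(300, 600)),
    "account_lock_s": Rule(60, recommended=(300, 900)),
    "session_inactivity_min": Rule(0, 999_999, (15, 30)),
    "access_token_min": Rule(30, 1_000_000, (60, 240)),
    "refresh_token_min": Rule(0, recommended=(1440, 10080)),
}
# Toggles and the state the table recommends for each.
TOGGLES = {"cookie_signing": True, "connection_requests": True,
           "self_service_recovery": False, "mandatory_2fa": True, "extension_pin": True}

def audit(settings: dict) -> list[str]:
    """Return one finding per parameter that is missing, invalid, or outside the hardened range."""
    findings = []
    for key, rule in RULES.items():
        if key not in settings:
            findings.append(f"{key}: not set")
            continue
        value = settings[key]
        if value < rule.minimum:
            findings.append(f"{key}={value}: below minimum {rule.minimum}")
        elif rule.maximum is not None and value > rule.maximum:
            findings.append(f"{key}={value}: above maximum {rule.maximum}")
        elif rule.recommended and not rule.recommended[0] <= value <= rule.recommended[1]:
            findings.append(f"{key}={value}: outside recommended {rule.recommended[0]}-{rule.recommended[1]}")
    # Cross-field rule: the refresh token must outlive the access token by at least 600 minutes.
    if "access_token_min" in settings and "refresh_token_min" in settings:
        floor = settings["access_token_min"] + 600
        if settings["refresh_token_min"] < floor:
            findings.append(f"refresh_token_min must be at least {floor} (access token lifetime + 600)")
    for key, wanted in TOGGLES.items():
        if settings.get(key) is not wanted:
            findings.append(f"{key}: should be {'enabled' if wanted else 'disabled'}")
    return findings

# Constructed sample: the table's default numeric values with every toggle in its insecure state.
DEFAULTS = {"failed_login_limit": 7, "failed_login_period_s": 180, "account_lock_s": 60,
            "session_inactivity_min": 60, "access_token_min": 10_000, "refresh_token_min": 129_600,
            "cookie_signing": False, "connection_requests": False, "self_service_recovery": True,
            "mandatory_2fa": False, "extension_pin": False}
# Constructed sample: values chosen from the recommended ranges.
HARDENED = {"failed_login_limit": 5, "failed_login_period_s": 600, "account_lock_s": 900,
            "session_inactivity_min": 30, "access_token_min": 240, "refresh_token_min": 1440,
            "cookie_signing": True, "connection_requests": True, "self_service_recovery": False,
            "mandatory_2fa": True, "extension_pin": True}
```

Running `audit(DEFAULTS)` lists every default that falls outside the recommended ranges, while `audit(HARDENED)` returns no findings.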