Version: 7.0

UI parameters

Below is a table with parameters available for modification through the Passwork web interface, indicating possible values and comments:

System Settings

| Parameter Name | Value | Comment |
|---|---|---|
| Additional protection and signing of cookie files | Enable | PHP session cookies are signed using entropy and data from the HTTP request header, including the user's IP. This strengthens protection against brute forcing of session identifiers and against cookie transfer (theft) between browsers. Each user automatically loses the session when the IP address changes. |
| Connection requests | Enable | Users are connected to vaults only after their request is confirmed. |
| Limit of failed login attempts within the set period | 3–5 | Maximum number of failed login attempts allowed within a certain period before lockout is triggered. |
| Period for counting failed login attempts (in seconds) | 300–600 | Time window in seconds during which failed login attempts are tracked. A smaller value may miss slow brute force attempts; 600 seconds (10 minutes). |
| Account lock duration (in seconds) | 300–900 | Duration of account lock in seconds after exceeding the failed attempts limit. 15 minutes is sufficient to prevent most automated attacks. |
| Self-service password recovery | Disabled | Only the Owner or a user with a Role in Passwork can reset the user's authorization password. |

Role Settings

| Parameter Name | Value | Comment |
|---|---|---|
| Mandatory two-factor authentication | Enable | All users assigned to this role must set up 2FA before logging into Passwork. |
| Maximum session inactivity timeout (in minutes) | 15–30 | Defines the maximum lifetime of an inactive session. Setting this value is recommended in high-security environments to minimize session hijacking risk. |
| Mandatory PIN code in the extension | Enable | Requires creating and entering a PIN code for authorization in the browser extension. Enabling this feature provides an additional security layer, especially on shared devices. |
| Access token lifetime (in minutes) | 60–240 | Duration of the access token validity. 1–4 hours is recommended to limit potential damage from token compromise. |
| Refresh token lifetime (in minutes) | 1440–10080 | Duration of the refresh token validity. For enhanced security, it is recommended to limit the refresh token lifetime to 1–7 days. |
| Account: Use of mobile application; Use of browser extension; Create and revoke API tokens via the web interface | | Allows disabling API usage. Client applications (mobile apps, browser extensions) use the API. If the API is disabled, the user will only be able to log into the web version. |
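
The three lockout parameters under System Settings, replayed as a sliding-window counter over constructed failed-login timestamps to show how the counting period decides whether a slow, steady series of failures ever trips the lock. This is an added example, not Passwork code; the counting rule (lock when the number of failures inside the window reaches the limit) and the name `simulate` are assumptions.

```python
from collections import deque


def simulate(failed_at, limit, period, lock_duration):
    """Replay failed-login timestamps (seconds) against a sliding-window lockout.

    Assumed rule: the account locks when `limit` failures fall inside the last
    `period` seconds, and stays locked for `lock_duration` seconds.
    Returns (attempts_evaluated, lockouts, rejected_while_locked).
    """
    window = deque()          # timestamps of failures still inside the window
    locked_until = -1
    evaluated = lockouts = rejected = 0
    for t in failed_at:
        if t < locked_until:
            rejected += 1     # locked: the submitted password is never checked
            continue
        evaluated += 1
        window.append(t)
        # Drop failures that have aged out of the counting period.
        while window and window[0] <= t - period:
            window.popleft()
        if len(window) >= limit:
            lockouts += 1
            locked_until = t + lock_duration
            window.clear()
    return evaluated, lockouts, rejected


# Constructed sample: one failed login every 100 seconds for an hour,
# e.g. timestamps extracted from an authentication log for a single account.
SAMPLE = list(range(0, 3600, 100))

if __name__ == "__main__":
    for limit, period, lock in [(5, 300, 900), (5, 600, 900), (3, 300, 900)]:
        ev, locks, rej = simulate(SAMPLE, limit, period, lock)
        print(f"limit={limit} period={period}s lock={lock}s -> "
              f"evaluated={ev} lockouts={locks} rejected={rej}")
```

With a limit of 5 and a 300-second period the sample never locks the account, while widening the period to 600 seconds or lowering the limit to 3 does.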