Version: 7.0

UI parameters

Below is a table with parameters available for modification through the Passwork web interface, indicating possible values and comments:

Parameter Name	Value	Comment
System Settings
Additional protection and signing of cookie files	Enable	PHP session cookies are signed using entropy and data from the HTTP request header, including the user's IP. This enhances protection against session number brute force, as well as against cookie transfer (theft) between browsers. Each user will automatically lose the session when the IP address changes.
Connection requests	Enable	User connection to vaults after request confirmation.
Limit of failed login attempts within the set period	3–5	Maximum number of failed login attempts allowed within a certain period before lockout is triggered.
Period for counting failed login attempts (in seconds)	300–600	Time window in seconds during which failed login attempts are tracked. A smaller value may miss slow brute force attempts; 600 seconds (10 minutes).
Account lock duration (in seconds)	300–900	Duration of account lock in seconds after exceeding the failed attempts limit. 15 minutes is sufficient to prevent most automated attacks.
Self-service password recovery	Disabled	Only the Owner or a user with a Role in Passwork can reset the user's authorization password.
Role Settings
Mandatory two-factor authentication	Enable	All users assigned to this role must set up 2FA before logging into Passwork.
Maximum session inactivity timeout (in minutes)	15-30	Defines the maximum lifetime of an inactive session. Recommended to set this value in high-security environments to minimize session hijacking risk.
Mandatory PIN code in the extension	Enable	Requires creating and entering a PIN code for authorization in the browser extension. Enabling this feature provides an additional security layer, especially on shared devices.
Access token lifetime (in minutes)	60-240	Duration of the access token validity. Recommended 1-4 hours to limit potential damage from token compromise.
Refresh token lifetime (in minutes)	1440–10080	Duration of the refresh token validity. For enhanced security, it is recommended to limit the refresh token lifetime to 1-7 days.
Account: — Use of mobile application; — Use of browser extension; — Create and revoke API tokens via the web interface.		Allows disabling API usage. Client applications (mobile apps, browser extensions) use the API. If the API is disabled, the user will only be able to log into the web version.