UI settings
Below is a table with the parameters available for modification via the Passwork web interface, with possible values and comments.

| Parameter name | Value | Comment |
| --- | --- | --- |
| **System settings** | | |
| Additional protection and cookie signing | Enable | PHP session cookies are signed using entropy and data from the HTTP request header, including the user's IP. This increases protection against session hijacking and transfer of cookies between browsers. The session will automatically close when a user's IP gets changed. |
| Connection requests | Enable | Connecting users to vaults after confirming the request. |
| Limit on failed login attempts within a specified time frame | 3–5 | Maximum number of failed login attempts allowed within the defined time frame before triggering a lockout. |
| Time frame for tracking failed login attempts (in seconds) | 300–600 | Time window in seconds during which failed login attempts are tracked. A lower value may miss slow brute-force attempts; 600 seconds (10 minutes) |
| Account lockout duration (in seconds) | 300–900 | Duration of account lockout in seconds once the failed attempts limit is exceeded. 15 minutes is sufficient to deter most automated attacks. |
| Self recovery of authorization password | Forbidden | Only the owner or a user with a role in Passwork will be able to reset the user's authorization password. |
| **Role settings** | | |
| Maximum session lifetime when inactive (in minutes) | 15–30 | Specifies the maximum lifetime of an inactive session. It is recommended to set this value in high-security environments to minimize the risk of session hijacking. |
| Mandatory PIN code in extension | Enable | Requires users to create a PIN code and enter it for authorization in the browser extension. Enabling this feature adds an extra layer of security, especially on shared devices. |
| Mandatory 2FA | Enable | All users assigned to the role will be required to configure 2FA before logging in to Passwork. |
| Access token lifetime (in minutes) | 60–240 | Access token validity duration. 1–4 hours is recommended to limit the potential damage from token compromise. |
| Refresh token lifetime (in minutes) | 1440–10080 | Indicates how long the refresh token is valid. To increase security, it is recommended to limit the validity of the refresh token to 1–7 days. |
| Account | Enable mobile app; Enable browser extension; Generate and revoke API tokens via the web interface | Allows you to disable the use of API client applications (mobile applications, browser extensions). |
| Use API | | With the API disabled, the user will only be able to log in to the web version. |
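
The three failed-login settings in the table above (attempt limit, tracking time frame, lockout duration) only make sense together, so the following added example, which is not Passwork code, replays constructed failed-login timestamps against a policy to show how the tracking window changes what gets caught. The function names, the sample data, and the sliding-window semantics are assumptions made for illustration; how Passwork counts attempts internally is not described on this page.

```python
from collections import deque

def simulate_lockouts(attempt_times, limit, window, lockout):
    """Replay failed-login timestamps (seconds) against a lockout policy.

    Returns (lockouts_triggered, attempts_evaluated). Attempts arriving while
    the account is locked are rejected without being evaluated.
    Assumed semantics (not taken from Passwork): sliding window, lock when the
    number of failures inside the window reaches `limit`.
    """
    recent = deque()      # timestamps of failures still inside the window
    locked_until = None
    lockouts = evaluated = 0
    for t in sorted(attempt_times):
        if locked_until is not None and t < locked_until:
            continue                      # account locked: attempt not checked
        evaluated += 1
        while recent and t - recent[0] >= window:
            recent.popleft()              # expire failures older than the window
        recent.append(t)
        if len(recent) >= limit:
            lockouts += 1
            locked_until = t + lockout
            recent.clear()
    return lockouts, evaluated

# Constructed sample data: one failed login every 90 s for one hour, and a
# burst of one failed login per second for one minute.
SLOW = list(range(0, 3600, 90))   # 40 attempts
BURST = list(range(0, 60))        # 60 attempts

def compare_windows():
    """Same limit (5) and lockout (900 s), two tracking windows."""
    return {
        "slow, window=300": simulate_lockouts(SLOW, 5, 300, 900),
        "slow, window=600": simulate_lockouts(SLOW, 5, 600, 900),
        "burst, window=300": simulate_lockouts(BURST, 5, 300, 900),
    }

if __name__ == "__main__":
    for name, (locks, checked) in compare_windows().items():
        print(f"{name}: lockouts={locks}, attempts evaluated={checked}")
```

Under these assumptions the 300-second window never locks the account for the slow series, while the 600-second window locks it three times and lets only 15 of the 40 attempts reach password verification.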