opensuse / ap4rc Goto Github PK

In your default configuration, you have:

$config['ap4rc_expire_interval'] = "2 MONTH";
$config['ap4rc_warning_interval'] = "1 WEEK";

Could you please explain, why such (especially: short) intervals are needed?

I like to vote for longer times, as latest studies show that it's even better for security to allow users to have longer intervals for changing their own, memorized secrets - which are seen as much more insecure than generated ones.

Even the NIST guidelines removed the need for regular password (memorized secrets) changes since a while: "Users should change their password if they are compromised (or suspected to have been compromised)."

Enforcing a change of a generated application password in such short time frames looks contra-productive in this regard, but I agree that it can be an additional option for certain circumstances.

But your defaults will result in additional load for people inside support and confuse people. Just think about customers, who just notice that their application does not allow them to log in any longer. They will open support tickets just because they did not visit the WebUI.

Therefor I like to suggest longer default expiry times - or even allow to set the expiry time to '0', to disable expiry times completely.

Hello,

I added a (still a bit experimental) feature to display the last access date+time and IP address for each application password.

https://github.com/listerr/ap4rc/blob/p1/README_LAST_ACCESS.md

Works okay for me so far. (Though the way dovecot seems to update the database is a little awkward, but there might be a better way.)

R

Maybe make it ajax as well or at least redirect so we end up in a get.

Add Brazilian Portuguese localization.