
Insecure default settings #4

Closed
iandunn opened this Issue · 6 comments

2 participants

@iandunn

I think pwpush.com is a great service, but IMO the default expiration settings are way too loose. If a client sends me an e-mail with a link that doesn't expire for 30 days and 10 views, then that's a really large window for an attacker.

Ideally, I'd go for 3 days and 1 view, but that's probably too tight for the general public. Maybe 8 days and 2 views?

@pglombardo
Owner

Thanks iandunn. I agree as well. For pwpush.com I need to find the right balance between enough but just enough.

In the code, I think I should make it easier to change the defaults in a single place as well.

I'll take a look and post back here. Thanks for logging this.

@iandunn

Awesome, thanks. Another idea would be to set a cookie for the defaults. That way, a frequent user could have their own if they don't like the ones the application has.

@pglombardo
Owner

Hi @iandunn. I didn't change the defaults on the front page yet but I've added a cookie save option for the defaults like you suggested. Great idea.

I also added a button for viewers to manually delete a password regardless of the view count or age:
http://d.pr/i/6TOt
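As an added illustration of the two ideas in this thread (defaults kept in one place, and per-user defaults saved in a cookie), the following Ruby is example code written for this page, not Password Pusher's own code. The setting names, default values and the 90-day / 100-view upper bounds are constructed assumptions; the point is that a cookie is client-controlled input, so the saved preference is parsed strictly and clamped server-side, and a push stays viewable only while both limits hold and it has not been manually deleted.

```ruby
# Hypothetical helper (not Password Pusher's own code) that resolves the
# expiration settings for a new push. All defaults and bounds live in one
# place, and any preference read from a cookie is treated as untrusted
# input: parsed strictly and clamped to the server-side range.
module PushDefaults
  SETTINGS = {
    # key          => [default, minimum, maximum]   (constructed values)
    'expire_days'  => [8, 1, 90],
    'expire_views' => [2, 1, 100],
  }.freeze

  # Parse a cookie value as a small non-negative integer; reject anything
  # else (signs, whitespace, huge strings) rather than coercing it.
  def self.parse_int(raw)
    return nil unless raw.is_a?(String) && raw.match?(/\A\d{1,6}\z/)
    raw.to_i
  end

  # Returns { 'expire_days' => n, 'expire_views' => m }. A missing or
  # malformed cookie falls back to the default; an out-of-range cookie is
  # clamped so a tampered cookie cannot widen the exposure window beyond
  # what the server allows.
  def self.resolve(cookies)
    SETTINGS.each_with_object({}) do |(key, (default, min, max)), out|
      value = parse_int(cookies[key])
      out[key] = value.nil? ? default : value.clamp(min, max)
    end
  end

  # Values to write back into the cookie when the user saves preferences;
  # running them through resolve() means we never persist an invalid value.
  def self.cookie_values(days, views)
    resolve('expire_days' => days.to_s, 'expire_views' => views.to_s)
      .transform_values(&:to_s)
  end

  # A push is viewable only while both limits hold and a viewer has not
  # deleted it manually (the delete button mentioned above).
  # push is a Hash with :created_at (Time), :views, :expire_days,
  # :expire_views and :deleted.
  def self.viewable?(push, now: Time.now)
    return false if push[:deleted]
    return false if push[:views] >= push[:expire_views]
    age_days = (now - push[:created_at]) / 86_400.0
    age_days < push[:expire_days]
  end
end
```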

@pglombardo
Owner

FYI I posted about the new features on reddit

@iandunn

Looks great :)

@pglombardo
Owner

Closing this issue now as the user can save cookie defaults. If I get more requests to lower the page defaults I'll revisit. Thanks for filing @iandunn!

@pglombardo pglombardo closed this