Insecure default settings #4

Closed
iandunn opened this Issue Aug 28, 2012 · 6 comments

iandunn commented Aug 28, 2012

I think pwpush.com is a great service, but IMO the default expiration settings are way too loose. If a client sends me an e-mail with a link that doesn't expire for 30 days and 10 views, then that's a really large window for an attacker.

Ideally, I'd go for 3 days and 1 view, but that's probably too tight for the general public. Maybe 8 days and 2 views?

Owner

pglombardo commented Aug 31, 2012

Thanks iandunn. I agree as well. For pwpush.com I need to find the right balance between enough but just enough.

In the code, I think I should make it easier to change the defaults in a single place as well.

I'll take a look and post back here. Thanks for logging this.

iandunn commented Sep 11, 2012

Awesome, thanks. Another idea would be to set a cookie for the defaults. That way, a frequent user could have their own if they don't like the ones the application has.

Owner

pglombardo commented Nov 4, 2012

Hi @iandunn. I didn't change the defaults on the front page yet, but I've added a cookie-save option for the defaults like you suggested. Great idea.

I also added a button for viewers to manually delete a password regardless of the view count or age:
http://d.pr/i/6TOt
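One way the three pieces discussed in this thread fit together (site-wide defaults in a single place, cookie-saved per-user defaults, and a manual delete that overrides the view count and age), as an added example written for this issue and not taken from the pwpush code base. The numbers are assumptions: the 8-day/2-view defaults are the values proposed above, and the 30-day/10-view ceiling is the old default, kept as the hard limit so a tampered cookie cannot loosen expiry beyond it.

```ruby
# Constructed example, not pwpush's own code. Defaults live in one place,
# as suggested in the thread, and cookie preferences may only move them
# within a hard range that the server controls.
PUSH_DEFAULTS = { days: 8, views: 2 }.freeze             # proposed defaults
PUSH_LIMITS   = { days: 1..30, views: 1..10 }.freeze     # assumed ceiling

# Resolve effective defaults from a cookie hash (string keys and values,
# as a browser sends them). Anything missing, malformed or out of range
# falls back to the site default instead of being trusted.
def effective_defaults(cookie)
  PUSH_DEFAULTS.each_with_object({}) do |(key, default), out|
    raw = cookie["default_#{key}"]
    val = raw.to_s =~ /\A\d+\z/ ? raw.to_i : default
    out[key] = PUSH_LIMITS[key].cover?(val) ? val : default
  end
end

# A pushed password expires after N days OR N views, whichever comes
# first, and a viewer may delete it early (the button added above).
Push = Struct.new(:created_at, :expire_days, :expire_views, :views, :deleted)

def push_expired?(push, now = Time.now)
  return true if push.deleted
  return true if push.views >= push.expire_views
  now - push.created_at >= push.expire_days * 86_400
end

# Record a view and report whether the secret may still be shown.
# The view that reaches the limit is the last one served.
def view!(push, now = Time.now)
  return false if push_expired?(push, now)
  push.views += 1
  true
end
```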

Owner

pglombardo commented Nov 5, 2012

FYI I posted about the new features on reddit

iandunn commented Nov 12, 2012

Looks great :)

Owner

pglombardo commented Feb 4, 2013

Closing this issue now as the user can save cookie defaults. If I get more requests to lower the page defaults I'll revisit. Thanks for filing @iandunn!

pglombardo closed this Feb 4, 2013