Preventing 1Password from Logging Out
I'm on day 2 of my 1Password trial after being a LastPass user for many years. I'm liking 1Password a lot, but it seems to be lacking one key feature of LastPass that I really miss: LastPass will keep me logged in to LastPass until I explicitly log out - even if I close my web browser and even if I restart my computer. This is really handy, because I open and close my browser many times during the day. With 1Password I have to enter my very long master password every time I start my web browser. This is an inconvenience.
Staying indefinitely logged in is not good security practice - as LastPass will tell you - so I only do it with my computer when I'm at home. But when I'm home, it's a terrific feature that I really miss in 1Password.
The closest I can come to achieving this with 1Password is to leave my web browser open all the time and set a long period of time before 1Password closes from inactivity. That's not a convenient solution, and it's easy to forget and close my web browser.
Is there some way for me to achieve with 1Password what I have with LastPass, i.e., to keep my vault unlocked until I explicitly lock it?
1Password Version: 7.3.684
Extension Version: 1.15.1
OS Version: Windows 10
Sync Type: 1Password
Comments
-
@BulldogX: Thanks for reaching out. We don't have any plans to allow 1Password to stay "unlocked" indefinitely because "unlocking" requires the Master Password (to decrypt the data), and in order for it to stay "unlocked" we'd need to save the Master Password to disk, and there's just no way we're going to do that. It may be in the future that as things like Windows Hello and hardware security technologies improve we can come closer to your ideal without sacrificing security, but only time will tell.
I guess the question I have is, what benefit do you see 1Password (or any password manager) offering you if it's unlocked all the time? At that point, anyone can walk up to your computer and access your data, which is why we've got auto-lock. This cannot be disabled completely, but can be customized fairly heavily, so that if you're actually actively using your computer, 1Password will not lock; it would after the period of inactivity you set. So I'm not sure why you need 1Password to be unlocked if you're not using it. If you can tell me more about your particular use case, maybe I can suggest something.
But another piece of this puzzle is that you appear to be using 1Password X, not the 1Password desktop extension that integrated with the Windows (and Mac) app. You may want to try the latter, since that locks and unlocks with the app:
https://support.1password.com/1password-extension/
1Password X is designed as a self-contained extension that runs only in the browser, since some people aren't able to use the native apps. Therefore, when you close the browser, it will absolutely be locked again when you open it because it quit along with the browser in was running inside.
Anyway, I hope this helps. Be sure to let me know if you have any other questions! :)
0 -
"I guess the question I have is, what benefit do you see 1Password (or any password manager) offering you if it's unlocked all the time?"
Perhaps I didn't explain myself well the first time, so I'll try again. You probably know that LastPass operates exclusively as a web browser extension. It doesn't have a separate desktop app, as does 1Password. To use LastPass I open my (Chrome) web browser and then I sign in to LastPass. I don't have to sign in to LastPass every time I open my web browser, but since so many of the websites I read require a login, it's just more convenient to be signed in to LastPass whenever I open my web browser.
With LastPass, I need only enter my 19-character master password once at the beginning of the day and then I'm signed in to LastPass indefinitely, no matter how many times I open and close my web browser, until I sign out. I'm sure you can see how this is a convenience. We agree that it's not the best security practice, but it's appropriate for my use case, so I'm glad that LastPass offers me the discretion to do this.
If I understand correctly, 1Password won't stay unlocked indefinitely, but it can remain unlocked for an extended period of time, depending on whether I am using the app or the browser extension:
If I'm signed in to the app, my computer can be idle for up to 12 hours before the app will lock and require me to sign in again.
If I'm using the web browser extension, my web browser can be idle for up to 300 minutes before the extension will lock and require me to sign in again. It will also lock as soon as I close my web browser.
Is that correct?
0 -
I spent a fair bit of time composing a reply which vanished after I posted it. That didn't make me happy. I'll try to re-create it below.
I guess the question I have is, what benefit do you see 1Password (or any password manager) offering you if it's unlocked all the time?
Perhaps I didn't explain myself well in my original post. As you probably know, LastPass is only a browser extension - it doesn't have a separate desktop app as does 1Password. To use LastPass I open my browser - Chrome - and then sign in to LastPass. I do this because many of the websites I visit require a login, so it's simpler to just sign in to LastPass as soon as I open Chrome.
Once signed in, LastPass allows its users to remain signed in to LastPass indefinitely, even after they close their browser, until the user signs out. LastPass will warn you about doing that, but it gives users the discretion to remain signed in. For certain use cases and with the proper precautions, it's a great convenience that I appreciate. It means that I don't have to type my 19-character master password dozens of times a day.
1Password has a browser extension and a desktop app. Once I've used the browser extension to sign in to 1Password, I am also signed in indefinitely, unless one of two things happens: 1) I haven't used the extension for a configurable length of time up to 300 minutes, or 2) I close the browser. So when using the extension, if I want to avoid typing my 19-character password again and again, I've got to remember to keep the browser open and use it at least once every 5 hours.
If, instead, I've used the desktop app to sign in to 1Password, I am also signed in indefinitely, unless my computer has been idle for a configurable length of time up to 12 hours. But if I try to log in to a website from the app, and my web browser isn't open and already signed in to 1Password, I'll have to sign in to 1Password again.
So there it is: It's very important to have a master password that is long and uncrackable, but it's a nuisance to have to type that password over and over. I am hoping to find something similar in 1Password to what I have in LastPass.
0 -
It sounds like you're probably using 1Password X in your browser, is that correct, @BulldogX? As brenty mentioned, we have no plans to allow 1Password to stay unlocked indefinitely. Doing so does require your Master Password be written somewhere and while we understand some folks may understand that risk and accept it, that can't be said of every customer we have. Sure, we could show a warning, but I'm not going to trust that everyone who chooses this highly convenient option is going to read that warning and make an informed decision. One thing I hope we'll always make a priority is not compromising the security of our less technically-savvy customers for the sake of allowing power users to choose less security, however well-informed that decision might be.
With that said, you should see improvements on this front in future updates, if you are using 1Password X. Right now, 1Password X doesn't integrate with your desktop app at all on Windows, but we have such integration in beta on Mac. That will allow you to close your browser and keep 1Password X unlocked so long as the desktop app is. There is also an option to prevent your desktop app from locking at all except after a reboot, which should come as close to what you're looking for as we're willing to offer.
I don't have a meaningful ETA on this at the moment. It's something we know we want to do on Windows as well, but we have a few higher priority projects to polish off before we can start work on this integration. These are bigger projects that require a lot of work, so it could well be a long way out yet. For now, you can disable auto-lock (both for the desktop app and 1Password X if you'd like). You'll still need to unlock each once, but you can certainly minimize locking with the settings that exist today. :chuffed:
0 -
This content has been removed.
-
I don't know the technicalities behind leaving 1Password unlocked, and it's certainly not my place to criticize. I only know that 1) LastPass makes this possible, although it certainly discourages it; and 2) under the circumstances I described above, 1Password allows itself to be unlocked for long periods of time during which "anyone can walk up to your computer and access your data." So the distinction between 1Password and LastPass in this regard seems to be the length of time each application allows itself to remain unlocked.
It's only Day 4 of my trial so I still have plenty of time to discover 1Passwords' features. I already like its good-looking and logical interface.
0 -
The best way to discourage unsafe behaviour is to not allow it in the first place. No one needs to use 1Password to be less secure, after all. My experience is that people choose to use 1Password to be more secure. Rather than being a matter of time, it's an issue of persistence. Having the Master Password stored on an ongoing basis (in order to enable not having to unlock it) means that it could be captured. It's as simple as that. If we can find a reliable solution that doesn't have that significant downside, this may change in the future. For now, it's not something that's on the horizon.
I'm really glad that you gave 1Password a try in the first place, and that you're enjoying it! Hopefully this one thing won't be a deal breaker for you, but certainly different people have different preferences. We're not going to be able to accommodate every preference, especially when it would mean putting countless others at risk. But I appreciate you sharing your feedback on this, as everyone has an opinion! :)
0