How often should the master password be changed?
How often (if ever) does 1Password recommend users change the master password?
It's not easy to find concrete recommendations on this subject from the docs.
This page seems to contain Agilebits' consolidated account security recommendations, but contains no recommendation one way or the other. Why is this recommendation not prominently made somewhere?
Here's one recommendation from a blog post:
But it’s not a good idea to regularly change your Master Password. Ideally, you should pick a good Master Password at the outset and never change it.
Can that really be true? Why does it make sense to assume it never gets compromised? For that matter, why doesn't it make sense to assume that the master password, along with all passwords, is eventually compromised?
I realize it depends on what networks I'm using and how physically secure my computer is, but all systems are subject to compromise and mistakes.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:change master password
Comments
You raise some good questions in your post. I will attempt to answer them in order here.
How often (if ever) does 1Password recommend users change the master password?
Our recommendation is usually to avoid changing your Master Password unless you fall into one of the following scenarios:
- You have reason to believe that your Master Password might have been compromised;
- You fear that you might struggle to remember your Master Password;
- You are using the Master Password on some other website.
Points 1) and 3) help you mitigate the risk of an actual compromise of your Master Password, while point 2) helps you lower the risk of data loss, caused by not being able to decrypt your data anymore. Because your Master Password is never sent to us, for your privacy and security, we cannot help you to recover it: therefore, reducing data loss risk is a very good reason to change your Master Password if you believe that it is not easy enough to remember, and that forgetting it is a realistic risk for you.
This page seems to contain Agilebits' consolidated account security recommendations, but contains no recommendation one way or the other. Why is this recommendation not prominently made somewhere?
What matters most for your 1Password security is choosing a strong Master Password, and we tried to make that clear both in the documentation page you linked to (How to keep your 1Password account secure) and in the following documentation page as well, which focuses specifically on how to choose a strong Master Password:
How to choose a good Master Password
Can that really be true? Why does it make sense to assume it never gets compromised?
Indeed, it doesn't make sense to assume this: this is not the assumption you should make. You should not assume that your Master Password will never get compromised. But on the other hand, you should also not assume that your password is regularly being compromised, so as to make it necessary to also update it on a regular basis. After all, you don't change your door locks every month just in case someone managed to get a duplicate of your house keys. You might want to do that though if you, let's say, dropped your keys and lost them in a parking lot [1].
From a more technical 1Password perspective, there is a distinction between your actual Master Password and the actual encryption keys used to encrypt your 1Password data. Changing your Master Password does not impact the underlying encryption keys, so changing the Master Password for the sake of changing it would not result in an improvement in security (from a purely cryptographic perspective).
From a less technical perspective, your Master Password is not like a typical account password. It's the only password you should remember, and there is no need to make your life more difficult without reason: it is better to choose a long Master Password from the get-go, which is unique and memorable, rather than artificially adding friction to the process: the risk is that you become burned out by the regular changes, and default to choosing shorter or weaker Master Passwords; or, worse, that you forget your new Master Password and lose access to your data.
More generally, the idea is that frequent password changes, and increasing their complexity too much (at the cost of ease of remembering them), can lead to poorer password management behavior. This is why the password world has been slowly going towards recommendations to not mandate password changes (I should probably emphasize slowly, however). NIST themselves have been recommending against changing passwords on a regular basis for a while now. However, this is so ingrained in our behaviors that I think it will take a while for everyone to get familiar with this new policy.
Of course, nothing is stopping you from changing it on a regular basis if you prefer anyway. The password change feature in 1Password allows you to do that if you wish. You are ultimately in control of your data.
I hope this clarifies things a little bit.
===
Daniel
1Password Security Team

[1] Although, in the real world, it would be debatable whether changing the locks in this case would make sense either.
@DanielP thanks very much for your thoughtful reply, outlining the risks versus the benefits of changing the master password with some frequency, and the potentially weakened security that might result. The main emphasis is on the strength of the master password as the primary pillar in the security fortification.
As I was reflecting on this, it occurred to me that one thing I am almost certain I have done at least once is to have absent-mindedly keyed in my master password while the 1Password window did not have focus, thus keying it into some other open application. Given the number of times each day I type in the master password, this type of leakage strikes me as inevitable. In this sense, the master password is different from other passwords because of the number of times it's keyed in, and the increased likelihood of an inadvertent leak.
Along the same lines, what are the ramifications of a compromise? If I have reason to believe the master password was compromised, say in the manner above, then it makes sense to assume the same about all passwords it protects. However, I know that 1Password requires the account key in addition to the master password to enable 1Password on a new device. Is it accurate to say that 1Password requires a double compromise in order for an attacker to do any damage? In other words, if I accidentally paste my master password into Slack and then immediately change it, am I still protected against all attackers without physical access to my devices?
@jordanpg - without question, the Master Password is the single most important thing (that you can control) protecting the data you store in 1Password. Each of us has different use-cases and frequencies with which we type our Master Password. If you're on a Mac with Touch ID, you might not type it more than once every couple of days, even if you're using 1Password all day every day in the course of your work. If you've got biometry turned off or a very short timeout, you might be typing in your Master Password many times a day. It really depends on the user.
And certainly, many of us have had that feeling of realizing another application had focus when we typed our Master Password. Whether that constitutes a "compromise" is less clear, and depends on specific circumstances. Which application had focus? Was Enter pressed, or did you realize your mistake halfway through typing? Does the application in question connect to the internet? Does it auto-save entered text, like some word processors and text editors do, on a regular basis? The answers to these questions will vary depending upon circumstances, but also depending on an individual's own perception of their threat model. If I typed my Master Password into Google and pressed Enter before realizing what I'd done, I might consider that disclosed and want to change the Master Password. But if I just typed a few characters of it into a random application where it wasn't saved to disk - and probably not even into process memory, once erased/backspaced? Then I might consider that not worth going to the trouble to re-train myself on a new Master Password.
Is it accurate to say that 1Password requires a double compromise in order for an attacker to do any damage?
Only if the attacker does not possess a copy of your encrypted 1Password data and is trying to obtain it from our servers instead. On your own local device(s), it is the Master Password which protects your data. The Secret Key will be required only the first time you sign into your 1password.com account from any new browser/app. After that, it is stored locally, and any competent attacker will be relatively trivially able to acquire a copy of your Secret Key because it's not intended to be a secret on your own device. Your Secret Key protects you if WE get hacked.
...if I accidentally paste my master password into Slack and then immediately change it, am I still protected against all attackers without physical access to my devices?
Physical or remote access, yes. Presuming no one else already has a copy of your encrypted 1Password data (and they shouldn't), then if no one can access your device(s) physically or remotely in the short time it takes you to change your Master Password, you should be fine.
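Two points in the replies above are easier to see in code than in prose: Daniel's point that changing the Master Password does not change the underlying encryption keys, and the second reply's point that the Secret Key is combined with the Master Password, and that a password change does not lock out someone who already holds a copy of the encrypted data. The following is an added toy model written for this thread; it is not 1Password's code and does not reproduce 1Password's actual cryptography (the KDF mixing, the HMAC-based stream cipher, the key check value, and all sample values are constructed for illustration). The design is the general password-based key-wrapping pattern: a random vault key encrypts the data, a key-encryption key (KEK) derived from Master Password plus Secret Key wraps the vault key, and a password change only re-wraps the vault key.

```python
"""Toy password-based key wrapping (added example; not 1Password's code).

Assumptions, all constructed for illustration:
- a random 32-byte vault key encrypts the data;
- the Master Password and a Secret Key are mixed into a key-encryption key (KEK);
- the vault key is stored only in wrapped (encrypted) form under the KEK;
- a key check value (KCV) lets us detect a wrong password instead of
  returning garbage plaintext.
"""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # constructed value, not 1Password's parameter


def derive_kek(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-secret KDF (toy): PBKDF2 over the password, then HMAC-mixed with the Secret Key.
    Without the Secret Key, a correct Master Password alone still yields the wrong KEK."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS)
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream; a toy stream cipher used for wrapping and data."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_check(vault_key: bytes) -> bytes:
    """Key check value: lets unwrap detect a wrong KEK without exposing the vault key."""
    return hmac.new(vault_key, b"key-check", hashlib.sha256).digest()


def create_vault(master_password: str, secret_key: bytes, plaintext: bytes, *,
                 salt: bytes = None, vault_key: bytes = None, nonce: bytes = None) -> dict:
    """Encrypt plaintext under a fresh vault key and wrap that key under the KEK.
    Keyword arguments exist only so tests can be deterministic."""
    salt = secrets.token_bytes(16) if salt is None else salt
    vault_key = secrets.token_bytes(32) if vault_key is None else vault_key
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    kek = derive_kek(master_password, secret_key, salt)
    return {
        "salt": salt,
        "wrapped_key": xor_bytes(vault_key, keystream(kek, b"wrap" + salt, 32)),
        "kcv": key_check(vault_key),
        "nonce": nonce,
        "ciphertext": xor_bytes(plaintext, keystream(vault_key, nonce, len(plaintext))),
    }


def unwrap_vault_key(vault: dict, master_password: str, secret_key: bytes):
    """Return the vault key, or None if Master Password or Secret Key is wrong."""
    kek = derive_kek(master_password, secret_key, vault["salt"])
    candidate = xor_bytes(vault["wrapped_key"], keystream(kek, b"wrap" + vault["salt"], 32))
    if not hmac.compare_digest(key_check(candidate), vault["kcv"]):
        return None
    return candidate


def unlock(vault: dict, master_password: str, secret_key: bytes):
    """Decrypt the data, or return None when the credentials do not unwrap the vault key."""
    vault_key = unwrap_vault_key(vault, master_password, secret_key)
    if vault_key is None:
        return None
    return xor_bytes(vault["ciphertext"], keystream(vault_key, vault["nonce"], len(vault["ciphertext"])))


def change_master_password(vault: dict, old_password: str, new_password: str,
                           secret_key: bytes, *, new_salt: bytes = None) -> dict:
    """Re-wrap the existing vault key under a KEK derived from the new password.
    The data ciphertext and the vault key itself are left untouched."""
    vault_key = unwrap_vault_key(vault, old_password, secret_key)
    if vault_key is None:
        raise ValueError("old Master Password or Secret Key is wrong")
    new_salt = secrets.token_bytes(16) if new_salt is None else new_salt
    kek = derive_kek(new_password, secret_key, new_salt)
    new_vault = dict(vault)
    new_vault["salt"] = new_salt
    new_vault["wrapped_key"] = xor_bytes(vault_key, keystream(kek, b"wrap" + new_salt, 32))
    return new_vault


if __name__ == "__main__":
    sk = secrets.token_bytes(32)  # constructed Secret Key
    old = create_vault("correct horse", sk, b"constructed vault contents")
    new = change_master_password(old, "correct horse", "battery staple", sk)
    print("ciphertext unchanged:", old["ciphertext"] == new["ciphertext"])
    print("new password opens new vault:", unlock(new, "battery staple", sk) is not None)
    # Someone who copied the OLD encrypted vault and learned the OLD password is not
    # locked out by the change, which is why the reply above conditions on nobody
    # already holding a copy of the encrypted data.
    print("old copy + old password still opens:", unlock(old, "correct horse", sk) is not None)
```

The two behaviours the thread discusses fall out directly: `change_master_password` replaces only `wrapped_key` and `salt`, so the ciphertext is byte-identical before and after, and `unlock` with the right password but the wrong Secret Key fails because the KEK mixes both secrets. The last `print` shows the caveat from the final reply: a previously copied vault still opens with the old password, so a password change protects against future access to the device, not against data already exfiltrated.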