Password Update Policy

Is there any way to specify a policy for a password or vault that alerts you or reminds you to update a password on at a scheduled interval such as every month or every other week?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • BenBen AWS Team

    Team Member

    Hi @User_93854745

    At present there is not; sorry. Perhaps that is something we can consider for the future. Thanks for the suggestion. :)

    Ben

  • +1 for this one.

    Watchtower is great, I like to be able to see my password risk at a glance across all accounts, especially if you vault by account sensitivity. But the next logical step for those serious about managing risk is to establish your own personal policy, right? e.g. All sensitive accounts, need to have a password strength of excellent or better and must be changed at least every x days. You've got the first one already which is great, but if it's out on some breach list (that doesn't get picked up by your fancy watchtower feature), an excellent password strength isn't going to help you.

    I saw another thread asking for this feature and it was dismissed as "not appropriate for watchtower". I disagree, isn't providing an assessment of your risk across accounts exactly what watchtower is for?

    There's a good reason we establish password policies at work

    Even if we could sort by the password last changed attribute, it could be accomplished ad hoc. Sorting by last modified will include changes on any attribute on that record I presume, so that doesn't cut it.

    Feature request aside. Nice work on the product, I recommend it when asked.

    Rob

  • Shoudn’t passwords be changed only when there is a risk of compromise?

    https://www.infoworld.com/article/3194705/nist-to-security-admins-youve-made-passwords-too-hard.html

  • Indeed! That happened. The collective gasp of the security industry was quite impressive. The premise makes a lot of sense. People are more likely to use good long passwords and not write them on sticky notes if they don't have to think of new ones every 90 days. But, Those are general guidelines and certainly not appropriate for all situations. In most cases the sensitivity of the data and surrounding compensating controls available and in use will dictate how much you can/should relax your password policies e.g. If you are doing MFA, or have really good monitoring in place, or if it's your kids roblox account vs a bank account. As for your 401k and financial accounts, I would suggest doing an all-of-the-above strategy. If you have a strong password that you're not using for multiple accounts and MFA is available (and you're using it)... I don't see reason to change it every 90 days but I would discourage letting a sensitive password age over a year or two.

  • LarsLars Junior Member

    Team Member
    edited January 10

    Welcome to the forum, @rob2342! Lars from the Security Team here. There are certainly competing and sometimes even contradictory pieces of advice available on a multitude of topics, and password practices are no exception. An example would be the way two versions of the same publication from a generally respected source - NIST - from different eras directly contradict one another on the advisability of frequent password changes. The newer version recommends against it in most cases:

    Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

    We concur with that advice, and in fact were advocating for it back when Bill Burr's original version of the guidelines that recommended frequent password changes was still in effect and considered common knowledge and best practice. Until this new version was released, it was much tougher sledding for us to explain what we believed were best practices when well-read users could point to NIST's own guidelines that differed from what we suggested. We are glad to see their recommendations in alignment with ours now. And in fact, in the updated (current) guidelines, the very next paragraph reads:

    Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

    In 2003, 1Password did not exist, and neither did any of today's major players in the password manager space (that I'm aware of). Fast-forward to 2021, and one of the reasons this space (password management) is so robust is because humans are terrible at remembering dozens or hundreds of randomly generated passwords, and all of us have a lot more of them to remember/manage than we used to. In the pre-password manager days, it was still possible to generate passwords randomly, and to write them down -- but very few people did so. Instead, most people re-used passwords, or made minor iterative changes from one service to the next with the same base password as the underlying core - adding initials of the service or a digit to the end of the same password for different services, etc.

    Today, using a password manager with a good CSPRNG allows even the least technically-proficient to create truly strong, unique passwords for every site and service, without having to worry about remembering them in their own head. As a result, what's a strong password today will remain a strong password tomorrow (and thus not need to be changed) unless either the service itself is breached, or the user is somehow socially engineered or tricked into divulging their password, or their device is stolen/hacked. Yes, it's not always immediately apparent that one's device has been breached -- but often, it is. And most reputable and competent companies with an online presence will responsibly disclose password breaches as quickly as they happen. As a result, we don't suggest people regularly change passwords generally unless they suspect (or know) that either they or the service in question has experienced a breach.

    It's certainly a matter of personal choice (as it is in nearly everything), which guidelines and recommendations to choose and which to alter or ignore, and we don't deny there may be very good reasons for not taking a particular piece of advice on a topic, depending on one's own personal situation. In fact, I would argue that using one's own powers of discernment and judgment in assessing the applicability of various guidelines/recommendations to one's own situation is practicing good security, in most cases. And if users want to change passwords on a set schedule or whenever else feels comfortable, 1Password will be right there to help them by making it easy to change their passwords and make them stronger, then get right back to whatever they were doing. But - since we don't suggest changing one's passwords regularly - there are no current plans to build in the functionality User_93854745 was suggesting in the OP. If you're using 1Password for Mac, you can use Search Options to select age of last password change to find passwords that have not been changed in a certain time-frame, but on Windows or elsewhere, I'd suggest using calendar or task reminders to accomplish this for accounts where you believe it's beneficial.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file