CLI to force password reset

Hi all,

I understand between a combination of scripting and PowerShell Secrets Module that you can extend the CLI. I am working through a scenario where I use the CLI to search for a specific password in shared vaults and force a reset on the password to the end user. I am thinking this is possible but can't be certain. Any thoughts?



Comments

  • Hey @Kennyties – are you wanting to get the user to reset the password there and then from your script?

    If you're wanting to mark an item as needing to be reset, and for the 1Password apps to force someone else to reset it at another time, this isn't possible right now. But if resetting the password there and then is an option, you can update an item's password like so:

    $ op edit item <item> password=<new password>
    

    Where <item> is the item name or UUID. Or, if you'd prefer to automatically generate a new password, then just run:

    $ op edit item <item> --generate-password
    

    You can then implement these into your scripts using your preferred language's method of running other apps. You can also find the full documentation for the CLI over here: https://support.1password.com/command-line/

    Let me know if that helps!

  • Hey @Matthew_1P thank you for following up. What I am wanting to do is find all passwords that don't meet my requirements then reset the password. Ideally these password resets would be done by me so that I know they meet my requirements.

  • ag_yaron

    Team Member
    edited December 2020

    Hey @Kennyties ,

    As I mentioned in another discussion, you'll want to build a script that retrieves the passwords of all items using the list and get commands: https://support.1password.com/command-line-reference/#get-item

    $ op list items --categories Login --vault Staging | op get item - --fields password --format CSV
    

    This will grab all passwords of login items from a vault called "Staging". You can change the format to JSON if you prefer.
    Once you have all the passwords, in your script, you can index them to match your login items, run a strength check on the passwords and change the ones that fail the strength test.

  • Hey @ag_yaron thanks this is super helpful! I am going to try this out. I just need to find my batch script that connects to the CLI.

  • ag_yaron

    Team Member

    Great! I hope you manage it easily :)

  • Hi @ag_yaron or @Matthew_1P, is there a way to query all shared vaults in one request?

    I am trying to work through my logic which is as follows.
    1. Get shared vaults (Could I query the groups to see what shared vaults they have access to, then store that information in a variable and repeat. After everything is in a single variable, I could then call that variable)
    2. Get list of logins and passwords
    3. Find passwords that do not meet my requirements and create a CSV. (I have done this partially with a single vault. I am able to query a shared vault and format the data as JSON or CSV. I am still working through the logic of how to handle specific fields)

    What is everyone's feedback on this?

  • ag_yaron

    Team Member

    Hey @Kennyties ,

    You can definitely use op list vaults --group NameOfGroup | op get vault - as shown here: https://support.1password.com/command-line-reference/#list-vaults

    What you describe is definitely possible, the end goal makes sense, but I'm sure you'll find more logical ways to implement things as you move forward with this workflow :)

  • Hey @ag_yaron,

    Thanks, I was able to get a list of shared vaults and store them as a variable and I was able to get a list of logins and passwords. I am just stuck on the "less than x characters" portion of my code. I ran a "Where-Object" but it was giving me characters more than X characters.

    Thanks, I am glad my logic is possible and makes sense. :)

  • ag_yaron

    Team Member

    I'm glad to hear it @Kennyties ! :+1:

  • Hey @ag_yaron,

    I was able to figure out this entire process.
    Here are my steps:
    1. I used .\op list items by using this command: .\op list vaults --group "Group Name" | .\op get vault - | .\op list items | .\op get item - --fields website,username,password --format JSON | ConvertFrom-Json
    2. I then saved the command as a variable then did a | format-table
    3. Then I used a $variablename.where({$_.password.length -lt 14}). The last portion, .length -lt 14, gets password strings less than 14.
    4. I then installed the ImportExcel module to save and open the file in excel automatically.
    5. I then used this $VariableName.where({$_.password.length -lt 14}) |Get-Process | Export-Excel "File location" -Show

    I hope this can help those who have a similar request.
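
The length filter from the steps above, as an added PowerShell example that is not code from the thread or from 1Password: it also flags reused passwords (which goes beyond the length check in the post) and builds a report that contains no password column, so the exported file holds no secrets. The function name Get-PasswordAuditReport and the sample records are assumptions made for illustration; the field names website, username and password are the ones used in the post.

```powershell
# Constructed sample input with the same shape as the ConvertFrom-Json output
# in the post (website, username, password). All values are made up.
$items = @'
[
  {"website":"https://staging.example.com","username":"deploy","password":"Summer2020!"},
  {"website":"https://ci.example.com","username":"build","password":"Summer2020!"},
  {"website":"https://wiki.example.com","username":"admin","password":"k7#Vq2!mZp9&Lw4xTe"}
]
'@ | ConvertFrom-Json

# Hypothetical helper: reports items whose password is too short or reused.
function Get-PasswordAuditReport {
    param(
        [Parameter(Mandatory)] [object[]] $Items,
        [int] $MinLength = 14    # threshold used in the post
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # Fingerprint each password in memory so reuse can be grouped
        # without carrying the plaintext into the report rows.
        $rows = foreach ($i in $Items) {
            $pw    = [string]$i.password
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($pw)
            [pscustomobject]@{
                Website  = $i.website
                Username = $i.username
                Length   = $pw.Length
                TooShort = ($pw.Length -lt $MinLength)
                Hash     = [System.BitConverter]::ToString($sha.ComputeHash($bytes))
            }
        }
    } finally { $sha.Dispose() }

    # Map each fingerprint to the number of items that share it.
    $counts = @{}
    $rows | Group-Object Hash | ForEach-Object { $counts[$_.Name] = $_.Count }

    # Emit only failing items, and drop the fingerprint from the output.
    $rows | Where-Object { $_.TooShort -or $counts[$_.Hash] -gt 1 } |
        Select-Object Website, Username, Length, TooShort,
            @{ Name = 'Reused'; Expression = { $counts[$_.Hash] -gt 1 } }
}

Get-PasswordAuditReport -Items $items | Format-Table -AutoSize
```

With the sample data the report lists the two items that share an 11-character password and omits the 18-character one. The output can be piped to Export-Excel as in step 5 in place of Format-Table.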

  • ag_yaron

    Team Member

    Very well done @Kennyties !
    I believe it will help others as well, so thank you for sharing :+1:

  • Thanks @ag_yaron!

    I am always happy to share what I learned. Now that I got that under my belt it is time for me to look at my own vaults for passwords that don't comply and/or are duplicates.

  • ag_yaron

    Team Member

    Sounds good :chuffed:
