Disabling prompt for master password every 14 days?

matze787
Community Member

Hi there!

I switched from Bitwarden to 1Password with my whole family but I can't believe there is NO way to disable the repetitive prompt for the master password every 14 days. I can alter the settings but the max. length is 14 days. There's no "never".

We keep our devices (Mac, iPhone, iPad, etc.) secure by using Face ID, so I don't see any reason why I have to re-enter my master password every now and then, or at least every 14 days. My family refuses to use 1Password due to the issue.

We are paying customers, so why won't 1Password let its users set the parameter individually?

If this is not changed, I will have to switch back to Bitwarden (where there is no issue at all - everything can be set according to the wishes of the users)...


Comments

  • Hey @matze787:

    The general point of this is to ensure that you haven't forgotten your account password. Face ID or Touch ID is not a 1:1 replacement for your account password, and indeed you may run into a situation where Face ID or Touch ID is disabled for one reason or another. Without memorizing your account password, at that point you would be locked out of your 1Password account. My colleague Ben has spoken a bit about what we would love as the ideal for this:

    I think the ideal would be for this to be a two week timer, reset any time you type your account password on any device. There are some technical hurdles to implementing that, but they may be surmountable. The point is to help ensure you have your Master Password memorized, not to punish you for using a device with a tiny virtual keyboard. 😆 I'm not in a position to make any promises but this is a pain point we're aware of, especially for folks who use 1Password across a lot of different devices (such as ourselves!!).

    With all that said however, if this is an absolute dealbreaker for you, stay safe out there with whatever password manager you do decide to go with!

    Jack

  • matze787
    Community Member

    Yep, I'm confident enough to remember my master password. But having to enter it when you're in a hurry and on the road (for example) is not acceptable. It should at least be an option to turn it off.

    Regards,
    Matthias

  • Dunecat
    Community Member
    edited June 2022

    You're not alone, @matze787. Delegated unlock (e.g. using the computer or phone's lock mechanism to protect an unlocked vault) has its risks, but these risks can be mitigated, and the benefits are substantial.

    For example, if you use Windows Hello with Windows login, then here's the Windows unlock flow:
    1. PC boots
    2. Windows activates the IR camera and starts looking for you
    3. Windows automatically unlocks once it sees you. Nice!

    That's what I call a good user experience.

    On the contrary, even if you use Windows Hello & the TPM with 1Password, then here's the 1Password unlock flow:
    1. Steps 1-3 above (because you need to get into Windows to start)
    2. Launch 1P
    3. 1P calls the Hello API
    4. The Hello prompt appears and asks for your biometrics, at which point it might randomly decide to use a different biometric, like a registered fingerprint instead of the expected face unlock
    5. Once it's prompting for the correct biometric, THEN you can complete the Hello prompt
    6. Once it's confirmed the expected biometrics, then you have to click 'OK' to confirm
    7. THEN 1Password finally unlocks.

    And that's presuming that 1P successfully completed the TPM read and didn't randomly decide that "Windows Hello was reset".

    This is all security theatre, anyway--if you set the vault to not auto-lock, then you can sleep or hibernate the PC and when it wakes, 1P will still be unlocked. That's good, and no complaints there--but it just goes to show that the unlock-on-start requirement that 1Password imposes amounts to a penalty for shutting down my PC when I'm not using it. That's just absurd.

    Does the 1Password team believe that Windows Hello is secure or not?

    • If it's secure, then if I'm using it to unlock my PC, let the Windows unlock be the only unlock required.
    • If it's not secure, then why go through all the effort of supporting it and supporting TPM modules?

    To be frank, the conscious choice to require unlock upon every launch is nonsense security theatre and very user-hostile. Power users should have the option to delegate the unlock to avoid this bizarre rigmarole. There is NO BENEFIT to requiring a duplicate Windows Hello unlock!

    Now, if you want to offer enterprise customers the ability to set certain policies on how enterprise-owned vaults can be unlocked, that's a different story, but not relevant to consumer users who should have the control over their own vaults.

    It's so incredibly frustrating to try to have serious conversations about these types of things, and you get flip brush-offs like the following:

    stay safe out there with whatever password manager you do decide to go with!

    This isn't a helpful response, but it is patronizing.

    Unfortunately, this isn't the only place where 1P imposes deaths by prompt. Along the same lines, there are certain browser prompts that you simply cannot bypass, like the one to autofill addresses. ADDRESSES! Things like ZIP codes! Why do I need to 'confirm' an autofill on a ZIP code? A ZIP code is 5 numbers! 1Password, please. Please!

  • matze787
    Community Member

    Excellent posting! I already switched to Bitwarden where I can choose how my personal workflow is. And it's free and open-source as well.

    Win/Win I think ;-)

  • Hi @matze787:

    Thanks for your thoughts. We'll be here if you'd like to give us another chance in the future.

    Jack

  • n9yty
    Community Member

    Go pound sand is the basic reply. Nice.

  • Dunecat
    Community Member

    It's true. sadlol.png

  • xtiman82
    Community Member

    Bump, I do agree with why people are having an issue with entering their 'Master' password every 2 weeks. I do understand that "security risk", but with alternative authentication methods available (fingerprint, face unlock), you (1Password) should leave that up to the customer.

    Last week I was a bit drunk, wanted to log in somewhere and 1Password required my password (apparently it was 2 weeks already). Do you think I was able to log in? No! I do remember my master password for 1Password when I'm not drunk, anyway ... In the worst-case scenario everyone has their recovery sheet printed out, right? So what's the problem.

    My mom is using 1Password (we have a family account), and she has issues with 'passwords', so a password manager with fingerprint / face unlock did the trick, but now forcing such a 'feature', I'm really not too happy with this! I'm paying good money and I am the customer. I want this fixed!

    Also considering relocating my stuff to a different Password manager, if this will not be fixed. :(

    Disappointed!

This discussion has been closed.