change request: "Password required every two weeks" - remove, change or make optional
Hi. Being a long, long-time user of 1Password, this is the first time I am genuinely bothered by a feature of the software:
The "Password required every two weeks" feature.
I know it is "for security" but most Macs have biometrics now. I would love to have the option to skip the password entirely because I use a fingerprint (this would either be "remove" or "make optional").
Secondly, when using multiple vaults (accounts), it was always so that the primary vault (account) unlocks all. It still does for biometric unlock. Why then does that not do so anymore with this bi-weekly password requirement? This would be "change": keep the bi-weekly password requirement, but unlock all vaults with the primary one. This would ease the burden on unlocking secondary (and more) vaults, but the security problem remains;
We use strong passwords for everything, our vaults as well. I can't remember the password even if my life depended on it. Having to dig up the password from a source other than 1Password (because it's locked) to get the bi-weekly unlock started feels much (MUCH!) less secure than using biometrics, as I now have to store the password in a text file somewhere, instead of just in the vault at the office.
(What I am saying here, it seems, is this: "the security measure bi-weekly-password reduces the security of the software greatly because insecure methods of password storage are required.")
Final note: I love the beta; the software works perfectly otherwise. Love it!
With kind regards,
Remon.
1Password Version: 8.6.0 80600006
Extension Version: n.a.
OS Version: 12.1
Comments
Interesting situation, @rmpel. Am I right in assuming your company has a 1Password for Business subscription? I was under the impression that 1PW for Business had flexible sharing of vaults, so it surprises me that you need to keep track of multiple passwords for multiple different vaults. But I haven't used 1PW for Business, so perhaps I'm not clear on how it's supposed to work.
Would it be an option for you have one vault to which you remember the password, and then store the passwords for the other vaults inside that one vault? In general, I believe the requirement for a maximum 2-week unlock period isn't for security per se, it's for availability. It's to ensure that people have to type their password periodically so that they don't forget it.
Hey @rmpel:
The short version is we never want you to forget your account password as @EnerJi mentioned (thanks for the assist! 😎). Biometry is great, but there are situations where for whatever reason or another, biometry fails, and in that situation you'd have to enter your account password to unlock 1Password. Without remembering your password, there's a risk of being permanently locked out of your 1Password account.
As for why accounts can no longer unlock each other, and instead need to be unlocked with each individual account password (generally speaking, we'd recommend using a single account password across all 1Password accounts you may have), our Principal Security Architect Jeffrey Goldberg has written a much better explanation of the reasons for the change than I could: https://1password.community/discussion/comment/608291/#Comment_608291
Let me know if that makes sense, or if you'd like me to dig into it further with you!
Jack
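The unlock policy the two replies above describe (biometric unlock only while the account password was typed within the last two weeks, password fallback when biometry fails, and each account tracked on its own), modelled as an added Python example. This is not 1Password's code: the 14-day interval comes from the thread, while the class, method names and the two account labels are assumptions.

```python
from datetime import datetime, timedelta

# Constructed model of the policy discussed in this thread (not 1Password's
# implementation): a biometric unlock is accepted only while the most recent
# *password* unlock of that account is younger than the re-entry interval;
# once it elapses, or if biometry fails, the account password is required,
# and typing it resets the interval for that account only.
PASSWORD_INTERVAL = timedelta(days=14)  # "every two weeks", from the thread


class AccountUnlockPolicy:
    def __init__(self, account_ids, interval=PASSWORD_INTERVAL):
        self.interval = interval
        # None: the password has never been typed on this device
        self.last_password_unlock = {a: None for a in account_ids}

    def biometric_allowed(self, account, now):
        last = self.last_password_unlock[account]
        return last is not None and now - last < self.interval

    def unlock(self, account, method, now, biometric_ok=True):
        """Attempt an unlock; returns (unlocked, reason)."""
        if method == "password":
            self.last_password_unlock[account] = now  # interval restarts
            return True, "password accepted"
        if method != "biometric":
            raise ValueError(f"unknown unlock method: {method}")
        if not self.biometric_allowed(account, now):
            return False, "password required: interval elapsed or never entered"
        if not biometric_ok:
            return False, "biometry failed: fall back to password"
        return True, "biometric accepted"


def demo():
    """Walk through the scenario from the thread; returns the reasons seen."""
    day0 = datetime(2022, 1, 1)
    policy = AccountUnlockPolicy(["personal", "work"])
    log = [policy.unlock("personal", "password", day0)[1]]
    # within two weeks: fingerprint is enough
    log.append(policy.unlock("personal", "biometric", day0 + timedelta(days=13))[1])
    # within the interval but the sensor failed: password fallback
    log.append(policy.unlock("personal", "biometric", day0 + timedelta(days=2), biometric_ok=False)[1])
    # day 15: the two-week interval has elapsed, biometry is refused
    log.append(policy.unlock("personal", "biometric", day0 + timedelta(days=15))[1])
    # unlocking the primary account does not satisfy the secondary account
    log.append(policy.unlock("work", "biometric", day0 + timedelta(days=1))[1])
    return log
```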
@EnerJi
I suspect at least one company I work for has a 1P4B account at work, as they have precise control over who gets to see which vault. And I'm sorry, I'm mixing up the words vault and account. We used to have only 1 vault per account (I'm THAT old). My primary account is a personal one, with only 1 vault, and I have a secondary and tertiary (and for a brief time a quaternary) account with multiple vaults. At the current time, I unlock with my personal account, for which I simplified the password to a memorable one, instead of 32 random characters -- which reduces security. Then I need to get the password for the other accounts from 1Pass itself.
It's doable, but annoying. A "full unlock" with the primary account password would therefore be a great solution, and, if memory serves, in 1P 7 and before, this used to be the case.
Your remark about this feature being for "availability", I can understand that point of view. But I don't want to use rememberable passwords. If I can remember it, I can leak it.
And with that comes repetition; my dad (79) uses LastPass (because it's Dutch, not because it's good -- sidenote: when are you translating to Dutch please, 1P?? I offered to help a few times a while back, doing so again now ;) ). Even with LP, he uses the same password practically everywhere. ... Why? Because he can remember it. Anyways, I digress.
@Jack.P_1P
I understand biometry can fail, but so does a person's mind. So for security/continuity, the primary password should be stored in hardcopy in a safe anyways (again; in my opinion ;) ), or with a family member (assuming you can trust them, obviously). The trick with "same passwords for all accounts", I will use, although that too feels far less secure, because now I have 3 accounts with the same rememberable password ...
As for the article by Jeffrey; I understand! (good read by the way, and I can relate to much if not all of the history ;) )
But I also agree fully with the words of shadcollins in that thread. Maybe it's just a matter of getting used to it, I don't know. But the comfort and ease of use I experienced with 1P before is diminished by this "feature". I don't like it. I might have to get to like it, I probably don't have a choice, but it is a diminished UX nonetheless.
Anyways, thank you all for your time, appreciate it!
Remon.