1Password 8: account password required every 2 weeks?


Comments

  • Ben AWS Team

    Team Member

    Awesome. Thanks @volcom45. It is something I'm pushing for us to try out, if feasible. 🤞

    Ben

  • Backspaze
    Community Member
    edited June 7

    @Ben I'll quote myself below from this post, but if that request is out of the question, then sure, I'm all for syncing unlock time. Anything is better than the current state.

    I'm only interested in bringing back the option "after reboot" in 1Password 8 on iOS, as that was my preferred setting, but I understand the other use cases for those that want the "never" option as well. As long as it's implemented as an option tucked away in the settings, with (multiple) warnings when choosing the option, I don't see the problem. Hiding the setting somewhere deep down in a menu and having the warnings when enabling it should be enough to scare off the users who'll probably be most likely to forget their password.

  • skatch Junior Member
    Community Member
    edited June 7

    @Ben thanks for following up and pushing for this. My opinion is that syncing the 2 week password entry period across devices would be a significant improvement over each device having an independent 2 week expiration timer. However it would still be a pain if the 2 weeks ended when I'm using my iPhone, and avoidable in my case since I use 1Password on my computer all the time. If possible, I'd rather see a system that takes into account the device type, and prioritizes password entry on physical keyboard-based devices.

    This is my situation:

    • I use 1Password on 2 computers every single day. I don't mind having to type my password here occasionally.
    • I use 1Password on my phone a couple times a week. I never want to manually type my password here for the reasons already stated (allowing for rare circumstances – e.g. my device's biometric enrollment has changed).

    I know that what I'm suggesting is more complicated than what you've proposed (needs thought around a lot of different device type combos & usage frequencies). But if the goal is to make the use of a password manager frictionless, I feel that taking into account where password entry is requested is important. However, if this level of nuance isn't possible, then your "sync 2 week entry period across devices" proposal would at least do a lot to reduce the pain of the currently implemented biometric timeout.

  • Ben AWS Team

    Team Member

    @Backspaze

    Thanks for that. I don't know that "after reboot" is completely off the table, but based on the current discussion I think this proposal is more likely to be the one to run the gauntlet.

    @skatch

    Great idea. One of our developers had thoughts along the same lines. Their suggestion was that the timer reset be synced, but that we set the timeout to 3 weeks on mobile and 2 weeks on desktop. This would make it much more likely that the prompt for MP hits your desktop devices vs mobile devices, particularly for those such as yourself that are regularly using a desktop.

    Ben

  • DenalB
    Community Member
    edited June 8

    @Ben
    Thanks for your suggestion. I think it will help a lot, although it's not as perfect as it sounds. But it is better than typing the password on every device after 2 weeks... 👍

    EDIT:

    but that we set the timeout to 3 weeks on mobile and 2 weeks on desktop

    Sounds much much better. 😘

  • skatch Junior Member
    Community Member

    Their suggestion was that the timer reset be synced, but that we set the timeout to 3 weeks on mobile and 2 weeks on desktop.

    This seems like a good idea! 🙂

  • Ben AWS Team

    Team Member

    Fingers crossed. 🤞 😃

    Ben

  • tomatoshadow2
    Community Member

    @skatch Your setup is very similar to mine. I agree: if I'm typing it out on my computer constantly, I would prefer less on mobile with the PIN option.

    @Ben thanks for keeping us updated on this!

  • mick99
    Community Member

    @Ben
    I really don't want to be forced to ever type my master password. I can use biometrics or yubikey but please don't force me to type the master password every 2/3 weeks. I like the idea of adding this as a hidden feature under some developer options for power users if you don't want to make it available for everyone.

    I just don't get the reason you want to force users to type their passwords. When I created an account I was instructed by 1Password that I should make a copy or print the password and store it in a safe place. I've generated a secure, long master password because it's the most important password after all. If someone has access to it, they have access to all my passwords. I don't want to change my master password to something short/easy so that I can type it quickly, especially on mobile.

    Btw have you considered a case where the 1Password user wants to log in to some website and they are forced to enter their master password in a place like a bus or other place where someone may be watching what you're typing? A thief can just see the master password that way, then steal the device and access whatever they want.

    It seems like LastPass found a better, more convenient way for handling this:

  • Poison
    Community Member

    I'm doing my yearly research on password managers and stumbled over this thread.
    My suggestion: Just make an option "Never ask for master password" and let the user double opt in.

  • chrisrosa
    Community Member

    I think the idea that this every two week system will assure that people know their master password isn't really well thought out. This feature is particularly annoying when running with two accounts, because they both lock out at the same time. Luckily I can look up both on my phone and (continuity) copy/paste, but I would prefer a single unlock password like we used to have with 1Pass7. Maybe Yubikey or "authenticate on authorized device" type system would work too.

  • clakulus
    Community Member

    Just chiming in to say that I hope the suggestion of synchronising the reset period and extending the period to three weeks on mobile is considered as having to enter the MP on mobile defeats the entire purpose of AutoFill, especially seeing as the device is already secured with a password and biometrics.

    Thanks

  • philippemercure
    Community Member

    @Ben It doesn't solve all cases. If you are primarily working on macOS, use Touch ID every day and then, at the end of the 2-week window, go out and need to access 1Password on your iOS device, you still have a chance that 1Password would require you to manually provide the password on iOS. Which isn't great. It's still a step in the right direction. You could add logic that would know if the user is using both macOS and iOS, then only ask for the password on macOS in the 2-week window and allow a 4-week window on iOS. You would have more chance to input your password only on macOS, when not in a rush on iOS. Or just allow a window of 4 weeks across all devices. At least we would have to input it 12 times in a year and not 26 times. Thanks.

  • mick99
    Community Member

    The world (Apple and Google) is going into a direction where passwords are not needed. A password manager should be a thing that lets me stop thinking and worrying about passwords. Master password should be very strong, if I'm forced to enter it then I have to remember it or keep it on a paper that I'm carrying with me everywhere, another solution is to have a weak master password. It defeats the purpose of having a password manager in the first place.

  • sectwykr
    Community Member

    I'd also like to add a big +1 to the situation where you have more than one 1P account. I've used 1P for years, and convinced the company where I work a few years back on using it too - so I'm logged into 2 separate 1Password accounts constantly (primary: personal, secondary: work).

    With 1Pv8, now when I'm forced to re-auth (with my strong but memorable passphrase) every 2 weeks - it's a real pain especially on mobile, but I cope.

    However, what really bothers me is that I'm never prompted to log back into the 2nd (work) account. Instead, I'm forced to go through a convoluted process to get it unlocked (have to use the program menus, select Accounts, then select "Sign in to another account", then go to "Sign in on 1Password.com" for some reason, then click on a web link that takes me back to the app (???), then finally I get to authenticate). I don't even bother to try that on my mobile device anymore, which as everyone noted can be a pain for other reasons.

    I seriously hope at least the latter issue can be addressed - and agree that the "until reboot" option, at the very least, should be given to the users - rather than force-treating everyone as being incapable of remembering their master password :)

  • Manaburner
    Community Member

    Today another 2 weeks seems to have passed and I was forced to enter my master password again while I was trying to use autofill in the German DHL app.
    What I then did was open the 1Password App and enter my MP there. However this does not seem to have unlocked autofill in the app, i.e. I am still asked to enter my MP there.
    Is this intended to work that way or is this a bug?
