Please change need to enter master password every two weeks.

Mr. K.
Mr. K.
Community Member
edited May 2022 in Desktop betas (Mac, Windows, and Linux)

Security requires I enter my master password once every two weeks. I have Touch ID. Please remove that requirement, unless you are concerned that I will forget my master password, which is possible!

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • EnerJi
    EnerJi
    Community Member

    The risk of forgetting the master password is absolutely the reason for the 2-week requirement. :)

  • Gilles9
    Gilles9
    Community Member

    @EnerJi
    Agreed

  • Mr. K.
    Mr. K.
    Community Member

    Not a problem. I have my master password and all of my other passwords written down in my password notebook which I keep next to my computer! Seriously, I'm not going to forget it.

  • Ben
    Ben

    Hi @Mr. K.

    I have my master password and all of my other passwords written down in my password notebook

    While we do recommend writing your account password on your Emergency Kit, and storing that in a safe place (such as a fire safe or bank deposit box), that is the only place we'd recommend physically recording it. Additionally I'd have to point out that by keeping a paper copy of your other passwords, you're effectively defeating much of the security benefit (and convenience) of having 1Password in the first place...

    Security requires I enter my master password once every two weeks. I have Touch ID. Please remove that requirement

    I don't know that this is something that will change, but I will share your feedback with the product team for further consideration. Thanks for sharing, and I hope you'll consider the above.

    Ben

  • Mr. K.
    Mr. K.
    Community Member

    I think you know I was kidding about the password notebook next to my computer, although that is what my Uncle did, and I assume many others do too.

  • Ben
    Ben

    Sorry about that; I genuinely wasn't sure. As you say, unfortunately it isn't an uncommon practice, and sarcasm can be hard to detect especially through text on the internet. 😁 I'm glad to hear that isn't actually what you're doing. 🙏🏻

    Ben

  • rzzz
    rzzz
    Community Member

    @EnerJi it should be an option turned on by default, not a requirement. I don't feel this is secure at all. Re-entering master password so frequent increases the chance of exposing your password.

  • EnerJi
    EnerJi
    Community Member

    @EnerJi it should be an option turned on by default, not a requirement. I don't feel this is secure at all. Re-entering master password so frequent increases the chance of exposing your password.

    @rzzz You must have unusual requirements if entering your master password every two weeks significantly increases your chance of exposing your password. My hunch is that people forgetting their master password is a much bigger risk.

  • rzzz
    rzzz
    Community Member

    @EnerJi well I didn't say significantly, but thanks for trying though.

  • Qutrit
    Qutrit
    Community Member

    What would be the issue with making this an advanced option that is hidden for most users? I honestly thing that making it up to us to decide wether we need to be forced to input the password on a mobile device every two weeks is worth the extra risk/effort. Above all when we input it on our desktop computers quite more often.

  • Ben
    Ben

    @Qutrit

    Three main issues I can think of off-hand:

    1. The bar for adding a preference is pretty high. If you do a search of this forum for "add a preference" you can get some idea why (tl;dr there are hundreds of requests for various preferences).
    2. Doing so would add complexity to the lock service. This is not ideal for a number of reasons. For example, complexity can lead to mistakes, and mistakes are the last thing anything wants in their password managers lock service.
    3. If such an option existed, inevitably someone (multiple someones) will enable it either for themself, a loved one, a friend, a colleague, their boss, ... and then that person will forget their account password as a result. That isn't something we want to encourage by building such a feature.

    Ben

  • Qutrit
    Qutrit
    Community Member
    edited August 2022

    Hello Ben,

    Thanks for the answer. I am a bit surprised about the reasons you gave me. They would make sense to me if it weren’t for the fact that this preference was there in 1password7. This is not an issue of adding a preference. Rather it is an issue of removing it from a previous version. That leaves your reasons 1 and 2 in a weaker standpoint from my perspective.

    At the end of the day it is indeed a preference of the developers of course. Were you having many people losing their password because they enabled that feature in previous versions where it was already implemented and the technical difficulties of incorporating that preference into the lock service were solved?

  • Ben
    Ben

    @Qutrit

    Were you having many people losing their password because they enabled that feature in previous versions where it was already implemented

    Yes, we did: thousands; perhaps tens of thousands, but I'll say thousands to be conservative.

    and the technical difficulties of incorporating that preference into the lock service were solved?

    The complexity issues were not solved. Preferences always add complexity. There are bugs in the 1Password 7 lock service to this day in part due to that complexity.

    Ben

This discussion has been closed.