Security Risk? Why does 1Password (all platforms) now require your Master Password every 2 weeks?

ChrisPro
Community Member

This is a MASSIVE SECURITY RISK in my opinion.
It opens users up to multiple different attacks. Keyloggers, Screen Capture Software and onlookers can all capture you as you frequently type in your Master Password.

Why can't this be disabled?

Biometrics have proven to be far more secure and work well on Android and Windows.

I feel extremely unsafe logging into any accounts with another person nearby as they could just watch me type in my Master Password rather than scan my fingerprint.

I have continued to use the old release of the 1Password app because of this. Sometimes I need to log in to an account in public or when at an event/gathering and you can't avoid people.
I have sensitive accounts in my vault that I need to keep secure that may include logins for work and/or any financial services I use.

There's also screen capture software. This is harder to do on mobile, but on desktops or any device with an on-screen keyboard feature you are basically screwed if someone captures your screen. Desktops are different as they require a login on every startup rather than every 2 weeks (as far as I know), which I'd like to see alleviated as well. I see no reason why Biometrics couldn't be used to unlock the vault. I understand the Master Password is needed to decrypt the vault initially, but if it can be stored during use (or for 2 weeks), why can't it be stored indefinitely or instead be decrypted with biometrics?

And then there are keyloggers. While this is a less common attack, it could be easily performed and steal someone's Master Password without any evidence. There are external devices that can do this just by being plugged into the victim's machine, and there are even simple software programs that can do the same. These wouldn't be a threat if Biometrics were always allowed.

I expect people using accessibility features (such as keyboards) will suffer worse from this if they ever need to log in to something away from home.

I'd like an explanation as to why these issues now exist on Android and why Desktops have been vulnerable to begin with.

Comments

  • Hey there @ChrisPro

    You can change how frequently 1Password asks you for your account password in Settings > Security, by changing the "Require password" setting to 2 weeks, 30 days, or never.

    Give that a try and let me know how you get on. I'll be here if you need further help. :)

    — Grey

This discussion has been closed.