Feature request: Exposing password age in the UI, including sorting

bewilson
bewilson
Community Member

First, having recently switched to 1Password from LastPass, I wish I'd made the switch a long time ago. Some parts of the UI are simply different, but most of it is a lot better. And the security is clearly a lot better.

BLUF: The main thing that's missing for me (and LP didn't do this well, either) is a way to sort and filter based on password age. The modification date is useful, but the date I changed the tags or added a note is almost useless to me. The date I most recently changed the password is.

Details:
First, I'm not interested in password rotation generally. I am grateful that NIST 800-63-3 finally made the comment that forced password changes are counterproductive. One should, generally, only change strong passwords when there's a good reason to do so. And I can go into any given 1Password item and see when I last changed that password.

However, I think there are a couple of use cases where being able to sort things by password age is a useful feature.

1) in a case like mine, where I've switched to 1Password due to a different product's f-up. Because of the LastPass breach, I am changing every single password. I've done all of the critical ones, but there are about 1000 items in my vault. I need to review all of them. Sorting by modification date is a good start, but it's only a correlated variable. I've changed tags on some things, doing bulk tagging based on some searches, to help me prioritize which passwords needed to be changed first. I really want to be able to sort on password age, so that I can go through and make sure that I have changed all of the passwords.

2) While strong passwords don't need to be changed in the absence of a good reason, what constitutes strong does change over time. I was a LP user for well over a decade. What constituted a strong password back then isn't the same as what constitutes one now. Some sites had limitations on password length -- I can think of several that limited passwords to 16 characters. My opinion is that periodically (once a year or so), taking a look at my oldest passwords and deciding if they should be changed, is a reasonable security practice (on top of services like WatchTower). Now services like Watchtower go a long way on that, particularly in terms of highlighting what are understood to be weak passwords. But, I'd argue that reviewing the oldest passwords on a very periodic basis, such as by exposing a "sort by password age" is a reasonable security practice.


1Password Version: 8.9.13
Extension Version: Not Provided
OS Version: Mac, Window, iOS, Android
Browser:_ Not Provided

Comments

  • Hello @bewilson! 👋

    Welcome to 1Password! Thank you for the thoughtful and detailed feedback, I really appreciate that you took the time to post.

    First, you're right that regular password changes for no other reason but because an amount of time has passed is no longer recommended as a security practice by many cybersecurity experts and organizations such as the National Institute of Standards and Technology (NIST). I recommend that you change your passwords if one of the following conditions is met:

    1. The password for a website/account is not a secure and unique password generated by 1Password.
    2. 1Password's Watchtower sends you a warning that your password for a website/account has been reused or was found in a data breach.

    And for those migrating from LastPass it's also a good idea to change any passwords that you had stored in that service. When you import your items from LastPass I suggest that you tag them with a lastpass tag. Then you can remove the tag from each item as you change the password for that item. Another option is to import your items into a separate vault that you can call temp-vault and then move the items over to your Private vault as you change each password.

    1Password's Watchtower will indeed warn you if an account's password is too weak. And if our security team finds reason to update the recipe on what constitutes a weak password in the future then Watchtower will be automatically updated to check all of your items using the new recipe.

    That all being said, I can see how being able to sort by password age would be useful and I've passed along your feedback to the product team for consideration. 🙂

    -Dave

    ref: PB-30497352

This discussion has been closed.