I don't understand the constant denial position about the usefulness of a master password reprompt

Thorz
Community Member

Hello

I have been testing the family plan for some days and there is a ton of things that I like.

But, I don't understand 1Password's constant denial position about the topic of the usefulness of a master password or biometric reprompt (double verification) for eligible items.

I have been following the support and discussion channels about the service (in this website, Reddit, Twitter, Facebook) for a long time and this is something that gets asked quite often by users.

I understand perfectly that this is not something that is going to protect vault contents against a professional cyber attack executed locally on the machine, but protecting against this has never been the point of this feature. The point is to have an extra barrier of protection on your most critical items in case you forget to lock your OS. Who hasn't been in that situation?

Let's say you are alone at home and go to the bathroom. Being alone in your own house, you aren't thinking that someone is going to enter, so it is easy to forget to lock your PC / Mac at that moment. Suddenly, your kids or partner enter the house. They will have a moment to easily access information from one of the sensitive items stored in 1Password, like your master password, secret key, credit card number or content in a Secure Note. Neither your kids nor your partner are NSA operatives that are going to be able to breach your machine to extract your 1P master password from a memory dump, but anyone that uses the unlocked PC/Mac at that moment can access sensitive info in a situation like this. A simple master password or biometric reprompt is enough to stop this from turning into a bad situation for you and will keep the items you decided to activate this option for away from their prying eyes.

Do you really think that every other respectable password manager out there is wrong in implementing this, or that all of them are putting their customers at risk engaging in a dangerous "security theater" as I have seen this called by 1Password team members in many threads about this topic in the past?

This is something really trivial for the devs to implement and isn't going to hurt anyone. The option could be easily accompanied by an explanation text like the one you use beside the already implemented Watchtower option if you really think that this could give a false sense of security to a minuscule portion of 1P users; that text says today "This feature may pose a small risk to people that reuse similar passwords". This small risk hasn't stopped you from implementing the option to use Watchtower, has it? "Options" is the keyword here; please let us have the option for a password or biometric reprompt, and if you want, just explain the risks you think its use can bring, as every other good password manager on the face of the earth already does in 2023.

Thank you for your time.

Comments

  • Hi @Thorz,

    Thanks so much for taking the time to share your thoughts on this topic in such detail. I see your point and also think there's merit in giving users as many options as possible to choose how they keep themselves and their data secure, even if those options aren't all technically equal in strength.

    I'll add this internally for further consideration from the rest of the team. I found this thread that I suspect you've already read, but if there are others in particular you'd like to highlight, let me know and I'll include them as well. 🙂

    ref: PB-30334336

This discussion has been closed.