Entering master password so often.

garymong
Community Member

I recently changed from LastPass to 1Password. If I knew I would have to enter the master password so often, I may not have changed. I consider it an annoyance. I'm a big boy and should be able to opt out of the requirement. It's not like you would be responsible if someone broke into my computer. There are ways around so much typing of the password, but still an annoyance. I know the spiel, it's your information bla bla bla we are trying to protect, correct, it is my information not yours, I should have a say. May be looking for yet another password manager.



Comments

  • sdelvecchio
    Community Member

    In the desktop app, go to Settings > Security and change the Auto-lock options.

  • Hi @garymong,

    You can change how often you need to unlock 1Password by managing your auto-lock settings - your settings aren’t synced between devices, so you can use the ideal settings on each one.

    As mentioned above, you can find this within your settings; depending on your specific device, you can find the steps within our How to set 1Password to lock automatically article.

    I hope that helps!

  • cyranis
    Community Member
    edited April 2023

    I have a 20-character password. If I have to type it once a day I'm already frustrated. Twice and I'm livid. Because of security policies I have no control over my PC locking constantly. I have a YubiKey for this issue. Yet any suggestion that this be used as a primary authentication method is met with resistance. Password decryption with no 2FA is one keylogger away from giving away every password I use. This issue is both disappointing and security-wise unacceptable.

  • @cyranis,

    I understand that different companies have different security policies on their devices, which can affect how 1Password behaves. In this scenario, I recommend employing biometrics via Touch/Face ID or via Windows Hello so you won't need to input your Account Password as frequently. As most modern devices include biometrics, hopefully this is an accessible solution for you. I'd also recommend looking into extending the time before the 1Password apps lock.

    Use Windows Hello to unlock 1Password on your Windows PC
    Use Touch ID to unlock 1Password on your Mac
    How to set 1Password to lock automatically

    I also understand your concerns about password decryption without 2FA. However, it's important to remember that 1Password keeps a local cache of the data for viewing, editing, and creation reasons. For that reason alone, 2FA would not provide any meaningful security. If 1Password was entirely web-based and could only be used while online, this would be different but this would also need to change how the 1Password apps work entirely.
    However you unlock, an unlocked app has the Account Unlock Key in memory, which malware on a compromised system could read and use to get your data. If your computer is compromised with such software, no unlock method can protect against that.

    A keylogger logging your password alone is not sufficient to gain access to your vaults, because the attacker also needs your secret key, which you do not type in except when setting up the device and sometimes not even then as there are other methods of setting up your 1Password account.

  • @OlivierP,

    I can confirm that if you are using a keylogger on your device that this can leave your account vulnerable if you've manually entered your Secret Key and password while having it active.

  • @OlivierP,

    When referring to being able to see the Secret Key in clear text, can you expand on where this appears? Is this in reference to your Emergency kit?

  • @OlivierP,

    Thank you for confirming. Yes, you are seeing this file on your computer because your Secret Key is meant to protect your data on our servers. Your Secret Key isn't intended to be secret within your own system. The purpose of the account password is to protect your data that is on your computer. The two work together to keep your data safe.

    Even if the server data was stolen and the user had a weak account password, your Secret Key would protect your data while also validating your device. This is why you don't need to re-input your Secret Key every time you sign in. However, yes this does mean it's located in the "1password.sqlite" file you mentioned, which we do try to obfuscate on your system.

  • @OlivierP,

    This is the correct behavior - Your Secret Key (and to a lesser extent, your Account Password) keeps you safe if your encrypted 1Password data is stolen from our servers whereas your Master Password is what defends you if your encrypted data is stolen from your device; your Secret Key is not intended to be a secret on your own device.

    For more information on this, I would suggest reading our Whitepaper, specifically page 79:
    https://1passwordstatic.com/files/security/1password-white-paper.pdf
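
The split of responsibilities described in the replies above (Secret Key for data taken from the server, password for data taken from the device) can be illustrated with a simplified two-secret derivation. This is an added example, not 1Password's own code or exact scheme: the choice of PBKDF2 and HKDF, the iteration count, the labels, the function names and every sample value are assumptions made for the sketch.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # kept low so the sketch runs quickly; an assumption, not a real setting

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_unlock_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix a slow, password-derived key with a key derived from the Secret Key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    sk_part = hkdf_sha256(secret_key, salt, b"sketch-two-secret")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def verifier(key: bytes) -> bytes:
    """Stand-in for 'this key decrypts the vault': a MAC over a fixed label."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()

def weak_password_found(wordlist, secret_key, salt, target):
    """Return the wordlist entry that reproduces the verifier, or None."""
    for candidate in wordlist:
        key = derive_unlock_key(candidate, secret_key, salt)
        if hmac.compare_digest(verifier(key), target):
            return candidate
    return None

def compare_theft_scenarios():
    # All values below are constructed for this example.
    salt = b"constructed-salt"
    secret_key = hashlib.sha256(b"constructed secret key").digest()[:16]
    wordlist = ["password", "letmein", "summer2023"]
    target = verifier(derive_unlock_key("summer2023", secret_key, salt))
    # Server-side copy: the Secret Key is not part of the stolen data, so it must be guessed too.
    from_server = weak_password_found(wordlist, bytes(16), salt, target)
    # Device copy: the Secret Key sits next to the data, so only the password protects it.
    from_device = weak_password_found(wordlist, secret_key, salt, target)
    return from_server, from_device

if __name__ == "__main__":
    print(compare_theft_scenarios())
```

The function returns `(None, "summer2023")`: the weak password is not recoverable from the server-side copy without the Secret Key, while on the device, where the Secret Key is stored alongside the data, the password is the only remaining barrier.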

This discussion has been closed.